/* * Copyright 2018-2023 Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with * the License. A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR * CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions * and limitations under the License. */ package com.amazonaws.services.ssooidc; import org.w3c.dom.*; import java.net.*; import java.util.*; import javax.annotation.Generated; import org.apache.commons.logging.*; import com.amazonaws.*; import com.amazonaws.annotation.SdkInternalApi; import com.amazonaws.auth.*; import com.amazonaws.handlers.*; import com.amazonaws.http.*; import com.amazonaws.internal.*; import com.amazonaws.internal.auth.*; import com.amazonaws.metrics.*; import com.amazonaws.regions.*; import com.amazonaws.transform.*; import com.amazonaws.util.*; import com.amazonaws.protocol.json.*; import com.amazonaws.util.AWSRequestMetrics.Field; import com.amazonaws.annotation.ThreadSafe; import com.amazonaws.client.AwsSyncClientParams; import com.amazonaws.client.builder.AdvancedConfig; import com.amazonaws.services.ssooidc.AWSSSOOIDCClientBuilder; import com.amazonaws.AmazonServiceException; import com.amazonaws.services.ssooidc.model.*; import com.amazonaws.services.ssooidc.model.transform.*; /** * Client for accessing SSO OIDC. All service calls made using this client are blocking, and will not return until the * service call completes. *
*
* AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a * client (such as AWS CLI or a native application) to register with IAM Identity Center. The service also enables the * client to fetch the user’s access token upon successful authentication and authorization with IAM Identity Center. *
*
* Although AWS Single Sign-On was renamed, the <code>sso</code> and <code>identitystore</code> API namespaces will
* continue to retain their original name for backward compatibility purposes. For more information, see IAM Identity Center rename.
*
* Considerations for Using This Guide *
** Before you begin using this guide, we recommend that you first review the following important information about how * the IAM Identity Center OIDC service works. *
** The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization * Grant standard (https://tools.ietf.org/html/rfc8628) that are * necessary to enable single sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed * for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in future releases. *
** The service emits only OIDC access tokens, such that obtaining a new token (For example, token refresh) requires * explicit user re-authentication. *
** The access tokens provided by this service grant access to all AWS account entitlements assigned to an IAM Identity * Center user, not just a particular application. *
** The documentation in this guide does not describe the mechanism to convert the access token into AWS Auth (“sigv4”) * credentials for use with IAM-protected AWS service endpoints. For more information, see GetRoleCredentials in the IAM Identity Center Portal API Reference Guide. *
** For general information about IAM Identity Center, see What is IAM Identity Center? in the * IAM Identity Center User Guide. *
*/ @ThreadSafe @Generated("com.amazonaws:aws-java-sdk-code-generator") public class AWSSSOOIDCClient extends AmazonWebServiceClient implements AWSSSOOIDC { /** Provider for AWS credentials. */ private final AWSCredentialsProvider awsCredentialsProvider; private static final Log log = LogFactory.getLog(AWSSSOOIDC.class); /** Default signing name for the service. */ private static final String DEFAULT_SIGNING_NAME = "awsssooidc"; /** Client configuration factory providing ClientConfigurations tailored to this client */ protected static final ClientConfigurationFactory configFactory = new ClientConfigurationFactory(); private final AdvancedConfig advancedConfig; private static final com.amazonaws.protocol.json.SdkJsonProtocolFactory protocolFactory = new com.amazonaws.protocol.json.SdkJsonProtocolFactory( new JsonClientMetadata() .withProtocolVersion("1.1") .withSupportsCbor(false) .withSupportsIon(false) .withContentTypeOverride("application/json") .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("SlowDownException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.SlowDownExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("AccessDeniedException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.AccessDeniedExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("ExpiredTokenException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.ExpiredTokenExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("InternalServerException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.InternalServerExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("InvalidClientMetadataException").withExceptionUnmarshaller( 
com.amazonaws.services.ssooidc.model.transform.InvalidClientMetadataExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("InvalidGrantException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.InvalidGrantExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("UnauthorizedClientException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.UnauthorizedClientExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("InvalidClientException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.InvalidClientExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("AuthorizationPendingException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.AuthorizationPendingExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("InvalidRequestException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.InvalidRequestExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("InvalidScopeException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.InvalidScopeExceptionUnmarshaller.getInstance())) .addErrorMetadata( new JsonErrorShapeMetadata().withErrorCode("UnsupportedGrantTypeException").withExceptionUnmarshaller( com.amazonaws.services.ssooidc.model.transform.UnsupportedGrantTypeExceptionUnmarshaller.getInstance())) .withBaseServiceExceptionClass(com.amazonaws.services.ssooidc.model.AWSSSOOIDCException.class)); public static AWSSSOOIDCClientBuilder builder() { return AWSSSOOIDCClientBuilder.standard(); } /** * Constructs a new client to invoke service methods on SSO OIDC using the specified parameters. 
* ** All service calls made using this new client object are blocking, and will not return until the service call * completes. * * @param clientParams * Object providing client parameters. */ AWSSSOOIDCClient(AwsSyncClientParams clientParams) { this(clientParams, false); } /** * Constructs a new client to invoke service methods on SSO OIDC using the specified parameters. * *
* All service calls made using this new client object are blocking, and will not return until the service call * completes. * * @param clientParams * Object providing client parameters. */ AWSSSOOIDCClient(AwsSyncClientParams clientParams, boolean endpointDiscoveryEnabled) { super(clientParams); this.awsCredentialsProvider = clientParams.getCredentialsProvider(); this.advancedConfig = clientParams.getAdvancedConfig(); init(); } private void init() { setServiceNameIntern(DEFAULT_SIGNING_NAME); setEndpointPrefix(ENDPOINT_PREFIX); // calling this.setEndPoint(...) will also modify the signer accordingly setEndpoint("oidc.us-east-1.amazonaws.com"); HandlerChainFactory chainFactory = new HandlerChainFactory(); requestHandler2s.addAll(chainFactory.newRequestHandlerChain("/com/amazonaws/services/ssooidc/request.handlers")); requestHandler2s.addAll(chainFactory.newRequestHandler2Chain("/com/amazonaws/services/ssooidc/request.handler2s")); requestHandler2s.addAll(chainFactory.getGlobalHandlers()); } /** *
* Creates and returns an access token for the authorized client. The access token issued will be used to fetch * short-term credentials for the assigned roles in the AWS account. *
* * @param createTokenRequest * @return Result of the CreateToken operation returned by the service. * @throws InvalidRequestException * Indicates that something is wrong with the input to the request. For example, a required parameter might * be missing or out of range. * @throws InvalidClientException * Indicates that the <code>clientId</code> or <code>clientSecret</code> in the request is invalid. For
* example, this can occur when a client sends an incorrect <code>clientId</code> or an expired
* <code>clientSecret</code>.
* @throws InvalidGrantException
* Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken
* request with an invalid grant type.
* @throws UnauthorizedClientException
* Indicates that the client is not currently authorized to make the request. This can happen when a
* <code>clientId</code> is not issued for a public client.
* @throws UnsupportedGrantTypeException
* Indicates that the grant type in the request is not supported by the service.
* @throws InvalidScopeException
* Indicates that the scope provided in the request is invalid.
* @throws AuthorizationPendingException
* Indicates that a request to authorize a client with an access user session token is pending.
* @throws SlowDownException
* Indicates that the client is making the request too frequently and is more than the service can handle.
* @throws AccessDeniedException
* You do not have sufficient access to perform this action.
* @throws ExpiredTokenException
* Indicates that the token issued by the service is expired and is no longer valid.
* @throws InternalServerException
* Indicates that an error from the service occurred while trying to process a request.
* @sample AWSSSOOIDC.CreateToken
* @see AWS API Documentation
*/
@Override
public CreateTokenResult createToken(CreateTokenRequest request) {
    // Run the inherited pre-execution hook first, then hand the prepared request to the internal executor.
    return executeCreateToken(beforeClientExecution(request));
}
@SdkInternalApi
final CreateTokenResult executeCreateToken(CreateTokenRequest createTokenRequest) {
ExecutionContext executionContext = createExecutionContext(createTokenRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request* Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output * should be persisted for reuse through many authentication requests. *
* * @param registerClientRequest * @return Result of the RegisterClient operation returned by the service. * @throws InvalidRequestException * Indicates that something is wrong with the input to the request. For example, a required parameter might * be missing or out of range. * @throws InvalidScopeException * Indicates that the scope provided in the request is invalid. * @throws InvalidClientMetadataException * Indicates that the client information sent in the request during registration is invalid. * @throws InternalServerException * Indicates that an error from the service occurred while trying to process a request. * @sample AWSSSOOIDC.RegisterClient * @see AWS API * Documentation */ @Override public RegisterClientResult registerClient(RegisterClientRequest request) { request = beforeClientExecution(request); return executeRegisterClient(request); } @SdkInternalApi final RegisterClientResult executeRegisterClient(RegisterClientRequest registerClientRequest) { ExecutionContext executionContext = createExecutionContext(registerClientRequest); AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics(); awsRequestMetrics.startEvent(Field.ClientExecuteTime); Request* Initiates device authorization by requesting a pair of verification codes from the authorization service. *
* * @param startDeviceAuthorizationRequest * @return Result of the StartDeviceAuthorization operation returned by the service. * @throws InvalidRequestException * Indicates that something is wrong with the input to the request. For example, a required parameter might * be missing or out of range. * @throws InvalidClientException * Indicates that the <code>clientId</code> or <code>clientSecret</code> in the request is invalid. For
* example, this can occur when a client sends an incorrect <code>clientId</code> or an expired
* <code>clientSecret</code>.
* @throws UnauthorizedClientException
* Indicates that the client is not currently authorized to make the request. This can happen when a
* <code>clientId</code> is not issued for a public client.
* @throws SlowDownException
* Indicates that the client is making the request too frequently and is more than the service can handle.
* @throws InternalServerException
* Indicates that an error from the service occurred while trying to process a request.
* @sample AWSSSOOIDC.StartDeviceAuthorization
* @see AWS API Documentation
*/
@Override
public StartDeviceAuthorizationResult startDeviceAuthorization(StartDeviceAuthorizationRequest request) {
    // Run the inherited pre-execution hook first, then hand the prepared request to the internal executor.
    return executeStartDeviceAuthorization(beforeClientExecution(request));
}
@SdkInternalApi
final StartDeviceAuthorizationResult executeStartDeviceAuthorization(StartDeviceAuthorizationRequest startDeviceAuthorizationRequest) {
ExecutionContext executionContext = createExecutionContext(startDeviceAuthorizationRequest);
AWSRequestMetrics awsRequestMetrics = executionContext.getAwsRequestMetrics();
awsRequestMetrics.startEvent(Field.ClientExecuteTime);
Request
* Response metadata is only cached for a limited period of time, so if you need to access this extra diagnostic
* information for an executed request, you should use this method to retrieve it as soon as possible after
* executing the request.
*
* @param request
* The originally executed request
*
* @return The response metadata for the specified request, or null if none is available.
*/
public ResponseMetadata getCachedResponseMetadata(AmazonWebServiceRequest request) {
    // Look the request up in the underlying client's metadata cache; the result is null once the entry has aged out.
    final ResponseMetadata cached = client.getResponseMetadataForRequest(request);
    return cached;
}
/**
* Normal invoke with authentication. Credentials are required and may be overridden at the request level.
**/
private