1 // Code generated by smithy-go-codegen DO NOT EDIT.
2 3 package ssooidc
4 5 import (
6 "context"
7 "fmt"
8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
9 "github.com/aws/aws-sdk-go-v2/service/ssooidc/types"
10 "github.com/aws/smithy-go/middleware"
11 smithyhttp "github.com/aws/smithy-go/transport/http"
12 )
// CreateTokenWithIAM creates and returns access and refresh tokens for
// authorized client applications that authenticate with any IAM entity, such
// as a service role or user. The issued tokens may carry scopes (for example
// read:profile or write:data); with the scopes parameter a caller can
// downscope, i.e. request a token with fewer permissions than the client
// application (or, where applicable, the refresh token) holds. The access
// token can then be used to fetch short-lived credentials for the assigned
// Amazon Web Services accounts or to call application APIs with bearer
// authentication.
//
// A nil params is treated as an empty CreateTokenWithIAMInput. The returned
// output carries bearer credentials (AccessToken, RefreshToken, IdToken), so
// callers should handle it as secret material.
//
// This API is used with Signature Version 4. For more information, see [Amazon Web Services Signature Version 4 for API Requests].
//
// [Amazon Web Services Signature Version 4 for API Requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html
func (c *Client) CreateTokenWithIAM(ctx context.Context, params *CreateTokenWithIAMInput, optFns ...func(*Options)) (*CreateTokenWithIAMOutput, error) {
	in := params
	if in == nil {
		in = &CreateTokenWithIAMInput{}
	}

	res, md, err := c.invokeOperation(ctx, "CreateTokenWithIAM", in, optFns, c.addOperationCreateTokenWithIAMMiddlewares)
	if err != nil {
		return nil, err
	}

	// invokeOperation always yields this operation's output type for this
	// operation name; the assertion is the same contract the generated code relies on.
	out := res.(*CreateTokenWithIAMOutput)
	out.ResultMetadata = md
	return out, nil
}
// CreateTokenWithIAMInput is the request for [Client.CreateTokenWithIAM].
//
// Which members are consulted depends on GrantType (each field comment says
// which grant type uses it). Several members carry credentials (Assertion,
// Code, CodeVerifier, RefreshToken, SubjectToken); treat a populated struct as
// secret material and keep it out of logs and error messages.
type CreateTokenWithIAMInput struct {

	// The unique identifier string for the client or application. This value is an
	// application ARN that has OAuth grants configured.
	//
	// This member is required.
	ClientId *string

	// Supports the following OAuth grant types: Authorization Code, Refresh Token,
	// JWT Bearer, and Token Exchange. Specify one of the following values, depending
	// on the grant type that you want:
	//
	// * Authorization Code - authorization_code
	//
	// * Refresh Token - refresh_token
	//
	// * JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer
	//
	// * Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange
	//
	// This member is required.
	GrantType *string

	// Used only when calling this API for the JWT Bearer grant type. This value
	// specifies the JSON Web Token (JWT) issued by a trusted token issuer. To
	// authorize a trusted token issuer, configure the JWT Bearer GrantOptions for the
	// application.
	//
	// This is a bearer credential: anyone holding it can present it.
	Assertion *string

	// Used only when calling this API for the Authorization Code grant type. This
	// short-lived code is used to identify this authorization request. The code is
	// obtained through a redirect from IAM Identity Center to a redirect URI persisted
	// in the Authorization Code GrantOptions for the application.
	Code *string

	// Used only when calling this API for the Authorization Code grant type. This
	// value is generated by the client and presented to validate the original code
	// challenge value the client passed at authorization time.
	//
	// Presumably the PKCE code_verifier matching the code challenge sent with the
	// authorization request; it should be generated fresh per request and never
	// reused — confirm against the authorization-request side.
	CodeVerifier *string

	// Used only when calling this API for the Authorization Code grant type. This
	// value specifies the location of the client or application that has registered to
	// receive the authorization code.
	//
	// NOTE(review): presumably this must match the redirect URI persisted in the
	// application's Authorization Code GrantOptions (see Code) — confirm.
	RedirectUri *string

	// Used only when calling this API for the Refresh Token grant type. This token is
	// used to refresh short-lived tokens, such as the access token, that might expire.
	//
	// For more information about the features and limitations of the current IAM
	// Identity Center OIDC implementation, see Considerations for Using this Guide in
	// the [IAM Identity Center OIDC API Reference].
	//
	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
	RefreshToken *string

	// Used only when calling this API for the Token Exchange grant type. This value
	// specifies the type of token that the requester can receive. The following values
	// are supported:
	//
	// * Access Token - urn:ietf:params:oauth:token-type:access_token
	//
	// * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
	RequestedTokenType *string

	// The list of scopes for which authorization is requested. The access token that
	// is issued is limited to the scopes that are granted. If the value is not
	// specified, IAM Identity Center authorizes all scopes configured for the
	// application, including the following default scopes: openid , aws ,
	// sts:identity_context .
	//
	// Leaving Scope empty therefore yields the broadest token the application is
	// configured for; request only the scopes a caller needs (downscoping) to keep
	// the issued token's permissions minimal.
	Scope []string

	// Used only when calling this API for the Token Exchange grant type. This value
	// specifies the subject of the exchange. The value of the subject token must be an
	// access token issued by IAM Identity Center to a different client or application.
	// The access token must have authorized scopes that indicate the requested
	// application as a target audience.
	SubjectToken *string

	// Used only when calling this API for the Token Exchange grant type. This value
	// specifies the type of token that is passed as the subject of the exchange. The
	// following value is supported:
	//
	// * Access Token - urn:ietf:params:oauth:token-type:access_token
	SubjectTokenType *string

	noSmithyDocumentSerde
}
// CreateTokenWithIAMOutput is the response from [Client.CreateTokenWithIAM].
//
// AccessToken, RefreshToken and IdToken are credentials; store them as secrets
// and avoid writing the whole struct to logs. ExpiresIn is expressed in
// seconds (presumably a remaining lifetime, as with the standard OAuth
// expires_in response parameter — confirm), so callers wanting an absolute
// expiry should record the time at which this response was received.
type CreateTokenWithIAMOutput struct {

	// A bearer token to access Amazon Web Services accounts and applications assigned
	// to a user.
	AccessToken *string

	// A structure containing information from IAM Identity Center managed user and
	// group information.
	AwsAdditionalDetails *types.AwsAdditionalDetails

	// Indicates the time in seconds when an access token will expire.
	ExpiresIn int32

	// A JSON Web Token (JWT) that identifies the user associated with the issued
	// access token.
	//
	// Callers that rely on its claims should validate the JWT's signature and
	// issuer rather than trusting the decoded payload as-is.
	IdToken *string

	// Indicates the type of tokens that are issued by IAM Identity Center. The
	// following values are supported:
	//
	// * Access Token - urn:ietf:params:oauth:token-type:access_token
	//
	// * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
	IssuedTokenType *string

	// A token that, if present, can be used to refresh a previously issued access
	// token that might have expired.
	//
	// Because it outlives the access token, a leaked refresh token is the more
	// valuable secret of the two; nil when the service issued none.
	//
	// For more information about the features and limitations of the current IAM
	// Identity Center OIDC implementation, see Considerations for Using this Guide in
	// the [IAM Identity Center OIDC API Reference].
	//
	// [IAM Identity Center OIDC API Reference]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
	RefreshToken *string

	// The list of scopes for which authorization is granted. The access token that is
	// issued is limited to the scopes that are granted.
	//
	// This may be narrower than CreateTokenWithIAMInput.Scope; callers should check
	// it rather than assume every requested scope was granted.
	Scope []string

	// Used to notify the requester that the returned token is an access token. The
	// supported token type is Bearer .
	TokenType *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata

	noSmithyDocumentSerde
}
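// addOperationCreateTokenWithIAMMiddlewares registers every middleware the
// CreateTokenWithIAM operation needs on stack: the operation's serializer and
// deserializer, the protocol finalizers, and the shared client middlewares
// (endpoint resolution, retry, signing-related context, logging, tracing,
// validation, interceptors). It is passed to invokeOperation by
// CreateTokenWithIAM.
//
// Registration order matters: each helper adds itself to a particular stack
// phase relative to what is already there, so the sequence below must not be
// reordered casually. The first error from any helper is returned; only the
// protocol-finalizer error is wrapped, and it now uses %w so callers can
// inspect the cause with errors.Is / errors.As (the message text is
// unchanged).
func (c *Client) addOperationCreateTokenWithIAMMiddlewares(stack *middleware.Stack, options Options) (err error) {
	if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
		return err
	}
	err = stack.Serialize.Add(&awsRestjson1_serializeOpCreateTokenWithIAM{}, middleware.After)
	if err != nil {
		return err
	}
	err = stack.Deserialize.Add(&awsRestjson1_deserializeOpCreateTokenWithIAM{}, middleware.After)
	if err != nil {
		return err
	}
	if err := addProtocolFinalizerMiddlewares(stack, options, "CreateTokenWithIAM"); err != nil {
		// %w (rather than %v) keeps the underlying error in the chain.
		return fmt.Errorf("add protocol finalizers: %w", err)
	}

	if err = addlegacyEndpointContextSetter(stack, options); err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = addClientRequestID(stack); err != nil {
		return err
	}
	if err = addComputeContentLength(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	if err = addComputePayloadSHA256(stack); err != nil {
		return err
	}
	if err = addRetry(stack, options); err != nil {
		return err
	}
	if err = addRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = addRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addSpanRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addClientUserAgent(stack, options); err != nil {
		return err
	}
	// Both close the response body: one on the error path, one on the normal
	// path, so a connection is not leaked either way.
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
		return err
	}
	if err = addTimeOffsetBuild(stack, c); err != nil {
		return err
	}
	if err = addUserAgentRetryMode(stack, options); err != nil {
		return err
	}
	if err = addCredentialSource(stack, options); err != nil {
		return err
	}
	// Presumably enforces the required members (ClientId, GrantType per the
	// input docs) before the request is sent — confirm in the validator.
	if err = addOpCreateTokenWithIAMValidationMiddleware(stack); err != nil {
		return err
	}
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opCreateTokenWithIAM(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRecursionDetection(stack); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	// NOTE(review): if the client's log mode includes request/response bodies,
	// the logged payloads of this operation would presumably contain the
	// issued tokens (see CreateTokenWithIAMOutput) — confirm before enabling
	// body logging outside of local debugging.
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
		return err
	}
	if err = addInterceptBeforeRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addInterceptAttempt(stack, options); err != nil {
		return err
	}
	if err = addInterceptors(stack, options); err != nil {
		return err
	}
	return nil
}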
// newServiceMetadataMiddleware_opCreateTokenWithIAM builds the middleware that
// tags requests with this service's ID, the given region and the operation
// name "CreateTokenWithIAM"; addOperationCreateTokenWithIAMMiddlewares adds it
// to the Initialize phase.
func newServiceMetadataMiddleware_opCreateTokenWithIAM(region string) *awsmiddleware.RegisterServiceMetadata {
	md := awsmiddleware.RegisterServiceMetadata{
		Region:        region,
		ServiceID:     ServiceID,
		OperationName: "CreateTokenWithIAM",
	}
	return &md
}
286