You do not have sufficient access to perform this action.
* @public */ export declare class AccessDeniedException extends __BaseException { readonly name: "AccessDeniedException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be access_denied.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that a request to authorize a client with an access user session token is * pending.
* @public */ export declare class AuthorizationPendingException extends __BaseException { readonly name: "AuthorizationPendingException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be authorization_pending.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe unique identifier string for the client or application. This value comes from the * result of the RegisterClient API.
* @public */ clientId: string | undefined; /** *A secret string generated for the client. This value should come from the persisted result * of the RegisterClient API.
* @public */ clientSecret: string | undefined; /** *Supports the following OAuth grant types: Device Code and Refresh Token. * Specify either of the following values, depending on the grant type that you want:
** Device Code - urn:ietf:params:oauth:grant-type:device_code
*
* Refresh Token - refresh_token
*
For information about how to obtain the device code, see the StartDeviceAuthorization topic.
* @public */ grantType: string | undefined; /** *Used only when calling this API for the Device Code grant type. This short-term code is * used to identify this authorization request. This comes from the result of the * StartDeviceAuthorization API.
* @public */ deviceCode?: string | undefined; /** *Used only when calling this API for the Authorization Code grant type. The short-term code is * used to identify this authorization request. This grant type is currently unsupported for the * CreateToken API.
* @public */ code?: string | undefined; /** *Used only when calling this API for the Refresh Token grant type. This token is used to * refresh short-term tokens, such as the access token, that might expire.
*For more information about the features and limitations of the current IAM Identity Center OIDC * implementation, see Considerations for Using this Guide in the IAM Identity Center * OIDC API Reference.
* @public */ refreshToken?: string | undefined; /** *The list of scopes for which authorization is requested. The access token that is issued * is limited to the scopes that are granted. If this value is not specified, IAM Identity Center authorizes * all scopes that are configured for the client during the call to * RegisterClient.
* @public */ scope?: string[] | undefined; /** *Used only when calling this API for the Authorization Code grant type. This value specifies * the location of the client or application that has registered to receive the authorization * code.
* @public */ redirectUri?: string | undefined; /** *Used only when calling this API for the Authorization Code grant type. This value is generated * by the client and presented to validate the original code challenge value the client passed at * authorization time.
* @public */ codeVerifier?: string | undefined; } /** * @public */ export interface CreateTokenResponse { /** *A bearer token to access Amazon Web Services accounts and applications assigned to a user.
* @public */ accessToken?: string | undefined; /** *Used to notify the client that the returned token is an access token. The supported token
* type is Bearer.
Indicates the time in seconds when an access token will expire.
* @public */ expiresIn?: number | undefined; /** *A token that, if present, can be used to refresh a previously issued access token that * might have expired.
*For more * information about the features and limitations of the current IAM Identity Center OIDC implementation, * see Considerations for Using this Guide in the IAM Identity Center * OIDC API Reference.
* @public */ refreshToken?: string | undefined; /** *The idToken is not implemented or supported. For more information about the
* features and limitations of the current IAM Identity Center OIDC implementation, see Considerations
* for Using this Guide in the IAM Identity Center
* OIDC API Reference.
A JSON Web Token (JWT) that identifies who is associated with the issued access token. *
* @public */ idToken?: string | undefined; } /** *Indicates that the token issued by the service is expired and is no longer valid.
* @public */ export declare class ExpiredTokenException extends __BaseException { readonly name: "ExpiredTokenException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be expired_token.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that an error from the service occurred while trying to process a * request.
* @public */ export declare class InternalServerException extends __BaseException { readonly name: "InternalServerException"; readonly $fault: "server"; /** *Single error code.
* For this exception the value will be server_error.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that the clientId or clientSecret in the request is
* invalid. For example, this can occur when a client sends an incorrect clientId or
* an expired clientSecret.
Single error code.
* For this exception the value will be invalid_client.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that a request contains an invalid grant. This can occur if a client makes a * CreateToken request with an invalid grant type.
* @public */ export declare class InvalidGrantException extends __BaseException { readonly name: "InvalidGrantException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be invalid_grant.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that something is wrong with the input to the request. For example, a required * parameter might be missing or out of range.
* @public */ export declare class InvalidRequestException extends __BaseException { readonly name: "InvalidRequestException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be invalid_request.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that the scope provided in the request is invalid.
* @public */ export declare class InvalidScopeException extends __BaseException { readonly name: "InvalidScopeException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be invalid_scope.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that the client is making the request too frequently and is more than the * service can handle.
* @public */ export declare class SlowDownException extends __BaseException { readonly name: "SlowDownException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be slow_down.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that the client is not currently authorized to make the request. This can happen
* when a clientId is not issued for a public client.
Single error code.
* For this exception the value will be unauthorized_client.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that the grant type in the request is not supported by the service.
* @public */ export declare class UnsupportedGrantTypeException extends __BaseException { readonly name: "UnsupportedGrantTypeException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be unsupported_grant_type.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe unique identifier string for the client or application. This value is an application * ARN that has OAuth grants configured.
* @public */ clientId: string | undefined; /** *Supports the following OAuth grant types: Authorization Code, Refresh Token, JWT Bearer, * and Token Exchange. Specify one of the following values, depending on the grant type that you * want:
** Authorization Code - authorization_code
*
* Refresh Token - refresh_token
*
* JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer
*
* Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange
*
Used only when calling this API for the Authorization Code grant type. This short-term * code is used to identify this authorization request. The code is obtained through a redirect * from IAM Identity Center to a redirect URI persisted in the Authorization Code GrantOptions for the * application.
* @public */ code?: string | undefined; /** *Used only when calling this API for the Refresh Token grant type. This token is used to * refresh short-term tokens, such as the access token, that might expire.
*For more information about the features and limitations of the current IAM Identity Center OIDC * implementation, see Considerations for Using this Guide in the IAM Identity Center * OIDC API Reference.
* @public */ refreshToken?: string | undefined; /** *Used only when calling this API for the JWT Bearer grant type. This value specifies the JSON * Web Token (JWT) issued by a trusted token issuer. To authorize a trusted token issuer, * configure the JWT Bearer GrantOptions for the application.
* @public */ assertion?: string | undefined; /** *The list of scopes for which authorization is requested. The access token that is issued
* is limited to the scopes that are granted. If the value is not specified, IAM Identity Center authorizes all
* scopes configured for the application, including the following default scopes:
* openid, aws, sts:identity_context.
Used only when calling this API for the Authorization Code grant type. This value specifies * the location of the client or application that has registered to receive the authorization code. *
* @public */ redirectUri?: string | undefined; /** *Used only when calling this API for the Token Exchange grant type. This value specifies * the subject of the exchange. The value of the subject token must be an access token issued by * IAM Identity Center to a different client or application. The access token must have authorized scopes * that indicate the requested application as a target audience.
* @public */ subjectToken?: string | undefined; /** *Used only when calling this API for the Token Exchange grant type. This value specifies * the type of token that is passed as the subject of the exchange. The following value is * supported:
** Access Token - urn:ietf:params:oauth:token-type:access_token
*
Used only when calling this API for the Token Exchange grant type. This value specifies * the type of token that the requester can receive. The following values are supported:
** Access Token - urn:ietf:params:oauth:token-type:access_token
*
* Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
*
Used only when calling this API for the Authorization Code grant type. This value is generated * by the client and presented to validate the original code challenge value the client passed at * authorization time.
* @public */ codeVerifier?: string | undefined; } /** * @public */ export interface CreateTokenWithIAMResponse { /** *A bearer token to access Amazon Web Services accounts and applications assigned to a user.
* @public */ accessToken?: string | undefined; /** *Used to notify the requester that the returned token is an access token. The supported
* token type is Bearer.
Indicates the time in seconds when an access token will expire.
* @public */ expiresIn?: number | undefined; /** *A token that, if present, can be used to refresh a previously issued access token that * might have expired.
*For more * information about the features and limitations of the current IAM Identity Center OIDC implementation, * see Considerations for Using this Guide in the IAM Identity Center * OIDC API Reference.
* @public */ refreshToken?: string | undefined; /** *A JSON Web Token (JWT) that identifies the user associated with the issued access token. *
* @public */ idToken?: string | undefined; /** *Indicates the type of tokens that are issued by IAM Identity Center. The following values are supported: *
** Access Token - urn:ietf:params:oauth:token-type:access_token
*
* Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
*
The list of scopes for which authorization is granted. The access token that is issued * is limited to the scopes that are granted.
* @public */ scope?: string[] | undefined; } /** *Indicates that a token provided as input to the request was issued by and is only usable * by calling IAM Identity Center endpoints in another region.
* @public */ export declare class InvalidRequestRegionException extends __BaseException { readonly name: "InvalidRequestRegionException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be invalid_request.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** *Indicates the IAM Identity Center endpoint which the requester may call with this token.
* @public */ endpoint?: string | undefined; /** *Indicates the region which the requester may call with this token.
* @public */ region?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that the client information sent in the request during registration is * invalid.
* @public */ export declare class InvalidClientMetadataException extends __BaseException { readonly name: "InvalidClientMetadataException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be invalid_client_metadata.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeIndicates that one or more redirect URI in the request is not supported for this operation.
* @public */ export declare class InvalidRedirectUriException extends __BaseException { readonly name: "InvalidRedirectUriException"; readonly $fault: "client"; /** *Single error code.
* For this exception the value will be invalid_redirect_uri.
Human-readable text providing additional information, used to assist the * client developer in understanding the error that occurred.
* @public */ error_description?: string | undefined; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe friendly name of the client.
* @public */ clientName: string | undefined; /** *The type of client. The service supports only public as a client type.
* Anything other than public will be rejected by the service.
The list of scopes that are defined by the client. Upon authorization, this list is used * to restrict permissions when granting an access token.
* @public */ scopes?: string[] | undefined; /** *The list of redirect URI that are defined by the client. At completion of authorization, * this list is used to restrict what locations the user agent can be redirected back to.
* @public */ redirectUris?: string[] | undefined; /** *The list of OAuth 2.0 grant types that are defined by the client. This list is used to * restrict the token granting flows available to the client.
* @public */ grantTypes?: string[] | undefined; /** *The IAM Identity Center Issuer URL associated with an instance of IAM Identity Center. This value is needed for user access to resources through the client.
* @public */ issuerUrl?: string | undefined; /** *This IAM Identity Center application ARN is used to define administrator-managed configuration for public client access to resources. At * authorization, the scopes, grants, and redirect URI available to this client will be restricted by this application resource.
* @public */ entitledApplicationArn?: string | undefined; } /** * @public */ export interface RegisterClientResponse { /** *The unique identifier string for each client. This client uses this identifier to get * authenticated by the service in subsequent calls.
* @public */ clientId?: string | undefined; /** *A secret string generated for the client. The client will use this string to get * authenticated by the service in subsequent calls.
* @public */ clientSecret?: string | undefined; /** *Indicates the time at which the clientId and clientSecret were
* issued.
Indicates the time at which the clientId and clientSecret will
* become invalid.
An endpoint that the client can use to request authorization.
* @public */ authorizationEndpoint?: string | undefined; /** *An endpoint that the client can use to create tokens.
* @public */ tokenEndpoint?: string | undefined; } /** * @public */ export interface StartDeviceAuthorizationRequest { /** *The unique identifier string for the client that is registered with IAM Identity Center. This value * should come from the persisted result of the RegisterClient API * operation.
* @public */ clientId: string | undefined; /** *A secret string that is generated for the client. This value should come from the * persisted result of the RegisterClient API operation.
* @public */ clientSecret: string | undefined; /** *The URL for the Amazon Web Services access portal. For more information, see Using * the Amazon Web Services access portal in the IAM Identity Center User Guide.
* @public */ startUrl: string | undefined; } /** * @public */ export interface StartDeviceAuthorizationResponse { /** *The short-lived code that is used by the device when polling for a session token.
* @public */ deviceCode?: string | undefined; /** *A one-time user verification code. This is needed to authorize an in-use device.
* @public */ userCode?: string | undefined; /** *The URI of the verification page that takes the userCode to authorize the
* device.
An alternate URL that the client can use to automatically launch a browser. This process * skips the manual step in which the user visits the verification page and enters their * code.
* @public */ verificationUriComplete?: string | undefined; /** *Indicates the number of seconds in which the verification code will become invalid.
* @public */ expiresIn?: number | undefined; /** *Indicates the number of seconds the client must wait between attempts when polling for a * session.
* @public */ interval?: number | undefined; } /** * @internal */ export declare const CreateTokenRequestFilterSensitiveLog: (obj: CreateTokenRequest) => any; /** * @internal */ export declare const CreateTokenResponseFilterSensitiveLog: (obj: CreateTokenResponse) => any; /** * @internal */ export declare const CreateTokenWithIAMRequestFilterSensitiveLog: (obj: CreateTokenWithIAMRequest) => any; /** * @internal */ export declare const CreateTokenWithIAMResponseFilterSensitiveLog: (obj: CreateTokenWithIAMResponse) => any; /** * @internal */ export declare const RegisterClientResponseFilterSensitiveLog: (obj: RegisterClientResponse) => any; /** * @internal */ export declare const StartDeviceAuthorizationRequestFilterSensitiveLog: (obj: StartDeviceAuthorizationRequest) => any;