openapi-directory
Building & bundling https://github.com/APIs-guru/openapi-directory for easy use from JS
JSON
{"openapi":"3.0.0","info":{"version":"2019-06-10","x-release":"v4","title":"AWS SSO OIDC","description":"<p>AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a client (such as AWS CLI or a native application) to register with IAM Identity Center. The service also enables the client to fetch the user’s access token upon successful authentication and authorization with IAM Identity Center.</p> <note> <p>Although AWS Single Sign-On was renamed, the <code>sso</code> and <code>identitystore</code> API namespaces will continue to retain their original name for backward compatibility purposes. For more information, see <a href=\"https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed\">IAM Identity Center rename</a>.</p> </note> <p> <b>Considerations for Using This Guide</b> </p> <p>Before you begin using this guide, we recommend that you first review the following important information about how the IAM Identity Center OIDC service works.</p> <ul> <li> <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization Grant standard (<a href=\"https://tools.ietf.org/html/rfc8628\">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in future releases.</p> </li> <li> <p>The service emits only OIDC access tokens, such that obtaining a new token (For example, token refresh) requires explicit user re-authentication.</p> </li> <li> <p>The access tokens provided by this service grant access to all AWS account entitlements assigned to an IAM Identity Center user, not just a particular application.</p> </li> <li> <p>The documentation in this guide does not describe the mechanism to convert the access token into AWS Auth (“sigv4”) credentials for use with IAM-protected AWS service endpoints. For more information, see <a href=\"https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html\">GetRoleCredentials</a> in the <i>IAM Identity Center Portal API Reference Guide</i>.</p> </li> </ul> <p>For general information about IAM Identity Center, see <a href=\"https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html\">What is IAM Identity Center?</a> in the <i>IAM Identity Center User Guide</i>.</p>","x-logo":{"url":"https://twitter.com/awscloud/profile_image?size=original","backgroundColor":"#FFFFFF"},"termsOfService":"https://aws.amazon.com/service-terms/","contact":{"name":"Mike Ralphson","email":"mike.ralphson@gmail.com","url":"https://github.com/mermade/aws2openapi","x-twitter":"PermittedSoc"},"license":{"name":"Apache 2.0 License","url":"http://www.apache.org/licenses/"},"x-providerName":"amazonaws.com","x-serviceName":"sso-oidc","x-aws-signingName":"awsssooidc","x-origin":[{"contentType":"application/json","url":"https://raw.githubusercontent.com/aws/aws-sdk-js/master/apis/sso-oidc-2019-06-10.normal.json","converter":{"url":"https://github.com/mermade/aws2openapi","version":"1.0.0"},"x-apisguru-driver":"external"}],"x-apiClientRegistration":{"url":"https://portal.aws.amazon.com/gp/aws/developer/registration/index.html?nc2=h_ct"},"x-apisguru-categories":["cloud"],"x-preferred":true},"externalDocs":{"description":"Amazon Web Services documentation","url":"https://docs.aws.amazon.com/oidc/"},"servers":[{"url":"http://oidc.{region}.amazonaws.com","variables":{"region":{"description":"The AWS region","enum":["us-east-1","us-east-2","us-west-1","us-west-2","us-gov-west-1","us-gov-east-1","ca-central-1","eu-north-1","eu-west-1","eu-west-2","eu-west-3","eu-central-1","eu-south-1","af-south-1","ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-southeast-1","ap-southeast-2","ap-east-1","ap-south-1","sa-east-1","me-south-1"],"default":"us-east-1"}},"description":"The SSO OIDC multi-region endpoint"},{"url":"https://oidc.{region}.amazonaws.com","variables":{"region":{"description":"The AWS region","enum":["us-east-1","us-east-2","us-west-1","us-west-2","us-gov-west-1","us-gov-east-1","ca-central-1","eu-north-1","eu-west-1","eu-west-2","eu-west-3","eu-central-1","eu-south-1","af-south-1","ap-northeast-1","ap-northeast-2","ap-northeast-3","ap-southeast-1","ap-southeast-2","ap-east-1","ap-south-1","sa-east-1","me-south-1"],"default":"us-east-1"}},"description":"The SSO OIDC multi-region endpoint"},{"url":"http://oidc.{region}.amazonaws.com.cn","variables":{"region":{"description":"The AWS region","enum":["cn-north-1","cn-northwest-1"],"default":"cn-north-1"}},"description":"The SSO OIDC endpoint for China (Beijing) and China (Ningxia)"},{"url":"https://oidc.{region}.amazonaws.com.cn","variables":{"region":{"description":"The AWS region","enum":["cn-north-1","cn-northwest-1"],"default":"cn-north-1"}},"description":"The SSO OIDC endpoint for China (Beijing) and China (Ningxia)"}],"paths":{"/token":{"post":{"operationId":"CreateToken","description":"Creates and returns an access token for the authorized client. The access token issued will be used to fetch short-term credentials for the assigned roles in the AWS account.","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/CreateTokenResponse"}}}},"480":{"description":"InvalidRequestException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidRequestException"}}}},"481":{"description":"InvalidClientException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidClientException"}}}},"482":{"description":"InvalidGrantException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidGrantException"}}}},"483":{"description":"UnauthorizedClientException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnauthorizedClientException"}}}},"484":{"description":"UnsupportedGrantTypeException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnsupportedGrantTypeException"}}}},"485":{"description":"InvalidScopeException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidScopeException"}}}},"486":{"description":"AuthorizationPendingException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AuthorizationPendingException"}}}},"487":{"description":"SlowDownException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SlowDownException"}}}},"488":{"description":"AccessDeniedException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AccessDeniedException"}}}},"489":{"description":"ExpiredTokenException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/ExpiredTokenException"}}}},"490":{"description":"InternalServerException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InternalServerException"}}}}},"parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["clientId","clientSecret","grantType"],"properties":{"clientId":{"description":"The unique identifier string for each client. This value should come from the persisted result of the <a>RegisterClient</a> API.","type":"string"},"clientSecret":{"description":"A secret string generated for the client. This value should come from the persisted result of the <a>RegisterClient</a> API.","type":"string"},"grantType":{"description":"<p>Supports grant types for the authorization code, refresh token, and device code request. For device code requests, specify the following value:</p> <p> <code>urn:ietf:params:oauth:grant-type:<i>device_code</i> </code> </p> <p>For information about how to obtain the device code, see the <a>StartDeviceAuthorization</a> topic.</p>","type":"string"},"deviceCode":{"description":"Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt. This should come from an in-memory reference to the result of the <a>StartDeviceAuthorization</a> API.","type":"string"},"code":{"description":"The authorization code received from the authorization service. This parameter is required to perform an authorization grant request to get access to a token.","type":"string"},"refreshToken":{"description":"<p>Currently, <code>refreshToken</code> is not yet implemented and is not supported. For more information about the features and limitations of the current IAM Identity Center OIDC implementation, see <i>Considerations for Using this Guide</i> in the <a href=\"https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html\">IAM Identity Center OIDC API Reference</a>.</p> <p>The token used to obtain an access token in the event that the access token is invalid or expired.</p>","type":"string"},"scope":{"description":"The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.","type":"array","items":{"$ref":"#/components/schemas/Scope"}},"redirectUri":{"description":"The location of the application that will receive the authorization code. Users authorize the service to send the request to this location.","type":"string"}}}}}}},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/client/register":{"post":{"operationId":"RegisterClient","description":"Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests.","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/RegisterClientResponse"}}}},"480":{"description":"InvalidRequestException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidRequestException"}}}},"481":{"description":"InvalidScopeException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidScopeException"}}}},"482":{"description":"InvalidClientMetadataException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidClientMetadataException"}}}},"483":{"description":"InternalServerException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InternalServerException"}}}}},"parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["clientName","clientType"],"properties":{"clientName":{"description":"The friendly name of the client.","type":"string"},"clientType":{"description":"The type of client. The service supports only <code>public</code> as a client type. Anything other than public will be rejected by the service.","type":"string"},"scopes":{"description":"The list of scopes that are defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.","type":"array","items":{"$ref":"#/components/schemas/Scope"}}}}}}}},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]},"/device_authorization":{"post":{"operationId":"StartDeviceAuthorization","description":"Initiates device authorization by requesting a pair of verification codes from the authorization service.","responses":{"200":{"description":"Success","content":{"application/json":{"schema":{"$ref":"#/components/schemas/StartDeviceAuthorizationResponse"}}}},"480":{"description":"InvalidRequestException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidRequestException"}}}},"481":{"description":"InvalidClientException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InvalidClientException"}}}},"482":{"description":"UnauthorizedClientException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UnauthorizedClientException"}}}},"483":{"description":"SlowDownException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/SlowDownException"}}}},"484":{"description":"InternalServerException","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InternalServerException"}}}}},"parameters":[],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","required":["clientId","clientSecret","startUrl"],"properties":{"clientId":{"description":"The unique identifier string for the client that is registered with IAM Identity Center. This value should come from the persisted result of the <a>RegisterClient</a> API operation.","type":"string"},"clientSecret":{"description":"A secret string that is generated for the client. This value should come from the persisted result of the <a>RegisterClient</a> API operation.","type":"string"},"startUrl":{"description":"The URL for the AWS access portal. For more information, see <a href=\"https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html\">Using the AWS access portal</a> in the <i>IAM Identity Center User Guide</i>.","type":"string"}}}}}}},"parameters":[{"$ref":"#/components/parameters/X-Amz-Content-Sha256"},{"$ref":"#/components/parameters/X-Amz-Date"},{"$ref":"#/components/parameters/X-Amz-Algorithm"},{"$ref":"#/components/parameters/X-Amz-Credential"},{"$ref":"#/components/parameters/X-Amz-Security-Token"},{"$ref":"#/components/parameters/X-Amz-Signature"},{"$ref":"#/components/parameters/X-Amz-SignedHeaders"}]}},"components":{"parameters":{"X-Amz-Content-Sha256":{"name":"X-Amz-Content-Sha256","in":"header","schema":{"type":"string"},"required":false},"X-Amz-Date":{"name":"X-Amz-Date","in":"header","schema":{"type":"string"},"required":false},"X-Amz-Algorithm":{"name":"X-Amz-Algorithm","in":"header","schema":{"type":"string"},"required":false},"X-Amz-Credential":{"name":"X-Amz-Credential","in":"header","schema":{"type":"string"},"required":false},"X-Amz-Security-Token":{"name":"X-Amz-Security-Token","in":"header","schema":{"type":"string"},"required":false},"X-Amz-Signature":{"name":"X-Amz-Signature","in":"header","schema":{"type":"string"},"required":false},"X-Amz-SignedHeaders":{"name":"X-Amz-SignedHeaders","in":"header","schema":{"type":"string"},"required":false}},"securitySchemes":{"hmac":{"type":"apiKey","name":"Authorization","in":"header","description":"Amazon Signature authorization v4","x-amazon-apigateway-authtype":"awsSigv4"}},"schemas":{"CreateTokenResponse":{"type":"object","properties":{"accessToken":{"allOf":[{"$ref":"#/components/schemas/AccessToken"},{"description":"An opaque token to access IAM Identity Center resources assigned to a user."}]},"tokenType":{"allOf":[{"$ref":"#/components/schemas/TokenType"},{"description":"Used to notify the client that the returned token is an access token. The supported type is <code>BearerToken</code>."}]},"expiresIn":{"allOf":[{"$ref":"#/components/schemas/ExpirationInSeconds"},{"description":"Indicates the time in seconds when an access token will expire."}]},"refreshToken":{"allOf":[{"$ref":"#/components/schemas/RefreshToken"},{"description":"<p>Currently, <code>refreshToken</code> is not yet implemented and is not supported. For more information about the features and limitations of the current IAM Identity Center OIDC implementation, see <i>Considerations for Using this Guide</i> in the <a href=\"https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html\">IAM Identity Center OIDC API Reference</a>.</p> <p>A token that, if present, can be used to refresh a previously issued access token that might have expired.</p>"}]},"idToken":{"allOf":[{"$ref":"#/components/schemas/IdToken"},{"description":"<p>Currently, <code>idToken</code> is not yet implemented and is not supported. For more information about the features and limitations of the current IAM Identity Center OIDC implementation, see <i>Considerations for Using this Guide</i> in the <a href=\"https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html\">IAM Identity Center OIDC API Reference</a>.</p> <p>The identifier of the user that associated with the access token, if present.</p>"}]}}},"Scope":{"type":"string"},"InvalidRequestException":{},"InvalidClientException":{},"InvalidGrantException":{},"UnauthorizedClientException":{},"UnsupportedGrantTypeException":{},"InvalidScopeException":{},"AuthorizationPendingException":{},"SlowDownException":{},"AccessDeniedException":{},"ExpiredTokenException":{},"InternalServerException":{},"RegisterClientResponse":{"type":"object","properties":{"clientId":{"allOf":[{"$ref":"#/components/schemas/ClientId"},{"description":"The unique identifier string for each client. This client uses this identifier to get authenticated by the service in subsequent calls."}]},"clientSecret":{"allOf":[{"$ref":"#/components/schemas/ClientSecret"},{"description":"A secret string generated for the client. The client will use this string to get authenticated by the service in subsequent calls."}]},"clientIdIssuedAt":{"allOf":[{"$ref":"#/components/schemas/LongTimeStampType"},{"description":"Indicates the time at which the <code>clientId</code> and <code>clientSecret</code> were issued."}]},"clientSecretExpiresAt":{"allOf":[{"$ref":"#/components/schemas/LongTimeStampType"},{"description":"Indicates the time at which the <code>clientId</code> and <code>clientSecret</code> will become invalid."}]},"authorizationEndpoint":{"allOf":[{"$ref":"#/components/schemas/URI"},{"description":"The endpoint where the client can request authorization."}]},"tokenEndpoint":{"allOf":[{"$ref":"#/components/schemas/URI"},{"description":"The endpoint where the client can get an access token."}]}}},"InvalidClientMetadataException":{},"StartDeviceAuthorizationResponse":{"type":"object","properties":{"deviceCode":{"allOf":[{"$ref":"#/components/schemas/DeviceCode"},{"description":"The short-lived code that is used by the device when polling for a session token."}]},"userCode":{"allOf":[{"$ref":"#/components/schemas/UserCode"},{"description":"A one-time user verification code. This is needed to authorize an in-use device."}]},"verificationUri":{"allOf":[{"$ref":"#/components/schemas/URI"},{"description":"The URI of the verification page that takes the <code>userCode</code> to authorize the device."}]},"verificationUriComplete":{"allOf":[{"$ref":"#/components/schemas/URI"},{"description":"An alternate URL that the client can use to automatically launch a browser. This process skips the manual step in which the user visits the verification page and enters their code."}]},"expiresIn":{"allOf":[{"$ref":"#/components/schemas/ExpirationInSeconds"},{"description":"Indicates the number of seconds in which the verification code will become invalid."}]},"interval":{"allOf":[{"$ref":"#/components/schemas/IntervalInSeconds"},{"description":"Indicates the number of seconds the client must wait between attempts when polling for a session."}]}}},"AccessToken":{"type":"string"},"AuthCode":{"type":"string"},"ClientId":{"type":"string"},"ClientName":{"type":"string"},"ClientSecret":{"type":"string"},"ClientType":{"type":"string"},"GrantType":{"type":"string"},"DeviceCode":{"type":"string"},"RefreshToken":{"type":"string"},"Scopes":{"type":"array","items":{"$ref":"#/components/schemas/Scope"}},"URI":{"type":"string"},"CreateTokenRequest":{"type":"object","required":["clientId","clientSecret","grantType"],"title":"CreateTokenRequest","properties":{"clientId":{"allOf":[{"$ref":"#/components/schemas/ClientId"},{"description":"The unique identifier string for each client. This value should come from the persisted result of the <a>RegisterClient</a> API."}]},"clientSecret":{"allOf":[{"$ref":"#/components/schemas/ClientSecret"},{"description":"A secret string generated for the client. This value should come from the persisted result of the <a>RegisterClient</a> API."}]},"grantType":{"allOf":[{"$ref":"#/components/schemas/GrantType"},{"description":"<p>Supports grant types for the authorization code, refresh token, and device code request. For device code requests, specify the following value:</p> <p> <code>urn:ietf:params:oauth:grant-type:<i>device_code</i> </code> </p> <p>For information about how to obtain the device code, see the <a>StartDeviceAuthorization</a> topic.</p>"}]},"deviceCode":{"allOf":[{"$ref":"#/components/schemas/DeviceCode"},{"description":"Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt. This should come from an in-memory reference to the result of the <a>StartDeviceAuthorization</a> API."}]},"code":{"allOf":[{"$ref":"#/components/schemas/AuthCode"},{"description":"The authorization code received from the authorization service. This parameter is required to perform an authorization grant request to get access to a token."}]},"refreshToken":{"allOf":[{"$ref":"#/components/schemas/RefreshToken"},{"description":"<p>Currently, <code>refreshToken</code> is not yet implemented and is not supported. For more information about the features and limitations of the current IAM Identity Center OIDC implementation, see <i>Considerations for Using this Guide</i> in the <a href=\"https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html\">IAM Identity Center OIDC API Reference</a>.</p> <p>The token used to obtain an access token in the event that the access token is invalid or expired.</p>"}]},"scope":{"allOf":[{"$ref":"#/components/schemas/Scopes"},{"description":"The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token."}]},"redirectUri":{"allOf":[{"$ref":"#/components/schemas/URI"},{"description":"The location of the application that will receive the authorization code. Users authorize the service to send the request to this location."}]}}},"TokenType":{"type":"string"},"ExpirationInSeconds":{"type":"integer"},"IdToken":{"type":"string"},"IntervalInSeconds":{"type":"integer"},"LongTimeStampType":{"type":"integer"},"RegisterClientRequest":{"type":"object","required":["clientName","clientType"],"title":"RegisterClientRequest","properties":{"clientName":{"allOf":[{"$ref":"#/components/schemas/ClientName"},{"description":"The friendly name of the client."}]},"clientType":{"allOf":[{"$ref":"#/components/schemas/ClientType"},{"description":"The type of client. The service supports only <code>public</code> as a client type. Anything other than public will be rejected by the service."}]},"scopes":{"allOf":[{"$ref":"#/components/schemas/Scopes"},{"description":"The list of scopes that are defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token."}]}}},"StartDeviceAuthorizationRequest":{"type":"object","required":["clientId","clientSecret","startUrl"],"title":"StartDeviceAuthorizationRequest","properties":{"clientId":{"allOf":[{"$ref":"#/components/schemas/ClientId"},{"description":"The unique identifier string for the client that is registered with IAM Identity Center. This value should come from the persisted result of the <a>RegisterClient</a> API operation."}]},"clientSecret":{"allOf":[{"$ref":"#/components/schemas/ClientSecret"},{"description":"A secret string that is generated for the client. This value should come from the persisted result of the <a>RegisterClient</a> API operation."}]},"startUrl":{"allOf":[{"$ref":"#/components/schemas/URI"},{"description":"The URL for the AWS access portal. For more information, see <a href=\"https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html\">Using the AWS access portal</a> in the <i>IAM Identity Center User Guide</i>."}]}}},"UserCode":{"type":"string"}}},"security":[{"hmac":[]}]}