ssooidc

package module
v1.23.4
Published: Mar 29, 2024 License: Apache-2.0 Imports: 37 Imported by: 20

Documentation

Overview

Package ssooidc provides the API client, operations, and parameter types for AWS SSO OIDC.

IAM Identity Center OpenID Connect (OIDC) is a web service that enables a client (such as the CLI or a native application) to register with IAM Identity Center. The service also enables the client to fetch the user's access token upon successful authentication and authorization with IAM Identity Center. IAM Identity Center uses the sso and identitystore API namespaces.

Considerations for Using This Guide

Before you begin using this guide, we recommend that you first review the following important information about how the IAM Identity Center OIDC service works.

  • The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628) that are necessary to enable single sign-on authentication with the CLI.
  • With older versions of the CLI, the service only emits OIDC access tokens, so to obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that supports token refresh and doesn't require re-authentication, update to the latest CLI version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and configurable IAM Identity Center session durations. For more information, see Configure Amazon Web Services access portal session duration (https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html).
  • The access tokens provided by this service grant access to all Amazon Web Services account entitlements assigned to an IAM Identity Center user, not just a particular application.
  • The documentation in this guide does not describe the mechanism to convert the access token into Amazon Web Services Auth (“sigv4”) credentials for use with IAM-protected Amazon Web Services service endpoints. For more information, see GetRoleCredentials (https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html) in the IAM Identity Center Portal API Reference Guide.

For general information about IAM Identity Center, see What is IAM Identity Center? (https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html) in the IAM Identity Center User Guide.

Index

Constants

const ServiceAPIVersion = "2019-06-10"
const ServiceID = "SSO OIDC"

Variables

This section is empty.

Functions

func NewDefaultEndpointResolver

func NewDefaultEndpointResolver() *internalendpoints.Resolver

NewDefaultEndpointResolver constructs a new service endpoint resolver

func WithAPIOptions added in v1.0.0

func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options)

WithAPIOptions returns a functional option for setting the Client's APIOptions option.

func WithEndpointResolver deprecated

func WithEndpointResolver(v EndpointResolver) func(*Options)

Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for this field will likely prevent you from using any endpoint-related service features released after the introduction of EndpointResolverV2 and BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom endpoint, set the client option BaseEndpoint instead.

func WithEndpointResolverV2 added in v1.15.0

func WithEndpointResolverV2(v EndpointResolverV2) func(*Options)

WithEndpointResolverV2 returns a functional option for setting the Client's EndpointResolverV2 option.

func WithSigV4SigningName added in v1.19.2

func WithSigV4SigningName(name string) func(*Options)

WithSigV4SigningName applies an override to the authentication workflow to use the given signing name for SigV4-authenticated operations.

This is an advanced setting. The value here is FINAL, taking precedence over the resolved signing name from both auth scheme resolution and endpoint resolution.

func WithSigV4SigningRegion added in v1.19.2

func WithSigV4SigningRegion(region string) func(*Options)

WithSigV4SigningRegion applies an override to the authentication workflow to use the given signing region for SigV4-authenticated operations.

This is an advanced setting. The value here is FINAL, taking precedence over the resolved signing region from both auth scheme resolution and endpoint resolution.

Types

type AuthResolverParameters added in v1.19.2

type AuthResolverParameters struct {
	// The name of the operation being invoked.
	Operation string

	// The region in which the operation is being invoked.
	Region string
}

AuthResolverParameters contains the set of inputs necessary for auth scheme resolution.

type AuthSchemeResolver added in v1.19.2

type AuthSchemeResolver interface {
	ResolveAuthSchemes(context.Context, *AuthResolverParameters) ([]*smithyauth.Option, error)
}

AuthSchemeResolver returns a set of possible authentication options for an operation.

type Client

type Client struct {
	// contains filtered or unexported fields
}

Client provides the API client to make operations call for AWS SSO OIDC.

func New

func New(options Options, optFns ...func(*Options)) *Client

New returns an initialized Client based on the functional options. Provide additional functional options to further configure the behavior of the client, such as changing the client's endpoint or adding custom middleware behavior.

func NewFromConfig

func NewFromConfig(cfg aws.Config, optFns ...func(*Options)) *Client

NewFromConfig returns a new client from the provided config.

func (*Client) CreateToken

func (c *Client) CreateToken(ctx context.Context, params *CreateTokenInput, optFns ...func(*Options)) (*CreateTokenOutput, error)

Creates and returns access and refresh tokens for clients that are authenticated using client secrets. The access token can be used to fetch short-term credentials for the assigned AWS accounts or to access application APIs using bearer authentication.

func (*Client) CreateTokenWithIAM added in v1.20.0

func (c *Client) CreateTokenWithIAM(ctx context.Context, params *CreateTokenWithIAMInput, optFns ...func(*Options)) (*CreateTokenWithIAMOutput, error)

Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. The access token can be used to fetch short-term credentials for the assigned AWS accounts or to access application APIs using bearer authentication.

func (*Client) Options added in v1.21.0

func (c *Client) Options() Options

Options returns a copy of the client configuration.

Callers SHOULD NOT perform mutations on any inner structures within client config. Config overrides should instead be made on a per-operation basis through functional options.

func (*Client) RegisterClient

func (c *Client) RegisterClient(ctx context.Context, params *RegisterClientInput, optFns ...func(*Options)) (*RegisterClientOutput, error)

Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests.

func (*Client) StartDeviceAuthorization

func (c *Client) StartDeviceAuthorization(ctx context.Context, params *StartDeviceAuthorizationInput, optFns ...func(*Options)) (*StartDeviceAuthorizationOutput, error)

Initiates device authorization by requesting a pair of verification codes from the authorization service.

type CreateTokenInput

type CreateTokenInput struct {

	// The unique identifier string for the client or application. This value comes
	// from the result of the RegisterClient API.
	//
	// This member is required.
	ClientId *string

	// A secret string generated for the client. This value should come from the
	// persisted result of the RegisterClient API.
	//
	// This member is required.
	ClientSecret *string

	// Supports the following OAuth grant types: Device Code and Refresh Token.
	// Specify either of the following values, depending on the grant type that you
	// want:
	//   * Device Code - urn:ietf:params:oauth:grant-type:device_code
	//   * Refresh Token - refresh_token
	// For information about how to obtain the device code, see the
	// StartDeviceAuthorization topic.
	//
	// This member is required.
	GrantType *string

	// Used only when calling this API for the Authorization Code grant type. The
	// short-term code is used to identify this authorization request. This grant type
	// is currently unsupported for the CreateToken API.
	Code *string

	// Used only when calling this API for the Device Code grant type. This short-term
	// code is used to identify this authorization request. This comes from the result
	// of the StartDeviceAuthorization API.
	DeviceCode *string

	// Used only when calling this API for the Authorization Code grant type. This
	// value specifies the location of the client or application that has registered to
	// receive the authorization code.
	RedirectUri *string

	// Used only when calling this API for the Refresh Token grant type. This token is
	// used to refresh short-term tokens, such as the access token, that might expire.
	// For more information about the features and limitations of the current IAM
	// Identity Center OIDC implementation, see Considerations for Using this Guide in
	// the IAM Identity Center OIDC API Reference
	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
	RefreshToken *string

	// The list of scopes for which authorization is requested. The access token that
	// is issued is limited to the scopes that are granted. If this value is not
	// specified, IAM Identity Center authorizes all scopes that are configured for the
	// client during the call to RegisterClient.
	Scope []string
	// contains filtered or unexported fields
}

type CreateTokenOutput

type CreateTokenOutput struct {

	// A bearer token to access AWS accounts and applications assigned to a user.
	AccessToken *string

	// Indicates the time in seconds when an access token will expire.
	ExpiresIn int32

	// A JSON Web Token (JWT) that identifies who is associated with the issued
	// access token. The idToken is not implemented or supported. For more information
	// about the features and limitations of the current IAM Identity Center OIDC
	// implementation, see Considerations for Using this Guide in the IAM Identity
	// Center OIDC API Reference
	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
	IdToken *string

	// A token that, if present, can be used to refresh a previously issued access
	// token that might have expired. For more information about the features and
	// limitations of the current IAM Identity Center OIDC implementation, see
	// Considerations for Using this Guide in the IAM Identity Center OIDC API
	// Reference
	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
	RefreshToken *string

	// Used to notify the client that the returned token is an access token. The
	// supported token type is Bearer.
	TokenType *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
	// contains filtered or unexported fields
}

type CreateTokenWithIAMInput added in v1.20.0

type CreateTokenWithIAMInput struct {

	// The unique identifier string for the client or application. This value is an
	// application ARN that has OAuth grants configured.
	//
	// This member is required.
	ClientId *string

	// Supports the following OAuth grant types: Authorization Code, Refresh Token,
	// JWT Bearer, and Token Exchange. Specify one of the following values, depending
	// on the grant type that you want:
	//   * Authorization Code - authorization_code
	//   * Refresh Token - refresh_token
	//   * JWT Bearer - urn:ietf:params:oauth:grant-type:jwt-bearer
	//   * Token Exchange - urn:ietf:params:oauth:grant-type:token-exchange
	//
	// This member is required.
	GrantType *string

	// Used only when calling this API for the JWT Bearer grant type. This value
	// specifies the JSON Web Token (JWT) issued by a trusted token issuer. To
	// authorize a trusted token issuer, configure the JWT Bearer GrantOptions for the
	// application.
	Assertion *string

	// Used only when calling this API for the Authorization Code grant type. This
	// short-term code is used to identify this authorization request. The code is
	// obtained through a redirect from IAM Identity Center to a redirect URI persisted
	// in the Authorization Code GrantOptions for the application.
	Code *string

	// Used only when calling this API for the Authorization Code grant type. This
	// value specifies the location of the client or application that has registered to
	// receive the authorization code.
	RedirectUri *string

	// Used only when calling this API for the Refresh Token grant type. This token is
	// used to refresh short-term tokens, such as the access token, that might expire.
	// For more information about the features and limitations of the current IAM
	// Identity Center OIDC implementation, see Considerations for Using this Guide in
	// the IAM Identity Center OIDC API Reference
	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
	RefreshToken *string

	// Used only when calling this API for the Token Exchange grant type. This value
	// specifies the type of token that the requester can receive. The following values
	// are supported:
	//   * Access Token - urn:ietf:params:oauth:token-type:access_token
	//   * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
	RequestedTokenType *string

	// The list of scopes for which authorization is requested. The access token that
	// is issued is limited to the scopes that are granted. If the value is not
	// specified, IAM Identity Center authorizes all scopes configured for the
	// application, including the following default scopes: openid, aws,
	// sts:identity_context.
	Scope []string

	// Used only when calling this API for the Token Exchange grant type. This value
	// specifies the subject of the exchange. The value of the subject token must be an
	// access token issued by IAM Identity Center to a different client or application.
	// The access token must have authorized scopes that indicate the requested
	// application as a target audience.
	SubjectToken *string

	// Used only when calling this API for the Token Exchange grant type. This value
	// specifies the type of token that is passed as the subject of the exchange. The
	// following value is supported:
	//   * Access Token - urn:ietf:params:oauth:token-type:access_token
	SubjectTokenType *string
	// contains filtered or unexported fields
}

type CreateTokenWithIAMOutput added in v1.20.0

type CreateTokenWithIAMOutput struct {

	// A bearer token to access AWS accounts and applications assigned to a user.
	AccessToken *string

	// Indicates the time in seconds when an access token will expire.
	ExpiresIn int32

	// A JSON Web Token (JWT) that identifies the user associated with the issued
	// access token.
	IdToken *string

	// Indicates the type of tokens that are issued by IAM Identity Center. The
	// following values are supported:
	//   * Access Token - urn:ietf:params:oauth:token-type:access_token
	//   * Refresh Token - urn:ietf:params:oauth:token-type:refresh_token
	IssuedTokenType *string

	// A token that, if present, can be used to refresh a previously issued access
	// token that might have expired. For more information about the features and
	// limitations of the current IAM Identity Center OIDC implementation, see
	// Considerations for Using this Guide in the IAM Identity Center OIDC API
	// Reference
	// (https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html).
	RefreshToken *string

	// The list of scopes for which authorization is granted. The access token that is
	// issued is limited to the scopes that are granted.
	Scope []string

	// Used to notify the requester that the returned token is an access token. The
	// supported token type is Bearer.
	TokenType *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
	// contains filtered or unexported fields
}

type EndpointParameters added in v1.15.0

type EndpointParameters struct {
	// The AWS region used to dispatch the request.
	//
	// Parameter is required.
	//
	// AWS::Region
	Region *string

	// When true, use the dual-stack endpoint. If the configured endpoint does not
	// support dual-stack, dispatching the request MAY return an error.
	//
	// Defaults to false if no value is provided.
	//
	// AWS::UseDualStack
	UseDualStack *bool

	// When true, send this request to the FIPS-compliant regional endpoint. If the
	// configured endpoint does not have a FIPS compliant endpoint, dispatching the
	// request will return an error.
	//
	// Defaults to false if no value is provided.
	//
	// AWS::UseFIPS
	UseFIPS *bool

	// Override the endpoint used to send this request
	//
	// Parameter is required.
	//
	// SDK::Endpoint
	Endpoint *string
}

EndpointParameters provides the parameters that influence how endpoints are resolved.

func (EndpointParameters) ValidateRequired added in v1.15.0

func (p EndpointParameters) ValidateRequired() error

ValidateRequired validates required parameters are set.

func (EndpointParameters) WithDefaults added in v1.15.0

func (p EndpointParameters) WithDefaults() EndpointParameters

WithDefaults returns a shallow copy of EndpointParameters with default values applied to members where applicable.

type EndpointResolver

type EndpointResolver interface {
	ResolveEndpoint(region string, options EndpointResolverOptions) (aws.Endpoint, error)
}

EndpointResolver interface for resolving service endpoints.

func EndpointResolverFromURL added in v1.1.0

func EndpointResolverFromURL(url string, optFns ...func(*aws.Endpoint)) EndpointResolver

EndpointResolverFromURL returns an EndpointResolver configured using the provided endpoint url. By default, the resolved endpoint resolver uses the client region as signing region, and the endpoint source is set to EndpointSourceCustom. You can provide functional options to configure endpoint values for the resolved endpoint.

type EndpointResolverFunc

type EndpointResolverFunc func(region string, options EndpointResolverOptions) (aws.Endpoint, error)

EndpointResolverFunc is a helper utility that wraps a function so it satisfies the EndpointResolver interface. This is useful when you want to add additional endpoint resolving logic, or stub out specific endpoints with custom values.

func (EndpointResolverFunc) ResolveEndpoint

func (fn EndpointResolverFunc) ResolveEndpoint(region string, options EndpointResolverOptions) (endpoint aws.Endpoint, err error)

type EndpointResolverOptions added in v0.29.0

type EndpointResolverOptions = internalendpoints.Options

EndpointResolverOptions is the service endpoint resolver options

type EndpointResolverV2 added in v1.15.0

type EndpointResolverV2 interface {
	// ResolveEndpoint attempts to resolve the endpoint with the provided options,
	// returning the endpoint if found. Otherwise an error is returned.
	ResolveEndpoint(ctx context.Context, params EndpointParameters) (
		smithyendpoints.Endpoint, error,
	)
}

EndpointResolverV2 provides the interface for resolving service endpoints.

func NewDefaultEndpointResolverV2 added in v1.15.0

func NewDefaultEndpointResolverV2() EndpointResolverV2

type HTTPClient

type HTTPClient interface {
	Do(*http.Request) (*http.Response, error)
}

type HTTPSignerV4

type HTTPSignerV4 interface {
	SignHTTP(ctx context.Context, credentials aws.Credentials, r *http.Request, payloadHash string, service string, region string, signingTime time.Time, optFns ...func(*v4.SignerOptions)) error
}

type Options

type Options struct {
	// Set of options to modify how an operation is invoked. These apply to all
	// operations invoked for this client. Use functional options on operation call to
	// modify this list for per operation behavior.
	APIOptions []func(*middleware.Stack) error

	// The optional application specific identifier appended to the User-Agent header.
	AppID string

	// This endpoint will be given as input to an EndpointResolverV2. It is used for
	// providing a custom base endpoint that is subject to modifications by the
	// processing EndpointResolverV2.
	BaseEndpoint *string

	// Configures the events that will be sent to the configured logger.
	ClientLogMode aws.ClientLogMode

	// The credentials object to use when signing requests.
	Credentials aws.CredentialsProvider

	// The configuration DefaultsMode that the SDK should use when constructing the
	// clients initial default settings.
	DefaultsMode aws.DefaultsMode

	// The endpoint options to be used when attempting to resolve an endpoint.
	EndpointOptions EndpointResolverOptions

	// The service endpoint resolver.
	//
	// Deprecated: EndpointResolver and WithEndpointResolver. Providing a
	// value for this field will likely prevent you from using any endpoint-related
	// service features released after the introduction of EndpointResolverV2 and
	// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
	// endpoint, set the client option BaseEndpoint instead.
	EndpointResolver EndpointResolver

	// Resolves the endpoint used for a particular service operation. This should be
	// used over the deprecated EndpointResolver.
	EndpointResolverV2 EndpointResolverV2

	// Signature Version 4 (SigV4) Signer
	HTTPSignerV4 HTTPSignerV4

	// The logger writer interface to write logging messages to.
	Logger logging.Logger

	// The region to send requests to. (Required)
	Region string

	// RetryMaxAttempts specifies the maximum number attempts an API client will call
	// an operation that fails with a retryable error. A value of 0 is ignored, and
	// will not be used to configure the API client created default retryer, or modify
	// per operation call's retry max attempts. If specified in an operation call's
	// functional options with a value that is different than the constructed client's
	// Options, the Client's Retryer will be wrapped to use the operation's specific
	// RetryMaxAttempts value.
	RetryMaxAttempts int

	// RetryMode specifies the retry mode the API client will be created with, if
	// Retryer option is not also specified. When creating a new API Clients this
	// member will only be used if the Retryer Options member is nil. This value will
	// be ignored if Retryer is not nil. Currently does not support per operation call
	// overrides, may in the future.
	RetryMode aws.RetryMode

	// Retryer guides how HTTP requests should be retried in case of recoverable
	// failures. When nil the API client will use a default retryer. The kind of
	// default retry created by the API client can be changed with the RetryMode
	// option.
	Retryer aws.Retryer

	// The RuntimeEnvironment configuration, only populated if the DefaultsMode is set
	// to DefaultsModeAuto and is initialized using config.LoadDefaultConfig. You
	// should not populate this structure programmatically, or rely on the values here
	// within your applications.
	RuntimeEnvironment aws.RuntimeEnvironment

	// The HTTP client to invoke API calls with. Defaults to client's default HTTP
	// implementation if nil.
	HTTPClient HTTPClient

	// The auth scheme resolver which determines how to authenticate for each
	// operation.
	AuthSchemeResolver AuthSchemeResolver

	// The list of auth schemes supported by the client.
	AuthSchemes []smithyhttp.AuthScheme
	// contains filtered or unexported fields
}

func (Options) Copy

func (o Options) Copy() Options

Copy creates a clone where the APIOptions list is deep copied.

func (Options) GetIdentityResolver added in v1.19.2

func (o Options) GetIdentityResolver(schemeID string) smithyauth.IdentityResolver

type RegisterClientInput

type RegisterClientInput struct {

	// The friendly name of the client.
	//
	// This member is required.
	ClientName *string

	// The type of client. The service supports only public as a client type. Anything
	// other than public will be rejected by the service.
	//
	// This member is required.
	ClientType *string

	// The list of scopes that are defined by the client. Upon authorization, this
	// list is used to restrict permissions when granting an access token.
	Scopes []string
	// contains filtered or unexported fields
}

type RegisterClientOutput

type RegisterClientOutput struct {

	// An endpoint that the client can use to request authorization.
	AuthorizationEndpoint *string

	// The unique identifier string for each client. This client uses this identifier
	// to get authenticated by the service in subsequent calls.
	ClientId *string

	// Indicates the time at which the clientId and clientSecret were issued.
	ClientIdIssuedAt int64

	// A secret string generated for the client. The client will use this string to
	// get authenticated by the service in subsequent calls.
	ClientSecret *string

	// Indicates the time at which the clientId and clientSecret will become invalid.
	ClientSecretExpiresAt int64

	// An endpoint that the client can use to create tokens.
	TokenEndpoint *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
	// contains filtered or unexported fields
}

type ResolveEndpoint

type ResolveEndpoint struct {
	Resolver EndpointResolver
	Options  EndpointResolverOptions
}

func (*ResolveEndpoint) HandleSerialize

func (*ResolveEndpoint) ID

func (*ResolveEndpoint) ID() string

type StartDeviceAuthorizationInput

type StartDeviceAuthorizationInput struct {

	// The unique identifier string for the client that is registered with IAM
	// Identity Center. This value should come from the persisted result of the
	// RegisterClient API operation.
	//
	// This member is required.
	ClientId *string

	// A secret string that is generated for the client. This value should come from
	// the persisted result of the RegisterClient API operation.
	//
	// This member is required.
	ClientSecret *string

	// The URL for the Amazon Web Services access portal. For more information, see
	// Using the Amazon Web Services access portal (https://docs.aws.amazon.com/singlesignon/latest/userguide/using-the-portal.html)
	// in the IAM Identity Center User Guide.
	//
	// This member is required.
	StartUrl *string
	// contains filtered or unexported fields
}

type StartDeviceAuthorizationOutput

type StartDeviceAuthorizationOutput struct {

	// The short-lived code that is used by the device when polling for a session
	// token.
	DeviceCode *string

	// Indicates the number of seconds in which the verification code will become
	// invalid.
	ExpiresIn int32

	// Indicates the number of seconds the client must wait between attempts when
	// polling for a session.
	Interval int32

	// A one-time user verification code. This is needed to authorize an in-use device.
	UserCode *string

	// The URI of the verification page that takes the userCode to authorize the
	// device.
	VerificationUri *string

	// An alternate URL that the client can use to automatically launch a browser.
	// This process skips the manual step in which the user visits the verification
	// page and enters their code.
	VerificationUriComplete *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
	// contains filtered or unexported fields
}
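The device grant this package drives (RegisterClient, then StartDeviceAuthorization, then repeated CreateToken calls with GrantType urn:ietf:params:oauth:grant-type:device_code) leaves the polling discipline to the caller: honour Interval, back off on slow_down, and stop when ExpiresIn runs out or the service answers with a terminal error. The following is an added example, not code from this module: a stand-alone Go polling loop over the fields documented above, in which OIDCError, TokenCreator and scriptedService are this example's own stand-ins for the SDK's typed errors and client, and the adapter that wraps *ssooidc.Client is assumed rather than shown.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// RFC 8628 section 3.5 error codes. The ssooidc types package surfaces them as
// AuthorizationPendingException, SlowDownException, AccessDeniedException and
// ExpiredTokenException; OIDCError is this example's stand-in for those types.
const (
	errAuthorizationPending = "authorization_pending"
	errSlowDown             = "slow_down"
)

type OIDCError struct{ Code string }

func (e *OIDCError) Error() string { return "ssooidc: " + e.Code }

// DeviceAuthorization mirrors the StartDeviceAuthorizationOutput fields the loop needs.
type DeviceAuthorization struct {
	DeviceCode string
	ExpiresIn  int32 // seconds until the device code becomes invalid
	Interval   int32 // minimum seconds the client must wait between polls
}

// Token keeps CreateTokenOutput's tokens, with ExpiresIn turned into an absolute time.
type Token struct {
	AccessToken, RefreshToken string
	ExpiresAt                 time.Time
}

// TokenCreator performs one CreateToken call with GrantType
// "urn:ietf:params:oauth:grant-type:device_code". In production, wrap
// (*ssooidc.Client).CreateToken and the persisted ClientId/ClientSecret in it (assumed adapter).
type TokenCreator func(deviceCode string) (access, refresh string, expiresIn int32, err error)

// PollForToken polls CreateToken as RFC 8628 requires: wait Interval between calls,
// add 5s on every slow_down, treat access_denied/expired_token as final, and give
// up once the device code's ExpiresIn has elapsed instead of polling forever.
// now and sleep are injected for testability; production passes time.Now and time.Sleep.
func PollForToken(create TokenCreator, auth DeviceAuthorization, now func() time.Time, sleep func(time.Duration)) (*Token, error) {
	interval := time.Duration(auth.Interval) * time.Second
	if interval <= 0 {
		interval = 5 * time.Second // RFC 8628 default when the server sends no interval
	}
	deadline := now().Add(time.Duration(auth.ExpiresIn) * time.Second)
	for {
		access, refresh, ttl, err := create(auth.DeviceCode)
		if err == nil {
			exp := now().Add(time.Duration(ttl) * time.Second)
			return &Token{AccessToken: access, RefreshToken: refresh, ExpiresAt: exp}, nil
		}
		var oe *OIDCError
		if !errors.As(err, &oe) {
			return nil, err // transport or unexpected failure: do not spin on it
		}
		switch oe.Code {
		case errAuthorizationPending: // the user has not approved the UserCode yet
		case errSlowDown:
			interval += 5 * time.Second
		default: // access_denied, expired_token or anything unknown is terminal
			return nil, fmt.Errorf("device authorization failed: %w", err)
		}
		if now().Add(interval).After(deadline) {
			return nil, fmt.Errorf("device code expired before approval: %w", err)
		}
		sleep(interval)
	}
}

// scriptedService is a constructed fake: it answers with the listed error codes in
// order, then issues a token; *calls counts CreateToken round trips.
func scriptedService(codes []string, calls *int) TokenCreator {
	return func(string) (string, string, int32, error) {
		*calls++
		if *calls <= len(codes) {
			return "", "", 0, &OIDCError{Code: codes[*calls-1]}
		}
		return "constructed-access-token", "constructed-refresh-token", 3600, nil
	}
}
```

Persist the returned RefreshToken with the same care as the RegisterClient ClientSecret, and refresh ahead of ExpiresAt rather than waiting for a 401 from the access portal.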

Directories

Path Synopsis
internal
