AWS SDK Version 3 for .NET
API Reference


Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. The access token can be used to fetch short-term credentials for the assigned Amazon Web Services accounts or to access application APIs using bearer authentication.

Note:

For .NET Core this operation is only available in asynchronous form. Please refer to CreateTokenWithIAMAsync.

Namespace: Amazon.SSOOIDC
Assembly: AWSSDK.SSOOIDC.dll
Version: 3.x.y.z

Syntax

C#
public abstract CreateTokenWithIAMResponse CreateTokenWithIAM(
         CreateTokenWithIAMRequest request
)

Parameters

request
Type: Amazon.SSOOIDC.Model.CreateTokenWithIAMRequest

Container for the necessary parameters to execute the CreateTokenWithIAM service method.

Return Value


The response from the CreateTokenWithIAM service method, as returned by SSOOIDC.

Exceptions

Exception: Condition

AccessDeniedException: You do not have sufficient access to perform this action.
AuthorizationPendingException: Indicates that a request to authorize a client with an access user session token is pending.
ExpiredTokenException: Indicates that the token issued by the service is expired and is no longer valid.
InternalServerException: Indicates that an error from the service occurred while trying to process a request.
InvalidClientException: Indicates that the clientId or clientSecret in the request is invalid. For example, this can occur when a client sends an incorrect clientId or an expired clientSecret.
InvalidGrantException: Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken request with an invalid grant type.
InvalidRequestException: Indicates that something is wrong with the input to the request. For example, a required parameter might be missing or out of range.
InvalidRequestRegionException: Indicates that a token provided as input to the request was issued by, and is only usable by calling, IAM Identity Center endpoints in another region.
InvalidScopeException: Indicates that the scope provided in the request is invalid.
SlowDownException: Indicates that the client is making the request too frequently and is more than the service can handle.
UnauthorizedClientException: Indicates that the client is not currently authorized to make the request. This can happen when a clientId is not issued for a public client.
UnsupportedGrantTypeException: Indicates that the grant type in the request is not supported by the service.

Examples

Call OAuth/OIDC /token endpoint for Authorization Code grant with IAM authentication


var client = new AmazonSSOOIDCClient();
var response = client.CreateTokenWithIAM(new CreateTokenWithIAMRequest 
{
    ClientId = "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
    Code = "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzg0In0EXAMPLEAUTHCODE",
    GrantType = "authorization_code",
    RedirectUri = "https://mywebapp.example/redirect",
    Scope = new List<string> {
        "openid",
        "aws",
        "sts:identity_context"
    }
});

string accessToken = response.AccessToken;
int expiresIn = response.ExpiresIn;
string idToken = response.IdToken;
string issuedTokenType = response.IssuedTokenType;
string refreshToken = response.RefreshToken;
List<string> scope = response.Scope;
string tokenType = response.TokenType;


Call OAuth/OIDC /token endpoint for Refresh Token grant with IAM authentication


var client = new AmazonSSOOIDCClient();
var response = client.CreateTokenWithIAM(new CreateTokenWithIAMRequest 
{
    ClientId = "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
    GrantType = "refresh_token",
    RefreshToken = "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN"
});

string accessToken = response.AccessToken;
int expiresIn = response.ExpiresIn;
string issuedTokenType = response.IssuedTokenType;
string refreshToken = response.RefreshToken;
List<string> scope = response.Scope;
string tokenType = response.TokenType;


Call OAuth/OIDC /token endpoint for JWT Bearer grant with IAM authentication


var client = new AmazonSSOOIDCClient();
var response = client.CreateTokenWithIAM(new CreateTokenWithIAMRequest 
{
    Assertion = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.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.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw",
    ClientId = "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
    GrantType = "urn:ietf:params:oauth:grant-type:jwt-bearer"
});

string accessToken = response.AccessToken;
int expiresIn = response.ExpiresIn;
string idToken = response.IdToken;
string issuedTokenType = response.IssuedTokenType;
string refreshToken = response.RefreshToken;
List<string> scope = response.Scope;
string tokenType = response.TokenType;


Call OAuth/OIDC /token endpoint for Token Exchange grant with IAM authentication


var client = new AmazonSSOOIDCClient();
var response = client.CreateTokenWithIAM(new CreateTokenWithIAMRequest 
{
    ClientId = "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
    GrantType = "urn:ietf:params:oauth:grant-type:token-exchange",
    RequestedTokenType = "urn:ietf:params:oauth:token-type:access_token",
    SubjectToken = "aoak-Hig8TUDPNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZDIFFERENTACCESSTOKEN",
    SubjectTokenType = "urn:ietf:params:oauth:token-type:access_token"
});

string accessToken = response.AccessToken;
int expiresIn = response.ExpiresIn;
string idToken = response.IdToken;
string issuedTokenType = response.IssuedTokenType;
List<string> scope = response.Scope;
string tokenType = response.TokenType;
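The following is an added example, not part of the SDK reference above, showing how a caller would use the asynchronous form (CreateTokenWithIAMAsync, the only form available on .NET Core) for the Refresh Token grant while handling the exceptions listed in the table: throttling (SlowDownException) is retried with backoff, while an expired or rejected refresh token (ExpiredTokenException, InvalidGrantException) is surfaced so the user can re-authorize with the Authorization Code grant. TokenRefresher, CachedToken and the 60-second skew are assumptions of this example; the client ARN placeholder is the one used in the examples above.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Amazon.SSOOIDC;
using Amazon.SSOOIDC.Model;

// Hypothetical helper (not SDK code): renews an IAM-authenticated application
// token and reports when a fresh user authorization is required instead.
public static class TokenRefresher
{
    // Cached bearer token with its absolute expiry, so callers can renew
    // before the service starts rejecting it. Never log these values.
    public sealed record CachedToken(string AccessToken, string RefreshToken, DateTimeOffset ExpiresAt);

    public static async Task<CachedToken> RefreshAsync(
        IAmazonSSOOIDC client, string clientIdArn, string refreshToken,
        CancellationToken ct = default)
    {
        var request = new CreateTokenWithIAMRequest
        {
            ClientId = clientIdArn,   // e.g. arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222
            GrantType = "refresh_token",
            RefreshToken = refreshToken
        };

        // Retry only on throttling; every other failure needs a different remedy.
        for (int attempt = 0; ; attempt++)
        {
            try
            {
                var response = await client.CreateTokenWithIAMAsync(request, ct);
                // ExpiresIn is a lifetime in seconds; subtract a skew (assumed 60 s)
                // so the token is renewed before it actually lapses.
                var expiresAt = DateTimeOffset.UtcNow.AddSeconds(response.ExpiresIn - 60);
                return new CachedToken(response.AccessToken, response.RefreshToken, expiresAt);
            }
            catch (SlowDownException) when (attempt < 3)
            {
                // Exponential backoff: 1 s, 2 s, 4 s.
                await Task.Delay(TimeSpan.FromSeconds(Math.Pow(2, attempt)), ct);
            }
            catch (ExpiredTokenException ex)
            {
                throw new InvalidOperationException("Refresh token expired; re-authorize with the authorization_code grant.", ex);
            }
            catch (InvalidGrantException ex)
            {
                throw new InvalidOperationException("Refresh token rejected; re-authorize with the authorization_code grant.", ex);
            }
        }
    }
}
```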


Version Information

.NET Framework:
Supported in: 4.5 and newer, 3.5

See Also