CreateToken

Creates and returns an access token for the authorized client. The access token issued will be used to fetch short-term credentials for the assigned roles in the AWS account.

Request Syntax

POST /token HTTP/1.1
Content-type: application/json

{
   "clientId": "string",
   "clientSecret": "string",
   "code": "string",
   "deviceCode": "string",
   "grantType": "string",
   "redirectUri": "string",
   "refreshToken": "string",
   "scope": [ "string" ]
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

clientId

The unique identifier string for each client. This value should come from the persisted result of the RegisterClient API.

Type: String

Required: Yes

clientSecret

A secret string generated for the client. This value should come from the persisted result of the RegisterClient API.

Type: String

Required: Yes

code

The authorization code received from the authorization service. This parameter is required to perform an authorization grant request to get access to a token.

Type: String

Required: No

deviceCode

Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt. This should come from an in-memory reference to the result of the StartDeviceAuthorization API.

Type: String

Required: Yes

grantType

Supports grant types for authorization code, refresh token, and device code request.

Type: String

Required: Yes

redirectUri

The location of the application that will receive the authorization code. Users authorize the service to send the request to this location.

Type: String

Required: No

refreshToken

Currently, refreshToken is not yet implemented and is not supported. For more information about the features and limitations of the current AWS SSO OIDC implementation, see AWS SSO OIDC API Reference.

The token used to obtain an access token in the event that the access token is invalid or expired.

Type: String

Required: No

scope

The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.

Type: Array of strings

Required: No

Response Syntax

HTTP/1.1 200
Content-type: application/json

{
   "accessToken": "string",
   "expiresIn": number,
   "idToken": "string",
   "refreshToken": "string",
   "tokenType": "string"
}

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.

accessToken

An opaque token to access AWS SSO resources assigned to a user.

Type: String

expiresIn

Indicates the time in seconds when an access token will expire.

Type: Integer

idToken

Currently, idToken is not yet implemented and is not supported. For more information about the features and limitations of the current AWS SSO OIDC implementation, see AWS SSO OIDC API Reference.

The identifier of the user that associated with the access token, if present.

Type: String

refreshToken

Currently, refreshToken is not yet implemented and is not supported. For more information about the features and limitations of the current AWS SSO OIDC implementation, see AWS SSO OIDC API Reference.

A token that, if present, can be used to refresh a previously issued access token that might have expired.

Type: String

tokenType

Used to notify the client that the returned token is an access token. The supported type is BearerToken.

Type: String

Errors

For information about the errors that are common to all actions, see Common Errors.

AccessDeniedException

You do not have sufficient access to perform this action.

HTTP Status Code: 400

AuthorizationPendingException

Indicates that a request to authorize a client with an access user session token is pending.

HTTP Status Code: 400

ExpiredTokenException

Indicates that the token issued by the service is expired and is no longer valid.

HTTP Status Code: 400

InternalServerException

Indicates that an error from the service occurred while trying to process a request.

HTTP Status Code: 500

InvalidClientException

Indicates that the clientId or clientSecret in the request is invalid. For example, this can occur when a client sends an incorrect clientId or an expired clientSecret.

HTTP Status Code: 401

InvalidGrantException

Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken request with an invalid grant type.

HTTP Status Code: 400

InvalidRequestException

Indicates that something is wrong with the input to the request. For example, a required parameter might be missing or out of range.

HTTP Status Code: 400

InvalidScopeException

Indicates that the scope provided in the request is invalid.

HTTP Status Code: 400

SlowDownException

Indicates that the client is making the request too frequently and is more than the service can handle.

HTTP Status Code: 400

UnauthorizedClientException

Indicates that the client is not currently authorized to make the request. This can happen when a clientId is not issued for a public client.

HTTP Status Code: 400

UnsupportedGrantTypeException

Indicates that the grant type in the request is not supported by the service.

HTTP Status Code: 400

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

• AWS Command Line Interface

• AWS SDK for .NET

• AWS SDK for C++

• AWS SDK for Go

• AWS SDK for Java V2

• AWS SDK for JavaScript

• AWS SDK for PHP V3

• AWS SDK for Python

• AWS SDK for Ruby V3