CreateToken
Creates and returns an access token for the authorized client. The access token issued will be used to fetch short-term credentials for the assigned roles in the AWS account.
Request Syntax
POST /token HTTP/1.1
Content-type: application/json
{
"clientId": "string
",
"clientSecret": "string
",
"code": "string
",
"deviceCode": "string
",
"grantType": "string
",
"redirectUri": "string
",
"refreshToken": "string
",
"scope": [ "string
" ]
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- clientId
-
The unique identifier string for each client. This value should come from the persisted result of the RegisterClient API.
Type: String
Required: Yes
- clientSecret
-
A secret string generated for the client. This value should come from the persisted result of the RegisterClient API.
Type: String
Required: Yes
- code
-
The authorization code received from the authorization service. This parameter is required to perform an authorization grant request to get access to a token.
Type: String
Required: No
- deviceCode
-
Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt. This should come from an in-memory reference to the result of the StartDeviceAuthorization API.
Type: String
Required: Yes
- grantType
-
Supports grant types for authorization code, refresh token, and device code request.
Type: String
Required: Yes
- redirectUri
-
The location of the application that will receive the authorization code. Users authorize the service to send the request to this location.
Type: String
Required: No
- refreshToken
-
Currently,
refreshToken
is not yet implemented and is not supported. For more information about the features and limitations of the current AWS SSO OIDC implementation, see AWS SSO OIDC API Reference.The token used to obtain an access token in the event that the access token is invalid or expired.
Type: String
Required: No
- scope
-
The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.
Type: Array of strings
Required: No
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"accessToken": "string",
"expiresIn": number,
"idToken": "string",
"refreshToken": "string",
"tokenType": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- accessToken
-
An opaque token to access AWS SSO resources assigned to a user.
Type: String
- expiresIn
-
Indicates the time in seconds when an access token will expire.
Type: Integer
- idToken
-
Currently,
idToken
is not yet implemented and is not supported. For more information about the features and limitations of the current AWS SSO OIDC implementation, see AWS SSO OIDC API Reference.The identifier of the user that associated with the access token, if present.
Type: String
- refreshToken
-
Currently,
refreshToken
is not yet implemented and is not supported. For more information about the features and limitations of the current AWS SSO OIDC implementation, see AWS SSO OIDC API Reference.A token that, if present, can be used to refresh a previously issued access token that might have expired.
Type: String
- tokenType
-
Used to notify the client that the returned token is an access token. The supported type is
BearerToken
.Type: String
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
You do not have sufficient access to perform this action.
HTTP Status Code: 400
- AuthorizationPendingException
-
Indicates that a request to authorize a client with an access user session token is pending.
HTTP Status Code: 400
- ExpiredTokenException
-
Indicates that the token issued by the service is expired and is no longer valid.
HTTP Status Code: 400
- InternalServerException
-
Indicates that an error from the service occurred while trying to process a request.
HTTP Status Code: 500
- InvalidClientException
-
Indicates that the
clientId
orclientSecret
in the request is invalid. For example, this can occur when a client sends an incorrectclientId
or an expiredclientSecret
.HTTP Status Code: 401
- InvalidGrantException
-
Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken request with an invalid grant type.
HTTP Status Code: 400
- InvalidRequestException
-
Indicates that something is wrong with the input to the request. For example, a required parameter might be missing or out of range.
HTTP Status Code: 400
- InvalidScopeException
-
Indicates that the scope provided in the request is invalid.
HTTP Status Code: 400
- SlowDownException
-
Indicates that the client is making the request too frequently and is more than the service can handle.
HTTP Status Code: 400
- UnauthorizedClientException
-
Indicates that the client is not currently authorized to make the request. This can happen when a
clientId
is not issued for a public client.HTTP Status Code: 400
- UnsupportedGrantTypeException
-
Indicates that the grant type in the request is not supported by the service.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: