AWS SSO OIDC Update: Updated request parameters for PKCE support.

AWS · AWS · commit 92d548605b0e · 2024-05-10T18:24:23.000Z
diff --git a/.changes/next-release/feature-AWSSSOOIDC-e0032a4.json b/.changes/next-release/feature-AWSSSOOIDC-e0032a4.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS SSO OIDC",
+    "contributor": "",
+    "description": "Updated request parameters for PKCE support."
+}
diff --git a/services/ssooidc/src/main/resources/codegen-resources/service-2.json b/services/ssooidc/src/main/resources/codegen-resources/service-2.json
@@ -5,6 +5,7 @@
     "endpointPrefix":"oidc",
     "jsonVersion":"1.1",
     "protocol":"rest-json",
+    "protocols":["rest-json"],
     "serviceAbbreviation":"SSO OIDC",
     "serviceFullName":"AWS SSO OIDC",
     "serviceId":"SSO OIDC",
@@ -59,7 +60,7 @@
         {"shape":"InternalServerException"},
         {"shape":"InvalidRequestRegionException"}
       ],
-      "documentation":"<p>Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. The access token can be used to fetch short-term credentials for the assigned AWS accounts or to access application APIs using <code>bearer</code> authentication.</p>"
+      "documentation":"<p>Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. The access token can be used to fetch short-term credentials for the assigned Amazon Web Services accounts or to access application APIs using <code>bearer</code> authentication.</p>"
     },
     "RegisterClient":{
       "name":"RegisterClient",
@@ -73,7 +74,9 @@
         {"shape":"InvalidRequestException"},
         {"shape":"InvalidScopeException"},
         {"shape":"InvalidClientMetadataException"},
-        {"shape":"InternalServerException"}
+        {"shape":"InternalServerException"},
+        {"shape":"InvalidRedirectUriException"},
+        {"shape":"UnsupportedGrantTypeException"}
       ],
       "documentation":"<p>Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests.</p>",
       "authtype":"none"
@@ -118,6 +121,7 @@
       "type":"string",
       "sensitive":true
     },
+    "ArnType":{"type":"string"},
     "Assertion":{
       "type":"string",
       "sensitive":true
@@ -146,6 +150,10 @@
       "sensitive":true
     },
     "ClientType":{"type":"string"},
+    "CodeVerifier":{
+      "type":"string",
+      "sensitive":true
+    },
     "CreateTokenRequest":{
       "type":"structure",
       "required":[
@@ -185,6 +193,10 @@
         "redirectUri":{
           "shape":"URI",
           "documentation":"<p>Used only when calling this API for the Authorization Code grant type. This value specifies the location of the client or application that has registered to receive the authorization code.</p>"
+        },
+        "codeVerifier":{
+          "shape":"CodeVerifier",
+          "documentation":"<p>Used only when calling this API for the Authorization Code grant type. This value is generated by the client and presented to validate the original code challenge value the client passed at authorization time.</p>"
         }
       }
     },
@@ -193,7 +205,7 @@
       "members":{
         "accessToken":{
           "shape":"AccessToken",
-          "documentation":"<p>A bearer token to access AWS accounts and applications assigned to a user.</p>"
+          "documentation":"<p>A bearer token to access Amazon Web Services accounts and applications assigned to a user.</p>"
         },
         "tokenType":{
           "shape":"TokenType",
@@ -259,6 +271,10 @@
         "requestedTokenType":{
           "shape":"TokenTypeURI",
           "documentation":"<p>Used only when calling this API for the Token Exchange grant type. This value specifies the type of token that the requester can receive. The following values are supported:</p> <p>* Access Token - <code>urn:ietf:params:oauth:token-type:access_token</code> </p> <p>* Refresh Token - <code>urn:ietf:params:oauth:token-type:refresh_token</code> </p>"
+        },
+        "codeVerifier":{
+          "shape":"CodeVerifier",
+          "documentation":"<p>Used only when calling this API for the Authorization Code grant type. This value is generated by the client and presented to validate the original code challenge value the client passed at authorization time.</p>"
         }
       }
     },
@@ -267,7 +283,7 @@
       "members":{
         "accessToken":{
           "shape":"AccessToken",
-          "documentation":"<p>A bearer token to access AWS accounts and applications assigned to a user.</p>"
+          "documentation":"<p>A bearer token to access Amazon Web Services accounts and applications assigned to a user.</p>"
         },
         "tokenType":{
           "shape":"TokenType",
@@ -316,6 +332,10 @@
       "exception":true
     },
     "GrantType":{"type":"string"},
+    "GrantTypes":{
+      "type":"list",
+      "member":{"shape":"GrantType"}
+    },
     "IdToken":{
       "type":"string",
       "sensitive":true
@@ -386,6 +406,22 @@
       "error":{"httpStatusCode":400},
       "exception":true
     },
+    "InvalidRedirectUriException":{
+      "type":"structure",
+      "members":{
+        "error":{
+          "shape":"Error",
+          "documentation":"<p>Single error code. For this exception the value will be <code>invalid_redirect_uri</code>.</p>"
+        },
+        "error_description":{
+          "shape":"ErrorDescription",
+          "documentation":"<p>Human-readable text providing additional information, used to assist the client developer in understanding the error that occurred.</p>"
+        }
+      },
+      "documentation":"<p>Indicates that one or more redirect URI in the request is not supported for this operation.</p>",
+      "error":{"httpStatusCode":400},
+      "exception":true
+    },
     "InvalidRequestException":{
       "type":"structure",
       "members":{
@@ -444,6 +480,10 @@
     },
     "Location":{"type":"string"},
     "LongTimeStampType":{"type":"long"},
+    "RedirectUris":{
+      "type":"list",
+      "member":{"shape":"URI"}
+    },
     "RefreshToken":{
       "type":"string",
       "sensitive":true
@@ -467,6 +507,22 @@
         "scopes":{
           "shape":"Scopes",
           "documentation":"<p>The list of scopes that are defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.</p>"
+        },
+        "redirectUris":{
+          "shape":"RedirectUris",
+          "documentation":"<p>The list of redirect URI that are defined by the client. At completion of authorization, this list is used to restrict what locations the user agent can be redirected back to.</p>"
+        },
+        "grantTypes":{
+          "shape":"GrantTypes",
+          "documentation":"<p>The list of OAuth 2.0 grant types that are defined by the client. This list is used to restrict the token granting flows available to the client.</p>"
+        },
+        "issuerUrl":{
+          "shape":"URI",
+          "documentation":"<p>The IAM Identity Center Issuer URL associated with an instance of IAM Identity Center. This value is needed for user access to resources through the client.</p>"
+        },
+        "entitledApplicationArn":{
+          "shape":"ArnType",
+          "documentation":"<p>This IAM Identity Center application ARN is used to define administrator-managed configuration for public client access to resources. At authorization, the scopes, grants, and redirect URI available to this client will be restricted by this application resource.</p>"
         }
       }
     },
