create_o_auth2_token

SignInService.Client.create_o_auth2_token(**kwargs)

CreateOAuth2Token API

Path: /v1/token
Request Method: POST
Content-Type: application/json or application/x-www-form-urlencoded

This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:

  • Authorization code redemption (grant_type=authorization_code) - NOT idempotent

  • Token refresh (grant_type=refresh_token) - Idempotent within token validity window

The operation behavior is determined by the grant_type parameter in the request body:

Authorization Code Flow (NOT Idempotent):

  • JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier

  • Returns access_token, token_type, expires_in, refresh_token, and id_token

  • Each authorization code can only be used ONCE for security (prevents replay attacks)

Token Refresh Flow (Idempotent):

  • JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token

  • Returns access_token, token_type, expires_in, and refresh_token (no id_token)

  • Multiple calls with same refresh_token return consistent results within validity window

Authentication and authorization:

  • Confidential clients: sigv4 signing required with signin:ExchangeToken permissions

  • CLI clients (public): authn/authz skipped based on client_id & grant_type

Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.

See also: AWS API Documentation

Request Syntax

response = client.create_o_auth2_token(
    tokenInput={
        'clientId': 'string',
        'grantType': 'string',
        'code': 'string',
        'redirectUri': 'string',
        'codeVerifier': 'string',
        'refreshToken': 'string'
    }
)

Parameters:

tokenInput (dict) –

[REQUIRED]

Flattened token operation inputs. The specific operation is determined by grant_type in the request body.

  • clientId (string) – [REQUIRED]

    The client identifier (ARN) used during Sign-In onboarding. Required for both authorization code and refresh token flows.

  • grantType (string) – [REQUIRED]

    OAuth 2.0 grant type; determines which flow is used. Must be “authorization_code” or “refresh_token”.

  • code (string) –

    The authorization code received from /v1/authorize. Required only when grant_type=authorization_code.

  • redirectUri (string) –

    The redirect URI, which must match the one in the original authorization request. Required only when grant_type=authorization_code.

  • codeVerifier (string) –

    PKCE code verifier proving possession of the original code challenge. Required only when grant_type=authorization_code.

  • refreshToken (string) –

    The refresh token returned from authorization code redemption. Required only when grant_type=refresh_token.

Return type:

dict

Returns:

Response Syntax

{
    'tokenOutput': {
        'accessToken': {
            'accessKeyId': 'string',
            'secretAccessKey': 'string',
            'sessionToken': 'string'
        },
        'tokenType': 'string',
        'expiresIn': 123,
        'refreshToken': 'string',
        'idToken': 'string'
    }
}

Response Structure

  • (dict) –

    Output structure for CreateOAuth2Token operation

    Contains flattened token operation outputs for both authorization code and refresh token flows. The response content depends on the grant_type from the original request.

    • tokenOutput (dict) –

      Flattened token operation outputs. The specific response fields depend on the grant_type used in the request.

      • accessToken (dict) –

        Scoped-down AWS credentials (15-minute duration). Present for both authorization code redemption and token refresh.

        • accessKeyId (string) –

          AWS access key ID for temporary credentials

        • secretAccessKey (string) –

          AWS secret access key for temporary credentials

        • sessionToken (string) –

          AWS session token for temporary credentials

      • tokenType (string) –

        Token type indicating that these are AWS SigV4 credentials. The value is “aws_sigv4” for both flows.

      • expiresIn (integer) –

        Time to expiry in seconds (maximum 900). Present for both authorization code redemption and token refresh.

      • refreshToken (string) –

        Encrypted refresh token carrying cnf.jkt (the SHA-256 thumbprint of the presented JWK). Always present in responses (required for both flows).

      • idToken (string) –

        ID token containing user identity information. Present only in the authorization code redemption response (grant_type=authorization_code); not included in token refresh responses.
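The following is an added example, not code from the boto3 documentation or from AWS, that ties together the two flows described at the top of this page with the request and response structures above. It generates a PKCE code_verifier/code_challenge pair (assuming the S256 challenge method of RFC 7636, which this page does not name), builds a tokenInput dict that enforces the per-grant_type required fields listed under "Parameters", and checks a response against the constraints listed under "Response Structure" (tokenType must be aws_sigv4, expiresIn at most 900, idToken only on authorization code redemption, refreshToken always present). The client object is injected so a real boto3 client can be passed in; because this page does not state the service name to pass to boto3.client(), none is hard-coded. The StubSignInClient, the client ARN, the redirect URI and the authorization code are constructed placeholders so the example runs offline; the stub also refuses a second redemption of the same code, mirroring the single-use rule stated above.

```python
import base64
import hashlib
import secrets

# Required tokenInput fields per grantType, as listed under "Parameters".
REQUIRED_BY_GRANT = {
    "authorization_code": ("code", "redirectUri", "codeVerifier"),
    "refresh_token": ("refreshToken",),
}
MAX_EXPIRES_IN = 900  # documented maximum for expiresIn (15-minute credentials)


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair():
    """Return (code_verifier, code_challenge); assumes the S256 method of RFC 7636."""
    verifier = _b64url(secrets.token_bytes(32))  # 43 unpadded base64url characters
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier, challenge):
    """What the server checks: S256(verifier) must equal the challenge sent to /v1/authorize."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def build_token_input(client_id, grant_type, **fields):
    """Build tokenInput, enforcing the per-grantType required fields and rejecting
    fields that belong to the other flow."""
    if grant_type not in REQUIRED_BY_GRANT:
        raise ValueError(f"grantType must be authorization_code or refresh_token, got {grant_type!r}")
    required = REQUIRED_BY_GRANT[grant_type]
    missing = [k for k in required if not fields.get(k)]
    extra = sorted(set(fields) - set(required))
    if missing or extra:
        raise ValueError(f"{grant_type}: missing={missing} unexpected={extra}")
    return {"clientId": client_id, "grantType": grant_type, **fields}


def validate_token_output(response, grant_type):
    """Check a response against 'Response Structure' and return the temporary
    credentials under boto3 session keyword names."""
    out = response["tokenOutput"]
    if out.get("tokenType") != "aws_sigv4":
        raise ValueError(f"unexpected tokenType {out.get('tokenType')!r}")
    expires_in = out["expiresIn"]
    if not 0 < expires_in <= MAX_EXPIRES_IN:
        raise ValueError(f"expiresIn {expires_in} outside (0, {MAX_EXPIRES_IN}]")
    creds = out["accessToken"]
    for key in ("accessKeyId", "secretAccessKey", "sessionToken"):
        if not creds.get(key):
            raise ValueError(f"accessToken is missing {key}")
    if not out.get("refreshToken"):
        raise ValueError("refreshToken must be present in both flows")
    if bool(out.get("idToken")) != (grant_type == "authorization_code"):
        raise ValueError("idToken is expected only on authorization code redemption")
    return {
        "aws_access_key_id": creds["accessKeyId"],
        "aws_secret_access_key": creds["secretAccessKey"],
        "aws_session_token": creds["sessionToken"],
        "expires_in": expires_in,
        "refresh_token": out["refreshToken"],
        "id_token": out.get("idToken"),
    }


def exchange(client, token_input):
    """Call create_o_auth2_token on the injected client and validate the result."""
    response = client.create_o_auth2_token(tokenInput=token_input)
    return validate_token_output(response, token_input["grantType"])


class StubSignInClient:
    """Constructed offline stand-in (not the real service): returns the documented
    response shape and enforces the single-use rule for authorization codes."""

    def __init__(self):
        self._used_codes = set()

    def create_o_auth2_token(self, tokenInput):
        grant = tokenInput["grantType"]
        if grant == "authorization_code":
            if tokenInput["code"] in self._used_codes:
                raise RuntimeError("authorization code already redeemed")  # replay refused
            self._used_codes.add(tokenInput["code"])
        out = {"accessToken": {"accessKeyId": "example-key-id", "secretAccessKey": "example-secret",
                               "sessionToken": "example-session"},
               "tokenType": "aws_sigv4", "expiresIn": MAX_EXPIRES_IN,
               "refreshToken": "example-refresh-token"}
        if grant == "authorization_code":
            out["idToken"] = "example-id-token"
        return {"tokenOutput": out}


if __name__ == "__main__":
    client = StubSignInClient()  # swap in the real boto3 client here
    client_id = "arn:placeholder:signin-client"  # placeholder for the onboarded client ARN
    verifier, challenge = make_pkce_pair()  # the challenge goes in the /v1/authorize request
    first = exchange(client, build_token_input(client_id, "authorization_code", code="constructed-code",
                                               redirectUri="http://127.0.0.1:8400/callback", codeVerifier=verifier))
    again = exchange(client, build_token_input(client_id, "refresh_token", refreshToken=first["refresh_token"]))
    print(first["id_token"], again["id_token"], again["expires_in"])
```

The returned dict uses the keyword names boto3.Session accepts, so the scoped-down credentials can be handed straight to a session; because expiresIn is at most 900 seconds, a client should schedule the refresh_token flow well before that window closes rather than retrying the authorization code, which the service rejects on reuse.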

Exceptions