SSOOIDC

Client

class SSOOIDC.Client

A low-level client representing AWS SSO OIDC:

client = session.create_client('sso-oidc')

These are the available methods:

can_paginate(operation_name)

Check if an operation can be paginated.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo and you'd normally invoke the operation as client.create_foo(**kwargs), then, provided the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Returns
True if the operation can be paginated, False otherwise.
create_token(**kwargs)

Creates and returns an access token for the authorized client. The access token issued will be used to fetch short-term credentials for the assigned roles in the AWS account.

See also: AWS API Documentation

Request Syntax

response = client.create_token(
    clientId='string',
    clientSecret='string',
    grantType='string',
    deviceCode='string',
    code='string',
    refreshToken='string',
    scope=[
        'string',
    ],
    redirectUri='string'
)
Parameters
  • clientId (string) --

    [REQUIRED]

    The unique identifier string for each client. This value should come from the persisted result of the RegisterClient API.

  • clientSecret (string) --

    [REQUIRED]

    A secret string generated for the client. This value should come from the persisted result of the RegisterClient API.

  • grantType (string) --

    [REQUIRED]

    Supports grant types for authorization code, refresh token, and device code request.

  • deviceCode (string) --

    [REQUIRED]

    Used only when calling this API for the device code grant type. This short-term code is used to identify this authentication attempt. This should come from an in-memory reference to the result of the StartDeviceAuthorization API.

  • code (string) -- The authorization code received from the authorization service. This parameter is required to perform an authorization grant request to get access to a token.
  • refreshToken (string) -- The token used to obtain an access token in the event that the access token is invalid or expired. This token is not issued by the service.
  • scope (list) --

    The list of scopes that is defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.

    • (string) --
  • redirectUri (string) -- The location of the application that will receive the authorization code. Users authorize the service to send the request to this location.
Return type

dict

Returns

Response Syntax

{
    'accessToken': 'string',
    'tokenType': 'string',
    'expiresIn': 123,
    'refreshToken': 'string',
    'idToken': 'string'
}

Response Structure

  • (dict) --

    • accessToken (string) --

      An opaque token to access AWS SSO resources assigned to a user.

    • tokenType (string) --

      Used to notify the client that the returned token is an access token. The supported type is BearerToken.

    • expiresIn (integer) --

      Indicates the time in seconds when an access token will expire.

    • refreshToken (string) --

      A token that, if present, can be used to refresh a previously issued access token that might have expired.

    • idToken (string) --

      The identifier of the user that is associated with the access token, if present.

Exceptions

generate_presigned_url(ClientMethod, Params=None, ExpiresIn=3600, HttpMethod=None)

Generate a presigned url given a client, its method, and arguments

Parameters
  • ClientMethod (string) -- The client method to presign for
  • Params (dict) -- The parameters normally passed to ClientMethod.
  • ExpiresIn (int) -- The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds)
  • HttpMethod (string) -- The http method to use on the generated url. By default, the http method is whatever is used in the method's model.
Returns

The presigned url

get_paginator(operation_name)

Create a paginator for an operation.

Parameters
operation_name (string) -- The operation name. This is the same name as the method name on the client. For example, if the method name is create_foo and you'd normally invoke the operation as client.create_foo(**kwargs), then, provided the create_foo operation can be paginated, you can use the call client.get_paginator("create_foo").
Raises OperationNotPageableError
Raised if the operation is not pageable. You can use the client.can_paginate method to check if an operation is pageable.
Return type
botocore.paginate.Paginator
Returns
A paginator object.
get_waiter(waiter_name)

Returns an object that can wait for some condition.

Parameters
waiter_name (str) -- The name of the waiter to get. See the waiters section of the service docs for a list of available waiters.
Returns
The specified waiter object.
Return type
botocore.waiter.Waiter
register_client(**kwargs)

Registers a client with AWS SSO. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests.

See also: AWS API Documentation

Request Syntax

response = client.register_client(
    clientName='string',
    clientType='string',
    scopes=[
        'string',
    ]
)
Parameters
  • clientName (string) --

    [REQUIRED]

    The friendly name of the client.

  • clientType (string) --

    [REQUIRED]

    The type of client. The service supports only public as a client type. Anything other than public will be rejected by the service.

  • scopes (list) --

    The list of scopes that are defined by the client. Upon authorization, this list is used to restrict permissions when granting an access token.

    • (string) --
Return type

dict

Returns

Response Syntax

{
    'clientId': 'string',
    'clientSecret': 'string',
    'clientIdIssuedAt': 123,
    'clientSecretExpiresAt': 123,
    'authorizationEndpoint': 'string',
    'tokenEndpoint': 'string'
}

Response Structure

  • (dict) --

    • clientId (string) --

      The unique identifier string for each client. This client uses this identifier to get authenticated by the service in subsequent calls.

    • clientSecret (string) --

      A secret string generated for the client. The client will use this string to get authenticated by the service in subsequent calls.

    • clientIdIssuedAt (integer) --

      Indicates the time at which the clientId and clientSecret were issued.

    • clientSecretExpiresAt (integer) --

      Indicates the time at which the clientId and clientSecret will become invalid.

    • authorizationEndpoint (string) --

      The endpoint where the client can request authorization.

    • tokenEndpoint (string) --

      The endpoint where the client can get an access token.
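
The note above that the register_client output "should be persisted for reuse" has a security side: the persisted file holds clientSecret and goes stale at clientSecretExpiresAt. The following is an added example, not botocore's own code, of an owner-only cache that re-registers shortly before expiry. The cache path, client name and safety margin are hypothetical, POSIX file permissions are assumed, and clientSecretExpiresAt is assumed to be Unix epoch seconds.

```python
import json
import os
import time

# Hypothetical cache location and safety margin chosen for this example.
CACHE_PATH = os.path.expanduser("~/.cache/example-sso/registration.json")
EXPIRY_MARGIN_SECONDS = 300


def load_registration(path, now=None):
    """Return the cached registration, or None if absent, unsafe or near expiry."""
    now = time.time() if now is None else now
    try:
        # Refuse a cache that group or other can access: it holds clientSecret.
        if os.stat(path).st_mode & 0o077:
            return None
        with open(path, encoding="utf-8") as fh:
            reg = json.load(fh)
    except (OSError, ValueError):
        return None
    # Assumption: clientSecretExpiresAt is expressed in Unix epoch seconds.
    expires = reg.get("clientSecretExpiresAt", 0) if isinstance(reg, dict) else 0
    if expires - EXPIRY_MARGIN_SECONDS <= now:
        return None
    return reg


def save_registration(path, reg):
    """Write the registration atomically with owner-only permissions (0600)."""
    directory = os.path.dirname(path)
    if directory:
        os.makedirs(directory, mode=0o700, exist_ok=True)
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tightens a leftover temp file
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(reg, fh)
    os.replace(tmp, path)


def get_registration(client, path=CACHE_PATH, client_name="example-cli", now=None):
    """Reuse a valid cached registration; otherwise call register_client once."""
    reg = load_registration(path, now)
    if reg is None:
        resp = client.register_client(clientName=client_name, clientType="public")
        keys = ("clientId", "clientSecret", "clientSecretExpiresAt")
        reg = {k: resp[k] for k in keys}
        save_registration(path, reg)
    return reg
```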

Exceptions

start_device_authorization(**kwargs)

Initiates device authorization by requesting a pair of verification codes from the authorization service.

See also: AWS API Documentation

Request Syntax

response = client.start_device_authorization(
    clientId='string',
    clientSecret='string',
    startUrl='string'
)
Parameters
  • clientId (string) --

    [REQUIRED]

    The unique identifier string for the client that is registered with AWS SSO. This value should come from the persisted result of the RegisterClient API operation.

  • clientSecret (string) --

    [REQUIRED]

    A secret string that is generated for the client. This value should come from the persisted result of the RegisterClient API operation.

  • startUrl (string) --

    [REQUIRED]

    The URL for the AWS SSO user portal. For more information, see Using the User Portal in the AWS Single Sign-On User Guide.

Return type

dict

Returns

Response Syntax

{
    'deviceCode': 'string',
    'userCode': 'string',
    'verificationUri': 'string',
    'verificationUriComplete': 'string',
    'expiresIn': 123,
    'interval': 123
}

Response Structure

  • (dict) --

    • deviceCode (string) --

      The short-lived code that is used by the device when polling for a session token.

    • userCode (string) --

      A one-time user verification code. This is needed to authorize an in-use device.

    • verificationUri (string) --

      The URI of the verification page that takes the userCode to authorize the device.

    • verificationUriComplete (string) --

      An alternate URL that the client can use to automatically launch a browser. This process skips the manual step in which the user visits the verification page and enters their code.

    • expiresIn (integer) --

      Indicates the number of seconds in which the verification code will become invalid.

    • interval (integer) --

      Indicates the number of seconds the client must wait between attempts when polling for a session.
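
How start_device_authorization and create_token fit together in the device code flow, as an added example that is not part of the botocore documentation or code base. It honours interval and expiresIn, treats AuthorizationPendingException and SlowDownException as retryable, and keeps deviceCode out of anything shown to the user. The function names are hypothetical; the grant type string and the 5-second back-off come from RFC 8628, not from this page.

```python
import time

# Device code grant type value defined by RFC 8628.
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def poll_for_token(client, registration, device_auth,
                   sleep=time.sleep, clock=time.monotonic):
    """Poll create_token until the user approves or the device code expires.

    registration: persisted result of register_client.
    device_auth:  in-memory result of start_device_authorization.
    """
    exc = client.exceptions
    interval = device_auth.get("interval", 5)
    deadline = clock() + device_auth["expiresIn"]
    while clock() < deadline:
        try:
            return client.create_token(
                clientId=registration["clientId"],
                clientSecret=registration["clientSecret"],
                grantType=DEVICE_GRANT,
                deviceCode=device_auth["deviceCode"],
            )
        except exc.AuthorizationPendingException:
            pass  # user has not finished approving yet; keep the interval
        except exc.SlowDownException:
            interval += 5  # RFC 8628 section 3.5: back off by 5 seconds
        # ExpiredTokenException, AccessDeniedException and the other client
        # exceptions end this attempt and propagate to the caller.
        sleep(interval)
    raise TimeoutError("device code expired before the request was approved")


def device_login(client, registration, start_url, show=print,
                 sleep=time.sleep, clock=time.monotonic):
    """Run one device authorization attempt and return the create_token result."""
    device_auth = client.start_device_authorization(
        clientId=registration["clientId"],
        clientSecret=registration["clientSecret"],
        startUrl=start_url,
    )
    # Show only verificationUri and userCode; deviceCode stays in memory.
    show("Open {} and confirm the code {}".format(
        device_auth["verificationUri"], device_auth["userCode"]))
    return poll_for_token(client, registration, device_auth, sleep, clock)
```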

Exceptions

Client Exceptions

Client exceptions are available on a client instance via the exceptions property. For more detailed instructions and examples on the exact usage of client exceptions, see the error handling user guide.

The available client exceptions are:

class SSOOIDC.Client.exceptions.AccessDeniedException

You do not have sufficient access to perform this action.

Example

try:
  ...
except client.exceptions.AccessDeniedException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    You do not have sufficient access to perform this action.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.AuthorizationPendingException

Indicates that a request to authorize a client with an access user session token is pending.

Example

try:
  ...
except client.exceptions.AuthorizationPendingException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that a request to authorize a client with an access user session token is pending.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.ExpiredTokenException

Indicates that the token issued by the service is expired and is no longer valid.

Example

try:
  ...
except client.exceptions.ExpiredTokenException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the token issued by the service is expired and is no longer valid.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.InternalServerException

Indicates that an error from the service occurred while trying to process a request.

Example

try:
  ...
except client.exceptions.InternalServerException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that an error from the service occurred while trying to process a request.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.InvalidClientException

Indicates that the clientId or clientSecret in the request is invalid. For example, this can occur when a client sends an incorrect clientId or an expired clientSecret.

Example

try:
  ...
except client.exceptions.InvalidClientException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the clientId or clientSecret in the request is invalid. For example, this can occur when a client sends an incorrect clientId or an expired clientSecret.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.InvalidClientMetadataException

Indicates that the client information sent in the request during registration is invalid.

Example

try:
  ...
except client.exceptions.InvalidClientMetadataException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the client information sent in the request during registration is invalid.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.InvalidGrantException

Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken request with an invalid grant type.

Example

try:
  ...
except client.exceptions.InvalidGrantException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that a request contains an invalid grant. This can occur if a client makes a CreateToken request with an invalid grant type.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.InvalidRequestException

Indicates that something is wrong with the input to the request. For example, a required parameter might be missing or out of range.

Example

try:
  ...
except client.exceptions.InvalidRequestException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that something is wrong with the input to the request. For example, a required parameter might be missing or out of range.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.InvalidScopeException

Indicates that the scope provided in the request is invalid.

Example

try:
  ...
except client.exceptions.InvalidScopeException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the scope provided in the request is invalid.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.SlowDownException

Indicates that the client is making requests more frequently than the service can handle.

Example

try:
  ...
except client.exceptions.SlowDownException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the client is making requests more frequently than the service can handle.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.UnauthorizedClientException

Indicates that the client is not currently authorized to make the request. This can happen when a clientId is not issued for a public client.

Example

try:
  ...
except client.exceptions.UnauthorizedClientException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the client is not currently authorized to make the request. This can happen when a clientId is not issued for a public client.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.
class SSOOIDC.Client.exceptions.UnsupportedGrantTypeException

Indicates that the grant type in the request is not supported by the service.

Example

try:
  ...
except client.exceptions.UnsupportedGrantTypeException as e:
  print(e.response)
response

The parsed error response. All exceptions have a top level Error key that provides normalized access to common exception attributes. All other keys are specific to this service or exception class.

Syntax

{
    'error': 'string',
    'error_description': 'string',
    'Error': {
        'Code': 'string',
        'Message': 'string'
    }
}

Structure

  • (dict) --

    Indicates that the grant type in the request is not supported by the service.

    • error (string) --
    • error_description (string) --
    • Error (dict) -- Normalized access to common exception attributes.
      • Code (string) -- An identifier specifying the exception type.
      • Message (string) -- A descriptive message explaining why the exception occurred.

Paginators

The available paginators are: