AWS Sign-In Service 2023-01-01
- Client: Aws\Signin\SigninClient
- Service ID: signin
- Version: 2023-01-01
This page describes the parameters and results for the operations of the AWS Sign-In Service (2023-01-01), and shows how to use the Aws\Signin\SigninClient object to call the described operations. This documentation is specific to the 2023-01-01 API version of the service.
Operation Summary
Each of the following operations can be created from a client using $client->getCommand('CommandName'), where "CommandName" is the name of one of the following operations. Note: a command is a value that encapsulates an operation and the parameters used to create an HTTP request. You can also create and send a command immediately using the magic methods available on a client object: $client->commandName(/* parameters */). You can send the command asynchronously (returning a promise) by appending the word "Async" to the operation name: $client->commandNameAsync(/* parameters */).
- CreateOAuth2Token ( array $params = [] )
- CreateOAuth2Token API. Path: /v1/token. Request Method: POST. Content-Type: application/json or application/x-www-form-urlencoded. This API implements OAuth 2.0 flows for AWS Sign-In CLI clients.
- DeleteConsoleAuthorizationConfiguration ( array $params = [] )
- Delete console authorization configuration with automatic scope detection
- DeleteResourcePermissionStatement ( array $params = [] )
- Remove a permission statement from the account's SignIn resource-based policy
- GetConsoleAuthorizationConfiguration ( array $params = [] )
- Get console authorization configuration with automatic scope detection
- GetResourcePolicy ( array $params = [] )
- Retrieve the account's consolidated SignIn resource-based policy
- ListResourcePermissionStatements ( array $params = [] )
- Retrieve all permission statements in the account's SignIn resource-based policy
- PutConsoleAuthorizationConfiguration ( array $params = [] )
- Enable console authorization configuration with automatic scope detection
- PutResourcePermissionStatement ( array $params = [] )
- Create a permission statement in the account's SignIn resource-based policy
Paginators
Paginators handle automatically iterating over paginated API results. Paginators are associated with specific API operations, and they accept the parameters that the corresponding API operation accepts. You can get a paginator from a client class using getPaginator($paginatorName, $operationParameters). This client supports the following paginators:
Operations
CreateOAuth2Token
$result = $client->createOAuth2Token([/* ... */]);
$promise = $client->createOAuth2TokenAsync([/* ... */]);
CreateOAuth2Token API
- Path: /v1/token
- Request Method: POST
- Content-Type: application/json or application/x-www-form-urlencoded
This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:
- Authorization code redemption (grant_type=authorization_code) - NOT idempotent
- Token refresh (grant_type=refresh_token) - Idempotent within token validity window
The operation behavior is determined by the grant_type parameter in the request body:
Authorization Code Flow (NOT Idempotent):
- JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier
- Returns access_token, token_type, expires_in, refresh_token, and id_token
- Each authorization code can only be used ONCE for security (prevents replay attacks)
Token Refresh Flow (Idempotent):
- JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token
- Returns access_token, token_type, expires_in, and refresh_token (no id_token)
- Multiple calls with same refresh_token return consistent results within validity window
Authentication and authorization:
- Confidential clients: sigv4 signing required with signin:ExchangeToken permissions
- CLI clients (public): authn/authz skipped based on client_id & grant_type
Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.
Parameter Syntax
$result = $client->createOAuth2Token([
'tokenInput' => [ // REQUIRED
'clientId' => '<string>', // REQUIRED
'code' => '<string>',
'codeVerifier' => '<string>',
'grantType' => '<string>', // REQUIRED
'redirectUri' => '<string>',
'refreshToken' => '<string>',
],
]);
Parameter Details
Members
- tokenInput
  - Required: Yes
  - Type: CreateOAuth2TokenRequestBody structure
  Flattened token operation inputs. The specific operation is determined by grant_type in the request body.
Result Syntax
[
'tokenOutput' => [
'accessToken' => [
'accessKeyId' => '<string>',
'secretAccessKey' => '<string>',
'sessionToken' => '<string>',
],
'expiresIn' => <integer>,
'idToken' => '<string>',
'refreshToken' => '<string>',
'tokenType' => '<string>',
],
]
Result Details
Members
- tokenOutput
  - Required: Yes
  - Type: CreateOAuth2TokenResponseBody structure
  Flattened token operation outputs. The specific response fields depend on the grant_type used in the request.
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
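A CLI-side login helper built on the two flows described above (PKCE code redemption, refresh, the AccessDeniedException status mapping and the CreateOAuth2TokenRequestBody/ResponseBody shapes), added here as an example; it is not code from the SDK documentation or from the service team. It assumes the SDK's generated Aws\Signin\Exception\SigninException class exposes the parsed error body via toArray(), and the client ARN, authorization code and redirect URI are placeholders.

```php
<?php
// Added example (not from the SDK documentation or the Sign-In service): a CLI
// login helper around CreateOAuth2Token. Assumptions: the SDK's generated
// exception class Aws\Signin\Exception\SigninException exposes the parsed error
// body through toArray(); the client ARN, auth code and redirect URI are
// placeholders; the /v1/authorize redirect that yields the code is not shown.
require 'vendor/autoload.php';

use Aws\Credentials\Credentials;
use Aws\Signin\Exception\SigninException;
use Aws\Signin\SigninClient;

// RFC 7636 PKCE pair (S256). Only the challenge goes to /v1/authorize; the
// verifier is presented to /v1/token together with the single-use code.
function makePkcePair(): array
{
    $b64url = fn(string $raw): string => rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
    $verifier = $b64url(random_bytes(32));
    return ['verifier' => $verifier, 'challenge' => $b64url(hash('sha256', $verifier, true))];
}

// grant_type=authorization_code: NOT idempotent. The code is consumed on first
// use, so never wrap this call in a retry loop that resends the same code.
function redeemAuthorizationCode(SigninClient $client, string $clientId, string $code, string $redirectUri, string $verifier): array
{
    $result = $client->createOAuth2Token(['tokenInput' => [
        'clientId'     => $clientId,
        'grantType'    => 'authorization_code',
        'code'         => $code,
        'redirectUri'  => $redirectUri,   // must match the original authorize request
        'codeVerifier' => $verifier,
    ]]);
    return $result['tokenOutput'];
}

// grant_type=refresh_token: idempotent within the validity window, so a retry
// after TooManyRequestsError (HTTP 429) is safe for this call only.
function refreshAccessToken(SigninClient $client, string $clientId, string $refreshToken): array
{
    $result = $client->createOAuth2Token(['tokenInput' => [
        'clientId'     => $clientId,
        'grantType'    => 'refresh_token',
        'refreshToken' => $refreshToken,
    ]]);
    return $result['tokenOutput'];
}

// Turn tokenOutput into SDK credentials, checking the invariants the API states:
// tokenType is "aws_sigv4" and expiresIn never exceeds 900 seconds.
function credentialsFromTokenOutput(array $out): Credentials
{
    if (($out['tokenType'] ?? '') !== 'aws_sigv4') {
        throw new RuntimeException('unexpected tokenType: ' . ($out['tokenType'] ?? 'missing'));
    }
    $ttl = min((int) $out['expiresIn'], 900);
    $ak  = $out['accessToken'];
    return new Credentials($ak['accessKeyId'], $ak['secretAccessKey'], $ak['sessionToken'], time() + $ttl);
}

// AccessDeniedException carries its reason in the "error" field, not only in the
// HTTP status: the 401 reasons mean a fresh login is needed, everything else is
// a hard stop (fail closed on unknown values).
function accessDeniedAction(SigninException $e): string
{
    $error = $e->toArray()['error'] ?? '';   // assumption: parsed body exposed via toArray()
    return in_array($error, ['TOKEN_EXPIRED', 'AUTHCODE_EXPIRED'], true) ? 'reauthenticate' : 'abort';
}

$client   = new SigninClient(['region' => 'us-east-1', 'version' => '2023-01-01']);
$clientId = 'CLIENT_ARN_PLACEHOLDER';                 // placeholder for the ARN issued at onboarding
$pkce     = makePkcePair();                           // $pkce['challenge'] goes to /v1/authorize (not shown)
$code     = 'AUTH_CODE_FROM_REDIRECT_PLACEHOLDER';    // placeholder for the code from the redirect

try {
    $out          = redeemAuthorizationCode($client, $clientId, $code, 'http://127.0.0.1:8400/callback', $pkce['verifier']);
    $creds        = credentialsFromTokenOutput($out);
    $refreshToken = $out['refreshToken'];            // store in the OS keychain, not in a plain file
    $idToken      = $out['idToken'] ?? null;         // only returned for authorization_code

    if ($creds->isExpired()) {                        // 15-minute credentials: refresh, do not re-login
        $out          = refreshAccessToken($client, $clientId, $refreshToken);
        $creds        = credentialsFromTokenOutput($out);
        $refreshToken = $out['refreshToken'];        // rotate to the newest refresh token
    }
    echo 'credentials valid until ' . date(DATE_ATOM, $creds->getExpiration()) . PHP_EOL;
} catch (SigninException $e) {
    $status = $e->getStatusCode();
    if ($e->getAwsErrorCode() === 'AccessDeniedException') {
        fwrite(STDERR, "access denied ({$status}): " . accessDeniedAction($e) . PHP_EOL);
    } elseif ($status === 429) {
        fwrite(STDERR, 'rate limited (TooManyRequestsError); back off, then retry only a refresh' . PHP_EOL);
    } else {
        fwrite(STDERR, "sign-in error {$e->getAwsErrorCode()}: {$e->getAwsErrorMessage()}" . PHP_EOL);
    }
    exit(1);
}
```

The single-use property of the authorization code is why the redemption path has no retry: a failed first attempt must restart at /v1/authorize rather than resend the same code.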
DeleteConsoleAuthorizationConfiguration
$result = $client->deleteConsoleAuthorizationConfiguration([/* ... */]);
$promise = $client->deleteConsoleAuthorizationConfigurationAsync([/* ... */]);
Delete console authorization configuration with automatic scope detection
Parameter Syntax
$result = $client->deleteConsoleAuthorizationConfiguration([
'targetId' => '<string>',
]);
Parameter Details
Members
- targetId
  - Type: string
  Target account identifier
Result Syntax
[
'consoleAuthorizationEnabled' => true || false,
'scope' => '<string>',
'targetId' => '<string>',
]
Result Details
Members
- consoleAuthorizationEnabled
  - Required: Yes
  - Type: boolean
  Whether console authorization is enabled
- scope
  - Required: Yes
  - Type: string
  Authorization scope
- targetId
  - Required: Yes
  - Type: string
  Target account identifier
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ResourceNotFoundException:
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
DeleteResourcePermissionStatement
$result = $client->deleteResourcePermissionStatement([/* ... */]);
$promise = $client->deleteResourcePermissionStatementAsync([/* ... */]);
Remove a permission statement from the account's SignIn resource-based policy
Parameter Syntax
$result = $client->deleteResourcePermissionStatement([
'clientToken' => '<string>',
'statementId' => '<string>', // REQUIRED
]);
Parameter Details
Members
- clientToken
  - Type: string
  Idempotency token for the request
- statementId
  - Required: Yes
  - Type: string
  Unique identifier of the permission statement to delete
Result Syntax
[]
Result Details
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ResourceNotFoundException:
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
GetConsoleAuthorizationConfiguration
$result = $client->getConsoleAuthorizationConfiguration([/* ... */]);
$promise = $client->getConsoleAuthorizationConfigurationAsync([/* ... */]);
Get console authorization configuration with automatic scope detection
Parameter Syntax
$result = $client->getConsoleAuthorizationConfiguration([
'targetId' => '<string>',
]);
Parameter Details
Members
- targetId
  - Type: string
  Target account identifier
Result Syntax
[
'consoleAuthorizationEnabled' => true || false,
'scope' => '<string>',
'targetId' => '<string>',
]
Result Details
Members
- consoleAuthorizationEnabled
  - Required: Yes
  - Type: boolean
  Whether console authorization is enabled
- scope
  - Required: Yes
  - Type: string
  Authorization scope
- targetId
  - Required: Yes
  - Type: string
  Target account identifier
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ResourceNotFoundException:
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
GetResourcePolicy
$result = $client->getResourcePolicy([/* ... */]);
$promise = $client->getResourcePolicyAsync([/* ... */]);
Retrieve the account's consolidated SignIn resource-based policy
Parameter Syntax
$result = $client->getResourcePolicy([]);
Parameter Details
Members
Result Syntax
[
'signinResourceBasedPolicy' => [
'statement' => [
[
'action' => ['<string>', ...],
'condition' => [
'<ConditionType>' => [
'<String>' => ['<string>', ...],
// ...
],
// ...
],
'effect' => '<string>',
'principal' => ['<string>', ...],
'resource' => '<string>',
],
// ...
],
'version' => '<string>',
],
]
Result Details
Members
- signinResourceBasedPolicy
  - Required: Yes
  - Type: SigninResourceBasedPolicy structure
  The account's SignIn resource-based policy
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ResourceNotFoundException:
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
ListResourcePermissionStatements
$result = $client->listResourcePermissionStatements([/* ... */]);
$promise = $client->listResourcePermissionStatementsAsync([/* ... */]);
Retrieve all permission statements in the account's SignIn resource-based policy
Parameter Syntax
$result = $client->listResourcePermissionStatements([
'maxResults' => <integer>,
'nextToken' => '<string>',
]);
Parameter Details
Members
- maxResults
  - Type: int
  Maximum number of results to return
- nextToken
  - Type: string
  Token for pagination
Result Syntax
[
'nextToken' => '<string>',
'permissionStatements' => [
[
'condition' => [
'<ConditionType>' => [
'<String>' => ['<string>', ...],
// ...
],
// ...
],
'sid' => '<string>',
],
// ...
],
]
Result Details
Members
- nextToken
  - Type: string
  Token for next page of results
- permissionStatements
  - Required: Yes
  - Type: Array of PermissionStatementSummary structures
  List of permission statement summaries
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ResourceNotFoundException:
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
PutConsoleAuthorizationConfiguration
$result = $client->putConsoleAuthorizationConfiguration([/* ... */]);
$promise = $client->putConsoleAuthorizationConfigurationAsync([/* ... */]);
Enable console authorization configuration with automatic scope detection
Parameter Syntax
$result = $client->putConsoleAuthorizationConfiguration([
'targetId' => '<string>',
]);
Parameter Details
Members
- targetId
  - Type: string
  Target account identifier
Result Syntax
[
'consoleAuthorizationEnabled' => true || false,
'scope' => '<string>',
'targetId' => '<string>',
]
Result Details
Members
- consoleAuthorizationEnabled
  - Required: Yes
  - Type: boolean
  Whether console authorization is enabled
- scope
  - Required: Yes
  - Type: string
  Authorization scope
- targetId
  - Required: Yes
  - Type: string
  Target account identifier
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ConflictException:
Error thrown when request conflicts with current state
HTTP Status Code: 409 Conflict
Used when the request conflicts with the current state of the resource
- ResourceNotFoundException:
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
PutResourcePermissionStatement
$result = $client->putResourcePermissionStatement([/* ... */]);
$promise = $client->putResourcePermissionStatementAsync([/* ... */]);
Create a permission statement in the account's SignIn resource-based policy
Parameter Syntax
$result = $client->putResourcePermissionStatement([
'clientToken' => '<string>',
'consoleSourceVpce' => '<string>',
'excludedPrincipal' => '<string>',
'requestedRegion' => '<string>',
'signinSourceVpce' => '<string>',
'sourceIp' => '<string>',
'sourceVpc' => '<string>',
'vpcSourceIp' => '<string>',
]);
Parameter Details
Members
- clientToken
  - Type: string
  Idempotency token for the request
- consoleSourceVpce
  - Type: string
  Console VPC endpoint identifier
- excludedPrincipal
  - Type: string
  Principal to exclude from the permission statement
- requestedRegion
  - Type: string
  AWS region where the VPC and VPC endpoint reside. Required when sourceVpc or signinSourceVpce/consoleSourceVpce is provided.
- signinSourceVpce
  - Type: string
  SignIn VPC endpoint identifier
- sourceIp
  - Type: string
  Source IP address
- sourceVpc
  - Type: string
  VPC identifier to restrict console access
- vpcSourceIp
  - Type: string
  Source IP address within VPC
Result Syntax
[
'statementId' => '<string>',
]
Result Details
Members
- statementId
  - Required: Yes
  - Type: string
  Unique identifier for the created permission statement
Errors
- TooManyRequestsError:
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
- ConflictException:
Error thrown when request conflicts with current state
HTTP Status Code: 409 Conflict
Used when the request conflicts with the current state of the resource
- ServiceQuotaExceededException:
Error thrown when service quota is exceeded
HTTP Status Code: 402 Payment Required (used as quota exceeded indicator)
Used when the request would cause a service quota to be exceeded
- InternalServerException:
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
- ValidationException:
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
- AccessDeniedException:
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
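The resource-policy operations above (PutResourcePermissionStatement, ListResourcePermissionStatements, DeleteResourcePermissionStatement and GetResourcePolicy) combined into one change-and-audit script, added here as an example rather than code from the SDK documentation or the service team. It assumes the SDK's generated Aws\Signin\Exception\SigninException class; the VPC id, region and break-glass role ARN are placeholders, and because no paginator is listed for this client on this page, the list call is paged by hand through nextToken.

```php
<?php
// Added example (not from the SDK documentation or the Sign-In service): manage
// the account's SignIn resource-based policy. Assumptions: the SDK's generated
// exception class Aws\Signin\Exception\SigninException; the VPC id, region and
// break-glass role ARN below are placeholders; ListResourcePermissionStatements
// is paged manually because no paginator is listed for this client.
require 'vendor/autoload.php';

use Aws\Signin\Exception\SigninException;
use Aws\Signin\SigninClient;

// Restrict console sign-in to traffic from one VPC. requestedRegion is required
// whenever sourceVpc (or a VPC endpoint id) is supplied; clientToken makes the
// create idempotent, so a retry after a 429 or a dropped connection cannot
// produce a second statement.
function restrictConsoleToVpc(SigninClient $client, string $vpcId, string $region, string $clientToken, ?string $excludedPrincipal = null): ?string
{
    $params = ['clientToken' => $clientToken, 'sourceVpc' => $vpcId, 'requestedRegion' => $region];
    if ($excludedPrincipal !== null) {
        $params['excludedPrincipal'] = $excludedPrincipal;   // e.g. a break-glass role the statement must not lock out
    }
    try {
        return $client->putResourcePermissionStatement($params)['statementId'];
    } catch (SigninException $e) {
        if ($e->getAwsErrorCode() === 'ConflictException') {   // HTTP 409: conflicts with current state
            return null;
        }
        throw $e;   // 402 quota exceeded, 400 validation, 401/403 access denied: surface to the operator
    }
}

// Return every statement as sid => condition, following nextToken until the
// last page (which carries no nextToken).
function listAllStatements(SigninClient $client, int $pageSize = 20): array
{
    $statements = [];
    $params = ['maxResults' => $pageSize];
    while (true) {
        $page = $client->listResourcePermissionStatements($params);
        foreach ($page['permissionStatements'] as $s) {
            $statements[$s['sid']] = $s['condition'] ?? [];
        }
        if (empty($page['nextToken'])) {
            return $statements;
        }
        $params['nextToken'] = $page['nextToken'];
    }
}

// Delete by statementId; treat 404 as "already gone" so a retried delete is harmless.
function deleteStatement(SigninClient $client, string $statementId, string $clientToken): bool
{
    try {
        $client->deleteResourcePermissionStatement(['statementId' => $statementId, 'clientToken' => $clientToken]);
        return true;
    } catch (SigninException $e) {
        if ($e->getAwsErrorCode() === 'ResourceNotFoundException') {
            return false;
        }
        throw $e;
    }
}

$client = new SigninClient(['region' => 'us-east-1', 'version' => '2023-01-01']);

// Placeholders: substitute the real VPC id and a role that must keep console access.
$sid = restrictConsoleToVpc($client, 'vpc-PLACEHOLDER', 'us-east-1', bin2hex(random_bytes(16)),
    'arn:aws:iam::111122223333:role/BreakGlassPlaceholder');
echo $sid === null ? "statement already present (409)\n" : "created statement {$sid}\n";

// Audit: every statement's condition block should be reviewed before anyone
// relies on the restriction, and the consolidated policy should reflect it.
foreach (listAllStatements($client) as $id => $condition) {
    echo $id, ': ', json_encode($condition), PHP_EOL;
}
$policy = $client->getResourcePolicy([])['signinResourceBasedPolicy'];
echo 'effective statements: ', count($policy['statement'] ?? []), ' (version ', $policy['version'] ?? 'n/a', ")\n";

// Roll back when the change was wrong; a second run reports false instead of failing.
if ($sid !== null && getenv('SIGNIN_ROLLBACK') === '1') {
    var_dump(deleteStatement($client, $sid, bin2hex(random_bytes(16))));
}
```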
Shapes
AccessDeniedException
Description
Error thrown for access denied scenarios with flexible HTTP status mapping
Runtime HTTP Status Code Mapping:
- HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
- HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS
The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating the specific type of access denial. Can be TOKEN_EXPIRED, AUTHCODE_EXPIRED, USER_CREDENTIALS_CHANGED, or INSUFFICIENT_PERMISSIONS.
- message
  - Required: Yes
  - Type: string
  Detailed message explaining the access denial. Provides specific information about why access was denied.
AccessToken
Description
AWS credentials structure containing temporary access credentials
The scoped-down, 15-minute duration AWS credentials. Scoping down will be based on CLI policy (CLI team needs to create it). Similar to cloud shell implementation.
Members
- accessKeyId
  - Required: Yes
  - Type: string
  AWS access key ID for temporary credentials
- secretAccessKey
  - Required: Yes
  - Type: string
  AWS secret access key for temporary credentials
- sessionToken
  - Required: Yes
  - Type: string
  AWS session token for temporary credentials
ConflictException
Description
Error thrown when request conflicts with current state
HTTP Status Code: 409 Conflict
Used when the request conflicts with the current state of the resource
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating conflict. Will be CONFLICT.
- message
  - Required: Yes
  - Type: string
  Detailed message explaining the conflict. Provides specific information about what caused the conflict.
CreateOAuth2TokenRequestBody
Description
Request body payload for CreateOAuth2Token operation
The operation type is determined by the grant_type parameter:
- grant_type=authorization_code: Requires code, redirect_uri, code_verifier
- grant_type=refresh_token: Requires refresh_token
Members
- clientId
  - Required: Yes
  - Type: string
  The client identifier (ARN) used during Sign-In onboarding. Required for both authorization code and refresh token flows.
- code
  - Type: string
  The authorization code received from /v1/authorize. Required only when grant_type=authorization_code.
- codeVerifier
  - Type: string
  PKCE code verifier to prove possession of the original code challenge. Required only when grant_type=authorization_code.
- grantType
  - Required: Yes
  - Type: string
  OAuth 2.0 grant type, which determines which flow is used. Must be "authorization_code" or "refresh_token".
- redirectUri
  - Type: string
  The redirect URI that must match the original authorization request. Required only when grant_type=authorization_code.
- refreshToken
  - Type: string
  The refresh token returned from auth_code redemption. Required only when grant_type=refresh_token.
CreateOAuth2TokenResponseBody
Description
Response body payload for CreateOAuth2Token operation
The response content depends on the grant_type from the request:
- grant_type=authorization_code: Returns all fields including refresh_token and id_token
- grant_type=refresh_token: Returns access_token, token_type, expires_in, refresh_token (no id_token)
Members
- accessToken
  - Required: Yes
  - Type: AccessToken structure
  Scoped-down AWS credentials (15 minute duration). Present for both authorization code redemption and token refresh.
- expiresIn
  - Required: Yes
  - Type: int
  Time to expiry in seconds (maximum 900). Present for both authorization code redemption and token refresh.
- idToken
  - Type: string
  ID token containing user identity information. Present only in the authorization code redemption response (grant_type=authorization_code); not included in token refresh responses.
- refreshToken
  - Required: Yes
  - Type: string
  Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of the presented jwk). Always present in responses (required for both flows).
- tokenType
  - Required: Yes
  - Type: string
  Token type indicating that these are AWS SigV4 credentials. Value is "aws_sigv4" for both flows.
InternalServerException
Description
Error thrown when an internal server error occurs
HTTP Status Code: 500 Internal Server Error
Used for unexpected server-side errors that prevent request processing.
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating server error. Will be SERVER_ERROR for internal server errors.
- message
  - Required: Yes
  - Type: string
  Detailed message explaining the server error. May include error details for debugging purposes.
PermissionStatementSummary
Description
Summary of a permission statement
Members
- condition
  - Type: Associative array of custom string keys (ConditionType) to maps
  Condition block for the permission statement
- sid
  - Required: Yes
  - Type: string
  Unique identifier for the permission statement
PolicyStatement
Description
Individual policy statement within a resource-based policy
Members
- action
  - Type: Array of strings
  Actions the statement controls
- condition
  - Type: Associative array of custom string keys (ConditionType) to maps
  Condition block for the statement
- effect
  - Type: string
  Effect of the policy statement (Allow/Deny)
- principal
  - Type: Associative array of custom string keys (String) to strings
  Principal the statement applies to
- resource
  - Type: string
  Resource the statement applies to
ResourceNotFoundException
Description
Error thrown when requested resource is not found
HTTP Status Code: 404 Not Found
Used when the specified resource does not exist
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating resource not found. Will be RESOURCE_NOT_FOUND.
- message
  - Required: Yes
  - Type: string
  Detailed message explaining which resource was not found. Provides specific information about the missing resource.
ServiceQuotaExceededException
Description
Error thrown when service quota is exceeded
HTTP Status Code: 402 Payment Required (used as quota exceeded indicator)
Used when the request would cause a service quota to be exceeded
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating service quota exceeded. Will be SERVICE_QUOTA_EXCEEDED.
- message
  - Required: Yes
  - Type: string
  Detailed message explaining which quota was exceeded. Provides specific information about the limit and current usage.
SigninResourceBasedPolicy
Description
SignIn resource-based policy document
Members
- statement
  - Type: Array of PolicyStatement structures
  Policy statements
- version
  - Type: string
  Policy version
TooManyRequestsError
Description
Error thrown when rate limit is exceeded
HTTP Status Code: 429 Too Many Requests
Possible OAuth2ErrorCode values:
- INVALID_REQUEST: Rate limiting, too many requests, abuse prevention
Possible causes:
- Too many token requests from the same client
- Rate limiting based on client_id or IP address
- Abuse prevention mechanisms triggered
- Service protection against excessive token generation
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating the specific type of error. Will be INVALID_REQUEST for rate limiting scenarios.
- message
  - Required: Yes
  - Type: string
  Detailed message about the rate limiting. May include retry-after information or rate limit details.
ValidationException
Description
Error thrown when request validation fails
HTTP Status Code: 400 Bad Request
Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.
Members
- error
  - Required: Yes
  - Type: string
  OAuth 2.0 error code indicating validation failure. Will be INVALID_REQUEST for validation errors.
- message
  - Required: Yes
  - Type: string
  Detailed message explaining the validation failure. Provides specific information about which validation failed.