View a markdown version of this page

Sign-In with OAuth 2.0 - AWS Sign-In

Sign-In with OAuth 2.0

OAuth overview

With AWS Sign-In industry-standard OAuth 2.0 support, agents and applications can access supported AWS services using OAuth authorization.

OAuth integrates with your existing AWS identities and authorization model. Applications obtain short-lived OAuth tokens through AWS Sign-In. OAuth tokens work with your existing IAM identities, policies, service control policies (SCPs), resource control policies (RCPs), and other AWS authorization controls. OAuth introduces a standards-based authorization model without changing how access to AWS resources is governed.

With AWS Sign-In, you can authorize applications through a browser (interactive), or applications with existing AWS credentials can obtain OAuth access tokens programmatically (non-interactive).

Supported capabilities

AWS Sign-In provides the following OAuth capabilities.

Capability Description
Interactive authorization Browser-based OAuth authorization for users.
Non-interactive authorization OAuth authorization for agents and applications using existing AWS credentials without requiring a browser.
Token management Issue and introspect access and refresh tokens, and revoke refresh tokens.
Dynamic client registration Register approved OAuth-compatible applications with AWS Sign-In.
IAM integration Govern OAuth authorization using IAM permissions, resources, and condition keys.
CloudTrail integration Audit OAuth authorization and token lifecycle events using AWS CloudTrail.

How OAuth works

OAuth authorization in AWS Sign-In follows the OAuth 2.0 standard.

  1. An agent or application requests authorization to access a supported AWS service.

  2. AWS Sign-In authenticates the user.

  3. AWS Sign-In issues OAuth tokens that authorize the application to access the requested AWS service on behalf of the user.

  4. The AWS service evaluates every request using the existing AWS authorization model, including IAM policies, service control policies (SCPs), resource control policies (RCPs), permission boundaries, and other applicable controls.

OAuth tokens authorize an application to access a supported AWS service. They do not grant additional AWS permissions. Applications can perform only the actions already permitted by the authenticated IAM identity.

Authorization models

AWS Sign-In supports two OAuth authorization models.

Interactive authorization

Interactive authorization is intended for developers using browser-based authentication.

AWS Sign-In enforces the OAuth 2.1 Authorization Code Grant with Proof Key for Code Exchange (PKCE). When an application requires authorization, it redirects the user to AWS Sign-In, where the user authenticates, reviews the authorization request, and grants consent.

After successful authorization, AWS Sign-In issues:

  • Access tokens – Short-lived OAuth tokens (up to one hour) that authorize applications to access supported AWS services.

  • Refresh tokens – Used to obtain new access tokens without requiring the user to authenticate again. AWS Sign-In automatically manages token refresh for authorized applications.

Interactive authorization supports:

  • IAM users

  • AWS account root users

  • IAM Identity Center users

  • SAML and Custom Identity broker users

For a walkthrough of connecting an agent using interactive authorization, see AWS MCP Server.

Non-interactive authorization

Non-interactive authorization is intended for agents and applications that already possess AWS credentials and cannot perform browser-based authentication.

AWS Sign-In implements the OAuth 2.0 Client Credentials Grant using AWS Signature Version 4 (SigV4) credentials instead of a static OAuth client secret. Applications authenticate to the AWS Sign-In token endpoint using existing AWS credentials and receive a short-lived OAuth access token that can be used to access supported AWS services.

The client credentials grant issues only access tokens (no refresh tokens). Request a new access token when the current token expires.

For a walkthrough of connecting an application using non-interactive authorization, see AWS MCP Server.

Security model

OAuth authorization integrates with the existing AWS security model. AWS Sign-In extends this authorization model with OAuth-specific capabilities, including:

These capabilities allow administrators to govern OAuth authorization using the same IAM authorization model they already use across AWS.

OAuth endpoints

AWS Sign-In provides the following OAuth endpoints.

Endpoint Path Description
Authorization /v1/authorize Initiates the interactive authorization flow.
Token /v1/token Exchanges authorization codes, refresh tokens, or client credentials for OAuth tokens.
Introspection /v1/introspect Returns metadata about an OAuth token.
Revocation /v1/revoke Revokes a refresh token.
Dynamic Client Registration /v1/register Registers approved OAuth clients with AWS Sign-In. Only allowlisted redirect URIs are accepted.

Use this regional endpoint for the OAuth flow at https://{region}.oauth.signin.aws. For a list of possible region values, see the Region column in AWS Sign-In endpoints.