GetResourceOauth2Token
Returns the OAuth 2.0 token of the provided resource.
Request Syntax
POST /identities/oauth2/token HTTP/1.1
Content-type: application/json

{
   "customParameters": {
      "string" : "string"
   },
   "customState": "string",
   "forceAuthentication": boolean,
   "oauth2Flow": "string",
   "resourceCredentialProviderName": "string",
   "resourceOauth2ReturnUrl": "string",
   "scopes": [ "string" ],
   "sessionUri": "string",
   "workloadIdentityToken": "string"
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
- customParameters
-
A map of custom parameters to include in the authorization request to the resource credential provider. These parameters are in addition to the standard OAuth 2.0 flow parameters, and will not override them.
Type: String to string map
Key Length Constraints: Minimum length of 1. Maximum length of 256.
Key Pattern:
[a-zA-Z0-9\-_\.]+
Value Length Constraints: Minimum length of 1. Maximum length of 2048.
Required: No
- customState
-
An opaque string that will be sent back to the callback URL provided in resourceOauth2ReturnUrl. Use this state to protect the callback URL of your application against CSRF attacks: generate an unguessable value per request, keep it server-side, and reject any callback whose returned state does not match, so that each response is tied to the request that started it.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 4096.
Required: No
- forceAuthentication
-
Indicates whether to always initiate a new three-legged OAuth (3LO) flow, regardless of any existing session.
Type: Boolean
Required: No
- oauth2Flow
-
The type of flow to be performed.
Type: String
Valid Values:
USER_FEDERATION | M2M
Required: Yes
- resourceCredentialProviderName
-
The name of the resource's credential provider.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern:
[a-zA-Z0-9\-_]+
Required: Yes
- resourceOauth2ReturnUrl
-
The callback URL to redirect to after the OAuth 2.0 token retrieval is complete. This URL must be one of the provided URLs configured for the workload identity.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 2048.
Pattern:
\w+:(\/?\/?)[^\s]+
Required: No
- scopes
-
The OAuth scopes being requested.
Type: Array of strings
Length Constraints: Minimum length of 1. Maximum length of 128.
Required: Yes
- sessionUri
-
Unique identifier for the user's authentication session for retrieving OAuth2 tokens. This ID tracks the authorization flow state across multiple requests and responses during the OAuth2 authentication process.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 1024.
Pattern:
urn:ietf:params:oauth:request_uri:[a-zA-Z0-9-._~]+
Required: No
- workloadIdentityToken
-
The identity token of the workload from which you want to retrieve the OAuth2 token.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 131072.
Required: Yes
Response Syntax
HTTP/1.1 200
Content-type: application/json
{
"accessToken": "string",
"authorizationUrl": "string",
"sessionStatus": "string",
"sessionUri": "string"
}
Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
- accessToken
-
The OAuth 2.0 access token to use.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 131072.
- authorizationUrl
-
The URL to initiate the authorization process, provided when the access token requires user authorization.
Type: String
Length Constraints: Minimum length of 1.
- sessionStatus
-
Status indicating whether the user's authorization session is in progress or has failed. This helps determine the next steps in the OAuth2 authentication flow.
Type: String
Valid Values:
IN_PROGRESS | FAILED
- sessionUri
-
Unique identifier for the user's authorization session for retrieving OAuth2 tokens. This matches the sessionUri from the request and can be used to track the session state.
Type: String
Length Constraints: Minimum length of 1. Maximum length of 1024.
Pattern:
urn:ietf:params:oauth:request_uri:[a-zA-Z0-9-._~]+
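The request constraints and the two-step USER_FEDERATION session described above, as an added example that is not part of the AWS reference and not AWS SDK code. It validates a request body against the documented patterns and limits before sending, generates an unguessable customState and checks it in constant time when the callback arrives, and classifies each response (accessToken versus authorizationUrl plus sessionUri) into the caller's next action. The HTTPS call itself is replaced by FakeTokenService, a constructed stand-in so the example runs offline; in a real deployment that post() would be the SDK's signed call to POST /identities/oauth2/token, and the endpoint, provider and token values used here are placeholders.

```python
import re
import secrets

# Constraints copied from the reference page, enforced client-side so a bad
# request is rejected before it reaches the service.
KEY_RE = re.compile(r"[a-zA-Z0-9\-_\.]+")
PROVIDER_RE = re.compile(r"[a-zA-Z0-9\-_]+")
RETURN_URL_RE = re.compile(r"\w+:(\/?\/?)[^\s]+")
SESSION_URI_RE = re.compile(r"urn:ietf:params:oauth:request_uri:[a-zA-Z0-9\-._~]+")
VALID_FLOWS = {"USER_FEDERATION", "M2M"}


def new_custom_state() -> str:
    """Unguessable per-request customState; the callback handler compares it."""
    return secrets.token_urlsafe(32)


def build_request(workload_identity_token, provider_name, scopes, oauth2_flow,
                  return_url=None, custom_state=None, custom_parameters=None,
                  session_uri=None, force_authentication=None) -> dict:
    """Build the JSON body for POST /identities/oauth2/token."""
    if not 1 <= len(workload_identity_token) <= 131072:
        raise ValueError("workloadIdentityToken length out of range")
    if oauth2_flow not in VALID_FLOWS:
        raise ValueError("oauth2Flow must be USER_FEDERATION or M2M")
    if not (1 <= len(provider_name) <= 128 and PROVIDER_RE.fullmatch(provider_name)):
        raise ValueError("invalid resourceCredentialProviderName")
    if not 1 <= len(scopes) <= 128:
        raise ValueError("scopes must hold 1..128 entries")
    body = {"workloadIdentityToken": workload_identity_token,
            "resourceCredentialProviderName": provider_name,
            "scopes": list(scopes), "oauth2Flow": oauth2_flow}
    if return_url is not None:
        if not (len(return_url) <= 2048 and RETURN_URL_RE.fullmatch(return_url)):
            raise ValueError("invalid resourceOauth2ReturnUrl")
        body["resourceOauth2ReturnUrl"] = return_url
    if custom_state is not None:
        if not 1 <= len(custom_state) <= 4096:
            raise ValueError("customState length out of range")
        body["customState"] = custom_state
    if custom_parameters:
        for k, v in custom_parameters.items():
            if not (1 <= len(k) <= 256 and KEY_RE.fullmatch(k) and 1 <= len(v) <= 2048):
                raise ValueError(f"invalid customParameters entry {k!r}")
        body["customParameters"] = dict(custom_parameters)
    if session_uri is not None:
        if not (len(session_uri) <= 1024 and SESSION_URI_RE.fullmatch(session_uri)):
            raise ValueError("invalid sessionUri")
        body["sessionUri"] = session_uri
    if force_authentication is not None:
        body["forceAuthentication"] = bool(force_authentication)
    return body


def next_step(response: dict):
    """Map a response to the caller's next action: use the token, or send the
    user to authorizationUrl and resume later with the same sessionUri."""
    if response.get("accessToken"):
        return ("use_token", response["accessToken"])
    if response.get("sessionStatus") == "FAILED":
        raise RuntimeError("authorization session FAILED; start a new one")
    if response.get("authorizationUrl"):
        return ("redirect_user", response["authorizationUrl"], response["sessionUri"])
    raise RuntimeError("unexpected response shape")


def callback_state_ok(returned_state: str, expected_state: str) -> bool:
    """Constant-time check of the state echoed to resourceOauth2ReturnUrl."""
    return secrets.compare_digest(returned_state, expected_state)


class FakeTokenService:
    """Constructed stand-in for the service so the example runs offline.
    M2M answers with a token at once; USER_FEDERATION first returns an
    authorizationUrl and only yields a token once the session was consented."""
    def __init__(self):
        self.consented, self.state_by_session = set(), {}

    def post(self, body: dict) -> dict:
        if body["oauth2Flow"] == "M2M":
            return {"accessToken": "m2m-token-constructed"}
        uri = body.get("sessionUri")
        if uri in self.consented:
            return {"accessToken": "3lo-token-constructed", "sessionUri": uri}
        uri = "urn:ietf:params:oauth:request_uri:" + secrets.token_hex(8)
        self.state_by_session[uri] = body.get("customState")
        return {"authorizationUrl": "https://idp.example/authorize?req=" + uri,
                "sessionUri": uri, "sessionStatus": "IN_PROGRESS"}

    def user_consents(self, uri: str) -> str:
        """Simulated browser leg: returns the state the provider echoes back."""
        self.consented.add(uri)
        return self.state_by_session[uri]


def run_user_federation(service, **kwargs):
    """Drive a full 3LO session: first call, user consent, state check, resume."""
    state = new_custom_state()
    step = next_step(service.post(build_request(custom_state=state, **kwargs)))
    if step[0] != "redirect_user":
        return step
    echoed = service.user_consents(step[2])
    if not callback_state_ok(echoed, state):
        raise RuntimeError("state mismatch: reject the callback (possible CSRF)")
    return next_step(service.post(build_request(session_uri=step[2], **kwargs)))
```

The second call reuses every original argument plus the sessionUri from the first response, which is how the service correlates the resumed request with the pending session; the customState comparison happens before that resume, so a callback that was not initiated by this client never advances the flow.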
Errors
For information about the errors that are common to all actions, see Common Errors.
- AccessDeniedException
-
The exception that occurs when you do not have sufficient permissions to perform an action. Verify that your IAM policy includes the necessary permissions for the operation you are trying to perform.
HTTP Status Code: 403
- InternalServerException
-
The exception that occurs when the service encounters an unexpected internal error. This is a temporary condition that will resolve itself with retries. We recommend implementing exponential backoff retry logic in your application.
HTTP Status Code: 500
- ResourceNotFoundException
-
The exception that occurs when the specified resource does not exist. This can happen when using an invalid identifier or when trying to access a resource that has been deleted.
HTTP Status Code: 404
- ThrottlingException
-
The exception that occurs when the request was denied due to request throttling. This happens when you exceed the allowed request rate for an operation. Reduce the frequency of requests or implement exponential backoff retry logic in your application.
HTTP Status Code: 429
- UnauthorizedException
-
This exception is thrown when the JWT bearer token is invalid or not found for OAuth bearer token based access.
HTTP Status Code: 401
- ValidationException
-
The exception that occurs when the input fails to satisfy the constraints specified by the service. Check the error message for details about which input parameter is invalid and correct your request.
HTTP Status Code: 400
See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following: