/AWS1/IF_SIS=>CREATEOAUTH2TOKEN()

About CreateOAuth2Token

CreateOAuth2Token API

Path: /v1/token
Request Method: POST
Content-Type: application/json or application/x-www-form-urlencoded

This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:

1. Authorization code redemption (grant_type=authorization_code) - NOT idempotent
2. Token refresh (grant_type=refresh_token) - Idempotent within token validity window

The operation behavior is determined by the grant_type parameter in the request body:

Authorization Code Flow (NOT Idempotent):

- JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier
- Returns access_token, token_type, expires_in, refresh_token, and id_token
- Each authorization code can only be used ONCE for security (prevents replay attacks)

Token Refresh Flow (Idempotent):

- JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token
- Returns access_token, token_type, expires_in, and refresh_token (no id_token)
- Multiple calls with same refresh_token return consistent results within validity window

Authentication and authorization:

- Confidential clients: sigv4 signing required with signin:ExchangeToken permissions
- CLI clients (public): authn/authz skipped based on client_id & grant_type

Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.

Method Signature

METHODS /AWS1/IF_SIS~CREATEOAUTH2TOKEN
  IMPORTING
    !IO_TOKENINPUT TYPE REF TO /AWS1/CL_SISCREO2TOKENREQBODY OPTIONAL
  RETURNING
    VALUE(OO_OUTPUT) TYPE REF TO /aws1/cl_siscreateo2tokenrsp
  RAISING
    /AWS1/CX_SISACCESSDENIEDEX
    /AWS1/CX_SISINTERNALSERVEREX
    /AWS1/CX_SISTOOMANYREQSERROR
    /AWS1/CX_SISVLDTNEXCEPTION
    /AWS1/CX_SISCLIENTEXC
    /AWS1/CX_SISSERVEREXC
    /AWS1/CX_RT_TECHNICAL_GENERIC
    /AWS1/CX_RT_SERVICE_GENERIC.

IMPORTING

Required arguments:

io_tokeninput TYPE REF TO /AWS1/CL_SISCREO2TOKENREQBODY

Flattened token operation inputs. The specific operation is determined by grant_type in the request body.

RETURNING

oo_output TYPE REF TO /AWS1/CL_SISCREATEO2TOKENRSP

Examples

Syntax Example

This is an example of the syntax for calling the method. It includes every possible argument and initializes every possible value. The data provided is not necessarily semantically accurate (for example the value "string" may be provided for something that is intended to be an instance ID, or in some cases two arguments may be mutually exclusive). The syntax shows the ABAP syntax for creating the various data structures.

DATA(lo_result) = lo_client->createoauth2token(
  io_tokeninput = new /aws1/cl_siscreo2tokenreqbody(
    iv_clientid = |string|
    iv_code = |string|
    iv_codeverifier = |string|
    iv_granttype = |string|
    iv_redirecturi = |string|
    iv_refreshtoken = |string|
  )
).

This is an example of reading all possible response values

" lo_result is the value returned by the createoauth2token( ) call above.
IF lo_result IS NOT INITIAL.
  DATA(lo_createoauth2tokenrespon) = lo_result->get_tokenoutput( ).
  IF lo_createoauth2tokenrespon IS NOT INITIAL.
    " The access token object carries an access key ID, a secret access key
    " and a session token.
    DATA(lo_accesstoken) = lo_createoauth2tokenrespon->get_accesstoken( ).
    IF lo_accesstoken IS NOT INITIAL.
      DATA(lv_string) = lo_accesstoken->get_accesskeyid( ).
      lv_string = lo_accesstoken->get_secretaccesskey( ).
      lv_string = lo_accesstoken->get_sessiontoken( ).
    ENDIF.
    DATA(lv_tokentype) = lo_createoauth2tokenrespon->get_tokentype( ).
    DATA(lv_expiresin) = lo_createoauth2tokenrespon->get_expiresin( ).
    DATA(lv_refreshtoken) = lo_createoauth2tokenrespon->get_refreshtoken( ).
    " id_token is returned by the authorization code flow only.
    DATA(lv_idtoken) = lo_createoauth2tokenrespon->get_idtoken( ).
  ENDIF.
ENDIF.
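
Handling the two grant types differently

The two flows described under "About CreateOAuth2Token" differ in whether a request may safely be repeated. The following is an added example, not code from the SDK or from the original page: it wraps the documented method so that an authorization code is redeemed with a single call, while a token refresh is retried a bounded number of times on /AWS1/CX_SISTOOMANYREQSERROR. The class lcl_token_flows, its method and parameter names, the limit of three attempts, the linear wait, and the choice to retry only on throttling are assumptions.

```abap
" Added example, not SDK code; class, method and parameter names are hypothetical.
CLASS lcl_token_flows DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS redeem_code
      IMPORTING io_client TYPE REF TO /aws1/if_sis
                iv_clientid TYPE string  iv_code TYPE string
                iv_redirecturi TYPE string  iv_codeverifier TYPE string
      RETURNING VALUE(ro_out) TYPE REF TO /aws1/cl_siscreateo2tokenrsp
      RAISING   /aws1/cx_sisaccessdeniedex /aws1/cx_sisinternalserverex
                /aws1/cx_sistoomanyreqserror /aws1/cx_sisvldtnexception
                /aws1/cx_sisclientexc /aws1/cx_sisserverexc
                /aws1/cx_rt_technical_generic /aws1/cx_rt_service_generic.
    CLASS-METHODS refresh
      IMPORTING io_client TYPE REF TO /aws1/if_sis
                iv_clientid TYPE string  iv_refreshtoken TYPE string
      RETURNING VALUE(ro_out) TYPE REF TO /aws1/cl_siscreateo2tokenrsp
      RAISING   /aws1/cx_sisaccessdeniedex /aws1/cx_sisinternalserverex
                /aws1/cx_sistoomanyreqserror /aws1/cx_sisvldtnexception
                /aws1/cx_sisclientexc /aws1/cx_sisserverexc
                /aws1/cx_rt_technical_generic /aws1/cx_rt_service_generic.
ENDCLASS.
CLASS lcl_token_flows IMPLEMENTATION.
  METHOD redeem_code.
    " Single call, never retried: each authorization code is usable once.
    ro_out = io_client->createoauth2token(
      io_tokeninput = NEW /aws1/cl_siscreo2tokenreqbody(
        iv_clientid     = iv_clientid  iv_granttype = |authorization_code|
        iv_code         = iv_code
        iv_redirecturi  = iv_redirecturi
        iv_codeverifier = iv_codeverifier ) ).
  ENDMETHOD.
  METHOD refresh.
    " Refresh is idempotent within the validity window, so a bounded retry is safe.
    DATA(lo_body) = NEW /aws1/cl_siscreo2tokenreqbody(
      iv_clientid     = iv_clientid  iv_granttype = |refresh_token|
      iv_refreshtoken = iv_refreshtoken ).
    DO 3 TIMES.
      DATA(lv_attempt) = sy-index.
      TRY.
          ro_out = io_client->createoauth2token( io_tokeninput = lo_body ).
          RETURN.
        CATCH /aws1/cx_sistoomanyreqserror INTO DATA(lo_throttled).
          IF lv_attempt = 3.
            RAISE EXCEPTION lo_throttled.
          ENDIF.
          WAIT UP TO lv_attempt SECONDS.
      ENDTRY.
    ENDDO.
  ENDMETHOD.
ENDCLASS.
```

WAIT UP TO releases the work process and triggers an implicit database commit, so call refresh outside an open database transaction.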