aws-sdk-core 3.133.0 → 3.136.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9754ce1d6124cd05648525d279d71ce70a559c647d63ba1bedf89d57860db757
-  data.tar.gz: 0f324b45cd2550ac44a3e7b2f33198c57ab40f68b24bd8ebcf3b08e08a985a93
+  metadata.gz: 4eff23899ad65b2216827b94ccd1dac1af4bb745f8e2fa678cd1d03cabecd695
+  data.tar.gz: b8ab13643d0608277ca9f73e7205f48c892e6d2701b106d70e06faf5d5b6caff
 SHA512:
-  metadata.gz: 5e7ae00a8ff1b94081534c5a0cb2c49f0b7b5f51b346e879755c087e90b91b36be6fba0177ddde266dd1094a8819945e02f6f0c61a540ff1c11fceddf1c93998
-  data.tar.gz: 012eaa760fe82f0f6c3b1a62ec00689fa0cf6fd283a438cd9ef290eff2816fac2cf08f5eaab618c0a8437d209cb46de43b8a0639fb13cddfaa129a82a576b8be
+  metadata.gz: cad017d37382b5d9bd75029f288cc5bf0955d5badb2746e45d077ca92d79733355e1c9cadd92da668b094c3144c770b15dade821d0a2eb3da87f9bc160b6a325
+  data.tar.gz: eb6f1a7c8521c612ffa96a6735adb9a126f11b4e3c2110aa4d74d3a10fa27aa7d5582cc43f04ecb7529fb00a2c441a97b24aa33ef9d5e10bb1643814ff08cec0

data/CHANGELOG.md

@@ -1,6 +1,24 @@
 Unreleased Changes
 ------------------
 
+3.136.0 (2022-08-25)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.135.0 (2022-08-24)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+3.134.0 (2022-08-23)
+------------------
+
+* Feature - Updated Aws::SSO::Client with the latest API changes.
+
+* Feature - Add support for Bearer Token Authentication and TokenProviders.
+* Issue - Validate that `_X_AMZN_TRACE_ID` ENV value contains only valid, non-control characters.
+
 3.133.0 (2022-08-22)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-3.133.0
+3.136.0

data/lib/aws-sdk-core/errors.rb

@@ -210,6 +210,19 @@ module Aws
     # Raised when SSO Credentials are invalid
     class InvalidSSOCredentials < RuntimeError; end
 
+    # Raised when SSO Token is invalid
+    class InvalidSSOToken < RuntimeError; end
+
+    # Raised when a client is unable to sign a request because
+    # the bearer token is not configured or available
+    class MissingBearerTokenError < RuntimeError
+      def initialize(*args)
+        msg = 'unable to sign request without token set'
+        super(msg)
+      end
+    end
+
+
     # Raised when there is a circular reference in chained
     # source_profiles
     class SourceProfileCircularReferenceError < RuntimeError; end

data/lib/aws-sdk-core/plugins/bearer_authorization.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  module Plugins
+    # @api private
+    class BearerAuthorization < Seahorse::Client::Plugin
+
+      option(:token_provider,
+             required: false,
+             doc_type: 'Aws::TokenProvider',
+             docstring: <<-DOCS
+A Bearer Token Provider. This can be an instance of any one of the
+following classes:
+
+* `Aws::StaticTokenProvider` - Used for configuring static, non-refreshing
+  tokens.
+
+* `Aws::SSOTokenProvider` - Used for loading tokens from AWS SSO using an
+  access token generated from `aws login`.
+
+When `:token_provider` is not configured directly, the `Aws::TokenProviderChain`
+will be used to search for tokens configured for your profile in shared configuration files.
+      DOCS
+      ) do |config|
+        if config.stub_responses
+          StaticTokenProvider.new('token')
+        else
+          TokenProviderChain.new(config).resolve
+        end
+      end
+
+
+      def add_handlers(handlers, cfg)
+        bearer_operations =
+          if cfg.api.metadata['signatureVersion'] == 'bearer'
+            # select operations where authtype is either not set or is bearer
+            cfg.api.operation_names.select do |o|
+              !cfg.api.operation(o)['authtype'] || cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          else # service is not bearer auth
+            # select only operations where authtype is explicitly bearer
+            cfg.api.operation_names.select do |o|
+              cfg.api.operation(o)['authtype'] == 'bearer'
+            end
+          end
+        handlers.add(Handler, step: :sign, operations: bearer_operations)
+      end
+
+      class Handler < Seahorse::Client::Handler
+        def call(context)
+          if context.http_request.endpoint.scheme != 'https'
+            raise ArgumentError, 'Unable to use bearer authorization on non https endpoint.'
+          end
+
+          token_provider = context.config.token_provider
+          if token_provider && token_provider.set?
+            context.http_request.headers['Authorization'] = "Bearer #{token_provider.token.token}"
+          else
+            raise Errors::MissingBearerTokenError
+          end
+          @handler.call(context)
+        end
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/plugins/recursion_detection.rb

@@ -11,12 +11,21 @@ module Aws
 
           unless context.http_request.headers.key?('x-amzn-trace-id')
             if ENV['AWS_LAMBDA_FUNCTION_NAME'] &&
-              (trace_id = ENV['_X_AMZN_TRACE_ID'])
+              (trace_id = validate_header(ENV['_X_AMZN_TRACE_ID']))
               context.http_request.headers['x-amzn-trace-id'] = trace_id
             end
           end
           @handler.call(context)
         end
+
+        private
+        def validate_header(header_value)
+          if (header_value.chars & (0..31).map(&:chr)).any?
+            raise ArgumentError, 'Invalid _X_AMZN_TRACE_ID value: '\
+              'contains ASCII control characters'
+          end
+          header_value
+        end
       end
 
       # should be at the end of build so that

data/lib/aws-sdk-core/plugins/signature_v4.rb

@@ -7,6 +7,8 @@ module Aws
     # @api private
     class SignatureV4 < Seahorse::Client::Plugin
 
+      V4_AUTH = %w[v4 v4-unsigned-payload v4-unsigned-body]
+
       option(:sigv4_signer) do |cfg|
         SignatureV4.build_signer(cfg)
       end
@@ -32,13 +34,16 @@ module Aws
       end
 
       option(:unsigned_operations) do |cfg|
-        cfg.api.operation_names.inject([]) do |unsigned, operation_name|
-          if cfg.api.operation(operation_name)['authtype'] == 'none' ||
-             cfg.api.operation(operation_name)['authtype'] == 'custom'
-            # Unsign requests that has custom apigateway authorizer as well
-            unsigned << operation_name
-          else
-            unsigned
+        if cfg.api.metadata['signatureVersion'] == 'v4'
+          # select operations where authtype is set and is not v4
+          cfg.api.operation_names.select do |o|
+            cfg.api.operation(o)['authtype'] && !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
+          end
+        else # service is not v4 auth
+          # select all operations where authtype is not v4
+          # (includes operations with no explicit authtype)
+          cfg.api.operation_names.select do |o|
+            !V4_AUTH.include?(cfg.api.operation(o)['authtype'])
           end
         end
       end

data/lib/aws-sdk-core/refreshing_token.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+require 'thread'
+
+module Aws
+
+  # Module/mixin used by token provider classes that can be refreshed. This
+  # provides basic refresh logic in a thread-safe manner. Classes mixing in
+  # this module are expected to implement a #refresh method that populates
+  # the following instance variable:
+  #
+  # * `@token` [Token] - {Aws::Token} object with the `expiration` and `token`
+  #       fields set.
+  #
+  # @api private
+  module RefreshingToken
+
+    def initialize(options = {})
+      @mutex = Mutex.new
+      @before_refresh = options.delete(:before_refresh) if Hash === options
+
+      @before_refresh.call(self) if @before_refresh
+      refresh
+    end
+
+    # @return [Token]
+    def token
+      refresh_if_near_expiration
+      @token
+    end
+
+    # @return [Time,nil]
+    def expiration
+      refresh_if_near_expiration
+      @expiration
+    end
+
+    # Refresh token.
+    # @return [void]
+    def refresh!
+      @mutex.synchronize do
+        @before_refresh.call(self) if @before_refresh
+        refresh
+      end
+    end
+
+    private
+
+    # Refreshes token if it is within
+    # 5 minutes of expiration.
+    def refresh_if_near_expiration
+      if near_expiration?
+        @mutex.synchronize do
+          if near_expiration?
+            @before_refresh.call(self) if @before_refresh
+            refresh
+          end
+        end
+      end
+    end
+
+    def near_expiration?
+      if @token && @token.expiration
+        # are we within 5 minutes of expiration?
+        (Time.now.to_i + 5 * 60) > @token.expiration.to_i
+      else
+        true
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/shared_config.rb

@@ -4,6 +4,9 @@ module Aws
   # @api private
   class SharedConfig
     SSO_PROFILE_KEYS = %w[sso_start_url sso_region sso_account_id sso_role_name].freeze
+    SSO_TOKEN_PROFILE_KEYS = %w[sso_session].freeze
+    SSO_SESSION_KEYS = %w[sso_region]
+
 
     # @return [String]
     attr_reader :credentials_path
@@ -151,6 +154,18 @@ module Aws
       credentials
     end
 
+    # Attempts to load from shared config or shared credentials file.
+    # Will always attempt first to load from the shared credentials
+    # file, if present.
+    def sso_token_from_config(opts = {})
+      p = opts[:profile] || @profile_name
+      token = sso_token_from_profile(@parsed_credentials, p)
+      if @parsed_config
+        token ||= sso_token_from_profile(@parsed_config, p)
+      end
+      token
+    end
+
     # Add an accessor method (similar to attr_reader) to return a configuration value
     # Uses the get_config_value below to control where
     # values are loaded from
@@ -327,6 +342,32 @@ module Aws
       end
     end
 
+    # If the required sso_ profile values are present, attempt to construct
+    # SSOTokenProvider
+    def sso_token_from_profile(cfg, profile)
+      if @parsed_config &&
+        (prof_config = cfg[profile]) &&
+        !(prof_config.keys & SSO_TOKEN_PROFILE_KEYS).empty?
+
+        sso_session_name = prof_config['sso_session']
+        sso_session = cfg["sso-session #{sso_session_name}"]
+        unless sso_session
+          raise ArgumentError,
+                "sso-session #{sso_session_name} must be defined in the config file." /
+                  "Referenced by profile #{profile}"
+        end
+
+        unless sso_session['sso_region']
+          raise ArgumentError, "sso-session #{sso_session_name} missing required parameter: sso_region"
+        end
+
+        SSOTokenProvider.new(
+          sso_session: sso_session_name,
+          sso_region: sso_session['sso_region']
+        )
+      end
+    end
+
     def credentials_from_profile(prof_config)
       creds = Credentials.new(
         prof_config['aws_access_key_id'],

data/lib/aws-sdk-core/sso_token_provider.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+module Aws
+  class SSOTokenProvider
+
+    include TokenProvider
+    include RefreshingToken
+
+    # @api private
+    SSO_REQUIRED_OPTS = [:sso_region, :sso_session].freeze
+
+    # @api private
+    SSO_LOGIN_GUIDANCE = 'The SSO session associated with this profile has '\
+    'expired or is otherwise invalid. To refresh this SSO session run '\
+    'aws sso login with the corresponding profile.'.freeze
+
+    # @option options [required, String] :sso_region The AWS region where the
+    #   SSO directory for the given sso_start_url is hosted.
+    #
+    # @option options [required, String] :sso_session The SSO Session used to
+    #   for fetching this token.
+    #
+    # @option options [SSOOIDC::Client] :client Optional `SSOOIDC::Client`.  If not
+    #   provided, a client will be constructed.
+    #
+    # @option options [Callable] before_refresh Proc called before
+    #   credentials are refreshed. `before_refresh` is called
+    #   with an instance of this object when
+    #   AWS credentials are required and need to be refreshed.
+    def initialize(options = {})
+
+      missing_keys = SSO_REQUIRED_OPTS.select { |k| options[k].nil? }
+      unless missing_keys.empty?
+        raise ArgumentError, "Missing required keys: #{missing_keys}"
+      end
+
+      @sso_session = options.delete(:sso_session)
+      @sso_region = options.delete(:sso_region)
+
+      options[:region] = @sso_region
+      options[:credentials] = nil
+      @client = options[:client] || Aws::SSOOIDC::Client.new(options)
+
+      super
+    end
+
+    # @return [SSO::Client]
+    attr_reader :client
+
+    private
+
+    def refresh
+      # token is valid and not in refresh window - do not refresh it.
+      return if @token && @token.expiration && !near_expiration?
+
+      # token may not exist or is out of the expiration window
+      # attempt to refresh from disk first (another process/application may have refreshed already)
+      token_json = read_cached_token
+      @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+      return if @token && @token.expiration && !near_expiration?
+
+      # The token is expired and needs to be refreshed
+      if can_refresh_token?(token_json)
+        begin
+          current_time = Time.now
+          resp = @client.create_token(
+            grant_type: 'refresh_token',
+            client_id: token_json['clientId'],
+            client_secret: token_json['client_secret'],
+            refresh_token: token_json['refreshToken']
+          )
+          token_json['accessToken'] = resp.access_token
+          token_json['expiresAt'] = current_time + resp.expires_in
+          @token = Token.new(token_json['accessToken'], token_json['expiresAt'])
+
+          if resp.refresh_token
+            token_json['refreshToken'] = resp.refresh_token
+          else
+            token_json.delete('refreshToken')
+          end
+
+          update_token_cache(token_json)
+        rescue
+          # refresh has failed, continue attempting to use the token if its not hard expired
+        end
+      end
+
+      if !@token.expiration || @token.expiration < Time.now
+        # Token is hard expired, raise an exception
+        raise Errors::InvalidSSOToken, 'Token is invalid and failed to refresh.'
+      end
+    end
+
+    def read_cached_token
+      cached_token = Json.load(File.read(sso_cache_file))
+      # validation
+      unless cached_token['accessToken'] && cached_token['expiresAt']
+        raise ArgumentError, 'Missing required field(s)'
+      end
+      cached_token['expiresAt'] = Time.parse(cached_token['expiresAt'])
+      cached_token
+    rescue Errno::ENOENT, Aws::Json::ParseError, ArgumentError
+      raise Errors::InvalidSSOToken, SSO_LOGIN_GUIDANCE
+    end
+
+    def update_token_cache(token_json)
+      cached_token = token_json.dup
+      cached_token['expiresAt'] = cached_token['expiresAt'].iso8601
+      File.write(sso_cache_file, Json.dump(cached_token))
+    end
+
+    def sso_cache_file
+      sso_session_sha1 = OpenSSL::Digest::SHA1.hexdigest(@sso_session.encode('utf-8'))
+      File.join(Dir.home, '.aws', 'sso', 'cache', "#{sso_session_sha1}.json")
+    rescue ArgumentError
+      # Dir.home raises ArgumentError when ENV['home'] is not set
+      raise ArgumentError, "Unable to load sso_cache_file: ENV['HOME'] is not set."
+    end
+
+    # return true if all required fields are present
+    # return false if registrationExpiresAt exists and is later than now
+    def can_refresh_token?(token_json)
+      if token_json['clientId'] &&
+        token_json['clientSecret'] &&
+        token_json['refreshToken']
+
+        return !token_json['registrationExpiresAt'] ||
+          Time.parse(token_json['registrationExpiresAt']) > Time.now
+      else
+        false
+      end
+    end
+  end
+end

data/lib/aws-sdk-core/static_token_provider.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module Aws
+  class StaticTokenProvider
+
+    include TokenProvider
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = Token.new(token, expiration)
+    end
+  end
+end

data/lib/aws-sdk-core/token.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Aws
+  class Token
+
+    # @param [String] token
+    # @param [Time] expiration
+    def initialize(token, expiration=nil)
+      @token = token
+      @expiration = expiration
+    end
+
+    # @return [String, nil]
+    attr_reader :token
+
+    # @return [Time, nil]
+    attr_reader :expiration
+
+    # @return [Boolean] Returns `true` if token is set
+    def set?
+      !token.nil? && !token.empty?
+    end
+
+    # Removing the token from the default inspect string.
+    # @api private
+    def inspect
+      "#<#{self.class.name} token=[FILTERED]> expiration=#{expiration}>"
+    end
+
+  end
+end

data/lib/aws-sdk-core/token_provider.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Aws
+  module TokenProvider
+
+    # @return [Token]
+    attr_reader :token
+
+    # @return [Boolean]
+    def set?
+      !!token && token.set?
+    end
+
+  end
+end

data/lib/aws-sdk-core/token_provider_chain.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+module Aws
+  # @api private
+  class TokenProviderChain
+    def initialize(config = nil)
+      @config = config
+    end
+
+    # @return [TokenProvider, nil]
+    def resolve
+      providers.each do |method_name, options|
+        provider = send(method_name, options.merge(config: @config))
+        return provider if provider && provider.set?
+      end
+      nil
+    end
+
+    private
+
+    def providers
+      [
+        [:static_profile_sso_token, {}],
+        [:sso_token, {}]
+      ]
+    end
+
+    def static_profile_sso_token(options)
+      if Aws.shared_config.config_enabled? && options[:config] && options[:config].profile
+        Aws.shared_config.sso_token_from_config(
+          profile: options[:config].profile
+        )
+      end
+    end
+
+
+    def sso_token(options)
+      profile_name = determine_profile_name(options)
+      if Aws.shared_config.config_enabled?
+        Aws.shared_config.sso_token_from_config(profile: profile_name)
+      end
+    rescue Errors::NoSuchProfileError
+      nil
+    end
+
+    def determine_profile_name(options)
+      (options[:config] && options[:config].profile) || ENV['AWS_PROFILE'] || ENV['AWS_DEFAULT_PROFILE'] || 'default'
+    end
+
+  end
+end

data/lib/aws-sdk-core.rb

@@ -20,6 +20,15 @@ require_relative 'aws-sdk-core/shared_credentials'
 require_relative 'aws-sdk-core/process_credentials'
 require_relative 'aws-sdk-core/sso_credentials'
 
+# tokens and token providers
+require_relative 'aws-sdk-core/token'
+require_relative 'aws-sdk-core/token_provider'
+require_relative 'aws-sdk-core/static_token_provider'
+require_relative 'aws-sdk-core/refreshing_token'
+require_relative 'aws-sdk-core/sso_token_provider'
+require_relative 'aws-sdk-core/token_provider_chain'
+require_relative 'aws-sdk-core/plugins/bearer_authorization'
+
 # client modules
 
 require_relative 'aws-sdk-core/client_stubs'

data/lib/aws-sdk-sso/client.rb

@@ -573,7 +573,7 @@ module Aws::SSO
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.133.0'
+      context[:gem_version] = '3.136.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sso.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
 # @!group service
 module Aws::SSO
 
-  GEM_VERSION = '3.133.0'
+  GEM_VERSION = '3.136.0'
 
 end

data/lib/aws-sdk-ssooidc/client.rb

@@ -353,7 +353,7 @@ module Aws::SSOOIDC
 
     # Creates and returns an access token for the authorized client. The
     # access token issued will be used to fetch short-term credentials for
-    # the assigned roles in the Amazon Web Services account.
+    # the assigned roles in the AWS account.
     #
     # @option params [required, String] :client_id
     #   The unique identifier string for each client. This value should come
@@ -364,16 +364,10 @@ module Aws::SSOOIDC
     #   the persisted result of the RegisterClient API.
     #
     # @option params [required, String] :grant_type
-    #   Supports grant types for the authorization code, refresh token, and
-    #   device code request. For device code requests, specify the following
-    #   value:
+    #   Supports grant types for authorization code, refresh token, and device
+    #   code request.
     #
-    #   `urn:ietf:params:oauth:grant-type:device_code `
-    #
-    #   For information about how to obtain the device code, see the
-    #   StartDeviceAuthorization topic.
-    #
-    # @option params [required, String] :device_code
+    # @option params [String] :device_code
     #   Used only when calling this API for the device code grant type. This
     #   short-term code is used to identify this authentication attempt. This
     #   should come from an in-memory reference to the result of the
@@ -385,18 +379,8 @@ module Aws::SSOOIDC
     #   access to a token.
     #
     # @option params [String] :refresh_token
-    #   Currently, `refreshToken` is not yet implemented and is not supported.
-    #   For more information about the features and limitations of the current
-    #   Amazon Web Services SSO OIDC implementation, see *Considerations for
-    #   Using this Guide* in the [Amazon Web Services SSO OIDC API
-    #   Reference][1].
-    #
     #   The token used to obtain an access token in the event that the access
-    #   token is invalid or expired.
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
+    #   token is invalid or expired. This token is not issued by the service.
     #
     # @option params [Array<String>] :scope
     #   The list of scopes that is defined by the client. Upon authorization,
@@ -422,7 +406,7 @@ module Aws::SSOOIDC
     #     client_id: "ClientId", # required
     #     client_secret: "ClientSecret", # required
     #     grant_type: "GrantType", # required
-    #     device_code: "DeviceCode", # required
+    #     device_code: "DeviceCode",
     #     code: "AuthCode",
     #     refresh_token: "RefreshToken",
     #     scope: ["Scope"],
@@ -446,9 +430,9 @@ module Aws::SSOOIDC
       req.send_request(options)
     end
 
-    # Registers a client with Amazon Web Services SSO. This allows clients
-    # to initiate device authorization. The output should be persisted for
-    # reuse through many authentication requests.
+    # Registers a client with AWS SSO. This allows clients to initiate
+    # device authorization. The output should be persisted for reuse through
+    # many authentication requests.
     #
     # @option params [required, String] :client_name
     #   The friendly name of the client.
@@ -502,16 +486,16 @@ module Aws::SSOOIDC
     #
     # @option params [required, String] :client_id
     #   The unique identifier string for the client that is registered with
-    #   Amazon Web Services SSO. This value should come from the persisted
-    #   result of the RegisterClient API operation.
+    #   AWS SSO. This value should come from the persisted result of the
+    #   RegisterClient API operation.
     #
     # @option params [required, String] :client_secret
     #   A secret string that is generated for the client. This value should
     #   come from the persisted result of the RegisterClient API operation.
     #
     # @option params [required, String] :start_url
-    #   The URL for the AWS access portal. For more information, see [Using
-    #   the AWS access portal][1] in the *Amazon Web Services SSO User Guide*.
+    #   The URL for the AWS SSO user portal. For more information, see [Using
+    #   the User Portal][1] in the *AWS Single Sign-On User Guide*.
     #
     #
     #
@@ -565,7 +549,7 @@ module Aws::SSOOIDC
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.132.0'
+      context[:gem_version] = '3.136.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-ssooidc/client_api.rb

@@ -63,7 +63,7 @@ module Aws::SSOOIDC
     CreateTokenRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientId, required: true, location_name: "clientId"))
     CreateTokenRequest.add_member(:client_secret, Shapes::ShapeRef.new(shape: ClientSecret, required: true, location_name: "clientSecret"))
     CreateTokenRequest.add_member(:grant_type, Shapes::ShapeRef.new(shape: GrantType, required: true, location_name: "grantType"))
-    CreateTokenRequest.add_member(:device_code, Shapes::ShapeRef.new(shape: DeviceCode, required: true, location_name: "deviceCode"))
+    CreateTokenRequest.add_member(:device_code, Shapes::ShapeRef.new(shape: DeviceCode, location_name: "deviceCode"))
     CreateTokenRequest.add_member(:code, Shapes::ShapeRef.new(shape: AuthCode, location_name: "code"))
     CreateTokenRequest.add_member(:refresh_token, Shapes::ShapeRef.new(shape: RefreshToken, location_name: "refreshToken"))
     CreateTokenRequest.add_member(:scope, Shapes::ShapeRef.new(shape: Scopes, location_name: "scope"))

data/lib/aws-sdk-ssooidc/types.rb

@@ -52,7 +52,7 @@ module Aws::SSOOIDC
     #         client_id: "ClientId", # required
     #         client_secret: "ClientSecret", # required
     #         grant_type: "GrantType", # required
-    #         device_code: "DeviceCode", # required
+    #         device_code: "DeviceCode",
     #         code: "AuthCode",
     #         refresh_token: "RefreshToken",
     #         scope: ["Scope"],
@@ -70,14 +70,8 @@ module Aws::SSOOIDC
     #   @return [String]
     #
     # @!attribute [rw] grant_type
-    #   Supports grant types for the authorization code, refresh token, and
-    #   device code request. For device code requests, specify the following
-    #   value:
-    #
-    #   `urn:ietf:params:oauth:grant-type:device_code `
-    #
-    #   For information about how to obtain the device code, see the
-    #   StartDeviceAuthorization topic.
+    #   Supports grant types for authorization code, refresh token, and
+    #   device code request.
     #   @return [String]
     #
     # @!attribute [rw] device_code
@@ -94,18 +88,9 @@ module Aws::SSOOIDC
     #   @return [String]
     #
     # @!attribute [rw] refresh_token
-    #   Currently, `refreshToken` is not yet implemented and is not
-    #   supported. For more information about the features and limitations
-    #   of the current Amazon Web Services SSO OIDC implementation, see
-    #   *Considerations for Using this Guide* in the [Amazon Web Services
-    #   SSO OIDC API Reference][1].
-    #
     #   The token used to obtain an access token in the event that the
-    #   access token is invalid or expired.
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
+    #   access token is invalid or expired. This token is not issued by the
+    #   service.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -136,8 +121,7 @@ module Aws::SSOOIDC
     end
 
     # @!attribute [rw] access_token
-    #   An opaque token to access Amazon Web Services SSO resources assigned
-    #   to a user.
+    #   An opaque token to access AWS SSO resources assigned to a user.
     #   @return [String]
     #
     # @!attribute [rw] token_type
@@ -150,33 +134,13 @@ module Aws::SSOOIDC
     #   @return [Integer]
     #
     # @!attribute [rw] refresh_token
-    #   Currently, `refreshToken` is not yet implemented and is not
-    #   supported. For more information about the features and limitations
-    #   of the current Amazon Web Services SSO OIDC implementation, see
-    #   *Considerations for Using this Guide* in the [Amazon Web Services
-    #   SSO OIDC API Reference][1].
-    #
     #   A token that, if present, can be used to refresh a previously issued
     #   access token that might have expired.
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
     #   @return [String]
     #
     # @!attribute [rw] id_token
-    #   Currently, `idToken` is not yet implemented and is not supported.
-    #   For more information about the features and limitations of the
-    #   current Amazon Web Services SSO OIDC implementation, see
-    #   *Considerations for Using this Guide* in the [Amazon Web Services
-    #   SSO OIDC API Reference][1].
-    #
     #   The identifier of the user that associated with the access token, if
     #   present.
-    #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenResponse AWS API Documentation
@@ -421,8 +385,8 @@ module Aws::SSOOIDC
     #
     # @!attribute [rw] client_id
     #   The unique identifier string for the client that is registered with
-    #   Amazon Web Services SSO. This value should come from the persisted
-    #   result of the RegisterClient API operation.
+    #   AWS SSO. This value should come from the persisted result of the
+    #   RegisterClient API operation.
     #   @return [String]
     #
     # @!attribute [rw] client_secret
@@ -431,9 +395,8 @@ module Aws::SSOOIDC
     #   @return [String]
     #
     # @!attribute [rw] start_url
-    #   The URL for the AWS access portal. For more information, see [Using
-    #   the AWS access portal][1] in the *Amazon Web Services SSO User
-    #   Guide*.
+    #   The URL for the AWS SSO user portal. For more information, see
+    #   [Using the User Portal][1] in the *AWS Single Sign-On User Guide*.
     #
     #
     #

data/lib/aws-sdk-ssooidc.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-ssooidc/customizations'
 # @!group service
 module Aws::SSOOIDC
 
-  GEM_VERSION = '3.132.0'
+  GEM_VERSION = '3.136.0'
 
 end

data/lib/aws-sdk-sts/client.rb

@@ -2299,7 +2299,7 @@ module Aws::STS
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-core'
-      context[:gem_version] = '3.133.0'
+      context[:gem_version] = '3.136.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-sts.rb

@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @!group service
 module Aws::STS
 
-  GEM_VERSION = '3.133.0'
+  GEM_VERSION = '3.136.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-core
 version: !ruby/object:Gem::Version
-  version: 3.133.0
+  version: 3.136.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-08-22 00:00:00.000000000 Z
+date: 2022-08-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jmespath
@@ -145,6 +145,7 @@ files:
 - lib/aws-sdk-core/plugins/apig_authorizer_token.rb
 - lib/aws-sdk-core/plugins/apig_credentials_configuration.rb
 - lib/aws-sdk-core/plugins/apig_user_agent.rb
+- lib/aws-sdk-core/plugins/bearer_authorization.rb
 - lib/aws-sdk-core/plugins/checksum_algorithm.rb
 - lib/aws-sdk-core/plugins/client_metrics_plugin.rb
 - lib/aws-sdk-core/plugins/client_metrics_send_plugin.rb
@@ -189,6 +190,7 @@ files:
 - lib/aws-sdk-core/query/param_builder.rb
 - lib/aws-sdk-core/query/param_list.rb
 - lib/aws-sdk-core/refreshing_credentials.rb
+- lib/aws-sdk-core/refreshing_token.rb
 - lib/aws-sdk-core/resources/collection.rb
 - lib/aws-sdk-core/rest.rb
 - lib/aws-sdk-core/rest/handler.rb
@@ -204,6 +206,8 @@ files:
 - lib/aws-sdk-core/shared_config.rb
 - lib/aws-sdk-core/shared_credentials.rb
 - lib/aws-sdk-core/sso_credentials.rb
+- lib/aws-sdk-core/sso_token_provider.rb
+- lib/aws-sdk-core/static_token_provider.rb
 - lib/aws-sdk-core/structure.rb
 - lib/aws-sdk-core/stubbing/data_applicator.rb
 - lib/aws-sdk-core/stubbing/empty_stub.rb
@@ -216,6 +220,9 @@ files:
 - lib/aws-sdk-core/stubbing/protocols/rest_xml.rb
 - lib/aws-sdk-core/stubbing/stub_data.rb
 - lib/aws-sdk-core/stubbing/xml_error.rb
+- lib/aws-sdk-core/token.rb
+- lib/aws-sdk-core/token_provider.rb
+- lib/aws-sdk-core/token_provider_chain.rb
 - lib/aws-sdk-core/type_builder.rb
 - lib/aws-sdk-core/util.rb
 - lib/aws-sdk-core/waiters.rb