aws-sdk-core 3.152.0 → 3.234.0

data/lib/aws-sdk-ssooidc/types.rb

@@ -13,15 +13,24 @@ module Aws::SSOOIDC
     # You do not have sufficient access to perform this action.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `access_denied`.
+    #   @return [String]
+    #
+    # @!attribute [rw] reason
+    #   A string that uniquely identifies a reason for the error.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/AccessDeniedException AWS API Documentation
     #
     class AccessDeniedException < Struct.new(
       :error,
+      :reason,
       :error_description)
       SENSITIVE = []
       include Aws::Structure
@@ -31,9 +40,13 @@ module Aws::SSOOIDC
     # session token is pending.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `authorization_pending`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/AuthorizationPendingException AWS API Documentation
@@ -45,23 +58,34 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CreateTokenRequest
-    #   data as a hash:
-    #
-    #       {
-    #         client_id: "ClientId", # required
-    #         client_secret: "ClientSecret", # required
-    #         grant_type: "GrantType", # required
-    #         device_code: "DeviceCode",
-    #         code: "AuthCode",
-    #         refresh_token: "RefreshToken",
-    #         scope: ["Scope"],
-    #         redirect_uri: "URI",
-    #       }
+    # This structure contains Amazon Web Services-specific parameter
+    # extensions and the [identity context][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/singlesignon/latest/userguide/trustedidentitypropagation-overview.html
+    #
+    # @!attribute [rw] identity_context
+    #   The trusted context assertion is signed and encrypted by STS. It
+    #   provides access to `sts:identity_context` claim in the `idToken`
+    #   without JWT parsing
     #
+    #   Identity context comprises information that Amazon Web Services
+    #   services use to make authorization decisions when they receive
+    #   requests.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/AwsAdditionalDetails AWS API Documentation
+    #
+    class AwsAdditionalDetails < Struct.new(
+      :identity_context)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] client_id
-    #   The unique identifier string for each client. This value should come
-    #   from the persisted result of the RegisterClient API.
+    #   The unique identifier string for the client or application. This
+    #   value comes from the result of the RegisterClient API.
     #   @return [String]
     #
     # @!attribute [rw] client_secret
@@ -70,39 +94,61 @@ module Aws::SSOOIDC
     #   @return [String]
     #
     # @!attribute [rw] grant_type
-    #   Supports grant types for authorization code, refresh token, and
-    #   device code request.
+    #   Supports the following OAuth grant types: Authorization Code, Device
+    #   Code, and Refresh Token. Specify one of the following values,
+    #   depending on the grant type that you want:
+    #
+    #   * Authorization Code - `authorization_code`
+    #
+    #   * Device Code - `urn:ietf:params:oauth:grant-type:device_code`
+    #
+    #   * Refresh Token - `refresh_token`
     #   @return [String]
     #
     # @!attribute [rw] device_code
-    #   Used only when calling this API for the device code grant type. This
-    #   short-term code is used to identify this authentication attempt.
-    #   This should come from an in-memory reference to the result of the
-    #   StartDeviceAuthorization API.
+    #   Used only when calling this API for the Device Code grant type. This
+    #   short-lived code is used to identify this authorization request.
+    #   This comes from the result of the StartDeviceAuthorization API.
     #   @return [String]
     #
     # @!attribute [rw] code
-    #   The authorization code received from the authorization service. This
-    #   parameter is required to perform an authorization grant request to
-    #   get access to a token.
+    #   Used only when calling this API for the Authorization Code grant
+    #   type. The short-lived code is used to identify this authorization
+    #   request.
     #   @return [String]
     #
     # @!attribute [rw] refresh_token
-    #   The token used to obtain an access token in the event that the
-    #   access token is invalid or expired. This token is not issued by the
-    #   service.
+    #   Used only when calling this API for the Refresh Token grant type.
+    #   This token is used to refresh short-lived tokens, such as the access
+    #   token, that might expire.
+    #
+    #   For more information about the features and limitations of the
+    #   current IAM Identity Center OIDC implementation, see *Considerations
+    #   for Using this Guide* in the [IAM Identity Center OIDC API
+    #   Reference][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
     #   @return [String]
     #
     # @!attribute [rw] scope
-    #   The list of scopes that is defined by the client. Upon
-    #   authorization, this list is used to restrict permissions when
-    #   granting an access token.
+    #   The list of scopes for which authorization is requested. This
+    #   parameter has no effect; the access token will always include all
+    #   scopes configured during client registration.
     #   @return [Array<String>]
     #
     # @!attribute [rw] redirect_uri
-    #   The location of the application that will receive the authorization
-    #   code. Users authorize the service to send the request to this
-    #   location.
+    #   Used only when calling this API for the Authorization Code grant
+    #   type. This value specifies the location of the client or application
+    #   that has registered to receive the authorization code.
+    #   @return [String]
+    #
+    # @!attribute [rw] code_verifier
+    #   Used only when calling this API for the Authorization Code grant
+    #   type. This value is generated by the client and presented to
+    #   validate the original code challenge value the client passed at
+    #   authorization time.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenRequest AWS API Documentation
@@ -115,18 +161,20 @@ module Aws::SSOOIDC
       :code,
       :refresh_token,
       :scope,
-      :redirect_uri)
-      SENSITIVE = []
+      :redirect_uri,
+      :code_verifier)
+      SENSITIVE = [:client_secret, :refresh_token, :code_verifier]
       include Aws::Structure
     end
 
     # @!attribute [rw] access_token
-    #   An opaque token to access AWS SSO resources assigned to a user.
+    #   A bearer token to access Amazon Web Services accounts and
+    #   applications assigned to a user.
     #   @return [String]
     #
     # @!attribute [rw] token_type
     #   Used to notify the client that the returned token is an access
-    #   token. The supported type is `BearerToken`.
+    #   token. The supported token type is `Bearer`.
     #   @return [String]
     #
     # @!attribute [rw] expires_in
@@ -136,11 +184,29 @@ module Aws::SSOOIDC
     # @!attribute [rw] refresh_token
     #   A token that, if present, can be used to refresh a previously issued
     #   access token that might have expired.
+    #
+    #   For more information about the features and limitations of the
+    #   current IAM Identity Center OIDC implementation, see *Considerations
+    #   for Using this Guide* in the [IAM Identity Center OIDC API
+    #   Reference][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
     #   @return [String]
     #
     # @!attribute [rw] id_token
-    #   The identifier of the user that associated with the access token, if
-    #   present.
+    #   The `idToken` is not implemented or supported. For more information
+    #   about the features and limitations of the current IAM Identity
+    #   Center OIDC implementation, see *Considerations for Using this
+    #   Guide* in the [IAM Identity Center OIDC API Reference][1].
+    #
+    #   A JSON Web Token (JWT) that identifies who is associated with the
+    #   issued access token.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenResponse AWS API Documentation
@@ -151,7 +217,190 @@ module Aws::SSOOIDC
       :expires_in,
       :refresh_token,
       :id_token)
-      SENSITIVE = []
+      SENSITIVE = [:access_token, :refresh_token, :id_token]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] client_id
+    #   The unique identifier string for the client or application. This
+    #   value is an application ARN that has OAuth grants configured.
+    #   @return [String]
+    #
+    # @!attribute [rw] grant_type
+    #   Supports the following OAuth grant types: Authorization Code,
+    #   Refresh Token, JWT Bearer, and Token Exchange. Specify one of the
+    #   following values, depending on the grant type that you want:
+    #
+    #   * Authorization Code - `authorization_code`
+    #
+    #   * Refresh Token - `refresh_token`
+    #
+    #   * JWT Bearer - `urn:ietf:params:oauth:grant-type:jwt-bearer`
+    #
+    #   * Token Exchange -
+    #   `urn:ietf:params:oauth:grant-type:token-exchange`
+    #   @return [String]
+    #
+    # @!attribute [rw] code
+    #   Used only when calling this API for the Authorization Code grant
+    #   type. This short-lived code is used to identify this authorization
+    #   request. The code is obtained through a redirect from IAM Identity
+    #   Center to a redirect URI persisted in the Authorization Code
+    #   GrantOptions for the application.
+    #   @return [String]
+    #
+    # @!attribute [rw] refresh_token
+    #   Used only when calling this API for the Refresh Token grant type.
+    #   This token is used to refresh short-lived tokens, such as the access
+    #   token, that might expire.
+    #
+    #   For more information about the features and limitations of the
+    #   current IAM Identity Center OIDC implementation, see *Considerations
+    #   for Using this Guide* in the [IAM Identity Center OIDC API
+    #   Reference][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
+    #   @return [String]
+    #
+    # @!attribute [rw] assertion
+    #   Used only when calling this API for the JWT Bearer grant type. This
+    #   value specifies the JSON Web Token (JWT) issued by a trusted token
+    #   issuer. To authorize a trusted token issuer, configure the JWT
+    #   Bearer GrantOptions for the application.
+    #   @return [String]
+    #
+    # @!attribute [rw] scope
+    #   The list of scopes for which authorization is requested. The access
+    #   token that is issued is limited to the scopes that are granted. If
+    #   the value is not specified, IAM Identity Center authorizes all
+    #   scopes configured for the application, including the following
+    #   default scopes: `openid`, `aws`, `sts:identity_context`.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] redirect_uri
+    #   Used only when calling this API for the Authorization Code grant
+    #   type. This value specifies the location of the client or application
+    #   that has registered to receive the authorization code.
+    #   @return [String]
+    #
+    # @!attribute [rw] subject_token
+    #   Used only when calling this API for the Token Exchange grant type.
+    #   This value specifies the subject of the exchange. The value of the
+    #   subject token must be an access token issued by IAM Identity Center
+    #   to a different client or application. The access token must have
+    #   authorized scopes that indicate the requested application as a
+    #   target audience.
+    #   @return [String]
+    #
+    # @!attribute [rw] subject_token_type
+    #   Used only when calling this API for the Token Exchange grant type.
+    #   This value specifies the type of token that is passed as the subject
+    #   of the exchange. The following value is supported:
+    #
+    #   * Access Token - `urn:ietf:params:oauth:token-type:access_token`
+    #   @return [String]
+    #
+    # @!attribute [rw] requested_token_type
+    #   Used only when calling this API for the Token Exchange grant type.
+    #   This value specifies the type of token that the requester can
+    #   receive. The following values are supported:
+    #
+    #   * Access Token - `urn:ietf:params:oauth:token-type:access_token`
+    #
+    #   * Refresh Token - `urn:ietf:params:oauth:token-type:refresh_token`
+    #   @return [String]
+    #
+    # @!attribute [rw] code_verifier
+    #   Used only when calling this API for the Authorization Code grant
+    #   type. This value is generated by the client and presented to
+    #   validate the original code challenge value the client passed at
+    #   authorization time.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAMRequest AWS API Documentation
+    #
+    class CreateTokenWithIAMRequest < Struct.new(
+      :client_id,
+      :grant_type,
+      :code,
+      :refresh_token,
+      :assertion,
+      :scope,
+      :redirect_uri,
+      :subject_token,
+      :subject_token_type,
+      :requested_token_type,
+      :code_verifier)
+      SENSITIVE = [:refresh_token, :assertion, :subject_token, :code_verifier]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] access_token
+    #   A bearer token to access Amazon Web Services accounts and
+    #   applications assigned to a user.
+    #   @return [String]
+    #
+    # @!attribute [rw] token_type
+    #   Used to notify the requester that the returned token is an access
+    #   token. The supported token type is `Bearer`.
+    #   @return [String]
+    #
+    # @!attribute [rw] expires_in
+    #   Indicates the time in seconds when an access token will expire.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] refresh_token
+    #   A token that, if present, can be used to refresh a previously issued
+    #   access token that might have expired.
+    #
+    #   For more information about the features and limitations of the
+    #   current IAM Identity Center OIDC implementation, see *Considerations
+    #   for Using this Guide* in the [IAM Identity Center OIDC API
+    #   Reference][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/singlesignon/latest/OIDCAPIReference/Welcome.html
+    #   @return [String]
+    #
+    # @!attribute [rw] id_token
+    #   A JSON Web Token (JWT) that identifies the user associated with the
+    #   issued access token.
+    #   @return [String]
+    #
+    # @!attribute [rw] issued_token_type
+    #   Indicates the type of tokens that are issued by IAM Identity Center.
+    #   The following values are supported:
+    #
+    #   * Access Token - `urn:ietf:params:oauth:token-type:access_token`
+    #
+    #   * Refresh Token - `urn:ietf:params:oauth:token-type:refresh_token`
+    #   @return [String]
+    #
+    # @!attribute [rw] scope
+    #   The list of scopes for which authorization is granted. The access
+    #   token that is issued is limited to the scopes that are granted.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] aws_additional_details
+    #   A structure containing information from IAM Identity Center managed
+    #   user and group information.
+    #   @return [Types::AwsAdditionalDetails]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/CreateTokenWithIAMResponse AWS API Documentation
+    #
+    class CreateTokenWithIAMResponse < Struct.new(
+      :access_token,
+      :token_type,
+      :expires_in,
+      :refresh_token,
+      :id_token,
+      :issued_token_type,
+      :scope,
+      :aws_additional_details)
+      SENSITIVE = [:access_token, :refresh_token, :id_token]
       include Aws::Structure
     end
 
@@ -159,9 +408,13 @@ module Aws::SSOOIDC
     # longer valid.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `expired_token`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/ExpiredTokenException AWS API Documentation
@@ -177,9 +430,13 @@ module Aws::SSOOIDC
     # process a request.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `server_error`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InternalServerException AWS API Documentation
@@ -196,9 +453,13 @@ module Aws::SSOOIDC
     # `clientId` or an expired `clientSecret`.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_client`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidClientException AWS API Documentation
@@ -214,9 +475,13 @@ module Aws::SSOOIDC
     # registration is invalid.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_client_metadata`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidClientMetadataException AWS API Documentation
@@ -232,9 +497,13 @@ module Aws::SSOOIDC
     # a client makes a CreateToken request with an invalid grant type.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_grant`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidGrantException AWS API Documentation
@@ -246,30 +515,99 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
+    # Indicates that one or more redirect URI in the request is not
+    # supported for this operation.
+    #
+    # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_redirect_uri`.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidRedirectUriException AWS API Documentation
+    #
+    class InvalidRedirectUriException < Struct.new(
+      :error,
+      :error_description)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Indicates that something is wrong with the input to the request. For
     # example, a required parameter might be missing or out of range.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_request`.
+    #   @return [String]
+    #
+    # @!attribute [rw] reason
+    #   A string that uniquely identifies a reason for the error.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidRequestException AWS API Documentation
     #
     class InvalidRequestException < Struct.new(
       :error,
+      :reason,
       :error_description)
       SENSITIVE = []
       include Aws::Structure
     end
 
+    # Indicates that a token provided as input to the request was issued by
+    # and is only usable by calling IAM Identity Center endpoints in another
+    # region.
+    #
+    # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_request`.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
+    #   @return [String]
+    #
+    # @!attribute [rw] endpoint
+    #   Indicates the IAM Identity Center endpoint which the requester may
+    #   call with this token.
+    #   @return [String]
+    #
+    # @!attribute [rw] region
+    #   Indicates the region which the requester may call with this token.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidRequestRegionException AWS API Documentation
+    #
+    class InvalidRequestRegionException < Struct.new(
+      :error,
+      :error_description,
+      :endpoint,
+      :region)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Indicates that the scope provided in the request is invalid.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `invalid_scope`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/InvalidScopeException AWS API Documentation
@@ -281,15 +619,6 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass RegisterClientRequest
-    #   data as a hash:
-    #
-    #       {
-    #         client_name: "ClientName", # required
-    #         client_type: "ClientType", # required
-    #         scopes: ["Scope"],
-    #       }
-    #
     # @!attribute [rw] client_name
     #   The friendly name of the client.
     #   @return [String]
@@ -305,12 +634,49 @@ module Aws::SSOOIDC
     #   granting an access token.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] redirect_uris
+    #   The list of redirect URI that are defined by the client. At
+    #   completion of authorization, this list is used to restrict what
+    #   locations the user agent can be redirected back to.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] grant_types
+    #   The list of OAuth 2.0 grant types that are defined by the client.
+    #   This list is used to restrict the token granting flows available to
+    #   the client. Supports the following OAuth 2.0 grant types:
+    #   Authorization Code, Device Code, and Refresh Token.
+    #
+    #   * Authorization Code - `authorization_code`
+    #
+    #   * Device Code - `urn:ietf:params:oauth:grant-type:device_code`
+    #
+    #   * Refresh Token - `refresh_token`
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] issuer_url
+    #   The IAM Identity Center Issuer URL associated with an instance of
+    #   IAM Identity Center. This value is needed for user access to
+    #   resources through the client.
+    #   @return [String]
+    #
+    # @!attribute [rw] entitled_application_arn
+    #   This IAM Identity Center application ARN is used to define
+    #   administrator-managed configuration for public client access to
+    #   resources. At authorization, the scopes, grants, and redirect URI
+    #   available to this client will be restricted by this application
+    #   resource.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/RegisterClientRequest AWS API Documentation
     #
     class RegisterClientRequest < Struct.new(
       :client_name,
       :client_type,
-      :scopes)
+      :scopes,
+      :redirect_uris,
+      :grant_types,
+      :issuer_url,
+      :entitled_application_arn)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -336,11 +702,11 @@ module Aws::SSOOIDC
     #   @return [Integer]
     #
     # @!attribute [rw] authorization_endpoint
-    #   The endpoint where the client can request authorization.
+    #   An endpoint that the client can use to request authorization.
     #   @return [String]
     #
     # @!attribute [rw] token_endpoint
-    #   The endpoint where the client can get an access token.
+    #   An endpoint that the client can use to create tokens.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/RegisterClientResponse AWS API Documentation
@@ -352,7 +718,7 @@ module Aws::SSOOIDC
       :client_secret_expires_at,
       :authorization_endpoint,
       :token_endpoint)
-      SENSITIVE = []
+      SENSITIVE = [:client_secret]
       include Aws::Structure
     end
 
@@ -360,9 +726,12 @@ module Aws::SSOOIDC
     # more than the service can handle.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be `slow_down`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/SlowDownException AWS API Documentation
@@ -374,19 +743,10 @@ module Aws::SSOOIDC
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass StartDeviceAuthorizationRequest
-    #   data as a hash:
-    #
-    #       {
-    #         client_id: "ClientId", # required
-    #         client_secret: "ClientSecret", # required
-    #         start_url: "URI", # required
-    #       }
-    #
     # @!attribute [rw] client_id
     #   The unique identifier string for the client that is registered with
-    #   AWS SSO. This value should come from the persisted result of the
-    #   RegisterClient API operation.
+    #   IAM Identity Center. This value should come from the persisted
+    #   result of the RegisterClient API operation.
     #   @return [String]
     #
     # @!attribute [rw] client_secret
@@ -395,8 +755,9 @@ module Aws::SSOOIDC
     #   @return [String]
     #
     # @!attribute [rw] start_url
-    #   The URL for the AWS SSO user portal. For more information, see
-    #   [Using the User Portal][1] in the *AWS Single Sign-On User Guide*.
+    #   The URL for the Amazon Web Services access portal. For more
+    #   information, see [Using the Amazon Web Services access portal][1] in
+    #   the *IAM Identity Center User Guide*.
     #
     #
     #
@@ -409,7 +770,7 @@ module Aws::SSOOIDC
       :client_id,
       :client_secret,
       :start_url)
-      SENSITIVE = []
+      SENSITIVE = [:client_secret]
       include Aws::Structure
     end
 
@@ -462,9 +823,13 @@ module Aws::SSOOIDC
     # client.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `unauthorized_client`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/UnauthorizedClientException AWS API Documentation
@@ -480,9 +845,13 @@ module Aws::SSOOIDC
     # service.
     #
     # @!attribute [rw] error
+    #   Single error code. For this exception the value will be
+    #   `unsupported_grant_type`.
     #   @return [String]
     #
     # @!attribute [rw] error_description
+    #   Human-readable text providing additional information, used to assist
+    #   the client developer in understanding the error that occurred.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/sso-oidc-2019-06-10/UnsupportedGrantTypeException AWS API Documentation
@@ -496,3 +865,4 @@ module Aws::SSOOIDC
 
   end
 end
+