aws-sdk-verifiedpermissions 1.23.0 → 1.24.0

@@ -500,9 +500,8 @@ module Aws::VerifiedPermissions
500
500
  # to an Amazon Cognito user pool used as an identity provider for
501
501
  # Verified Permissions.
502
502
  #
503
- # This data type is used as a field that is part of an
504
- # [Configuration][1] structure that is used as a parameter to
505
- # [CreateIdentitySource][2].
503
+ # This data type part of a [Configuration][1] structure that is used as
504
+ # a parameter to [CreateIdentitySource][2].
506
505
  #
507
506
  # Example:`"CognitoUserPoolConfiguration":\{"UserPoolArn":"arn:aws:cognito-idp:us-east-1:123456789012:userpool/us-east-1_1a2b3c4d5","ClientIds":
508
507
  # ["a1b2c3d4e5f6g7h8i9j0kalbmc"],"groupConfiguration":
@@ -670,13 +669,6 @@ module Aws::VerifiedPermissions
670
669
  # Contains configuration information used when creating a new identity
671
670
  # source.
672
671
  #
673
- # <note markdown="1"> At this time, the only valid member of this structure is a Amazon
674
- # Cognito user pool configuration.
675
- #
676
- # Specifies a `userPoolArn`, a `groupConfiguration`, and a `ClientId`.
677
- #
678
- # </note>
679
- #
680
672
  # This data type is used as a request parameter for the
681
673
  # [CreateIdentitySource][1] operation.
682
674
  #
@@ -702,16 +694,28 @@ module Aws::VerifiedPermissions
702
694
  # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
703
695
  # @return [Types::CognitoUserPoolConfiguration]
704
696
  #
697
+ # @!attribute [rw] open_id_connect_configuration
698
+ # Contains configuration details of an OpenID Connect (OIDC) identity
699
+ # provider, or identity source, that Verified Permissions can use to
700
+ # generate entities from authenticated identities. It specifies the
701
+ # issuer URL, token type that you want to use, and policy store entity
702
+ # details.
703
+ #
704
+ # Example:`"configuration":\{"openIdConnectConfiguration":\{"issuer":"https://auth.example.com","tokenSelection":\{"accessTokenOnly":\{"audiences":["https://myapp.example.com","https://myapp2.example.com"],"principalIdClaim":"sub"\}\},"entityIdPrefix":"MyOIDCProvider","groupConfiguration":\{"groupClaim":"groups","groupEntityType":"MyCorp::UserGroup"\}\}\}`
705
+ # @return [Types::OpenIdConnectConfiguration]
706
+ #
705
707
  # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/Configuration AWS API Documentation
706
708
  #
707
709
  class Configuration < Struct.new(
708
710
  :cognito_user_pool_configuration,
711
+ :open_id_connect_configuration,
709
712
  :unknown)
710
713
  SENSITIVE = []
711
714
  include Aws::Structure
712
715
  include Aws::Structure::Union
713
716
 
714
717
  class CognitoUserPoolConfiguration < Configuration; end
718
+ class OpenIdConnectConfiguration < Configuration; end
715
719
  class Unknown < Configuration; end
716
720
  end
717
721
 
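Review bot: The new union-tag subclass `class OpenIdConnectConfiguration < Configuration; end` shares its bare name with the payload struct `Types::OpenIdConnectConfiguration` defined further down in this diff, and inside the `Configuration` body the bare name resolves to the nested tag class, so the `@return [Types::OpenIdConnectConfiguration]` on the new attribute is right only because it is fully qualified. This mirrors the existing `CognitoUserPoolConfiguration` pair, so no code change is needed, but a one-line comment on the tag class, `# union tag for the :open_id_connect_configuration member; payload type is Types::OpenIdConnectConfiguration`, would spare readers the lookup. The same point applies to the `ConfigurationDetail` and `ConfigurationItem` hunks below, which add the same pair. The class-level doc for `Configuration` starts above this hunk, so I cannot see whether it states that exactly one member may be set; the new attribute text itself does not say so, and one sentence there would help callers who now have two real choices.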
@@ -743,16 +747,28 @@ module Aws::VerifiedPermissions
743
747
  # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
744
748
  # @return [Types::CognitoUserPoolConfigurationDetail]
745
749
  #
750
+ # @!attribute [rw] open_id_connect_configuration
751
+ # Contains configuration details of an OpenID Connect (OIDC) identity
752
+ # provider, or identity source, that Verified Permissions can use to
753
+ # generate entities from authenticated identities. It specifies the
754
+ # issuer URL, token type that you want to use, and policy store entity
755
+ # details.
756
+ #
757
+ # Example:`"configuration":\{"openIdConnectConfiguration":\{"issuer":"https://auth.example.com","tokenSelection":\{"accessTokenOnly":\{"audiences":["https://myapp.example.com","https://myapp2.example.com"],"principalIdClaim":"sub"\}\},"entityIdPrefix":"MyOIDCProvider","groupConfiguration":\{"groupClaim":"groups","groupEntityType":"MyCorp::UserGroup"\}\}\}`
758
+ # @return [Types::OpenIdConnectConfigurationDetail]
759
+ #
746
760
  # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/ConfigurationDetail AWS API Documentation
747
761
  #
748
762
  class ConfigurationDetail < Struct.new(
749
763
  :cognito_user_pool_configuration,
764
+ :open_id_connect_configuration,
750
765
  :unknown)
751
766
  SENSITIVE = []
752
767
  include Aws::Structure
753
768
  include Aws::Structure::Union
754
769
 
755
770
  class CognitoUserPoolConfiguration < ConfigurationDetail; end
771
+ class OpenIdConnectConfiguration < ConfigurationDetail; end
756
772
  class Unknown < ConfigurationDetail; end
757
773
  end
758
774
 
@@ -784,16 +800,28 @@ module Aws::VerifiedPermissions
784
800
  # [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
785
801
  # @return [Types::CognitoUserPoolConfigurationItem]
786
802
  #
803
+ # @!attribute [rw] open_id_connect_configuration
804
+ # Contains configuration details of an OpenID Connect (OIDC) identity
805
+ # provider, or identity source, that Verified Permissions can use to
806
+ # generate entities from authenticated identities. It specifies the
807
+ # issuer URL, token type that you want to use, and policy store entity
808
+ # details.
809
+ #
810
+ # Example:`"configuration":\{"openIdConnectConfiguration":\{"issuer":"https://auth.example.com","tokenSelection":\{"accessTokenOnly":\{"audiences":["https://myapp.example.com","https://myapp2.example.com"],"principalIdClaim":"sub"\}\},"entityIdPrefix":"MyOIDCProvider","groupConfiguration":\{"groupClaim":"groups","groupEntityType":"MyCorp::UserGroup"\}\}\}`
811
+ # @return [Types::OpenIdConnectConfigurationItem]
812
+ #
787
813
  # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/ConfigurationItem AWS API Documentation
788
814
  #
789
815
  class ConfigurationItem < Struct.new(
790
816
  :cognito_user_pool_configuration,
817
+ :open_id_connect_configuration,
791
818
  :unknown)
792
819
  SENSITIVE = []
793
820
  include Aws::Structure
794
821
  include Aws::Structure::Union
795
822
 
796
823
  class CognitoUserPoolConfiguration < ConfigurationItem; end
824
+ class OpenIdConnectConfiguration < ConfigurationItem; end
797
825
  class Unknown < ConfigurationItem; end
798
826
  end
799
827
 
@@ -851,7 +879,7 @@ module Aws::VerifiedPermissions
851
879
  class ContextDefinition < Struct.new(
852
880
  :context_map,
853
881
  :unknown)
854
- SENSITIVE = []
882
+ SENSITIVE = [:context_map]
855
883
  include Aws::Structure
856
884
  include Aws::Structure::Union
857
885
 
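Review bot: Setting `SENSITIVE = [:context_map]` changes what the SDK's parameter filtering emits for a `ContextDefinition` in logs and inspect output, so callers who print the request struct while debugging an authorization call will now see the context redacted. That is the right default, since the map carries the per-request attributes a policy decides on, but it is a visible behaviour change that the attribute documentation does not mention. The class doc and the `context_map` attribute doc begin above this hunk; a sentence there such as `# Values are redacted from logged and inspected output (see SENSITIVE).` would make the change discoverable. The new `OpenIdConnectTokenSelection` unions added later in this diff keep `SENSITIVE = []` and rely on their member structs' own lists, which, as far as I can see, is consistent with how the existing unions in this file behave.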
@@ -897,13 +925,6 @@ module Aws::VerifiedPermissions
897
925
  # @!attribute [rw] configuration
898
926
  # Specifies the details required to communicate with the identity
899
927
  # provider (IdP) associated with this identity source.
900
- #
901
- # <note markdown="1"> At this time, the only valid member of this structure is a Amazon
902
- # Cognito user pool configuration.
903
- #
904
- # You must specify a `UserPoolArn`, and optionally, a `ClientId`.
905
- #
906
- # </note>
907
928
  # @return [Types::Configuration]
908
929
  #
909
930
  # @!attribute [rw] principal_entity_type
@@ -1430,7 +1451,15 @@ module Aws::VerifiedPermissions
1430
1451
  # @return [Hash<String,Types::AttributeValue>]
1431
1452
  #
1432
1453
  # @!attribute [rw] parents
1433
- # The parents in the hierarchy that contains the entity.
1454
+ # The parent entities in the hierarchy that contains the entity. A
1455
+ # principal or resource entity can be defined with at most 99
1456
+ # *transitive parents* per authorization request.
1457
+ #
1458
+ # A transitive parent is an entity in the hierarchy of entities
1459
+ # including all direct parents, and parents of parents. For example, a
1460
+ # user can be a member of 91 groups if one of those groups is a member
1461
+ # of eight groups, for a total of 100: one entity, 91 entity parents,
1462
+ # and eight parents of parents.
1434
1463
  # @return [Array<Types::EntityIdentifier>]
1435
1464
  #
1436
1465
  # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/EntityItem AWS API Documentation
@@ -2437,6 +2466,582 @@ module Aws::VerifiedPermissions
2437
2466
  include Aws::Structure
2438
2467
  end
2439
2468
 
2469
+ # The configuration of an OpenID Connect (OIDC) identity source for
2470
+ # handling access token claims. Contains the claim that you want to
2471
+ # identify as the principal in an authorization request, and the values
2472
+ # of the `aud` claim, or audiences, that you want to accept.
2473
+ #
2474
+ # This data type is part of a [OpenIdConnectTokenSelection][1]
2475
+ # structure, which is a parameter of [CreateIdentitySource][2].
2476
+ #
2477
+ #
2478
+ #
2479
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html
2480
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html
2481
+ #
2482
+ # @!attribute [rw] principal_id_claim
2483
+ # The claim that determines the principal in OIDC access tokens. For
2484
+ # example, `sub`.
2485
+ # @return [String]
2486
+ #
2487
+ # @!attribute [rw] audiences
2488
+ # The access token `aud` claim values that you want to accept in your
2489
+ # policy store. For example, `https://myapp.example.com,
2490
+ # https://myapp2.example.com`.
2491
+ # @return [Array<String>]
2492
+ #
2493
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectAccessTokenConfiguration AWS API Documentation
2494
+ #
2495
+ class OpenIdConnectAccessTokenConfiguration < Struct.new(
2496
+ :principal_id_claim,
2497
+ :audiences)
2498
+ SENSITIVE = [:principal_id_claim]
2499
+ include Aws::Structure
2500
+ end
2501
+
2502
+ # The configuration of an OpenID Connect (OIDC) identity source for
2503
+ # handling access token claims. Contains the claim that you want to
2504
+ # identify as the principal in an authorization request, and the values
2505
+ # of the `aud` claim, or audiences, that you want to accept.
2506
+ #
2507
+ # This data type is part of a [OpenIdConnectTokenSelectionDetail][1]
2508
+ # structure, which is a parameter of [GetIdentitySource][2].
2509
+ #
2510
+ #
2511
+ #
2512
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelectionDetail.html
2513
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html
2514
+ #
2515
+ # @!attribute [rw] principal_id_claim
2516
+ # The claim that determines the principal in OIDC access tokens. For
2517
+ # example, `sub`.
2518
+ # @return [String]
2519
+ #
2520
+ # @!attribute [rw] audiences
2521
+ # The access token `aud` claim values that you want to accept in your
2522
+ # policy store. For example, `https://myapp.example.com,
2523
+ # https://myapp2.example.com`.
2524
+ # @return [Array<String>]
2525
+ #
2526
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectAccessTokenConfigurationDetail AWS API Documentation
2527
+ #
2528
+ class OpenIdConnectAccessTokenConfigurationDetail < Struct.new(
2529
+ :principal_id_claim,
2530
+ :audiences)
2531
+ SENSITIVE = [:principal_id_claim]
2532
+ include Aws::Structure
2533
+ end
2534
+
2535
+ # The configuration of an OpenID Connect (OIDC) identity source for
2536
+ # handling access token claims. Contains the claim that you want to
2537
+ # identify as the principal in an authorization request, and the values
2538
+ # of the `aud` claim, or audiences, that you want to accept.
2539
+ #
2540
+ # This data type is part of a [OpenIdConnectTokenSelectionItem][1]
2541
+ # structure, which is a parameter of [ListIdentitySources][2].
2542
+ #
2543
+ #
2544
+ #
2545
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelectionItem.html
2546
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html
2547
+ #
2548
+ # @!attribute [rw] principal_id_claim
2549
+ # The claim that determines the principal in OIDC access tokens. For
2550
+ # example, `sub`.
2551
+ # @return [String]
2552
+ #
2553
+ # @!attribute [rw] audiences
2554
+ # The access token `aud` claim values that you want to accept in your
2555
+ # policy store. For example, `https://myapp.example.com,
2556
+ # https://myapp2.example.com`.
2557
+ # @return [Array<String>]
2558
+ #
2559
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectAccessTokenConfigurationItem AWS API Documentation
2560
+ #
2561
+ class OpenIdConnectAccessTokenConfigurationItem < Struct.new(
2562
+ :principal_id_claim,
2563
+ :audiences)
2564
+ SENSITIVE = [:principal_id_claim]
2565
+ include Aws::Structure
2566
+ end
2567
+
2568
+ # Contains configuration details of an OpenID Connect (OIDC) identity
2569
+ # provider, or identity source, that Verified Permissions can use to
2570
+ # generate entities from authenticated identities. It specifies the
2571
+ # issuer URL, token type that you want to use, and policy store entity
2572
+ # details.
2573
+ #
2574
+ # This data type is part of a [Configuration][1] structure, which is a
2575
+ # parameter to [CreateIdentitySource][2].
2576
+ #
2577
+ #
2578
+ #
2579
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html
2580
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html
2581
+ #
2582
+ # @!attribute [rw] issuer
2583
+ # The issuer URL of an OIDC identity provider. This URL must have an
2584
+ # OIDC discovery endpoint at the path
2585
+ # `.well-known/openid-configuration`.
2586
+ # @return [String]
2587
+ #
2588
+ # @!attribute [rw] entity_id_prefix
2589
+ # A descriptive string that you want to prefix to user entities from
2590
+ # your OIDC identity provider. For example, if you set an
2591
+ # `entityIdPrefix` of `MyOIDCProvider`, you can reference principals
2592
+ # in your policies in the format
2593
+ # `MyCorp::User::MyOIDCProvider|Carlos`.
2594
+ # @return [String]
2595
+ #
2596
+ # @!attribute [rw] group_configuration
2597
+ # The claim in OIDC identity provider tokens that indicates a user's
2598
+ # group membership, and the entity type that you want to map it to.
2599
+ # For example, this object can map the contents of a `groups` claim to
2600
+ # `MyCorp::UserGroup`.
2601
+ # @return [Types::OpenIdConnectGroupConfiguration]
2602
+ #
2603
+ # @!attribute [rw] token_selection
2604
+ # The token type that you want to process from your OIDC identity
2605
+ # provider. Your policy store can process either identity (ID) or
2606
+ # access tokens from a given OIDC identity source.
2607
+ # @return [Types::OpenIdConnectTokenSelection]
2608
+ #
2609
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectConfiguration AWS API Documentation
2610
+ #
2611
+ class OpenIdConnectConfiguration < Struct.new(
2612
+ :issuer,
2613
+ :entity_id_prefix,
2614
+ :group_configuration,
2615
+ :token_selection)
2616
+ SENSITIVE = [:entity_id_prefix]
2617
+ include Aws::Structure
2618
+ end
2619
+
2620
+ # Contains configuration details of an OpenID Connect (OIDC) identity
2621
+ # provider, or identity source, that Verified Permissions can use to
2622
+ # generate entities from authenticated identities. It specifies the
2623
+ # issuer URL, token type that you want to use, and policy store entity
2624
+ # details.
2625
+ #
2626
+ # This data type is part of a [ConfigurationDetail][1] structure, which
2627
+ # is a parameter to [GetIdentitySource][2].
2628
+ #
2629
+ #
2630
+ #
2631
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationDetail.html
2632
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html
2633
+ #
2634
+ # @!attribute [rw] issuer
2635
+ # The issuer URL of an OIDC identity provider. This URL must have an
2636
+ # OIDC discovery endpoint at the path
2637
+ # `.well-known/openid-configuration`.
2638
+ # @return [String]
2639
+ #
2640
+ # @!attribute [rw] entity_id_prefix
2641
+ # A descriptive string that you want to prefix to user entities from
2642
+ # your OIDC identity provider. For example, if you set an
2643
+ # `entityIdPrefix` of `MyOIDCProvider`, you can reference principals
2644
+ # in your policies in the format
2645
+ # `MyCorp::User::MyOIDCProvider|Carlos`.
2646
+ # @return [String]
2647
+ #
2648
+ # @!attribute [rw] group_configuration
2649
+ # The claim in OIDC identity provider tokens that indicates a user's
2650
+ # group membership, and the entity type that you want to map it to.
2651
+ # For example, this object can map the contents of a `groups` claim to
2652
+ # `MyCorp::UserGroup`.
2653
+ # @return [Types::OpenIdConnectGroupConfigurationDetail]
2654
+ #
2655
+ # @!attribute [rw] token_selection
2656
+ # The token type that you want to process from your OIDC identity
2657
+ # provider. Your policy store can process either identity (ID) or
2658
+ # access tokens from a given OIDC identity source.
2659
+ # @return [Types::OpenIdConnectTokenSelectionDetail]
2660
+ #
2661
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectConfigurationDetail AWS API Documentation
2662
+ #
2663
+ class OpenIdConnectConfigurationDetail < Struct.new(
2664
+ :issuer,
2665
+ :entity_id_prefix,
2666
+ :group_configuration,
2667
+ :token_selection)
2668
+ SENSITIVE = [:entity_id_prefix]
2669
+ include Aws::Structure
2670
+ end
2671
+
2672
+ # Contains configuration details of an OpenID Connect (OIDC) identity
2673
+ # provider, or identity source, that Verified Permissions can use to
2674
+ # generate entities from authenticated identities. It specifies the
2675
+ # issuer URL, token type that you want to use, and policy store entity
2676
+ # details.
2677
+ #
2678
+ # This data type is part of a [ConfigurationItem][1] structure, which is
2679
+ # a parameter to [ListIdentitySources][2].
2680
+ #
2681
+ #
2682
+ #
2683
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ConfigurationDetail.html
2684
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html
2685
+ #
2686
+ # @!attribute [rw] issuer
2687
+ # The issuer URL of an OIDC identity provider. This URL must have an
2688
+ # OIDC discovery endpoint at the path
2689
+ # `.well-known/openid-configuration`.
2690
+ # @return [String]
2691
+ #
2692
+ # @!attribute [rw] entity_id_prefix
2693
+ # A descriptive string that you want to prefix to user entities from
2694
+ # your OIDC identity provider. For example, if you set an
2695
+ # `entityIdPrefix` of `MyOIDCProvider`, you can reference principals
2696
+ # in your policies in the format
2697
+ # `MyCorp::User::MyOIDCProvider|Carlos`.
2698
+ # @return [String]
2699
+ #
2700
+ # @!attribute [rw] group_configuration
2701
+ # The claim in OIDC identity provider tokens that indicates a user's
2702
+ # group membership, and the entity type that you want to map it to.
2703
+ # For example, this object can map the contents of a `groups` claim to
2704
+ # `MyCorp::UserGroup`.
2705
+ # @return [Types::OpenIdConnectGroupConfigurationItem]
2706
+ #
2707
+ # @!attribute [rw] token_selection
2708
+ # The token type that you want to process from your OIDC identity
2709
+ # provider. Your policy store can process either identity (ID) or
2710
+ # access tokens from a given OIDC identity source.
2711
+ # @return [Types::OpenIdConnectTokenSelectionItem]
2712
+ #
2713
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectConfigurationItem AWS API Documentation
2714
+ #
2715
+ class OpenIdConnectConfigurationItem < Struct.new(
2716
+ :issuer,
2717
+ :entity_id_prefix,
2718
+ :group_configuration,
2719
+ :token_selection)
2720
+ SENSITIVE = [:entity_id_prefix]
2721
+ include Aws::Structure
2722
+ end
2723
+
2724
+ # The claim in OIDC identity provider tokens that indicates a user's
2725
+ # group membership, and the entity type that you want to map it to. For
2726
+ # example, this object can map the contents of a `groups` claim to
2727
+ # `MyCorp::UserGroup`.
2728
+ #
2729
+ # This data type is part of a [OpenIdConnectConfiguration][1] structure,
2730
+ # which is a parameter of [CreateIdentitySource][2].
2731
+ #
2732
+ #
2733
+ #
2734
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html
2735
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html
2736
+ #
2737
+ # @!attribute [rw] group_claim
2738
+ # The token claim that you want Verified Permissions to interpret as
2739
+ # group membership. For example, `groups`.
2740
+ # @return [String]
2741
+ #
2742
+ # @!attribute [rw] group_entity_type
2743
+ # The policy store entity type that you want to map your users' group
2744
+ # claim to. For example, `MyCorp::UserGroup`. A group entity type is
2745
+ # an entity that can have a user entity type as a member.
2746
+ # @return [String]
2747
+ #
2748
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectGroupConfiguration AWS API Documentation
2749
+ #
2750
+ class OpenIdConnectGroupConfiguration < Struct.new(
2751
+ :group_claim,
2752
+ :group_entity_type)
2753
+ SENSITIVE = [:group_claim, :group_entity_type]
2754
+ include Aws::Structure
2755
+ end
2756
+
2757
+ # The claim in OIDC identity provider tokens that indicates a user's
2758
+ # group membership, and the entity type that you want to map it to. For
2759
+ # example, this object can map the contents of a `groups` claim to
2760
+ # `MyCorp::UserGroup`.
2761
+ #
2762
+ # This data type is part of a [OpenIdConnectConfigurationDetail][1]
2763
+ # structure, which is a parameter of [GetIdentitySource][2].
2764
+ #
2765
+ #
2766
+ #
2767
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfigurationDetail.html
2768
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html
2769
+ #
2770
+ # @!attribute [rw] group_claim
2771
+ # The token claim that you want Verified Permissions to interpret as
2772
+ # group membership. For example, `groups`.
2773
+ # @return [String]
2774
+ #
2775
+ # @!attribute [rw] group_entity_type
2776
+ # The policy store entity type that you want to map your users' group
2777
+ # claim to. For example, `MyCorp::UserGroup`. A group entity type is
2778
+ # an entity that can have a user entity type as a member.
2779
+ # @return [String]
2780
+ #
2781
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectGroupConfigurationDetail AWS API Documentation
2782
+ #
2783
+ class OpenIdConnectGroupConfigurationDetail < Struct.new(
2784
+ :group_claim,
2785
+ :group_entity_type)
2786
+ SENSITIVE = [:group_claim, :group_entity_type]
2787
+ include Aws::Structure
2788
+ end
2789
+
2790
+ # The claim in OIDC identity provider tokens that indicates a user's
2791
+ # group membership, and the entity type that you want to map it to. For
2792
+ # example, this object can map the contents of a `groups` claim to
2793
+ # `MyCorp::UserGroup`.
2794
+ #
2795
+ # This data type is part of a [OpenIdConnectConfigurationItem][1]
2796
+ # structure, which is a parameter of [ListIdentitySourcea][2].
2797
+ #
2798
+ #
2799
+ #
2800
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfigurationItem.html
2801
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html
2802
+ #
2803
+ # @!attribute [rw] group_claim
2804
+ # The token claim that you want Verified Permissions to interpret as
2805
+ # group membership. For example, `groups`.
2806
+ # @return [String]
2807
+ #
2808
+ # @!attribute [rw] group_entity_type
2809
+ # The policy store entity type that you want to map your users' group
2810
+ # claim to. For example, `MyCorp::UserGroup`. A group entity type is
2811
+ # an entity that can have a user entity type as a member.
2812
+ # @return [String]
2813
+ #
2814
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectGroupConfigurationItem AWS API Documentation
2815
+ #
2816
+ class OpenIdConnectGroupConfigurationItem < Struct.new(
2817
+ :group_claim,
2818
+ :group_entity_type)
2819
+ SENSITIVE = [:group_claim, :group_entity_type]
2820
+ include Aws::Structure
2821
+ end
2822
+
2823
+ # The configuration of an OpenID Connect (OIDC) identity source for
2824
+ # handling identity (ID) token claims. Contains the claim that you want
2825
+ # to identify as the principal in an authorization request, and the
2826
+ # values of the `aud` claim, or audiences, that you want to accept.
2827
+ #
2828
+ # This data type is part of a [OpenIdConnectTokenSelection][1]
2829
+ # structure, which is a parameter of [CreateIdentitySource][2].
2830
+ #
2831
+ #
2832
+ #
2833
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html
2834
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html
2835
+ #
2836
+ # @!attribute [rw] principal_id_claim
2837
+ # The claim that determines the principal in OIDC access tokens. For
2838
+ # example, `sub`.
2839
+ # @return [String]
2840
+ #
2841
+ # @!attribute [rw] client_ids
2842
+ # The ID token audience, or client ID, claim values that you want to
2843
+ # accept in your policy store from an OIDC identity provider. For
2844
+ # example, `1example23456789, 2example10111213`.
2845
+ # @return [Array<String>]
2846
+ #
2847
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectIdentityTokenConfiguration AWS API Documentation
2848
+ #
2849
+ class OpenIdConnectIdentityTokenConfiguration < Struct.new(
2850
+ :principal_id_claim,
2851
+ :client_ids)
2852
+ SENSITIVE = [:principal_id_claim]
2853
+ include Aws::Structure
2854
+ end
2855
+
2856
+ # The configuration of an OpenID Connect (OIDC) identity source for
2857
+ # handling identity (ID) token claims. Contains the claim that you want
2858
+ # to identify as the principal in an authorization request, and the
2859
+ # values of the `aud` claim, or audiences, that you want to accept.
2860
+ #
2861
+ # This data type is part of a [OpenIdConnectTokenSelectionDetail][1]
2862
+ # structure, which is a parameter of [GetIdentitySource][2].
2863
+ #
2864
+ #
2865
+ #
2866
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelectionDetail.html
2867
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html
2868
+ #
2869
+ # @!attribute [rw] principal_id_claim
2870
+ # The claim that determines the principal in OIDC access tokens. For
2871
+ # example, `sub`.
2872
+ # @return [String]
2873
+ #
2874
+ # @!attribute [rw] client_ids
2875
+ # The ID token audience, or client ID, claim values that you want to
2876
+ # accept in your policy store from an OIDC identity provider. For
2877
+ # example, `1example23456789, 2example10111213`.
2878
+ # @return [Array<String>]
2879
+ #
2880
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectIdentityTokenConfigurationDetail AWS API Documentation
2881
+ #
2882
+ class OpenIdConnectIdentityTokenConfigurationDetail < Struct.new(
2883
+ :principal_id_claim,
2884
+ :client_ids)
2885
+ SENSITIVE = [:principal_id_claim]
2886
+ include Aws::Structure
2887
+ end
2888
+
2889
+ # The configuration of an OpenID Connect (OIDC) identity source for
2890
+ # handling identity (ID) token claims. Contains the claim that you want
2891
+ # to identify as the principal in an authorization request, and the
2892
+ # values of the `aud` claim, or audiences, that you want to accept.
2893
+ #
2894
+ # This data type is part of a [OpenIdConnectTokenSelectionItem][1]
2895
+ # structure, which is a parameter of [ListIdentitySources][2].
2896
+ #
2897
+ #
2898
+ #
2899
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelectionItem.html
2900
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html
2901
+ #
2902
+ # @!attribute [rw] principal_id_claim
2903
+ # The claim that determines the principal in OIDC access tokens. For
2904
+ # example, `sub`.
2905
+ # @return [String]
2906
+ #
2907
+ # @!attribute [rw] client_ids
2908
+ # The ID token audience, or client ID, claim values that you want to
2909
+ # accept in your policy store from an OIDC identity provider. For
2910
+ # example, `1example23456789, 2example10111213`.
2911
+ # @return [Array<String>]
2912
+ #
2913
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectIdentityTokenConfigurationItem AWS API Documentation
2914
+ #
2915
+ class OpenIdConnectIdentityTokenConfigurationItem < Struct.new(
2916
+ :principal_id_claim,
2917
+ :client_ids)
2918
+ SENSITIVE = [:principal_id_claim]
2919
+ include Aws::Structure
2920
+ end
2921
+
2922
+ # The token type that you want to process from your OIDC identity
2923
+ # provider. Your policy store can process either identity (ID) or access
2924
+ # tokens from a given OIDC identity source.
2925
+ #
2926
+ # This data type is part of a [OpenIdConnectConfiguration][1] structure,
2927
+ # which is a parameter of [CreateIdentitySource][2].
2928
+ #
2929
+ #
2930
+ #
2931
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html
2932
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html
2933
+ #
2934
+ # @note OpenIdConnectTokenSelection is a union - when making an API calls you must set exactly one of the members.
2935
+ #
2936
+ # @!attribute [rw] access_token_only
2937
+ # The OIDC configuration for processing access tokens. Contains
2938
+ # allowed audience claims, for example `https://auth.example.com`, and
2939
+ # the claim that you want to map to the principal, for example `sub`.
2940
+ # @return [Types::OpenIdConnectAccessTokenConfiguration]
2941
+ #
2942
+ # @!attribute [rw] identity_token_only
2943
+ # The OIDC configuration for processing identity (ID) tokens. Contains
2944
+ # allowed client ID claims, for example `1example23456789`, and the
2945
+ # claim that you want to map to the principal, for example `sub`.
2946
+ # @return [Types::OpenIdConnectIdentityTokenConfiguration]
2947
+ #
2948
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectTokenSelection AWS API Documentation
2949
+ #
2950
+ class OpenIdConnectTokenSelection < Struct.new(
2951
+ :access_token_only,
2952
+ :identity_token_only,
2953
+ :unknown)
2954
+ SENSITIVE = []
2955
+ include Aws::Structure
2956
+ include Aws::Structure::Union
2957
+
2958
+ class AccessTokenOnly < OpenIdConnectTokenSelection; end
2959
+ class IdentityTokenOnly < OpenIdConnectTokenSelection; end
2960
+ class Unknown < OpenIdConnectTokenSelection; end
2961
+ end
2962
+
2963
+ # The token type that you want to process from your OIDC identity
2964
+ # provider. Your policy store can process either identity (ID) or access
2965
+ # tokens from a given OIDC identity source.
2966
+ #
2967
+ # This data type is part of a [OpenIdConnectConfigurationDetail][1]
2968
+ # structure, which is a parameter of [GetIdentitySource][2].
2969
+ #
2970
+ #
2971
+ #
2972
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfigurationDetail.html
2973
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_GetIdentitySource.html
2974
+ #
2975
+ # @note OpenIdConnectTokenSelectionDetail is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of OpenIdConnectTokenSelectionDetail corresponding to the set member.
2976
+ #
2977
+ # @!attribute [rw] access_token_only
2978
+ # The OIDC configuration for processing access tokens. Contains
2979
+ # allowed audience claims, for example `https://auth.example.com`, and
2980
+ # the claim that you want to map to the principal, for example `sub`.
2981
+ # @return [Types::OpenIdConnectAccessTokenConfigurationDetail]
2982
+ #
2983
+ # @!attribute [rw] identity_token_only
2984
+ # The OIDC configuration for processing identity (ID) tokens. Contains
2985
+ # allowed client ID claims, for example `1example23456789`, and the
2986
+ # claim that you want to map to the principal, for example `sub`.
2987
+ # @return [Types::OpenIdConnectIdentityTokenConfigurationDetail]
2988
+ #
2989
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectTokenSelectionDetail AWS API Documentation
2990
+ #
2991
+ class OpenIdConnectTokenSelectionDetail < Struct.new(
2992
+ :access_token_only,
2993
+ :identity_token_only,
2994
+ :unknown)
2995
+ SENSITIVE = []
2996
+ include Aws::Structure
2997
+ include Aws::Structure::Union
2998
+
2999
+ class AccessTokenOnly < OpenIdConnectTokenSelectionDetail; end
3000
+ class IdentityTokenOnly < OpenIdConnectTokenSelectionDetail; end
3001
+ class Unknown < OpenIdConnectTokenSelectionDetail; end
3002
+ end
3003
+
3004
+ # The token type that you want to process from your OIDC identity
3005
+ # provider. Your policy store can process either identity (ID) or access
3006
+ # tokens from a given OIDC identity source.
3007
+ #
3008
+ # This data type is part of a [OpenIdConnectConfigurationItem][1]
3009
+ # structure, which is a parameter of [ListIdentitySources][2].
3010
+ #
3011
+ #
3012
+ #
3013
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfigurationItem.html
3014
+ # [2]: http://amazonaws.com/verifiedpermissions/latest/apireference/API_ListIdentitySources.html
3015
+ #
3016
+ # @note OpenIdConnectTokenSelectionItem is a union - when returned from an API call exactly one value will be set and the returned type will be a subclass of OpenIdConnectTokenSelectionItem corresponding to the set member.
3017
+ #
3018
+ # @!attribute [rw] access_token_only
3019
+ # The OIDC configuration for processing access tokens. Contains
3020
+ # allowed audience claims, for example `https://auth.example.com`, and
3021
+ # the claim that you want to map to the principal, for example `sub`.
3022
+ # @return [Types::OpenIdConnectAccessTokenConfigurationItem]
3023
+ #
3024
+ # @!attribute [rw] identity_token_only
3025
+ # The OIDC configuration for processing identity (ID) tokens. Contains
3026
+ # allowed client ID claims, for example `1example23456789`, and the
3027
+ # claim that you want to map to the principal, for example `sub`.
3028
+ # @return [Types::OpenIdConnectIdentityTokenConfigurationItem]
3029
+ #
3030
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/OpenIdConnectTokenSelectionItem AWS API Documentation
3031
+ #
3032
+ class OpenIdConnectTokenSelectionItem < Struct.new(
3033
+ :access_token_only,
3034
+ :identity_token_only,
3035
+ :unknown)
3036
+ SENSITIVE = []
3037
+ include Aws::Structure
3038
+ include Aws::Structure::Union
3039
+
3040
+ class AccessTokenOnly < OpenIdConnectTokenSelectionItem; end
3041
+ class IdentityTokenOnly < OpenIdConnectTokenSelectionItem; end
3042
+ class Unknown < OpenIdConnectTokenSelectionItem; end
3043
+ end
3044
+
2440
3045
  # A structure that contains the details for a Cedar policy definition.
2441
3046
  # It includes the policy type, a description, and a policy body. This is
2442
3047
  # a top level data type used to create a policy.
@@ -3162,15 +3767,8 @@ module Aws::VerifiedPermissions
3162
3767
  include Aws::Structure
3163
3768
  end
3164
3769
 
3165
- # Contains an updated configuration to replace the configuration in an
3166
- # existing identity source.
3167
- #
3168
- # <note markdown="1"> At this time, the only valid member of this structure is a Amazon
3169
- # Cognito user pool configuration.
3170
- #
3171
- # You must specify a `userPoolArn`, and optionally, a `ClientId`.
3172
- #
3173
- # </note>
3770
+ # Contains an update to replace the configuration in an existing
3771
+ # identity source.
3174
3772
  #
3175
3773
  # @note UpdateConfiguration is a union - when making an API calls you must set exactly one of the members.
3176
3774
  #
@@ -3178,16 +3776,26 @@ module Aws::VerifiedPermissions
3178
3776
  # Contains configuration details of a Amazon Cognito user pool.
3179
3777
  # @return [Types::UpdateCognitoUserPoolConfiguration]
3180
3778
  #
3779
+ # @!attribute [rw] open_id_connect_configuration
3780
+ # Contains configuration details of an OpenID Connect (OIDC) identity
3781
+ # provider, or identity source, that Verified Permissions can use to
3782
+ # generate entities from authenticated identities. It specifies the
3783
+ # issuer URL, token type that you want to use, and policy store entity
3784
+ # details.
3785
+ # @return [Types::UpdateOpenIdConnectConfiguration]
3786
+ #
3181
3787
  # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/UpdateConfiguration AWS API Documentation
3182
3788
  #
3183
3789
  class UpdateConfiguration < Struct.new(
3184
3790
  :cognito_user_pool_configuration,
3791
+ :open_id_connect_configuration,
3185
3792
  :unknown)
3186
3793
  SENSITIVE = []
3187
3794
  include Aws::Structure
3188
3795
  include Aws::Structure::Union
3189
3796
 
3190
3797
  class CognitoUserPoolConfiguration < UpdateConfiguration; end
3798
+ class OpenIdConnectConfiguration < UpdateConfiguration; end
3191
3799
  class Unknown < UpdateConfiguration; end
3192
3800
  end
3193
3801
 
@@ -3258,6 +3866,198 @@ module Aws::VerifiedPermissions
3258
3866
  include Aws::Structure
3259
3867
  end
3260
3868
 
3869
+ # The configuration of an OpenID Connect (OIDC) identity source for
3870
+ # handling access token claims. Contains the claim that you want to
3871
+ # identify as the principal in an authorization request, and the values
3872
+ # of the `aud` claim, or audiences, that you want to accept.
3873
+ #
3874
+ # This data type is part of a [UpdateOpenIdConnectTokenSelection][1]
3875
+ # structure, which is a parameter to [UpdateIdentitySource][2].
3876
+ #
3877
+ #
3878
+ #
3879
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateOpenIdConnectTokenSelection.html
3880
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateIdentitySource.html
3881
+ #
3882
+ # @!attribute [rw] principal_id_claim
3883
+ # The claim that determines the principal in OIDC access tokens. For
3884
+ # example, `sub`.
3885
+ # @return [String]
3886
+ #
3887
+ # @!attribute [rw] audiences
3888
+ # The access token `aud` claim values that you want to accept in your
3889
+ # policy store. For example, `https://myapp.example.com,
3890
+ # https://myapp2.example.com`.
3891
+ # @return [Array<String>]
3892
+ #
3893
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/UpdateOpenIdConnectAccessTokenConfiguration AWS API Documentation
3894
+ #
3895
+ class UpdateOpenIdConnectAccessTokenConfiguration < Struct.new(
3896
+ :principal_id_claim,
3897
+ :audiences)
3898
+ SENSITIVE = [:principal_id_claim]
3899
+ include Aws::Structure
3900
+ end
3901
+
3902
+ # Contains configuration details of an OpenID Connect (OIDC) identity
3903
+ # provider, or identity source, that Verified Permissions can use to
3904
+ # generate entities from authenticated identities. It specifies the
3905
+ # issuer URL, token type that you want to use, and policy store entity
3906
+ # details.
3907
+ #
3908
+ # This data type is part of a [UpdateConfiguration][1] structure, which
3909
+ # is a parameter to [UpdateIdentitySource][2].
3910
+ #
3911
+ #
3912
+ #
3913
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateConfiguration.html
3914
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateIdentitySource.html
3915
+ #
3916
+ # @!attribute [rw] issuer
3917
+ # The issuer URL of an OIDC identity provider. This URL must have an
3918
+ # OIDC discovery endpoint at the path
3919
+ # `.well-known/openid-configuration`.
3920
+ # @return [String]
3921
+ #
3922
+ # @!attribute [rw] entity_id_prefix
3923
+ # A descriptive string that you want to prefix to user entities from
3924
+ # your OIDC identity provider. For example, if you set an
3925
+ # `entityIdPrefix` of `MyOIDCProvider`, you can reference principals
3926
+ # in your policies in the format
3927
+ # `MyCorp::User::MyOIDCProvider|Carlos`.
3928
+ # @return [String]
3929
+ #
3930
+ # @!attribute [rw] group_configuration
3931
+ # The claim in OIDC identity provider tokens that indicates a user's
3932
+ # group membership, and the entity type that you want to map it to.
3933
+ # For example, this object can map the contents of a `groups` claim to
3934
+ # `MyCorp::UserGroup`.
3935
+ # @return [Types::UpdateOpenIdConnectGroupConfiguration]
3936
+ #
3937
+ # @!attribute [rw] token_selection
3938
+ # The token type that you want to process from your OIDC identity
3939
+ # provider. Your policy store can process either identity (ID) or
3940
+ # access tokens from a given OIDC identity source.
3941
+ # @return [Types::UpdateOpenIdConnectTokenSelection]
3942
+ #
3943
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/UpdateOpenIdConnectConfiguration AWS API Documentation
3944
+ #
3945
+ class UpdateOpenIdConnectConfiguration < Struct.new(
3946
+ :issuer,
3947
+ :entity_id_prefix,
3948
+ :group_configuration,
3949
+ :token_selection)
3950
+ SENSITIVE = [:entity_id_prefix]
3951
+ include Aws::Structure
3952
+ end
3953
+
3954
+ # The claim in OIDC identity provider tokens that indicates a user's
3955
+ # group membership, and the entity type that you want to map it to. For
3956
+ # example, this object can map the contents of a `groups` claim to
3957
+ # `MyCorp::UserGroup`.
3958
+ #
3959
+ # This data type is part of a [UpdateOpenIdConnectConfiguration][1]
3960
+ # structure, which is a parameter to [UpdateIdentitySource][2].
3961
+ #
3962
+ #
3963
+ #
3964
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateOpenIdConnectConfiguration.html
3965
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateIdentitySource.html
3966
+ #
3967
+ # @!attribute [rw] group_claim
3968
+ # The token claim that you want Verified Permissions to interpret as
3969
+ # group membership. For example, `groups`.
3970
+ # @return [String]
3971
+ #
3972
+ # @!attribute [rw] group_entity_type
3973
+ # The policy store entity type that you want to map your users' group
3974
+ # claim to. For example, `MyCorp::UserGroup`. A group entity type is
3975
+ # an entity that can have a user entity type as a member.
3976
+ # @return [String]
3977
+ #
3978
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/UpdateOpenIdConnectGroupConfiguration AWS API Documentation
3979
+ #
3980
+ class UpdateOpenIdConnectGroupConfiguration < Struct.new(
3981
+ :group_claim,
3982
+ :group_entity_type)
3983
+ SENSITIVE = [:group_claim, :group_entity_type]
3984
+ include Aws::Structure
3985
+ end
3986
+
3987
+ # The configuration of an OpenID Connect (OIDC) identity source for
3988
+ # handling identity (ID) token claims. Contains the claim that you want
3989
+ # to identify as the principal in an authorization request, and the
3990
+ # values of the `aud` claim, or audiences, that you want to accept.
3991
+ #
3992
+ # This data type is part of a [UpdateOpenIdConnectTokenSelection][1]
3993
+ # structure, which is a parameter to [UpdateIdentitySource][2].
3994
+ #
3995
+ #
3996
+ #
3997
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateOpenIdConnectTokenSelection.html
3998
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateIdentitySource.html
3999
+ #
4000
+ # @!attribute [rw] principal_id_claim
4001
+ # The claim that determines the principal in OIDC access tokens. For
4002
+ # example, `sub`.
4003
+ # @return [String]
4004
+ #
4005
+ # @!attribute [rw] client_ids
4006
+ # The ID token audience, or client ID, claim values that you want to
4007
+ # accept in your policy store from an OIDC identity provider. For
4008
+ # example, `1example23456789, 2example10111213`.
4009
+ # @return [Array<String>]
4010
+ #
4011
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/UpdateOpenIdConnectIdentityTokenConfiguration AWS API Documentation
4012
+ #
4013
+ class UpdateOpenIdConnectIdentityTokenConfiguration < Struct.new(
4014
+ :principal_id_claim,
4015
+ :client_ids)
4016
+ SENSITIVE = [:principal_id_claim]
4017
+ include Aws::Structure
4018
+ end
4019
+
4020
+ # The token type that you want to process from your OIDC identity
4021
+ # provider. Your policy store can process either identity (ID) or access
4022
+ # tokens from a given OIDC identity source.
4023
+ #
4024
+ # This data type is part of a [UpdateOpenIdConnectConfiguration][1]
4025
+ # structure, which is a parameter to [UpdateIdentitySource][2].
4026
+ #
4027
+ #
4028
+ #
4029
+ # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateOpenIdConnectConfiguration.html
4030
+ # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_UpdateIdentitySource.html
4031
+ #
4032
+ # @note UpdateOpenIdConnectTokenSelection is a union - when making an API calls you must set exactly one of the members.
4033
+ #
4034
+ # @!attribute [rw] access_token_only
4035
+ # The OIDC configuration for processing access tokens. Contains
4036
+ # allowed audience claims, for example `https://auth.example.com`, and
4037
+ # the claim that you want to map to the principal, for example `sub`.
4038
+ # @return [Types::UpdateOpenIdConnectAccessTokenConfiguration]
4039
+ #
4040
+ # @!attribute [rw] identity_token_only
4041
+ # The OIDC configuration for processing identity (ID) tokens. Contains
4042
+ # allowed client ID claims, for example `1example23456789`, and the
4043
+ # claim that you want to map to the principal, for example `sub`.
4044
+ # @return [Types::UpdateOpenIdConnectIdentityTokenConfiguration]
4045
+ #
4046
+ # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/UpdateOpenIdConnectTokenSelection AWS API Documentation
4047
+ #
4048
+ class UpdateOpenIdConnectTokenSelection < Struct.new(
4049
+ :access_token_only,
4050
+ :identity_token_only,
4051
+ :unknown)
4052
+ SENSITIVE = []
4053
+ include Aws::Structure
4054
+ include Aws::Structure::Union
4055
+
4056
+ class AccessTokenOnly < UpdateOpenIdConnectTokenSelection; end
4057
+ class IdentityTokenOnly < UpdateOpenIdConnectTokenSelection; end
4058
+ class Unknown < UpdateOpenIdConnectTokenSelection; end
4059
+ end
4060
+
3261
4061
  # Contains information about updates to be applied to a policy.
3262
4062
  #
3263
4063
  # This data type is used as a request parameter in the [UpdatePolicy][1]
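Review bot: The `principal_id_claim` doc on `UpdateOpenIdConnectIdentityTokenConfiguration` says the claim determines the principal in OIDC access tokens, but this structure configures identity (ID) token processing (its sibling `client_ids` is documented as the ID token audience/client ID claim), so the line should read `# The claim that determines the principal in OIDC identity (ID) tokens. For` — the access-token wording belongs only to `UpdateOpenIdConnectAccessTokenConfiguration`. The `audiences` and `client_ids` attributes would also benefit from a caveat that every listed value is presumably treated as an acceptable `aud`, so a token minted for any listed client or audience will be accepted by this policy store; e.g. `# List only the audiences/client IDs that belong to this application; each entry widens which tokens are accepted.` Likewise, since `issuer` is where the discovery document is fetched from, the doc could state whether the service requires an `https` URL and an exact match against the token's `iss` claim, which the comment currently leaves implicit. All three structures are complete within the hunk.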