@aws-sdk/client-sso-oidc 3.451.0 → 3.454.0

package/dist-es/endpoint/EndpointParameters.js

@@ -3,6 +3,6 @@ export const resolveClientEndpointParameters = (options) => {
         ...options,
         useDualstackEndpoint: options.useDualstackEndpoint ?? false,
         useFipsEndpoint: options.useFipsEndpoint ?? false,
-        defaultSigningName: "awsssooidc",
+        defaultSigningName: "sso-oauth",
     };
 };

package/dist-es/models/models_0.js

@@ -1,3 +1,4 @@
+import { SENSITIVE_STRING } from "@smithy/smithy-client";
 import { SSOOIDCServiceException as __BaseException } from "./SSOOIDCServiceException";
 export class AccessDeniedException extends __BaseException {
     constructor(opts) {
@@ -153,6 +154,22 @@ export class UnsupportedGrantTypeException extends __BaseException {
         this.error_description = opts.error_description;
     }
 }
+export class InvalidRequestRegionException extends __BaseException {
+    constructor(opts) {
+        super({
+            name: "InvalidRequestRegionException",
+            $fault: "client",
+            ...opts,
+        });
+        this.name = "InvalidRequestRegionException";
+        this.$fault = "client";
+        Object.setPrototypeOf(this, InvalidRequestRegionException.prototype);
+        this.error = opts.error;
+        this.error_description = opts.error_description;
+        this.endpoint = opts.endpoint;
+        this.region = opts.region;
+    }
+}
 export class InvalidClientMetadataException extends __BaseException {
     constructor(opts) {
         super({
@@ -167,3 +184,34 @@ export class InvalidClientMetadataException extends __BaseException {
         this.error_description = opts.error_description;
     }
 }
+export const CreateTokenRequestFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.clientSecret && { clientSecret: SENSITIVE_STRING }),
+    ...(obj.refreshToken && { refreshToken: SENSITIVE_STRING }),
+});
+export const CreateTokenResponseFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.accessToken && { accessToken: SENSITIVE_STRING }),
+    ...(obj.refreshToken && { refreshToken: SENSITIVE_STRING }),
+    ...(obj.idToken && { idToken: SENSITIVE_STRING }),
+});
+export const CreateTokenWithIAMRequestFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.refreshToken && { refreshToken: SENSITIVE_STRING }),
+    ...(obj.assertion && { assertion: SENSITIVE_STRING }),
+    ...(obj.subjectToken && { subjectToken: SENSITIVE_STRING }),
+});
+export const CreateTokenWithIAMResponseFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.accessToken && { accessToken: SENSITIVE_STRING }),
+    ...(obj.refreshToken && { refreshToken: SENSITIVE_STRING }),
+    ...(obj.idToken && { idToken: SENSITIVE_STRING }),
+});
+export const RegisterClientResponseFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.clientSecret && { clientSecret: SENSITIVE_STRING }),
+});
+export const StartDeviceAuthorizationRequestFilterSensitiveLog = (obj) => ({
+    ...obj,
+    ...(obj.clientSecret && { clientSecret: SENSITIVE_STRING }),
+});

package/dist-es/protocols/Aws_restJson1.js

@@ -1,6 +1,6 @@
 import { HttpRequest as __HttpRequest } from "@smithy/protocol-http";
 import { _json, collectBody, decorateServiceException as __decorateServiceException, expectInt32 as __expectInt32, expectLong as __expectLong, expectNonNull as __expectNonNull, expectObject as __expectObject, expectString as __expectString, map, take, withBaseException, } from "@smithy/smithy-client";
-import { AccessDeniedException, AuthorizationPendingException, ExpiredTokenException, InternalServerException, InvalidClientException, InvalidClientMetadataException, InvalidGrantException, InvalidRequestException, InvalidScopeException, SlowDownException, UnauthorizedClientException, UnsupportedGrantTypeException, } from "../models/models_0";
+import { AccessDeniedException, AuthorizationPendingException, ExpiredTokenException, InternalServerException, InvalidClientException, InvalidClientMetadataException, InvalidGrantException, InvalidRequestException, InvalidRequestRegionException, InvalidScopeException, SlowDownException, UnauthorizedClientException, UnsupportedGrantTypeException, } from "../models/models_0";
 import { SSOOIDCServiceException as __BaseException } from "../models/SSOOIDCServiceException";
 export const se_CreateTokenCommand = async (input, context) => {
     const { hostname, protocol = "https", port, path: basePath } = await context.endpoint();
@@ -29,6 +29,39 @@ export const se_CreateTokenCommand = async (input, context) => {
         body,
     });
 };
+export const se_CreateTokenWithIAMCommand = async (input, context) => {
+    const { hostname, protocol = "https", port, path: basePath } = await context.endpoint();
+    const headers = {
+        "content-type": "application/json",
+    };
+    const resolvedPath = `${basePath?.endsWith("/") ? basePath.slice(0, -1) : basePath || ""}` + "/token";
+    const query = map({
+        aws_iam: [, "t"],
+    });
+    let body;
+    body = JSON.stringify(take(input, {
+        assertion: [],
+        clientId: [],
+        code: [],
+        grantType: [],
+        redirectUri: [],
+        refreshToken: [],
+        requestedTokenType: [],
+        scope: (_) => _json(_),
+        subjectToken: [],
+        subjectTokenType: [],
+    }));
+    return new __HttpRequest({
+        protocol,
+        hostname,
+        port,
+        method: "POST",
+        headers,
+        path: resolvedPath,
+        query,
+        body,
+    });
+};
 export const se_RegisterClientCommand = async (input, context) => {
     const { hostname, protocol = "https", port, path: basePath } = await context.endpoint();
     const headers = {
@@ -140,6 +173,78 @@ const de_CreateTokenCommandError = async (output, context) => {
             });
     }
 };
+export const de_CreateTokenWithIAMCommand = async (output, context) => {
+    if (output.statusCode !== 200 && output.statusCode >= 300) {
+        return de_CreateTokenWithIAMCommandError(output, context);
+    }
+    const contents = map({
+        $metadata: deserializeMetadata(output),
+    });
+    const data = __expectNonNull(__expectObject(await parseBody(output.body, context)), "body");
+    const doc = take(data, {
+        accessToken: __expectString,
+        expiresIn: __expectInt32,
+        idToken: __expectString,
+        issuedTokenType: __expectString,
+        refreshToken: __expectString,
+        scope: _json,
+        tokenType: __expectString,
+    });
+    Object.assign(contents, doc);
+    return contents;
+};
+const de_CreateTokenWithIAMCommandError = async (output, context) => {
+    const parsedOutput = {
+        ...output,
+        body: await parseErrorBody(output.body, context),
+    };
+    const errorCode = loadRestJsonErrorCode(output, parsedOutput.body);
+    switch (errorCode) {
+        case "AccessDeniedException":
+        case "com.amazonaws.ssooidc#AccessDeniedException":
+            throw await de_AccessDeniedExceptionRes(parsedOutput, context);
+        case "AuthorizationPendingException":
+        case "com.amazonaws.ssooidc#AuthorizationPendingException":
+            throw await de_AuthorizationPendingExceptionRes(parsedOutput, context);
+        case "ExpiredTokenException":
+        case "com.amazonaws.ssooidc#ExpiredTokenException":
+            throw await de_ExpiredTokenExceptionRes(parsedOutput, context);
+        case "InternalServerException":
+        case "com.amazonaws.ssooidc#InternalServerException":
+            throw await de_InternalServerExceptionRes(parsedOutput, context);
+        case "InvalidClientException":
+        case "com.amazonaws.ssooidc#InvalidClientException":
+            throw await de_InvalidClientExceptionRes(parsedOutput, context);
+        case "InvalidGrantException":
+        case "com.amazonaws.ssooidc#InvalidGrantException":
+            throw await de_InvalidGrantExceptionRes(parsedOutput, context);
+        case "InvalidRequestException":
+        case "com.amazonaws.ssooidc#InvalidRequestException":
+            throw await de_InvalidRequestExceptionRes(parsedOutput, context);
+        case "InvalidRequestRegionException":
+        case "com.amazonaws.ssooidc#InvalidRequestRegionException":
+            throw await de_InvalidRequestRegionExceptionRes(parsedOutput, context);
+        case "InvalidScopeException":
+        case "com.amazonaws.ssooidc#InvalidScopeException":
+            throw await de_InvalidScopeExceptionRes(parsedOutput, context);
+        case "SlowDownException":
+        case "com.amazonaws.ssooidc#SlowDownException":
+            throw await de_SlowDownExceptionRes(parsedOutput, context);
+        case "UnauthorizedClientException":
+        case "com.amazonaws.ssooidc#UnauthorizedClientException":
+            throw await de_UnauthorizedClientExceptionRes(parsedOutput, context);
+        case "UnsupportedGrantTypeException":
+        case "com.amazonaws.ssooidc#UnsupportedGrantTypeException":
+            throw await de_UnsupportedGrantTypeExceptionRes(parsedOutput, context);
+        default:
+            const parsedBody = parsedOutput.body;
+            return throwDefaultError({
+                output,
+                parsedBody,
+                errorCode,
+            });
+    }
+};
 export const de_RegisterClientCommand = async (output, context) => {
     if (output.statusCode !== 200 && output.statusCode >= 300) {
         return de_RegisterClientCommandError(output, context);
@@ -350,6 +455,22 @@ const de_InvalidRequestExceptionRes = async (parsedOutput, context) => {
     });
     return __decorateServiceException(exception, parsedOutput.body);
 };
+const de_InvalidRequestRegionExceptionRes = async (parsedOutput, context) => {
+    const contents = map({});
+    const data = parsedOutput.body;
+    const doc = take(data, {
+        endpoint: __expectString,
+        error: __expectString,
+        error_description: __expectString,
+        region: __expectString,
+    });
+    Object.assign(contents, doc);
+    const exception = new InvalidRequestRegionException({
+        $metadata: deserializeMetadata(parsedOutput),
+        ...contents,
+    });
+    return __decorateServiceException(exception, parsedOutput.body);
+};
 const de_InvalidScopeExceptionRes = async (parsedOutput, context) => {
     const contents = map({});
     const data = parsedOutput.body;

package/dist-es/runtimeConfig.browser.js

@@ -19,6 +19,7 @@ export const getRuntimeConfig = (config) => {
         runtime: "browser",
         defaultsMode,
         bodyLengthChecker: config?.bodyLengthChecker ?? calculateBodyLength,
+        credentialDefaultProvider: config?.credentialDefaultProvider ?? ((_) => () => Promise.reject(new Error("Credential is missing"))),
         defaultUserAgentProvider: config?.defaultUserAgentProvider ??
             defaultUserAgent({ serviceId: clientSharedValues.serviceId, clientVersion: packageInfo.version }),
         maxAttempts: config?.maxAttempts ?? DEFAULT_MAX_ATTEMPTS,

package/dist-es/runtimeConfig.js

@@ -1,5 +1,7 @@
 import packageInfo from "../package.json";
+import { decorateDefaultCredentialProvider } from "@aws-sdk/client-sts";
 import { emitWarningIfUnsupportedVersion as awsCheckVersion } from "@aws-sdk/core";
+import { defaultProvider as credentialDefaultProvider } from "@aws-sdk/credential-provider-node";
 import { defaultUserAgent } from "@aws-sdk/util-user-agent-node";
 import { NODE_REGION_CONFIG_FILE_OPTIONS, NODE_REGION_CONFIG_OPTIONS, NODE_USE_DUALSTACK_ENDPOINT_CONFIG_OPTIONS, NODE_USE_FIPS_ENDPOINT_CONFIG_OPTIONS, } from "@smithy/config-resolver";
 import { Hash } from "@smithy/hash-node";
@@ -24,6 +26,7 @@ export const getRuntimeConfig = (config) => {
         runtime: "node",
         defaultsMode,
         bodyLengthChecker: config?.bodyLengthChecker ?? calculateBodyLength,
+        credentialDefaultProvider: config?.credentialDefaultProvider ?? decorateDefaultCredentialProvider(credentialDefaultProvider),
         defaultUserAgentProvider: config?.defaultUserAgentProvider ??
             defaultUserAgent({ serviceId: clientSharedValues.serviceId, clientVersion: packageInfo.version }),
         maxAttempts: config?.maxAttempts ?? loadNodeConfig(NODE_MAX_ATTEMPT_CONFIG_OPTIONS),

package/dist-types/SSOOIDC.d.ts

@@ -1,5 +1,6 @@
 import { HttpHandlerOptions as __HttpHandlerOptions } from "@smithy/types";
 import { CreateTokenCommandInput, CreateTokenCommandOutput } from "./commands/CreateTokenCommand";
+import { CreateTokenWithIAMCommandInput, CreateTokenWithIAMCommandOutput } from "./commands/CreateTokenWithIAMCommand";
 import { RegisterClientCommandInput, RegisterClientCommandOutput } from "./commands/RegisterClientCommand";
 import { StartDeviceAuthorizationCommandInput, StartDeviceAuthorizationCommandOutput } from "./commands/StartDeviceAuthorizationCommand";
 import { SSOOIDCClient } from "./SSOOIDCClient";
@@ -10,6 +11,12 @@ export interface SSOOIDC {
     createToken(args: CreateTokenCommandInput, options?: __HttpHandlerOptions): Promise<CreateTokenCommandOutput>;
     createToken(args: CreateTokenCommandInput, cb: (err: any, data?: CreateTokenCommandOutput) => void): void;
     createToken(args: CreateTokenCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: CreateTokenCommandOutput) => void): void;
+    /**
+     * @see {@link CreateTokenWithIAMCommand}
+     */
+    createTokenWithIAM(args: CreateTokenWithIAMCommandInput, options?: __HttpHandlerOptions): Promise<CreateTokenWithIAMCommandOutput>;
+    createTokenWithIAM(args: CreateTokenWithIAMCommandInput, cb: (err: any, data?: CreateTokenWithIAMCommandOutput) => void): void;
+    createTokenWithIAM(args: CreateTokenWithIAMCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: CreateTokenWithIAMCommandOutput) => void): void;
     /**
      * @see {@link RegisterClientCommand}
      */
@@ -25,14 +32,12 @@ export interface SSOOIDC {
 }
 /**
  * @public
- * <p>AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a client (such as AWS CLI
+ * <p>IAM Identity Center OpenID Connect (OIDC) is a web service that enables a client (such as CLI
  *       or a native application) to register with IAM Identity Center. The service also enables the client to
  *       fetch the user’s access token upon successful authentication and authorization with
  *       IAM Identity Center.</p>
  *          <note>
- *             <p>Although AWS Single Sign-On was renamed, the <code>sso</code> and
- *         <code>identitystore</code> API namespaces will continue to retain their original name for
- *         backward compatibility purposes. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed">IAM Identity Center rename</a>.</p>
+ *             <p>IAM Identity Center uses the <code>sso</code> and <code>identitystore</code> API namespaces.</p>
  *          </note>
  *          <p>
  *             <b>Considerations for Using This Guide</b>
@@ -41,23 +46,24 @@ export interface SSOOIDC {
  *       important information about how the IAM Identity Center OIDC service works.</p>
  *          <ul>
  *             <li>
- *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0
- *           Device Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
- *           sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed
- *           for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in
- *           future releases.</p>
+ *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device
+ *           Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
+ *           sign-on authentication with the CLI. </p>
  *             </li>
  *             <li>
- *                <p>The service emits only OIDC access tokens, such that obtaining a new token (For
- *           example, token refresh) requires explicit user re-authentication.</p>
+ *                <p>With older versions of the CLI, the service only emits OIDC access tokens, so to
+ *           obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that
+ *           supports token refresh and doesn’t require re-authentication, update to the latest CLI
+ *           version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and
+ *           configurable IAM Identity Center session durations. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html">Configure Amazon Web Services access portal session duration </a>. </p>
  *             </li>
  *             <li>
- *                <p>The access tokens provided by this service grant access to all AWS account
+ *                <p>The access tokens provided by this service grant access to all Amazon Web Services account
  *           entitlements assigned to an IAM Identity Center user, not just a particular application.</p>
  *             </li>
  *             <li>
  *                <p>The documentation in this guide does not describe the mechanism to convert the access
- *           token into AWS Auth (“sigv4”) credentials for use with IAM-protected AWS service
+ *           token into Amazon Web Services Auth (“sigv4”) credentials for use with IAM-protected Amazon Web Services service
  *           endpoints. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html">GetRoleCredentials</a> in the <i>IAM Identity Center Portal API Reference
  *             Guide</i>.</p>
  *             </li>

package/dist-types/SSOOIDCClient.d.ts

@@ -1,5 +1,7 @@
 import { HostHeaderInputConfig, HostHeaderResolvedConfig } from "@aws-sdk/middleware-host-header";
+import { AwsAuthInputConfig, AwsAuthResolvedConfig } from "@aws-sdk/middleware-signing";
 import { UserAgentInputConfig, UserAgentResolvedConfig } from "@aws-sdk/middleware-user-agent";
+import { Credentials as __Credentials } from "@aws-sdk/types";
 import { RegionInputConfig, RegionResolvedConfig } from "@smithy/config-resolver";
 import { EndpointInputConfig, EndpointResolvedConfig } from "@smithy/middleware-endpoint";
 import { RetryInputConfig, RetryResolvedConfig } from "@smithy/middleware-retry";
@@ -7,6 +9,7 @@ import { HttpHandler as __HttpHandler } from "@smithy/protocol-http";
 import { Client as __Client, DefaultsMode as __DefaultsMode, SmithyConfiguration as __SmithyConfiguration, SmithyResolvedConfiguration as __SmithyResolvedConfiguration } from "@smithy/smithy-client";
 import { BodyLengthCalculator as __BodyLengthCalculator, CheckOptionalClientConfig as __CheckOptionalClientConfig, ChecksumConstructor as __ChecksumConstructor, Decoder as __Decoder, Encoder as __Encoder, HashConstructor as __HashConstructor, HttpHandlerOptions as __HttpHandlerOptions, Logger as __Logger, Provider as __Provider, Provider, StreamCollector as __StreamCollector, UrlParser as __UrlParser, UserAgent as __UserAgent } from "@smithy/types";
 import { CreateTokenCommandInput, CreateTokenCommandOutput } from "./commands/CreateTokenCommand";
+import { CreateTokenWithIAMCommandInput, CreateTokenWithIAMCommandOutput } from "./commands/CreateTokenWithIAMCommand";
 import { RegisterClientCommandInput, RegisterClientCommandOutput } from "./commands/RegisterClientCommand";
 import { StartDeviceAuthorizationCommandInput, StartDeviceAuthorizationCommandOutput } from "./commands/StartDeviceAuthorizationCommand";
 import { ClientInputEndpointParameters, ClientResolvedEndpointParameters, EndpointParameters } from "./endpoint/EndpointParameters";
@@ -15,11 +18,11 @@ export { __Client };
 /**
  * @public
  */
-export type ServiceInputTypes = CreateTokenCommandInput | RegisterClientCommandInput | StartDeviceAuthorizationCommandInput;
+export type ServiceInputTypes = CreateTokenCommandInput | CreateTokenWithIAMCommandInput | RegisterClientCommandInput | StartDeviceAuthorizationCommandInput;
 /**
  * @public
  */
-export type ServiceOutputTypes = CreateTokenCommandOutput | RegisterClientCommandOutput | StartDeviceAuthorizationCommandOutput;
+export type ServiceOutputTypes = CreateTokenCommandOutput | CreateTokenWithIAMCommandOutput | RegisterClientCommandOutput | StartDeviceAuthorizationCommandOutput;
 /**
  * @public
  */
@@ -96,6 +99,11 @@ export interface ClientDefaults extends Partial<__SmithyResolvedConfiguration<__
      * The AWS region to which this client will send requests
      */
     region?: string | __Provider<string>;
+    /**
+     * Default credentials provider; Not available in browser runtime.
+     * @internal
+     */
+    credentialDefaultProvider?: (input: any) => __Provider<__Credentials>;
     /**
      * The provider populating default tracking information to be sent with `user-agent`, `x-amz-user-agent` header
      * @internal
@@ -127,7 +135,7 @@ export interface ClientDefaults extends Partial<__SmithyResolvedConfiguration<__
 /**
  * @public
  */
-export type SSOOIDCClientConfigType = Partial<__SmithyConfiguration<__HttpHandlerOptions>> & ClientDefaults & RegionInputConfig & EndpointInputConfig<EndpointParameters> & RetryInputConfig & HostHeaderInputConfig & UserAgentInputConfig & ClientInputEndpointParameters;
+export type SSOOIDCClientConfigType = Partial<__SmithyConfiguration<__HttpHandlerOptions>> & ClientDefaults & RegionInputConfig & EndpointInputConfig<EndpointParameters> & RetryInputConfig & HostHeaderInputConfig & AwsAuthInputConfig & UserAgentInputConfig & ClientInputEndpointParameters;
 /**
  * @public
  *
@@ -138,7 +146,7 @@ export interface SSOOIDCClientConfig extends SSOOIDCClientConfigType {
 /**
  * @public
  */
-export type SSOOIDCClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpHandlerOptions> & Required<ClientDefaults> & RuntimeExtensionsConfig & RegionResolvedConfig & EndpointResolvedConfig<EndpointParameters> & RetryResolvedConfig & HostHeaderResolvedConfig & UserAgentResolvedConfig & ClientResolvedEndpointParameters;
+export type SSOOIDCClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpHandlerOptions> & Required<ClientDefaults> & RuntimeExtensionsConfig & RegionResolvedConfig & EndpointResolvedConfig<EndpointParameters> & RetryResolvedConfig & HostHeaderResolvedConfig & AwsAuthResolvedConfig & UserAgentResolvedConfig & ClientResolvedEndpointParameters;
 /**
  * @public
  *
@@ -148,14 +156,12 @@ export interface SSOOIDCClientResolvedConfig extends SSOOIDCClientResolvedConfig
 }
 /**
  * @public
- * <p>AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a client (such as AWS CLI
+ * <p>IAM Identity Center OpenID Connect (OIDC) is a web service that enables a client (such as CLI
  *       or a native application) to register with IAM Identity Center. The service also enables the client to
  *       fetch the user’s access token upon successful authentication and authorization with
  *       IAM Identity Center.</p>
  *          <note>
- *             <p>Although AWS Single Sign-On was renamed, the <code>sso</code> and
- *         <code>identitystore</code> API namespaces will continue to retain their original name for
- *         backward compatibility purposes. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed">IAM Identity Center rename</a>.</p>
+ *             <p>IAM Identity Center uses the <code>sso</code> and <code>identitystore</code> API namespaces.</p>
  *          </note>
  *          <p>
  *             <b>Considerations for Using This Guide</b>
@@ -164,23 +170,24 @@ export interface SSOOIDCClientResolvedConfig extends SSOOIDCClientResolvedConfig
  *       important information about how the IAM Identity Center OIDC service works.</p>
  *          <ul>
  *             <li>
- *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0
- *           Device Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
- *           sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed
- *           for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in
- *           future releases.</p>
+ *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device
+ *           Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
+ *           sign-on authentication with the CLI. </p>
  *             </li>
  *             <li>
- *                <p>The service emits only OIDC access tokens, such that obtaining a new token (For
- *           example, token refresh) requires explicit user re-authentication.</p>
+ *                <p>With older versions of the CLI, the service only emits OIDC access tokens, so to
+ *           obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that
+ *           supports token refresh and doesn’t require re-authentication, update to the latest CLI
+ *           version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and
+ *           configurable IAM Identity Center session durations. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html">Configure Amazon Web Services access portal session duration </a>. </p>
  *             </li>
  *             <li>
- *                <p>The access tokens provided by this service grant access to all AWS account
+ *                <p>The access tokens provided by this service grant access to all Amazon Web Services account
  *           entitlements assigned to an IAM Identity Center user, not just a particular application.</p>
  *             </li>
  *             <li>
  *                <p>The documentation in this guide does not describe the mechanism to convert the access
- *           token into AWS Auth (“sigv4”) credentials for use with IAM-protected AWS service
+ *           token into Amazon Web Services Auth (“sigv4”) credentials for use with IAM-protected Amazon Web Services service
  *           endpoints. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html">GetRoleCredentials</a> in the <i>IAM Identity Center Portal API Reference
  *             Guide</i>.</p>
  *             </li>

package/dist-types/commands/CreateTokenCommand.d.ts

@@ -23,9 +23,9 @@ export interface CreateTokenCommandOutput extends CreateTokenResponse, __Metadat
 }
 /**
  * @public
- * <p>Creates and returns an access token for the authorized client. The access token issued
- *       will be used to fetch short-term credentials for the assigned roles in the AWS
- *       account.</p>
+ * <p>Creates and returns access and refresh tokens for clients that are authenticated using
+ *       client secrets. The access token can be used to fetch short-term credentials for the assigned
+ *       AWS accounts or to access application APIs using <code>bearer</code> authentication.</p>
  * @example
  * Use a bare-bones client and the command you need to make an API call.
  * ```javascript

package/dist-types/commands/CreateTokenWithIAMCommand.d.ts

@@ -0,0 +1,140 @@
+import { EndpointParameterInstructions } from "@smithy/middleware-endpoint";
+import { Command as $Command } from "@smithy/smithy-client";
+import { Handler, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, MiddlewareStack } from "@smithy/types";
+import { CreateTokenWithIAMRequest, CreateTokenWithIAMResponse } from "../models/models_0";
+import { ServiceInputTypes, ServiceOutputTypes, SSOOIDCClientResolvedConfig } from "../SSOOIDCClient";
+/**
+ * @public
+ */
+export { __MetadataBearer, $Command };
+/**
+ * @public
+ *
+ * The input for {@link CreateTokenWithIAMCommand}.
+ */
+export interface CreateTokenWithIAMCommandInput extends CreateTokenWithIAMRequest {
+}
+/**
+ * @public
+ *
+ * The output of {@link CreateTokenWithIAMCommand}.
+ */
+export interface CreateTokenWithIAMCommandOutput extends CreateTokenWithIAMResponse, __MetadataBearer {
+}
+/**
+ * @public
+ * <p>Creates and returns access and refresh tokens for clients and applications that are
+ *       authenticated using IAM entities. The access token can be used to fetch short-term credentials
+ *       for the assigned AWS accounts or to access application APIs using <code>bearer</code>
+ *       authentication.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { SSOOIDCClient, CreateTokenWithIAMCommand } from "@aws-sdk/client-sso-oidc"; // ES Modules import
+ * // const { SSOOIDCClient, CreateTokenWithIAMCommand } = require("@aws-sdk/client-sso-oidc"); // CommonJS import
+ * const client = new SSOOIDCClient(config);
+ * const input = { // CreateTokenWithIAMRequest
+ *   clientId: "STRING_VALUE", // required
+ *   grantType: "STRING_VALUE", // required
+ *   code: "STRING_VALUE",
+ *   refreshToken: "STRING_VALUE",
+ *   assertion: "STRING_VALUE",
+ *   scope: [ // Scopes
+ *     "STRING_VALUE",
+ *   ],
+ *   redirectUri: "STRING_VALUE",
+ *   subjectToken: "STRING_VALUE",
+ *   subjectTokenType: "STRING_VALUE",
+ *   requestedTokenType: "STRING_VALUE",
+ * };
+ * const command = new CreateTokenWithIAMCommand(input);
+ * const response = await client.send(command);
+ * // { // CreateTokenWithIAMResponse
+ * //   accessToken: "STRING_VALUE",
+ * //   tokenType: "STRING_VALUE",
+ * //   expiresIn: Number("int"),
+ * //   refreshToken: "STRING_VALUE",
+ * //   idToken: "STRING_VALUE",
+ * //   issuedTokenType: "STRING_VALUE",
+ * //   scope: [ // Scopes
+ * //     "STRING_VALUE",
+ * //   ],
+ * // };
+ *
+ * ```
+ *
+ * @param CreateTokenWithIAMCommandInput - {@link CreateTokenWithIAMCommandInput}
+ * @returns {@link CreateTokenWithIAMCommandOutput}
+ * @see {@link CreateTokenWithIAMCommandInput} for command's `input` shape.
+ * @see {@link CreateTokenWithIAMCommandOutput} for command's `response` shape.
+ * @see {@link SSOOIDCClientResolvedConfig | config} for SSOOIDCClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You do not have sufficient access to perform this action.</p>
+ *
+ * @throws {@link AuthorizationPendingException} (client fault)
+ *  <p>Indicates that a request to authorize a client with an access user session token is
+ *       pending.</p>
+ *
+ * @throws {@link ExpiredTokenException} (client fault)
+ *  <p>Indicates that the token issued by the service is expired and is no longer valid.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>Indicates that an error from the service occurred while trying to process a
+ *       request.</p>
+ *
+ * @throws {@link InvalidClientException} (client fault)
+ *  <p>Indicates that the <code>clientId</code> or <code>clientSecret</code> in the request is
+ *       invalid. For example, this can occur when a client sends an incorrect <code>clientId</code> or
+ *       an expired <code>clientSecret</code>.</p>
+ *
+ * @throws {@link InvalidGrantException} (client fault)
+ *  <p>Indicates that a request contains an invalid grant. This can occur if a client makes a
+ *         <a>CreateToken</a> request with an invalid grant type.</p>
+ *
+ * @throws {@link InvalidRequestException} (client fault)
+ *  <p>Indicates that something is wrong with the input to the request. For example, a required
+ *       parameter might be missing or out of range.</p>
+ *
+ * @throws {@link InvalidRequestRegionException} (client fault)
+ *  <p>Indicates that a token provided as input to the request was issued by and is only usable
+ *       by calling IAM Identity Center endpoints in another region.</p>
+ *
+ * @throws {@link InvalidScopeException} (client fault)
+ *  <p>Indicates that the scope provided in the request is invalid.</p>
+ *
+ * @throws {@link SlowDownException} (client fault)
+ *  <p>Indicates that the client is making the request too frequently and is more than the
+ *       service can handle. </p>
+ *
+ * @throws {@link UnauthorizedClientException} (client fault)
+ *  <p>Indicates that the client is not currently authorized to make the request. This can happen
+ *       when a <code>clientId</code> is not issued for a public client.</p>
+ *
+ * @throws {@link UnsupportedGrantTypeException} (client fault)
+ *  <p>Indicates that the grant type in the request is not supported by the service.</p>
+ *
+ * @throws {@link SSOOIDCServiceException}
+ * <p>Base exception class for all service exceptions from SSOOIDC service.</p>
+ *
+ */
+export declare class CreateTokenWithIAMCommand extends $Command<CreateTokenWithIAMCommandInput, CreateTokenWithIAMCommandOutput, SSOOIDCClientResolvedConfig> {
+    readonly input: CreateTokenWithIAMCommandInput;
+    static getEndpointParameterInstructions(): EndpointParameterInstructions;
+    /**
+     * @public
+     */
+    constructor(input: CreateTokenWithIAMCommandInput);
+    /**
+     * @internal
+     */
+    resolveMiddleware(clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>, configuration: SSOOIDCClientResolvedConfig, options?: __HttpHandlerOptions): Handler<CreateTokenWithIAMCommandInput, CreateTokenWithIAMCommandOutput>;
+    /**
+     * @internal
+     */
+    private serialize;
+    /**
+     * @internal
+     */
+    private deserialize;
+}

package/dist-types/commands/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./CreateTokenCommand";
+export * from "./CreateTokenWithIAMCommand";
 export * from "./RegisterClientCommand";
 export * from "./StartDeviceAuthorizationCommand";

package/dist-types/index.d.ts

@@ -1,12 +1,10 @@
 /**
- * <p>AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a client (such as AWS CLI
+ * <p>IAM Identity Center OpenID Connect (OIDC) is a web service that enables a client (such as CLI
  *       or a native application) to register with IAM Identity Center. The service also enables the client to
  *       fetch the user’s access token upon successful authentication and authorization with
  *       IAM Identity Center.</p>
  *          <note>
- *             <p>Although AWS Single Sign-On was renamed, the <code>sso</code> and
- *         <code>identitystore</code> API namespaces will continue to retain their original name for
- *         backward compatibility purposes. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed">IAM Identity Center rename</a>.</p>
+ *             <p>IAM Identity Center uses the <code>sso</code> and <code>identitystore</code> API namespaces.</p>
  *          </note>
  *          <p>
  *             <b>Considerations for Using This Guide</b>
@@ -15,23 +13,24 @@
  *       important information about how the IAM Identity Center OIDC service works.</p>
  *          <ul>
  *             <li>
- *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0
- *           Device Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
- *           sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed
- *           for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in
- *           future releases.</p>
+ *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device
+ *           Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
+ *           sign-on authentication with the CLI. </p>
  *             </li>
  *             <li>
- *                <p>The service emits only OIDC access tokens, such that obtaining a new token (For
- *           example, token refresh) requires explicit user re-authentication.</p>
+ *                <p>With older versions of the CLI, the service only emits OIDC access tokens, so to
+ *           obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that
+ *           supports token refresh and doesn’t require re-authentication, update to the latest CLI
+ *           version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and
+ *           configurable IAM Identity Center session durations. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html">Configure Amazon Web Services access portal session duration </a>. </p>
  *             </li>
  *             <li>
- *                <p>The access tokens provided by this service grant access to all AWS account
+ *                <p>The access tokens provided by this service grant access to all Amazon Web Services account
  *           entitlements assigned to an IAM Identity Center user, not just a particular application.</p>
  *             </li>
  *             <li>
  *                <p>The documentation in this guide does not describe the mechanism to convert the access
- *           token into AWS Auth (“sigv4”) credentials for use with IAM-protected AWS service
+ *           token into Amazon Web Services Auth (“sigv4”) credentials for use with IAM-protected Amazon Web Services service
  *           endpoints. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html">GetRoleCredentials</a> in the <i>IAM Identity Center Portal API Reference
  *             Guide</i>.</p>
  *             </li>