@aws-sdk/client-sso-oidc 3.451.0 → 3.455.0

package/dist-types/commands/CreateTokenWithIAMCommand.d.ts

@@ -0,0 +1,258 @@
+import { EndpointParameterInstructions } from "@smithy/middleware-endpoint";
+import { Command as $Command } from "@smithy/smithy-client";
+import { Handler, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, MiddlewareStack } from "@smithy/types";
+import { CreateTokenWithIAMRequest, CreateTokenWithIAMResponse } from "../models/models_0";
+import { ServiceInputTypes, ServiceOutputTypes, SSOOIDCClientResolvedConfig } from "../SSOOIDCClient";
+/**
+ * @public
+ */
+export { __MetadataBearer, $Command };
+/**
+ * @public
+ *
+ * The input for {@link CreateTokenWithIAMCommand}.
+ */
+export interface CreateTokenWithIAMCommandInput extends CreateTokenWithIAMRequest {
+}
+/**
+ * @public
+ *
+ * The output of {@link CreateTokenWithIAMCommand}.
+ */
+export interface CreateTokenWithIAMCommandOutput extends CreateTokenWithIAMResponse, __MetadataBearer {
+}
+/**
+ * @public
+ * <p>Creates and returns access and refresh tokens for clients and applications that are
+ *       authenticated using IAM entities. The access token can be used to fetch short-term credentials
+ *       for the assigned AWS accounts or to access application APIs using <code>bearer</code>
+ *       authentication.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { SSOOIDCClient, CreateTokenWithIAMCommand } from "@aws-sdk/client-sso-oidc"; // ES Modules import
+ * // const { SSOOIDCClient, CreateTokenWithIAMCommand } = require("@aws-sdk/client-sso-oidc"); // CommonJS import
+ * const client = new SSOOIDCClient(config);
+ * const input = { // CreateTokenWithIAMRequest
+ *   clientId: "STRING_VALUE", // required
+ *   grantType: "STRING_VALUE", // required
+ *   code: "STRING_VALUE",
+ *   refreshToken: "STRING_VALUE",
+ *   assertion: "STRING_VALUE",
+ *   scope: [ // Scopes
+ *     "STRING_VALUE",
+ *   ],
+ *   redirectUri: "STRING_VALUE",
+ *   subjectToken: "STRING_VALUE",
+ *   subjectTokenType: "STRING_VALUE",
+ *   requestedTokenType: "STRING_VALUE",
+ * };
+ * const command = new CreateTokenWithIAMCommand(input);
+ * const response = await client.send(command);
+ * // { // CreateTokenWithIAMResponse
+ * //   accessToken: "STRING_VALUE",
+ * //   tokenType: "STRING_VALUE",
+ * //   expiresIn: Number("int"),
+ * //   refreshToken: "STRING_VALUE",
+ * //   idToken: "STRING_VALUE",
+ * //   issuedTokenType: "STRING_VALUE",
+ * //   scope: [ // Scopes
+ * //     "STRING_VALUE",
+ * //   ],
+ * // };
+ *
+ * ```
+ *
+ * @param CreateTokenWithIAMCommandInput - {@link CreateTokenWithIAMCommandInput}
+ * @returns {@link CreateTokenWithIAMCommandOutput}
+ * @see {@link CreateTokenWithIAMCommandInput} for command's `input` shape.
+ * @see {@link CreateTokenWithIAMCommandOutput} for command's `response` shape.
+ * @see {@link SSOOIDCClientResolvedConfig | config} for SSOOIDCClient's `config` shape.
+ *
+ * @throws {@link AccessDeniedException} (client fault)
+ *  <p>You do not have sufficient access to perform this action.</p>
+ *
+ * @throws {@link AuthorizationPendingException} (client fault)
+ *  <p>Indicates that a request to authorize a client with an access user session token is
+ *       pending.</p>
+ *
+ * @throws {@link ExpiredTokenException} (client fault)
+ *  <p>Indicates that the token issued by the service is expired and is no longer valid.</p>
+ *
+ * @throws {@link InternalServerException} (server fault)
+ *  <p>Indicates that an error from the service occurred while trying to process a
+ *       request.</p>
+ *
+ * @throws {@link InvalidClientException} (client fault)
+ *  <p>Indicates that the <code>clientId</code> or <code>clientSecret</code> in the request is
+ *       invalid. For example, this can occur when a client sends an incorrect <code>clientId</code> or
+ *       an expired <code>clientSecret</code>.</p>
+ *
+ * @throws {@link InvalidGrantException} (client fault)
+ *  <p>Indicates that a request contains an invalid grant. This can occur if a client makes a
+ *         <a>CreateToken</a> request with an invalid grant type.</p>
+ *
+ * @throws {@link InvalidRequestException} (client fault)
+ *  <p>Indicates that something is wrong with the input to the request. For example, a required
+ *       parameter might be missing or out of range.</p>
+ *
+ * @throws {@link InvalidRequestRegionException} (client fault)
+ *  <p>Indicates that a token provided as input to the request was issued by and is only usable
+ *       by calling IAM Identity Center endpoints in another region.</p>
+ *
+ * @throws {@link InvalidScopeException} (client fault)
+ *  <p>Indicates that the scope provided in the request is invalid.</p>
+ *
+ * @throws {@link SlowDownException} (client fault)
+ *  <p>Indicates that the client is making the request too frequently and is more than the
+ *       service can handle. </p>
+ *
+ * @throws {@link UnauthorizedClientException} (client fault)
+ *  <p>Indicates that the client is not currently authorized to make the request. This can happen
+ *       when a <code>clientId</code> is not issued for a public client.</p>
+ *
+ * @throws {@link UnsupportedGrantTypeException} (client fault)
+ *  <p>Indicates that the grant type in the request is not supported by the service.</p>
+ *
+ * @throws {@link SSOOIDCServiceException}
+ * <p>Base exception class for all service exceptions from SSOOIDC service.</p>
+ *
+ * @example Call OAuth/OIDC /token endpoint for Authorization Code grant with IAM authentication
+ * ```javascript
+ * //
+ * const input = {
+ *   "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
+ *   "code": "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzg0In0EXAMPLEAUTHCODE",
+ *   "grantType": "authorization_code",
+ *   "redirectUri": "https://mywebapp.example/redirect",
+ *   "scope": [
+ *     "openid",
+ *     "aws",
+ *     "sts:identity_context"
+ *   ]
+ * };
+ * const command = new CreateTokenWithIAMCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN",
+ *   "expiresIn": 1579729529,
+ *   "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsInN0czphdWRpdF9jb250ZXh0IjoiRVhBTVBMRUFVRElUQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.Xyah6qbk78qThzJ41iFU2yfGuRqqtKXHrJYwQ8L9Ip0",
+ *   "issuedTokenType": "urn:ietf:params:oauth:token-type:refresh_token",
+ *   "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN",
+ *   "scope": [
+ *     "openid",
+ *     "aws",
+ *     "sts:identity_context"
+ *   ],
+ *   "tokenType": "Bearer"
+ * }
+ * *\/
+ * // example id: create-token-with-iam-for-auth-code
+ * ```
+ *
+ * @example Call OAuth/OIDC /token endpoint for Refresh Token grant with IAM authentication
+ * ```javascript
+ * //
+ * const input = {
+ *   "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
+ *   "grantType": "refresh_token",
+ *   "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN"
+ * };
+ * const command = new CreateTokenWithIAMCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN",
+ *   "expiresIn": 1579729529,
+ *   "issuedTokenType": "urn:ietf:params:oauth:token-type:refresh_token",
+ *   "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN",
+ *   "scope": [
+ *     "openid",
+ *     "aws",
+ *     "sts:identity_context"
+ *   ],
+ *   "tokenType": "Bearer"
+ * }
+ * *\/
+ * // example id: create-token-with-iam-for-refresh-token
+ * ```
+ *
+ * @example Call OAuth/OIDC /token endpoint for JWT Bearer grant with IAM authentication
+ * ```javascript
+ * //
+ * const input = {
+ *   "assertion": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTEyMjA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFJa3pxRlZyU2FTYUZIeTc4MmJidGFRIiwiYXVkIjoiNmNiMDQwMTgtYTNmNS00NmE3LWI5OTUtOTQwYzc4ZjVhZWYzIiwiZXhwIjoxNTM2MzYxNDExLCJpYXQiOjE1MzYyNzQ3MTEsIm5iZiI6MTUzNjI3NDcxMSwibmFtZSI6IkFiZSBMaW5jb2xuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWJlTGlAbWljcm9zb2Z0LmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC02NmYzLTMzMzJlY2E3ZWE4MSIsInRpZCI6IjkxMjIwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsIm5vbmNlIjoiMTIzNTIzIiwiYWlvIjoiRGYyVVZYTDFpeCFsTUNXTVNPSkJjRmF0emNHZnZGR2hqS3Y4cTVnMHg3MzJkUjVNQjVCaXN2R1FPN1lXQnlqZDhpUURMcSFlR2JJRGFreXA1bW5PcmNkcUhlWVNubHRlcFFtUnA2QUlaOGpZIn0.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw",
+ *   "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
+ *   "grantType": "urn:ietf:params:oauth:grant-type:jwt-bearer"
+ * };
+ * const command = new CreateTokenWithIAMCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN",
+ *   "expiresIn": 1579729529,
+ *   "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsInN0czphdWRpdF9jb250ZXh0IjoiRVhBTVBMRUFVRElUQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.Xyah6qbk78qThzJ41iFU2yfGuRqqtKXHrJYwQ8L9Ip0",
+ *   "issuedTokenType": "urn:ietf:params:oauth:token-type:refresh_token",
+ *   "refreshToken": "aorvJYubGpU6i91YnH7Mfo-AT2fIVa1zCfA_Rvq9yjVKIP3onFmmykuQ7E93y2I-9Nyj-A_sVvMufaLNL0bqnDRtgAkc0:MGUCMFrRsktMRVlWaOR70XGMFGLL0SlcCw4DiYveIiOVx1uK9BbD0gvAddsW3UTLozXKMgIxAJ3qxUvjpnlLIOaaKOoa/FuNgqJVvr9GMwDtnAtlh9iZzAkEXAMPLEREFRESHTOKEN",
+ *   "scope": [
+ *     "openid",
+ *     "aws",
+ *     "sts:identity_context"
+ *   ],
+ *   "tokenType": "Bearer"
+ * }
+ * *\/
+ * // example id: create-token-with-iam-for-jwt-bearer
+ * ```
+ *
+ * @example Call OAuth/OIDC /token endpoint for Token Exchange grant with IAM authentication
+ * ```javascript
+ * //
+ * const input = {
+ *   "clientId": "arn:aws:sso::123456789012:application/ssoins-111111111111/apl-222222222222",
+ *   "grantType": "urn:ietf:params:oauth:grant-type:token-exchange",
+ *   "requestedTokenType": "urn:ietf:params:oauth:token-type:access_token",
+ *   "subjectToken": "aoak-Hig8TUDPNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZDIFFERENTACCESSTOKEN",
+ *   "subjectTokenType": "urn:ietf:params:oauth:token-type:access_token"
+ * };
+ * const command = new CreateTokenWithIAMCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "accessToken": "aoal-YigITUDiNX1xZwOMXM5MxOWDL0E0jg9P6_C_jKQPxS_SKCP6f0kh1Up4g7TtvQqkMnD-GJiU_S1gvug6SrggAkc0:MGYCMQD3IatVjV7jAJU91kK3PkS/SfA2wtgWzOgZWDOR7sDGN9t0phCZz5It/aes/3C1Zj0CMQCKWOgRaiz6AIhza3DSXQNMLjRKXC8F8ceCsHlgYLMZ7hZidEXAMPLEACCESSTOKEN",
+ *   "expiresIn": 1579729529,
+ *   "idToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhd3M6aWRlbnRpdHlfc3RvcmVfaWQiOiJkLTMzMzMzMzMzMzMiLCJzdWIiOiI3MzA0NDhmMi1lMGExLTcwYTctYzk1NC0wMDAwMDAwMDAwMDAiLCJhd3M6aW5zdGFuY2VfYWNjb3VudCI6IjExMTExMTExMTExMSIsInN0czppZGVudGl0eV9jb250ZXh0IjoiRVhBTVBMRUlERU5USVRZQ09OVEVYVCIsImlzcyI6Imh0dHBzOi8vaWRlbnRpdHljZW50ZXIuYW1hem9uYXdzLmNvbS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmlkZW50aXR5X3N0b3JlX2FybiI6ImFybjphd3M6aWRlbnRpdHlzdG9yZTo6MTExMTExMTExMTExOmlkZW50aXR5c3RvcmUvZC0zMzMzMzMzMzMzIiwiYXVkIjoiYXJuOmF3czpzc286OjEyMzQ1Njc4OTAxMjphcHBsaWNhdGlvbi9zc29pbnMtMTExMTExMTExMTExL2FwbC0yMjIyMjIyMjIyMjIiLCJhd3M6aW5zdGFuY2VfYXJuIjoiYXJuOmF3czpzc286OjppbnN0YW5jZS9zc29pbnMtMTExMTExMTExMTExIiwiYXdzOmNyZWRlbnRpYWxfaWQiOiJfWlIyTjZhVkJqMjdGUEtheWpfcEtwVjc3QVBERl80MXB4ZXRfWWpJdUpONlVJR2RBdkpFWEFNUExFQ1JFRElEIiwiYXV0aF90aW1lIjoiMjAyMC0wMS0yMlQxMjo0NToyOVoiLCJleHAiOjE1Nzk3Mjk1MjksImlhdCI6MTU3OTcyNTkyOX0.5SYiW1kMsuUr7nna-l5tlakM0GNbMHvIM2_n0QD23jM",
+ *   "issuedTokenType": "urn:ietf:params:oauth:token-type:access_token",
+ *   "scope": [
+ *     "openid",
+ *     "aws",
+ *     "sts:identity_context"
+ *   ],
+ *   "tokenType": "Bearer"
+ * }
+ * *\/
+ * // example id: create-token-with-iam-for-token-exchange
+ * ```
+ *
+ */
+export declare class CreateTokenWithIAMCommand extends $Command<CreateTokenWithIAMCommandInput, CreateTokenWithIAMCommandOutput, SSOOIDCClientResolvedConfig> {
+    readonly input: CreateTokenWithIAMCommandInput;
+    static getEndpointParameterInstructions(): EndpointParameterInstructions;
+    /**
+     * @public
+     */
+    constructor(input: CreateTokenWithIAMCommandInput);
+    /**
+     * @internal
+     */
+    resolveMiddleware(clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>, configuration: SSOOIDCClientResolvedConfig, options?: __HttpHandlerOptions): Handler<CreateTokenWithIAMCommandInput, CreateTokenWithIAMCommandOutput>;
+    /**
+     * @internal
+     */
+    private serialize;
+    /**
+     * @internal
+     */
+    private deserialize;
+}

package/dist-types/commands/RegisterClientCommand.d.ts

@@ -75,6 +75,30 @@ export interface RegisterClientCommandOutput extends RegisterClientResponse, __M
  * @throws {@link SSOOIDCServiceException}
  * <p>Base exception class for all service exceptions from SSOOIDC service.</p>
  *
+ * @example Call OAuth/OIDC /register-client endpoint
+ * ```javascript
+ * //
+ * const input = {
+ *   "clientName": "My IDE Plugin",
+ *   "clientType": "public",
+ *   "scopes": [
+ *     "sso:account:access",
+ *     "codewhisperer:completions"
+ *   ]
+ * };
+ * const command = new RegisterClientCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "clientId": "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID",
+ *   "clientIdIssuedAt": 1579725929,
+ *   "clientSecret": "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0",
+ *   "clientSecretExpiresAt": 1587584729
+ * }
+ * *\/
+ * // example id: register-client
+ * ```
+ *
  */
 export declare class RegisterClientCommand extends $Command<RegisterClientCommandInput, RegisterClientCommandOutput, SSOOIDCClientResolvedConfig> {
     readonly input: RegisterClientCommandInput;

package/dist-types/commands/StartDeviceAuthorizationCommand.d.ts

@@ -79,6 +79,29 @@ export interface StartDeviceAuthorizationCommandOutput extends StartDeviceAuthor
  * @throws {@link SSOOIDCServiceException}
  * <p>Base exception class for all service exceptions from SSOOIDC service.</p>
  *
+ * @example Call OAuth/OIDC /start-device-authorization endpoint
+ * ```javascript
+ * //
+ * const input = {
+ *   "clientId": "_yzkThXVzLWVhc3QtMQEXAMPLECLIENTID",
+ *   "clientSecret": "VERYLONGSECRETeyJraWQiOiJrZXktMTU2NDAyODA5OSIsImFsZyI6IkhTMzg0In0",
+ *   "startUrl": "https://identitycenter.amazonaws.com/ssoins-111111111111"
+ * };
+ * const command = new StartDeviceAuthorizationCommand(input);
+ * const response = await client.send(command);
+ * /* response ==
+ * {
+ *   "deviceCode": "yJraWQiOiJrZXktMTU2Njk2ODA4OCIsImFsZyI6IkhTMzIn0EXAMPLEDEVICECODE",
+ *   "expiresIn": 1579729529,
+ *   "interval": 1,
+ *   "userCode": "makdfsk83yJraWQiOiJrZXktMTU2Njk2sImFsZyI6IkhTMzIn0EXAMPLEUSERCODE",
+ *   "verificationUri": "https://device.sso.us-west-2.amazonaws.com",
+ *   "verificationUriComplete": "https://device.sso.us-west-2.amazonaws.com?user_code=makdfsk83yJraWQiOiJrZXktMTU2Njk2sImFsZyI6IkhTMzIn0EXAMPLEUSERCODE"
+ * }
+ * *\/
+ * // example id: start-device-authorization
+ * ```
+ *
  */
 export declare class StartDeviceAuthorizationCommand extends $Command<StartDeviceAuthorizationCommandInput, StartDeviceAuthorizationCommandOutput, SSOOIDCClientResolvedConfig> {
     readonly input: StartDeviceAuthorizationCommandInput;

package/dist-types/commands/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./CreateTokenCommand";
+export * from "./CreateTokenWithIAMCommand";
 export * from "./RegisterClientCommand";
 export * from "./StartDeviceAuthorizationCommand";

package/dist-types/index.d.ts

@@ -1,12 +1,10 @@
 /**
- * <p>AWS IAM Identity Center (successor to AWS Single Sign-On) OpenID Connect (OIDC) is a web service that enables a client (such as AWS CLI
+ * <p>IAM Identity Center OpenID Connect (OIDC) is a web service that enables a client (such as CLI
  *       or a native application) to register with IAM Identity Center. The service also enables the client to
  *       fetch the user’s access token upon successful authentication and authorization with
  *       IAM Identity Center.</p>
  *          <note>
- *             <p>Although AWS Single Sign-On was renamed, the <code>sso</code> and
- *         <code>identitystore</code> API namespaces will continue to retain their original name for
- *         backward compatibility purposes. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html#renamed">IAM Identity Center rename</a>.</p>
+ *             <p>IAM Identity Center uses the <code>sso</code> and <code>identitystore</code> API namespaces.</p>
  *          </note>
  *          <p>
  *             <b>Considerations for Using This Guide</b>
@@ -15,23 +13,24 @@
  *       important information about how the IAM Identity Center OIDC service works.</p>
  *          <ul>
  *             <li>
- *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0
- *           Device Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
- *           sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed
- *           for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in
- *           future releases.</p>
+ *                <p>The IAM Identity Center OIDC service currently implements only the portions of the OAuth 2.0 Device
+ *           Authorization Grant standard (<a href="https://tools.ietf.org/html/rfc8628">https://tools.ietf.org/html/rfc8628</a>) that are necessary to enable single
+ *           sign-on authentication with the CLI. </p>
  *             </li>
  *             <li>
- *                <p>The service emits only OIDC access tokens, such that obtaining a new token (For
- *           example, token refresh) requires explicit user re-authentication.</p>
+ *                <p>With older versions of the CLI, the service only emits OIDC access tokens, so to
+ *           obtain a new token, users must explicitly re-authenticate. To access the OIDC flow that
+ *           supports token refresh and doesn’t require re-authentication, update to the latest CLI
+ *           version (1.27.10 for CLI V1 and 2.9.0 for CLI V2) with support for OIDC token refresh and
+ *           configurable IAM Identity Center session durations. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/userguide/configure-user-session.html">Configure Amazon Web Services access portal session duration </a>. </p>
  *             </li>
  *             <li>
- *                <p>The access tokens provided by this service grant access to all AWS account
+ *                <p>The access tokens provided by this service grant access to all Amazon Web Services account
  *           entitlements assigned to an IAM Identity Center user, not just a particular application.</p>
  *             </li>
  *             <li>
  *                <p>The documentation in this guide does not describe the mechanism to convert the access
- *           token into AWS Auth (“sigv4”) credentials for use with IAM-protected AWS service
+ *           token into Amazon Web Services Auth (“sigv4”) credentials for use with IAM-protected Amazon Web Services service
  *           endpoints. For more information, see <a href="https://docs.aws.amazon.com/singlesignon/latest/PortalAPIReference/API_GetRoleCredentials.html">GetRoleCredentials</a> in the <i>IAM Identity Center Portal API Reference
  *             Guide</i>.</p>
  *             </li>