Module Awso_signin_lwtSource

include module type of struct include Awso_signin.Values end
Sourceval service : Awso.Service.t
Sourceval apiVersion : string
Sourceval endpointPrefix : string
Sourceval serviceFullName : string
Sourceval signatureVersion : string
Sourceval protocol : string
Sourceval globalEndpoint : string
Sourceval simple_to_json : ('a -> Awso__Botodata.value) -> 'a -> Yojson.Safe.t
Sourceval composed_to_json : ('a -> Awso__Botodata.value) -> 'a -> Yojson.Safe.t
Sourceval to_query : ('a -> Awso.Client.Query.value) -> 'a -> Awso.Client.Query.t
Sourceval structure_to_value_aux : ('a * 'b option) list -> f:(('a * 'b) list -> 'c) -> [> `Structure of 'c ]
Sourceval structure_to_value : ('a * 'b option) list -> [> `Structure of ('a * 'b) list ]
Sourceval structure_to_wrapped_value : wrapper:'a -> response:'a -> ('b * 'c option) list -> [> `Structure of ('a * [> `Structure of ('b * 'c) list ]) list ]
Sourcemodule String_ = Awso_signin.Values.String_

AWS credentials structure containing temporary access credentials The scoped-down, 15 minute duration AWS credentials. Scoping down will be based on CLI policy (CLI team needs to create it). Similar to cloud shell implementation.

Time to expiry in seconds The time to expiry in seconds, for these purposes will be at most 900 (15 minutes).

ID token containing user identity information Encoded JWT token containing user identity claims and authentication context. Returned only in authorization code redemption responses (grant_type=authorization_code). Contains user identity information such as ARN and other identity claims.

Encrypted refresh token with cnf.jkt This is the encrypted refresh token returned from auth code redemption. The token content includes cnf.jkt (SHA-256 thumbprint of the presented jwk). Used in subsequent token refresh requests.

Token type parameter indicating credential usage A parameter which indicates to the client how the token must be used. Value is "aws_sigv4" (instead of typical "Bearer" for other OAuth systems) to indicate that the client must de-serialize the token and use it to generate a signature.

Authorization code received from AWS Sign-In /v1/authorize endpoint The authorization code received from AWS Sign-In from /v1/authorize. Used in auth code redemption flow only.

Client identifier pattern for AWS Sign-In devtools clients The ARN used by client as part of Sign-In onboarding. Expected values: arn:aws:signin:::devtools/cross-device (for cross-device devtools login) arn:aws:signin:::devtools/same-device (for same-device devtools login) This will be finalized after consulting with UX as this is visible to end customer.

PKCE code verifier for OAuth 2.0 security PKCE code verifier to prove possession of the original code challenge. Used to prevent authorization code interception attacks in public clients. Must be 43-128 characters using unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"

OAuth 2.0 grant type parameter For auth code redemption: Must be "authorization_code" For token refresh: Must be "refresh_token" Based on client_id & grant_type, authn/authz is skipped for CLI endpoints.

Redirect URI for OAuth 2.0 flow validation The same redirect URI used in the authorization request. This must match exactly what was sent in the original authorization request for security validation.

Sourcemodule AccessDeniedException = Awso_signin.Values.AccessDeniedException

Error thrown for access denied scenarios with flexible HTTP status mapping Runtime HTTP Status Code Mapping: HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

Sourcemodule CreateOAuth2TokenResponseBody = Awso_signin.Values.CreateOAuth2TokenResponseBody

Response body payload for CreateOAuth2Token operation The response content depends on the grant_type from the request: grant_type=authorization_code: Returns all fields including refresh_token and id_token grant_type=refresh_token: Returns access_token, token_type, expires_in, refresh_token (no id_token)

Sourcemodule InternalServerException = Awso_signin.Values.InternalServerException

Error thrown when an internal server error occurs HTTP Status Code: 500 Internal Server Error Used for unexpected server-side errors that prevent request processing.

Sourcemodule TooManyRequestsError = Awso_signin.Values.TooManyRequestsError

Error thrown when rate limit is exceeded HTTP Status Code: 429 Too Many Requests Possible OAuth2ErrorCode values: INVALID_REQUEST: Rate limiting, too many requests, abuse prevention Possible causes: Too many token requests from the same client Rate limiting based on client_id or IP address Abuse prevention mechanisms triggered Service protection against excessive token generation

Error thrown when request validation fails HTTP Status Code: 400 Bad Request Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

Sourcemodule CreateOAuth2TokenRequestBody = Awso_signin.Values.CreateOAuth2TokenRequestBody

Request body payload for CreateOAuth2Token operation The operation type is determined by the grant_type parameter: grant_type=authorization_code: Requires code, redirect_uri, code_verifier grant_type=refresh_token: Requires refresh_token

Sourcemodule CreateOAuth2TokenResponse = Awso_signin.Values.CreateOAuth2TokenResponse

Output structure for CreateOAuth2Token operation Contains flattened token operation outputs for both authorization code and refresh token flows. The response content depends on the grant_type from the original request.

Sourcemodule CreateOAuth2TokenRequest = Awso_signin.Values.CreateOAuth2TokenRequest

Input structure for CreateOAuth2Token operation Contains flattened token operation inputs for both authorization code and refresh token flows. The operation type is determined by the grant_type parameter in the request body.