Amazon Web Services Single Sign On OpenID Connect (OIDC) is a web service that enables a client (such as Amazon Web Services CLI or a native application) to register with Amazon Web Services SSO. The service also enables the client to fetch the user’s access token upon successful authentication and authorization with Amazon Web Services SSO.
Although Amazon Web Services Single Sign-On was renamed, the sso and
identitystore API namespaces will continue to retain their original
name for backward compatibility purposes. For more information, see
Amazon Web Services SSO rename.
Considerations for Using This Guide
Before you begin using this guide, we recommend that you first review the following important information about how the Amazon Web Services SSO OIDC service works.
The Amazon Web Services SSO OIDC service currently implements only the portions of the OAuth 2.0 Device Authorization Grant standard (https://tools.ietf.org/html/rfc8628) that are necessary to enable single sign-on authentication with the AWS CLI. Support for other OIDC flows frequently needed for native applications, such as Authorization Code Flow (+ PKCE), will be addressed in future releases.
The service emits only OIDC access tokens, such that obtaining a new token (For example, token refresh) requires explicit user re-authentication.
The access tokens provided by this service grant access to all AWS account entitlements assigned to an Amazon Web Services SSO user, not just a particular application.
The documentation in this guide does not describe the mechanism to convert the access token into AWS Auth (“sigv4”) credentials for use with IAM-protected AWS service endpoints. For more information, see GetRoleCredentials in the Amazon Web Services SSO Portal API Reference Guide.
For general information about Amazon Web Services SSO, see What is Amazon Web Services SSO? in the Amazon Web Services SSO User Guide.
ssooidc(config = list())A client for the service. You can call the service's operations using
syntax like svc$operation(...), where svc is the name you've assigned
to the client. The available operations are listed in the
Operations section.
Optional configuration of credentials, endpoint, and/or region.
access_key_id: AWS access key ID
secret_access_key: AWS secret access key
session_token: AWS temporary session token
profile: The name of a profile to use. If not given, then the default profile is used.
anonymous: Set anonymous credentials.
endpoint: The complete URL to use for the constructed client.
region: The AWS Region used in instantiating the client.
close_connection: Immediately close all HTTP connections.
timeout: The time in seconds till a timeout exception is thrown when attempting to make a connection. The default is 60 seconds.
s3_force_path_style: Set this to true to force the request to use path-style addressing, i.e., http://s3.amazonaws.com/BUCKET/KEY.
svc <- ssooidc(
config = list(
credentials = list(
creds = list(
access_key_id = "string",
secret_access_key = "string",
session_token = "string"
),
profile = "string",
anonymous = "logical"
),
endpoint = "string",
region = "string",
close_connection = "logical",
timeout = "numeric",
s3_force_path_style = "logical"
)
)
| create_token | Creates and returns an access token for the authorized client |
| register_client | Registers a client with Amazon Web Services SSO |
| start_device_authorization | Initiates device authorization by requesting a pair of verification codes from the authorization service |
if (FALSE) {
svc <- ssooidc()
svc$create_token(
Foo = 123
)
}
Run the code above in your browser using DataLab