Interface SigninAsyncClient

All Superinterfaces:
AutoCloseable, AwsClient, SdkAutoCloseable, SdkClient

@Generated("software.amazon.awssdk:codegen") @SdkPublicApi @ThreadSafe public interface SigninAsyncClient extends AwsClient
Service client for accessing AWS Sign-In Service asynchronously. This can be created using the static builder() method. The asynchronous client performs non-blocking I/O when configured with any SdkAsyncHttpClient supported in the SDK. However, full non-blocking is not guaranteed as the async client may perform blocking calls in some cases such as credentials retrieval and endpoint discovery as part of the async API call.

AWS Sign-In manages authentication for AWS services. This service provides secure authentication flows for accessing AWS resources from the console and developer tools.

  • Field Details

  • Method Details

    • createOAuth2Token

      default CompletableFuture<CreateOAuth2TokenResponse> createOAuth2Token(CreateOAuth2TokenRequest createOAuth2TokenRequest)

      CreateOAuth2Token API

      Path: /v1/token
      Request Method: POST
      Content-Type: application/json or application/x-www-form-urlencoded

      This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:

      1. Authorization code redemption (grant_type=authorization_code) - NOT idempotent
      2. Token refresh (grant_type=refresh_token) - Idempotent within token validity window

      The operation behavior is determined by the grant_type parameter in the request body:

      Authorization Code Flow (NOT Idempotent):

      • JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier
      • Returns access_token, token_type, expires_in, refresh_token, and id_token
      • Each authorization code can only be used ONCE for security (prevents replay attacks)

      Token Refresh Flow (Idempotent):

      • JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token
      • Returns access_token, token_type, expires_in, and refresh_token (no id_token)
      • Multiple calls with same refresh_token return consistent results within validity window

      Authentication and authorization:

      • Confidential clients: sigv4 signing required with signin:ExchangeToken permissions
      • CLI clients (public): authn/authz skipped based on client_id & grant_type

      Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.

      Parameters:
      createOAuth2TokenRequest - Input structure for CreateOAuth2Token operation

      Contains flattened token operation inputs for both authorization code and refresh token flows. The operation type is determined by the grant_type parameter in the request body.

      Returns:
      A Java Future containing the result of the CreateOAuth2Token operation returned by the service.
      The CompletableFuture returned by this method can be completed exceptionally with the following exceptions. The exception returned is wrapped with CompletionException, so you need to invoke Throwable.getCause() to retrieve the underlying exception.
      • TooManyRequestsErrorException - Error thrown when rate limit is exceeded

        HTTP Status Code: 429 Too Many Requests

        Possible OAuth2ErrorCode values:

        • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

        Possible causes:

        • Too many token requests from the same client
        • Rate limiting based on client_id or IP address
        • Abuse prevention mechanisms triggered
        • Service protection against excessive token generation

      • InternalServerException - Error thrown when an internal server error occurs

        HTTP Status Code: 500 Internal Server Error

        Used for unexpected server-side errors that prevent request processing.

      • ValidationException - Error thrown when request validation fails

        HTTP Status Code: 400 Bad Request

        Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

      • AccessDeniedException - Error thrown for access denied scenarios with flexible HTTP status mapping

        Runtime HTTP Status Code Mapping:

        • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
        • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

        The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

      • SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch-all scenarios.
      • SdkClientException - If any client-side error occurs, such as an IO-related failure, failure to get credentials, etc.
      • SigninException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
    • createOAuth2Token

      default CompletableFuture<CreateOAuth2TokenResponse> createOAuth2Token(Consumer<CreateOAuth2TokenRequest.Builder> createOAuth2TokenRequest)

      CreateOAuth2Token API

      Path: /v1/token
      Request Method: POST
      Content-Type: application/json or application/x-www-form-urlencoded

      This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:

      1. Authorization code redemption (grant_type=authorization_code) - NOT idempotent
      2. Token refresh (grant_type=refresh_token) - Idempotent within token validity window

      The operation behavior is determined by the grant_type parameter in the request body:

      Authorization Code Flow (NOT Idempotent):

      • JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier
      • Returns access_token, token_type, expires_in, refresh_token, and id_token
      • Each authorization code can only be used ONCE for security (prevents replay attacks)

      Token Refresh Flow (Idempotent):

      • JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token
      • Returns access_token, token_type, expires_in, and refresh_token (no id_token)
      • Multiple calls with same refresh_token return consistent results within validity window

      Authentication and authorization:

      • Confidential clients: sigv4 signing required with signin:ExchangeToken permissions
      • CLI clients (public): authn/authz skipped based on client_id & grant_type

      Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.


      This is a convenience which creates an instance of the CreateOAuth2TokenRequest.Builder avoiding the need to create one manually via CreateOAuth2TokenRequest.builder()

      Parameters:
      createOAuth2TokenRequest - A Consumer that will call methods on CreateOAuth2TokenRequest.Builder to create a request. Input structure for CreateOAuth2Token operation

      Contains flattened token operation inputs for both authorization code and refresh token flows. The operation type is determined by the grant_type parameter in the request body.

      Returns:
      A Java Future containing the result of the CreateOAuth2Token operation returned by the service.
      The CompletableFuture returned by this method can be completed exceptionally with the following exceptions. The exception returned is wrapped with CompletionException, so you need to invoke Throwable.getCause() to retrieve the underlying exception.
      • TooManyRequestsErrorException - Error thrown when rate limit is exceeded

        HTTP Status Code: 429 Too Many Requests

        Possible OAuth2ErrorCode values:

        • INVALID_REQUEST: Rate limiting, too many requests, abuse prevention

        Possible causes:

        • Too many token requests from the same client
        • Rate limiting based on client_id or IP address
        • Abuse prevention mechanisms triggered
        • Service protection against excessive token generation

      • InternalServerException - Error thrown when an internal server error occurs

        HTTP Status Code: 500 Internal Server Error

        Used for unexpected server-side errors that prevent request processing.

      • ValidationException - Error thrown when request validation fails

        HTTP Status Code: 400 Bad Request

        Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.

      • AccessDeniedException - Error thrown for access denied scenarios with flexible HTTP status mapping

        Runtime HTTP Status Code Mapping:

        • HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED
        • HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS

        The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.

      • SdkException - Base class for all exceptions that can be thrown by the SDK (both service and client). Can be used for catch-all scenarios.
      • SdkClientException - If any client-side error occurs, such as an IO-related failure, failure to get credentials, etc.
      • SigninException - Base class for all service exceptions. Unknown exceptions will be thrown as an instance of this type.
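
      An added example, not part of the SDK or its documentation: one way a caller can combine the exception list above with the idempotency rules of the two grant types when a createOAuth2Token future fails. The model package name is assumed from the SDK v2 naming convention, and TokenFailurePolicy, Grant and Action are hypothetical names.

```java
import java.util.concurrent.CompletionException;
import software.amazon.awssdk.core.exception.SdkClientException;
// Package name assumed from the SDK v2 convention (services.<service>.model).
import software.amazon.awssdk.services.signin.model.AccessDeniedException;
import software.amazon.awssdk.services.signin.model.InternalServerException;
import software.amazon.awssdk.services.signin.model.TooManyRequestsErrorException;
import software.amazon.awssdk.services.signin.model.ValidationException;

/** Added example: decides what a caller may do after createOAuth2Token fails. */
public final class TokenFailurePolicy {

    /** Hypothetical enum mirroring the two grant_type values documented above. */
    public enum Grant { AUTHORIZATION_CODE, REFRESH_TOKEN }

    /** Hypothetical outcomes for the caller to act on. */
    public enum Action { RETRY_WITH_BACKOFF, RESTART_LOGIN, FIX_REQUEST, CHECK_ERROR_FIELD, FAIL }

    private TokenFailurePolicy() { }

    public static Action decide(Grant grant, Throwable failure) {
        // The future completes with CompletionException; the real error is its cause.
        Throwable cause = (failure instanceof CompletionException && failure.getCause() != null)
                ? failure.getCause() : failure;

        if (cause instanceof ValidationException) {
            return Action.FIX_REQUEST;        // HTTP 400: resending the same body cannot succeed
        }
        if (cause instanceof AccessDeniedException) {
            // 401 vs 403 is only distinguishable through the exception's error field
            // (TOKEN_EXPIRED, AUTHCODE_EXPIRED, USER_CREDENTIALS_CHANGED,
            // INSUFFICIENT_PERMISSIONS). Its accessor is not shown on this page,
            // so this example leaves reading it to the caller.
            return Action.CHECK_ERROR_FIELD;
        }
        boolean maybeTransient = cause instanceof TooManyRequestsErrorException   // HTTP 429
                || cause instanceof InternalServerException                       // HTTP 500
                || cause instanceof SdkClientException;                           // e.g. IO failure
        if (!maybeTransient) {
            return Action.FAIL;               // unknown SigninException or anything else
        }
        // Token refresh is idempotent within the validity window, so resending is safe.
        // Code redemption is not: the one-time code may already be consumed even though
        // the response never arrived, so this example's conservative policy is to obtain
        // a fresh authorization code rather than resend the old one.
        return grant == Grant.REFRESH_TOKEN ? Action.RETRY_WITH_BACKOFF : Action.RESTART_LOGIN;
    }
}
```

      Call decide from a whenComplete or exceptionally stage on the returned CompletableFuture, passing the grant type the request was built with.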
    • serviceClientConfiguration

      default SigninServiceClientConfiguration serviceClientConfiguration()
      Description copied from interface: SdkClient
      The SDK service client configuration exposes client settings to the user, e.g., ClientOverrideConfiguration
      Specified by:
      serviceClientConfiguration in interface AwsClient
      Specified by:
      serviceClientConfiguration in interface SdkClient
      Returns:
      SdkServiceClientConfiguration
    • create

      static SigninAsyncClient create()
      Create a SigninAsyncClient with the region loaded from the DefaultAwsRegionProviderChain and credentials loaded from the DefaultCredentialsProvider.
    • builder

      static SigninAsyncClientBuilder builder()
      Create a builder that can be used to configure and create a SigninAsyncClient.