ISSOOIDCClient
Interface in AWS.SSOOIDC
Interface for AWS IAM Identity Center OpenID Connect (OIDC) service client.
Methods
CreateToken
function CreateToken(const ARequest: ISSOOIDCCreateTokenRequest): ISSOOIDCCreateTokenResponse; overload;
ISSOOIDCCreateTokenRequest → ISSOOIDCCreateTokenResponse
Exchanges a valid client authentication (typically via client ID and secret) for access and refresh tokens using supported OAuth2 grant types. The access token can be used to obtain temporary AWS credentials for assigned IAM Identity Center accounts or to access integrated application APIs using Bearer authentication.
Parameters
| Name | Description |
|---|---|
| ARequest | A request object containing client credentials and the grant type. |
Returns
A response object containing the access token and, optionally, a refresh token.
function CreateToken(const AClientId, AClientSecret: string; const AScopes: TArray<string>): ISSOOIDCCreateTokenResponse; overload;
Requests an access token using the OAuth 2.0 client_credentials grant type.
This overload automatically sets:
grantType=client_credentials
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| AClientSecret | The secret associated with the registered client. |
| AScopes | An array of scopes to include in the access token. Scope selection is required for most IAM Identity Center client credentials flows. |
Returns
A response containing the issued access token and optional refresh token.
function CreateToken(const AClientId, AClientSecret, ACode, ARedirectUri: string; const ACodeVerifier: string = ''): ISSOOIDCCreateTokenResponse; overload;
Exchanges an authorization code for an access token using the OAuth 2.0 authorization_code grant type.
This overload automatically sets:
grantType=authorization_code
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| AClientSecret | The secret associated with the registered client. |
| ACode | The authorization code obtained from the authorization server. |
| ARedirectUri | The redirect URI used during the authorization request. Must match the registered value. |
| ACodeVerifier | (Optional) The PKCE code verifier used in the initial authorization request. Required if PKCE was used. |
Returns
A response containing the access token, refresh token, and token metadata.
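The authorization_code overload above accepts a PKCE code verifier, but the page does not show how the verifier and its challenge are produced. The following Delphi unit is an added example, not code from the AWS.SSOOIDC library: it generates an RFC 7636 code_verifier from the Windows system RNG, derives the S256 code_challenge that goes into the authorization request (the browser redirect itself is outside this library), and then hands the same verifier to CreateToken so the server can tie the token request to the party that started the flow. BCryptGenRandom is declared here directly from bcrypt.dll (assumption: Windows target); AWS.SSOOIDC is used only for the interface types named on this page.

```delphi
// Added example (not part of the AWS.SSOOIDC documentation): PKCE helpers for
// the authorization_code overload of ISSOOIDCClient.CreateToken.
unit PkceExample;

interface

uses
  System.SysUtils, System.Hash, System.NetEncoding, AWS.SSOOIDC;

function NewCodeVerifier: string;
function CodeChallengeS256(const AVerifier: string): string;
function ExchangeCodeWithPkce(const AClient: ISSOOIDCClient;
  const AClientId, AClientSecret, ACode, ARedirectUri, AVerifier: string): ISSOOIDCCreateTokenResponse;

implementation

// Windows CNG system RNG, declared here because the RTL's Random is not a
// cryptographic generator and a guessable verifier defeats PKCE (assumption:
// Windows target).
function BCryptGenRandom(hAlgorithm: THandle; pbBuffer: PByte; cbBuffer: Cardinal;
  dwFlags: Cardinal): Integer; stdcall; external 'bcrypt.dll';

const
  BCRYPT_USE_SYSTEM_PREFERRED_RNG = $00000002;

// base64url without padding, as RFC 7636 requires for verifier and challenge.
function Base64Url(const ABytes: TBytes): string;
begin
  Result := TNetEncoding.Base64.EncodeBytesToString(ABytes);
  Result := Result.Replace(sLineBreak, '')  // defensive: no line wrapping
                  .Replace('+', '-').Replace('/', '_').TrimRight(['=']);
end;

function NewCodeVerifier: string;
var
  Bytes: TBytes;
begin
  // 32 random octets encode to 43 base64url characters, inside the
  // 43..128 length range RFC 7636 allows.
  SetLength(Bytes, 32);
  if BCryptGenRandom(0, @Bytes[0], Length(Bytes), BCRYPT_USE_SYSTEM_PREFERRED_RNG) <> 0 then
    raise Exception.Create('system RNG unavailable; refusing to build a weak verifier');
  Result := Base64Url(Bytes);
end;

function CodeChallengeS256(const AVerifier: string): string;
begin
  // code_challenge = BASE64URL(SHA256(ASCII(code_verifier))); this value, with
  // code_challenge_method=S256, goes into the authorization request.
  Result := Base64Url(THashSHA2.GetHashBytes(AVerifier));
end;

function ExchangeCodeWithPkce(const AClient: ISSOOIDCClient;
  const AClientId, AClientSecret, ACode, ARedirectUri, AVerifier: string): ISSOOIDCCreateTokenResponse;
begin
  if AVerifier = '' then
    raise Exception.Create('PKCE verifier missing: the server will reject the exchange');
  // authorization_code overload from this page; supplying the verifier lets the
  // server compare it against the challenge sent in the authorization request.
  Result := AClient.CreateToken(AClientId, AClientSecret, ACode, ARedirectUri, AVerifier);
end;

end.
```

The verifier must be kept in memory between the authorization request and the CreateToken call and never logged; the challenge, by contrast, is safe to send through the browser because SHA-256 cannot be inverted to recover it.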
function CreateToken(const AClientId, AClientSecret, ARefreshToken: string): ISSOOIDCCreateTokenResponse; overload;
Requests a new access token using a refresh token via the OAuth 2.0 refresh_token grant type.
This overload automatically sets:
grantType=refresh_token
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| AClientSecret | The secret associated with the registered client. |
| ARefreshToken | A valid refresh token previously issued by IAM Identity Center. |
Returns
A response containing a new access token and possibly a new refresh token.
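The client_credentials and refresh_token overloads are normally used together: obtain a token once, reuse it until shortly before it expires, then refresh. The unit below is an added Delphi example (not part of the AWS.SSOOIDC library) of that cache. It assumes a hypothetical NewSSOOIDCClient factory is not needed because the caller passes the client in, and it assumes the response exposes AccessToken, RefreshToken and ExpiresIn (seconds) properties mirroring the OAuth 2.0 token response fields; those property names are not on this page. It handles the case the page mentions, that a refresh may or may not return a new refresh token, and falls back to a fresh client_credentials grant if the stored refresh token is rejected.

```delphi
// Added example (not part of the AWS.SSOOIDC documentation): a small token
// cache around the client_credentials and refresh_token overloads.
unit TokenCacheExample;

interface

uses
  System.SysUtils, System.DateUtils, AWS.SSOOIDC;

type
  TSSOTokenCache = class
  private
    FClient: ISSOOIDCClient;
    FClientId, FClientSecret: string;
    FScopes: TArray<string>;
    FAccessToken, FRefreshToken: string;
    FExpiresAt: TDateTime;
    procedure Store(const AResponse: ISSOOIDCCreateTokenResponse);
  public
    constructor Create(const AClient: ISSOOIDCClient; const AClientId, AClientSecret: string;
      const AScopes: TArray<string>);
    // Returns a token that is valid for at least RefreshSkewSeconds more.
    function GetAccessToken: string;
  end;

implementation

const
  // Refresh this long before the server-reported expiry so a token never
  // expires mid-request because of clock skew or network latency.
  RefreshSkewSeconds = 60;

constructor TSSOTokenCache.Create(const AClient: ISSOOIDCClient;
  const AClientId, AClientSecret: string; const AScopes: TArray<string>);
begin
  inherited Create;
  FClient := AClient;
  FClientId := AClientId;
  FClientSecret := AClientSecret;
  FScopes := AScopes;
end;

procedure TSSOTokenCache.Store(const AResponse: ISSOOIDCCreateTokenResponse);
begin
  FAccessToken := AResponse.AccessToken;  // assumed property name
  // The page notes a refresh "possibly" returns a new refresh token: keep the
  // rotated one when present, otherwise the earlier one stays in use.
  if AResponse.RefreshToken <> '' then
    FRefreshToken := AResponse.RefreshToken;
  FExpiresAt := IncSecond(Now, AResponse.ExpiresIn - RefreshSkewSeconds);
end;

function TSSOTokenCache.GetAccessToken: string;
begin
  if (FAccessToken <> '') and (Now < FExpiresAt) then
    Exit(FAccessToken);

  if FRefreshToken <> '' then
  try
    // refresh_token overload: sets grantType=refresh_token internally
    Store(FClient.CreateToken(FClientId, FClientSecret, FRefreshToken));
    Exit(FAccessToken);
  except
    on E: Exception do
      // A rejected refresh token (revoked or expired) is recoverable here:
      // drop it and fall through to a fresh client_credentials grant.
      FRefreshToken := '';
  end;

  // client_credentials overload: sets grantType=client_credentials internally
  Store(FClient.CreateToken(FClientId, FClientSecret, FScopes));
  Result := FAccessToken;
end;

end.
```

Callers should treat the cached token as a secret with the same sensitivity as the client secret: keep one cache per client rather than passing tokens between components, and let the cache, not the caller, decide when a refresh is due.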
CreateTokenWithIAM
function CreateTokenWithIAM(const ARequest: ISSOOIDCCreateTokenWithIAMRequest): ISSOOIDCCreateTokenWithIAMResponse; overload;
ISSOOIDCCreateTokenWithIAMRequest → ISSOOIDCCreateTokenWithIAMResponse
Exchanges an AWS IAM-issued subject token for an access token using the OAuth2 token exchange grant type. This operation is authenticated via SigV4 and does not require a client secret. It enables programmatic access to IAM Identity Center-integrated applications and short-term AWS credentials for workloads authenticated via IAM.
This method requires valid credentials for SigV4 authentication.
Parameters
| Name | Description |
|---|---|
| ARequest | A request object containing the client ID, subject token, and related token exchange parameters. |
Returns
A response containing the access token and additional identity context for downstream AWS service calls.
function CreateTokenWithIAM(const AClientId, ASubjectToken: string): ISSOOIDCCreateTokenWithIAMResponse; overload;
ISSOOIDCCreateTokenWithIAMResponse
Exchanges an IAM-issued subject token for a standard OAuth 2.0 access token using the token exchange grant.
This overload automatically sets the following request parameters:
grantType=urn:ietf:params:oauth:grant-type:token-exchange
subjectTokenType=urn:ietf:params:oauth:token-type:access_token
requestedTokenType=urn:ietf:params:oauth:token-type:access_token
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| ASubjectToken | The IAM-issued token representing the calling identity (e.g., a role or user). |
Returns
A response containing an OAuth 2.0 access token and any AWS identity metadata.
function CreateTokenWithIAM(const AClientId, ASubjectToken: string; const AScopes: TArray<string>): ISSOOIDCCreateTokenWithIAMResponse; overload;
ISSOOIDCCreateTokenWithIAMResponse
Exchanges an IAM-issued subject token for a scoped OAuth 2.0 access token using the token exchange grant.
This overload automatically sets:
grantType=urn:ietf:params:oauth:grant-type:token-exchange
subjectTokenType=urn:ietf:params:oauth:token-type:access_token
requestedTokenType=urn:ietf:params:oauth:token-type:access_token
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| ASubjectToken | The IAM-issued token representing the subject (user or role). |
| AScopes | A list of scopes to apply to the access token. Common scopes include: |
Returns
A response containing the scoped access token and optional AWS identity metadata.
function CreateTokenWithIAM(const AClientId, ASubjectToken, ARequestedTokenType: string): ISSOOIDCCreateTokenWithIAMResponse; overload;
ISSOOIDCCreateTokenWithIAMResponse
Exchanges an IAM-issued subject token for a custom token type using the token exchange grant.
This overload automatically sets:
grantType=urn:ietf:params:oauth:grant-type:token-exchange
subjectTokenType=urn:ietf:params:oauth:token-type:access_token
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| ASubjectToken | The IAM-issued token representing the subject identity. |
| ARequestedTokenType | The desired token type to be issued. Common values: |
Returns
A response containing the requested token and AWS metadata.
function CreateTokenWithIAM(const AClientId, ASubjectToken, ARequestedTokenType: string; const AScopes: TArray<string>): ISSOOIDCCreateTokenWithIAMResponse; overload;
ISSOOIDCCreateTokenWithIAMResponse
Exchanges an IAM-issued subject token for a custom token type with optional scopes using the token exchange grant.
Internally sets:
grantType=urn:ietf:params:oauth:grant-type:token-exchange
subjectTokenType=urn:ietf:params:oauth:token-type:access_token
Parameters
| Name | Description |
|---|---|
| AClientId | The client identifier registered with IAM Identity Center. |
| ASubjectToken | The IAM-issued token to be exchanged. |
| ARequestedTokenType | The type of token to request (e.g.,). |
| AScopes | A list of scopes to apply to the access token. |
Returns
A response containing the token and AWS identity metadata.
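The CreateTokenWithIAM overloads differ only in how much the caller narrows the result (scopes, requested token type). The unit below is an added Delphi example, not code from the AWS.SSOOIDC library, showing the two access-token overloads used from one helper and the resulting token presented as a Bearer credential to an integrated application API, as the CreateToken description above says it can be. It assumes the ISSOOIDCClient passed in was constructed with IAM credentials available for SigV4 signing (the page states this method requires them), assumes AccessToken is the response property name, and uses an https URL and scope list supplied by the caller as placeholders.

```delphi
// Added example (not part of the AWS.SSOOIDC documentation): token exchange
// via CreateTokenWithIAM and use of the result as a bearer credential.
unit TokenExchangeExample;

interface

uses
  System.SysUtils, System.Net.HttpClient, AWS.SSOOIDC;

function ExchangeForAccessToken(const AClient: ISSOOIDCClient;
  const AClientId, ASubjectToken: string; const AScopes: TArray<string>): string;
function CallWithBearer(const AUrl, AAccessToken: string): string;

implementation

function ExchangeForAccessToken(const AClient: ISSOOIDCClient;
  const AClientId, ASubjectToken: string; const AScopes: TArray<string>): string;
var
  Resp: ISSOOIDCCreateTokenWithIAMResponse;
begin
  // Reject an empty subject token locally instead of spending a SigV4-signed
  // round trip on a request that can only fail.
  if ASubjectToken.Trim = '' then
    raise Exception.Create('subject token required');
  // Both overloads set grantType=token-exchange and both token types; the
  // scoped overload is chosen only when scopes were given, so the issued
  // token carries no more privilege than the caller asked for.
  if Length(AScopes) = 0 then
    Resp := AClient.CreateTokenWithIAM(AClientId, ASubjectToken)
  else
    Resp := AClient.CreateTokenWithIAM(AClientId, ASubjectToken, AScopes);
  Result := Resp.AccessToken;  // assumed property name
end;

function CallWithBearer(const AUrl, AAccessToken: string): string;
var
  Http: THTTPClient;
  Resp: IHTTPResponse;
begin
  // A bearer token is usable by whoever holds it, so it is only ever sent
  // over TLS to the host it was obtained for.
  if not AUrl.StartsWith('https://', True) then
    raise Exception.Create('refusing to send a bearer token over plain HTTP');
  Http := THTTPClient.Create;
  try
    Http.CustomHeaders['Authorization'] := 'Bearer ' + AAccessToken;
    Resp := Http.Get(AUrl);
    if Resp.StatusCode = 401 then
      raise Exception.Create('token rejected; obtain a fresh one via CreateTokenWithIAM');
    if Resp.StatusCode <> 200 then
      raise Exception.CreateFmt('unexpected status %d', [Resp.StatusCode]);
    Result := Resp.ContentAsString;
  finally
    Http.Free;
  end;
end;

end.
```

Because the exchange is authenticated by SigV4 rather than a client secret, the IAM principal that signs the request is what Identity Center trusts; scoping the IAM policy that allows sso-oauth:CreateTokenWithIAM to the specific client ID is the corresponding control on the AWS side.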
RegisterClient
function RegisterClient(const ARequest: ISSOOIDCRegisterClientRequest): ISSOOIDCRegisterClientResponse; overload;
ISSOOIDCRegisterClientRequest → ISSOOIDCRegisterClientResponse
Registers a client with IAM Identity Center (formerly AWS SSO) to initiate an OAuth 2.0 device authorization flow or access entitled applications.
This operation is typically used as the first step in initiating an Identity Center sign-in flow. The registered client may later be used with device authorization, token exchange, or federated identity scenarios.
Required request parameters:
clientName – A user-friendly name for the client registration.
clientType – Either public or confidential.
Optional request parameters:
scopes – A list of OAuth scopes to register the client for (e.g., openid, aws.cognito.signin.user.admin).
entitledApplicationArn – An ARN scoping the client to a specific IAM Identity Center application.
Parameters
| Name | Description |
|---|---|
| ARequest | A request containing the client name, client type, and optionally scopes and an entitled application ARN. |
Returns
A response containing the client ID, client secret (for confidential clients), and expiration metadata.
function RegisterClient(const AClientName: string): ISSOOIDCRegisterClientResponse; overload;
ISSOOIDCRegisterClientResponse
Registers a public client with IAM Identity Center using only the client name.
This overload sets the following request values internally:
clientType=public
Parameters
| Name | Description |
|---|---|
| AClientName | The human-readable name to assign to the client. This must be unique within the account. |
Returns
A response containing the registered client ID, secret (if applicable), and token expiration details.
function RegisterClient(const AClientName: string; const AScopes: TArray<string>): ISSOOIDCRegisterClientResponse; overload;
ISSOOIDCRegisterClientResponse
Registers a public client with specified scopes in IAM Identity Center.
This overload sets the following request values internally:
clientType=public
Parameters
| Name | Description |
|---|---|
| AClientName | The human-readable name to assign to the client. This must be unique within the account. |
| AScopes | A list of scopes to include during client registration (e.g.,,). |
Returns
A response containing the registered client details.
function RegisterClient(const AClientName, AEntitledApplicationArn: string): ISSOOIDCRegisterClientResponse; overload;
ISSOOIDCRegisterClientResponse
Registers a public client for a specific entitled application in IAM Identity Center.
This overload sets the following request values internally:
clientType=public
Parameters
| Name | Description |
|---|---|
| AClientName | The human-readable name to assign to the client. This must be unique within the account. |
| AEntitledApplicationArn | The Amazon Resource Name (ARN) of the entitled application this client is scoped to access. |
Returns
A response containing the client ID and other registration details.
function RegisterClient(const AClientName: string; const AScopes: TArray<string>; const AEntitledApplicationArn: string): ISSOOIDCRegisterClientResponse; overload;
ISSOOIDCRegisterClientResponse
Registers a public client with specified scopes for a specific entitled application in IAM Identity Center.
This overload sets the following request values internally:
clientType=public
Parameters
| Name | Description |
|---|---|
| AClientName | The human-readable name to assign to the client. This must be unique within the account. |
| AScopes | A list of scopes to include during client registration (e.g.,,). |
| AEntitledApplicationArn | The Amazon Resource Name (ARN) of the entitled application this client is scoped to access. |
Returns
A response containing the registered client details.
StartDeviceAuthorization
function StartDeviceAuthorization(const ARequest: ISSOOIDCStartDeviceAuthorizationRequest): ISSOOIDCStartDeviceAuthorizationResponse; overload;
ISSOOIDCStartDeviceAuthorizationRequest → ISSOOIDCStartDeviceAuthorizationResponse
Initiates the OAuth 2.0 device authorization flow with IAM Identity Center for a registered public client.
This operation starts a device authorization flow by generating a short-lived user code and verification URI. The client must display these to the user, who visits the URI and enters the code to authorize the device.
Required request parameters:
clientId – The client ID received from RegisterClient.
clientSecret – The client secret if the client is confidential. Not required for public clients.
startUrl – The IAM Identity Center start URL configured for the user’s account (e.g., https://d-abc123.awsapps.com/start).
This is the first step in the device authorization grant flow. Once the user completes verification, the client must poll CreateToken to retrieve an access token.
Parameters
| Name | Description |
|---|---|
| ARequest | A request containing the client ID, client secret (if required), and the IAM Identity Center start URL associated with the user’s account. |
Returns
A response containing a device code, user code, verification URIs, and expiration information.
function StartDeviceAuthorization(const AClientId, AStartUrl: string): ISSOOIDCStartDeviceAuthorizationResponse; overload;
ISSOOIDCStartDeviceAuthorizationResponse
Starts a device authorization flow using a registered public client and a configured IAM Identity Center start URL.
This overload is intended for use with public clients and does not require a client secret.
Parameters
| Name | Description |
|---|---|
| AClientId | The public client identifier obtained from. |
| AStartUrl | The IAM Identity Center start URL for the user’s organization (e.g.,). |
Returns
A response containing the device code, user code, verification URIs, and expiration details.
function StartDeviceAuthorization(const AClientId, AClientSecret, AStartUrl: string): ISSOOIDCStartDeviceAuthorizationResponse; overload;
ISSOOIDCStartDeviceAuthorizationResponse
Starts a device authorization flow using a confidential client and an IAM Identity Center start URL.
This overload is intended for confidential clients that require a client secret.
Parameters
| Name | Description |
|---|---|
| AClientId | The confidential client identifier obtained from. |
| AClientSecret | The client secret associated with the registered confidential client. |
| AStartUrl | The IAM Identity Center start URL for the user’s organization (e.g.,). |
Returns
A response containing the device code, user code, verification URIs, and expiration details.
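RegisterClient, StartDeviceAuthorization and CreateToken are the three steps of one procedure, the device authorization grant described above, and the page says the client "must poll CreateToken" without showing the loop. The unit below is an added Delphi example, not code from the AWS.SSOOIDC library, that runs the whole flow for a public client. Several names are assumptions because the page does not define them: NewSSOOIDCClient and NewSSOOIDCCreateTokenRequest are hypothetical factories; the response properties ClientId, DeviceCode, UserCode, VerificationUriComplete, ExpiresIn, Interval and AccessToken and the request properties GrantType, ClientId and DeviceCode mirror the AWS API field names; and the three exception classes for the authorization-pending, slow-down and expired-token error codes are assumed names for however the library surfaces those service errors.

```delphi
// Added example (not part of the AWS.SSOOIDC documentation): complete device
// authorization grant for a public client, with RFC 8628 polling rules.
unit DeviceFlowExample;

interface

uses
  System.SysUtils, System.DateUtils, AWS.SSOOIDC;

// Returns an access token after the user approves the device in a browser.
function SignInWithDeviceFlow(const AStartUrl: string): string;

implementation

const
  DeviceCodeGrant = 'urn:ietf:params:oauth:grant-type:device_code';

function SignInWithDeviceFlow(const AStartUrl: string): string;
var
  Client: ISSOOIDCClient;
  Reg: ISSOOIDCRegisterClientResponse;
  Auth: ISSOOIDCStartDeviceAuthorizationResponse;
  Req: ISSOOIDCCreateTokenRequest;
  Deadline: TDateTime;
  IntervalSec: Integer;
begin
  Client := NewSSOOIDCClient;  // assumed factory

  // 1. Register a public client. This overload sets clientType=public, so no
  //    client secret has to be stored on the device.
  Reg := Client.RegisterClient('example-device-cli');

  // 2. Start the flow with the public-client overload (no secret required).
  Auth := Client.StartDeviceAuthorization(Reg.ClientId, AStartUrl);

  // 3. Show the user where to go. The complete URI embeds the user code; the
  //    plain code is shown too so the user can confirm the browser page
  //    displays the same value before approving.
  Writeln('Open ', Auth.VerificationUriComplete);
  Writeln('and confirm that the page shows code ', Auth.UserCode);

  // 4. Poll CreateToken with the device_code grant. The request-object
  //    overload is used because the convenience overloads on this page cover
  //    other grant types only.
  Req := NewSSOOIDCCreateTokenRequest;  // assumed factory
  Req.GrantType := DeviceCodeGrant;
  Req.ClientId := Reg.ClientId;
  Req.DeviceCode := Auth.DeviceCode;

  IntervalSec := Auth.Interval;
  if IntervalSec < 1 then
    IntervalSec := 5;  // RFC 8628 default when the server sends none
  Deadline := IncSecond(Now, Auth.ExpiresIn);  // device code lifetime

  while Now < Deadline do
  begin
    Sleep(IntervalSec * 1000);  // never poll faster than the server allows
    try
      Exit(Client.CreateToken(Req).AccessToken);
    except
      on ESSOOIDCAuthorizationPendingException do
        ;  // user has not approved yet; keep polling
      on ESSOOIDCSlowDownException do
        Inc(IntervalSec, 5);  // RFC 8628: add 5 s to the interval
      // Any other error (expired device code, access denied, invalid client)
      // propagates to the caller; retrying cannot change the outcome.
    end;
  end;
  raise Exception.Create('device code expired before the user approved the sign-in');
end;

end.
```

The two details worth keeping from this loop are the fixed deadline derived from ExpiresIn, which stops a client from polling forever against an abandoned code, and the back-off on the slow-down error, which is the server's signal that the configured interval is being ignored.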