@lap v0.3
# Machine-readable API spec. Each @endpoint block is one API call.
@api AWS SSO OIDC
@version 2019-06-10
@auth AWS SigV4
@endpoints 4
@toc token(1), token?aws_iam=t(1), client(1), device_authorization(1)

@group token
@endpoint POST /token
@desc Creates and returns access and refresh tokens for clients that are authenticated using client secrets. The access token can be used to fetch short-term credentials for the assigned AWS accounts or to access application APIs using bearer authentication.
@required {clientId: str, clientSecret: str, grantType: str}
@optional {deviceCode: str, code: str, refreshToken: str, scope: [str], redirectUri: str, codeVerifier: str}
@returns(200) {accessToken: str?, tokenType: str?, expiresIn: int?, refreshToken: str?, idToken: str?}

@endgroup

@group token?aws_iam=t
@endpoint POST /token?aws_iam=t
@desc Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. The access token can be used to fetch short-term credentials for the assigned Amazon Web Services accounts or to access application APIs using bearer authentication.
@required {clientId: str, grantType: str}
@optional {code: str, refreshToken: str, assertion: str, scope: [str], redirectUri: str, subjectToken: str, subjectTokenType: str, requestedTokenType: str, codeVerifier: str}
@returns(200) {accessToken: str?, tokenType: str?, expiresIn: int?, refreshToken: str?, idToken: str?, issuedTokenType: str?, scope: [str]?}

@endgroup

@group client
@endpoint POST /client/register
@desc Registers a client with IAM Identity Center. This allows clients to initiate device authorization. The output should be persisted for reuse through many authentication requests; note that it includes clientSecret (see @returns), so the persisted copy must be stored as a credential rather than as ordinary configuration.
@required {clientName: str, clientType: str}
@optional {scopes: [str], redirectUris: [str], grantTypes: [str], issuerUrl: str, entitledApplicationArn: str}
@returns(200) {clientId: str?, clientSecret: str?, clientIdIssuedAt: int(i64)?, clientSecretExpiresAt: int(i64)?, authorizationEndpoint: str?, tokenEndpoint: str?}

@endgroup

@group device_authorization
@endpoint POST /device_authorization
@desc Initiates device authorization by requesting a pair of verification codes from the authorization service.
@required {clientId: str, clientSecret: str, startUrl: str}
@returns(200) {deviceCode: str?, userCode: str?, verificationUri: str?, verificationUriComplete: str?, expiresIn: int?, interval: int?}

@endgroup

@end
