createIdentitySource method
Adds an identity source to a policy store–an Amazon Cognito user pool or OpenID Connect (OIDC) identity provider (IdP).
After you create an identity source, you can use the identities provided
by the IdP as proxies for the principal in authorization queries that use
the IsAuthorizedWithToken
or BatchIsAuthorizedWithToken
API operations. These identities take the form of tokens that contain
claims about the user, such as IDs, attributes and group memberships.
Identity sources provide identity (ID) tokens and access tokens. Verified
Permissions derives information about your user and session from token
claims. Access tokens provide action context to your
policies, and ID tokens provide principal Attributes.
-
Amazon Cognito user pool:
Namespace::\[Entity type\]::\[User pool ID\]|\[user principal attribute\], for exampleMyCorp::User::us-east-1_EXAMPLE|a1b2c3d4-5678-90ab-cdef-EXAMPLE11111. -
OpenID Connect (OIDC) provider:
Namespace::\[Entity type\]::\[entityIdPrefix\]|\[user principal attribute\], for exampleMyCorp::User::MyOIDCProvider|a1b2c3d4-5678-90ab-cdef-EXAMPLE22222.
May throw ConflictException.
May throw ResourceNotFoundException.
May throw ServiceQuotaExceededException.
Parameter configuration :
Specifies the details required to communicate with the identity provider
(IdP) associated with this identity source.
Parameter policyStoreId :
Specifies the ID of the policy store in which you want to store this
identity source. Only policies and requests made using this policy store
can reference identities from the identity provider configured in the new
identity source.
To specify a policy store, use its ID or alias name. When using an alias
name, prefix it with policy-store-alias/. For example:
-
ID:
PSEXAMPLEabcdefg111111 -
Alias name:
policy-store-alias/example-policy-store
Parameter clientToken :
Specifies a unique, case-sensitive ID that you provide to ensure the
idempotency of the request. This lets you safely retry the request without
accidentally performing the same operation a second time. Passing the same
value to a later call to an operation requires that you also pass the same
value for all other parameters. We recommend that you use a UUID type
of value..
If you don't provide this value, then Amazon Web Services generates a random one for you.
If you retry the operation with the same ClientToken, but
with different parameters, the retry fails with an
ConflictException error.
Verified Permissions recognizes a ClientToken for eight
hours. After eight hours, the next request with the same parameters
performs the operation again regardless of the value of
ClientToken.
Parameter principalEntityType :
Specifies the namespace and data type of the principals generated for
identities authenticated by the new identity source.
Implementation
Future<CreateIdentitySourceOutput> createIdentitySource({
required Configuration configuration,
required String policyStoreId,
String? clientToken,
String? principalEntityType,
}) async {
final headers = <String, String>{
'Content-Type': 'application/x-amz-json-1.0',
'X-Amz-Target': 'VerifiedPermissions.CreateIdentitySource'
};
final jsonResponse = await _protocol.send(
method: 'POST',
requestUri: '/',
exceptionFnMap: _exceptionFns,
// TODO queryParams
headers: headers,
payload: {
'configuration': configuration,
'policyStoreId': policyStoreId,
'clientToken': clientToken ?? _s.generateIdempotencyToken(),
if (principalEntityType != null)
'principalEntityType': principalEntityType,
},
);
return CreateIdentitySourceOutput.fromJson(jsonResponse.body);
}