shell bypass 403
UnknownSec Shell
:
/
snap
/
aws-cli
/
current
/
aws
/
dist
/
awscli
/
botocore
/
data
/
signin
/
2023-01-01
/ [
drwxr-xr-x
]
upload
mass deface
mass delete
console
info server
name :
service-2.json
{ "version":"2.0", "metadata":{ "apiVersion":"2023-01-01", "auth":["aws.auth#sigv4"], "endpointPrefix":"signin", "protocol":"rest-json", "protocols":["rest-json"], "serviceFullName":"AWS Sign-In Service", "serviceId":"Signin", "signatureVersion":"v4", "signingName":"signin", "uid":"signin-2023-01-01" }, "operations":{ "CreateOAuth2Token":{ "name":"CreateOAuth2Token", "http":{ "method":"POST", "requestUri":"/v1/token", "responseCode":200 }, "input":{"shape":"CreateOAuth2TokenRequest"}, "output":{"shape":"CreateOAuth2TokenResponse"}, "errors":[ {"shape":"TooManyRequestsError"}, {"shape":"InternalServerException"}, {"shape":"ValidationException"}, {"shape":"AccessDeniedException"} ], "documentation":"<p>CreateOAuth2Token API</p> <p>Path: /v1/token Request Method: POST Content-Type: application/json or application/x-www-form-urlencoded</p> <p>This API implements OAuth 2.0 flows for AWS Sign-In CLI clients, supporting both:</p> <ol> <li>Authorization code redemption (grant_type=authorization_code) - NOT idempotent</li> <li>Token refresh (grant_type=refresh_token) - Idempotent within token validity window</li> </ol> <p>The operation behavior is determined by the grant_type parameter in the request body:</p> <p><strong>Authorization Code Flow (NOT Idempotent):</strong></p> <ul> <li>JSON or form-encoded body with client_id, grant_type=authorization_code, code, redirect_uri, code_verifier</li> <li>Returns access_token, token_type, expires_in, refresh_token, and id_token</li> <li>Each authorization code can only be used ONCE for security (prevents replay attacks)</li> </ul> <p><strong>Token Refresh Flow (Idempotent):</strong></p> <ul> <li>JSON or form-encoded body with client_id, grant_type=refresh_token, refresh_token</li> <li>Returns access_token, token_type, expires_in, and refresh_token (no id_token)</li> <li>Multiple calls with same refresh_token return consistent results within validity window</li> </ul> <p>Authentication and authorization:</p> <ul> <li>Confidential clients: sigv4 signing required with signin:ExchangeToken permissions</li> <li>CLI clients (public): authn/authz skipped based on client_id & grant_type</li> </ul> <p>Note: This operation cannot be marked as @idempotent because it handles both idempotent (token refresh) and non-idempotent (auth code redemption) flows in a single endpoint.</p>", "auth":["smithy.api#noAuth"], "authtype":"none" } }, "shapes":{ "AccessDeniedException":{ "type":"structure", "required":[ "error", "message" ], "members":{ "error":{ "shape":"OAuth2ErrorCode", "documentation":"<p>OAuth 2.0 error code indicating the specific type of access denial Can be TOKEN_EXPIRED, AUTHCODE_EXPIRED, USER_CREDENTIALS_CHANGED, or INSUFFICIENT_PERMISSIONS</p>" }, "message":{ "shape":"String", "documentation":"<p>Detailed message explaining the access denial Provides specific information about why access was denied</p>" } }, "documentation":"<p>Error thrown for access denied scenarios with flexible HTTP status mapping</p> <p>Runtime HTTP Status Code Mapping:</p> <ul> <li>HTTP 401 (Unauthorized): TOKEN_EXPIRED, AUTHCODE_EXPIRED</li> <li>HTTP 403 (Forbidden): USER_CREDENTIALS_CHANGED, INSUFFICIENT_PERMISSIONS</li> </ul> <p>The specific HTTP status code is determined at runtime based on the error enum value. Consumers should use the error field to determine the specific access denial reason.</p>", "exception":true }, "AccessToken":{ "type":"structure", "required":[ "accessKeyId", "secretAccessKey", "sessionToken" ], "members":{ "accessKeyId":{ "shape":"String", "documentation":"<p>AWS access key ID for temporary credentials</p>", "locationName":"accessKeyId" }, "secretAccessKey":{ "shape":"String", "documentation":"<p>AWS secret access key for temporary credentials</p>", "locationName":"secretAccessKey" }, "sessionToken":{ "shape":"String", "documentation":"<p>AWS session token for temporary credentials</p>", "locationName":"sessionToken" } }, "documentation":"<p>AWS credentials structure containing temporary access credentials</p> <p>The scoped-down, 15 minute duration AWS credentials. Scoping down will be based on CLI policy (CLI team needs to create it). Similar to cloud shell implementation.</p>", "sensitive":true }, "AuthorizationCode":{ "type":"string", "documentation":"<p>Authorization code received from AWS Sign-In /v1/authorize endpoint</p> <p>The authorization code received from AWS Sign-In from /v1/authorize. Used in auth code redemption flow only.</p>", "max":512, "min":1 }, "ClientId":{ "type":"string", "documentation":"<p>Client identifier pattern for AWS Sign-In devtools clients</p> <p>The ARN used by client as part of Sign-In onboarding. Expected values:</p> <ul> <li>arn:aws:signin:::devtools/cross-device (for cross-device devtools login)</li> <li>arn:aws:signin:::devtools/same-device (for same-device devtools login)</li> </ul> <p>This will be finalized after consulting with UX as this is visible to end customer.</p>", "pattern":"arn:aws:signin:::devtools/(cross-device|same-device)" }, "CodeVerifier":{ "type":"string", "documentation":"<p>PKCE code verifier for OAuth 2.0 security</p> <p>PKCE code verifier to prove possession of the original code challenge. Used to prevent authorization code interception attacks in public clients. Must be 43-128 characters using unreserved characters [A-Z] / [a-z] / [0-9] / "-" / "." / "_" / "~"</p>", "max":128, "min":43, "pattern":"[A-Za-z0-9\\-._~]+" }, "CreateOAuth2TokenRequest":{ "type":"structure", "required":["tokenInput"], "members":{ "tokenInput":{ "shape":"CreateOAuth2TokenRequestBody", "documentation":"<p>Flattened token operation inputs The specific operation is determined by grant_type in the request body</p>" } }, "documentation":"<p>Input structure for CreateOAuth2Token operation</p> <p>Contains flattened token operation inputs for both authorization code and refresh token flows. The operation type is determined by the grant_type parameter in the request body.</p>", "payload":"tokenInput" }, "CreateOAuth2TokenRequestBody":{ "type":"structure", "required":[ "clientId", "grantType" ], "members":{ "clientId":{ "shape":"ClientId", "documentation":"<p>The client identifier (ARN) used during Sign-In onboarding Required for both authorization code and refresh token flows</p>", "locationName":"clientId" }, "grantType":{ "shape":"GrantType", "documentation":"<p>OAuth 2.0 grant type - determines which flow is used Must be "authorization_code" or "refresh_token"</p>", "locationName":"grantType" }, "code":{ "shape":"AuthorizationCode", "documentation":"<p>The authorization code received from /v1/authorize Required only when grant_type=authorization_code</p>" }, "redirectUri":{ "shape":"RedirectUri", "documentation":"<p>The redirect URI that must match the original authorization request Required only when grant_type=authorization_code</p>", "locationName":"redirectUri" }, "codeVerifier":{ "shape":"CodeVerifier", "documentation":"<p>PKCE code verifier to prove possession of the original code challenge Required only when grant_type=authorization_code</p>", "locationName":"codeVerifier" }, "refreshToken":{ "shape":"RefreshToken", "documentation":"<p>The refresh token returned from auth_code redemption Required only when grant_type=refresh_token</p>", "locationName":"refreshToken" } }, "documentation":"<p>Request body payload for CreateOAuth2Token operation</p> <p>The operation type is determined by the grant_type parameter:</p> <ul> <li>grant_type=authorization_code: Requires code, redirect_uri, code_verifier</li> <li>grant_type=refresh_token: Requires refresh_token</li> </ul>" }, "CreateOAuth2TokenResponse":{ "type":"structure", "required":["tokenOutput"], "members":{ "tokenOutput":{ "shape":"CreateOAuth2TokenResponseBody", "documentation":"<p>Flattened token operation outputs The specific response fields depend on the grant_type used in the request</p>" } }, "documentation":"<p>Output structure for CreateOAuth2Token operation</p> <p>Contains flattened token operation outputs for both authorization code and refresh token flows. The response content depends on the grant_type from the original request.</p>", "payload":"tokenOutput" }, "CreateOAuth2TokenResponseBody":{ "type":"structure", "required":[ "accessToken", "tokenType", "expiresIn", "refreshToken" ], "members":{ "accessToken":{ "shape":"AccessToken", "documentation":"<p>Scoped-down AWS credentials (15 minute duration) Present for both authorization code redemption and token refresh</p>", "locationName":"accessToken" }, "tokenType":{ "shape":"TokenType", "documentation":"<p>Token type indicating this is AWS SigV4 credentials Value is "aws_sigv4" for both flows</p>", "locationName":"tokenType" }, "expiresIn":{ "shape":"ExpiresIn", "documentation":"<p>Time to expiry in seconds (maximum 900) Present for both authorization code redemption and token refresh</p>", "locationName":"expiresIn" }, "refreshToken":{ "shape":"RefreshToken", "documentation":"<p>Encrypted refresh token with cnf.jkt (SHA-256 thumbprint of presented jwk) Always present in responses (required for both flows)</p>", "locationName":"refreshToken" }, "idToken":{ "shape":"IdToken", "documentation":"<p>ID token containing user identity information Present only in authorization code redemption response (grant_type=authorization_code) Not included in token refresh responses</p>", "locationName":"idToken" } }, "documentation":"<p>Response body payload for CreateOAuth2Token operation</p> <p>The response content depends on the grant_type from the request:</p> <ul> <li>grant_type=authorization_code: Returns all fields including refresh_token and id_token</li> <li>grant_type=refresh_token: Returns access_token, token_type, expires_in, refresh_token (no id_token)</li> </ul>" }, "ExpiresIn":{ "type":"integer", "documentation":"<p>Time to expiry in seconds</p> <p>The time to expiry in seconds, for these purposes will be at most 900 (15 minutes).</p>", "box":true, "max":900, "min":1 }, "GrantType":{ "type":"string", "documentation":"<p>OAuth 2.0 grant type parameter</p> <p>For auth code redemption: Must be "authorization_code" For token refresh: Must be "refresh_token"</p> <p>Based on client_id & grant_type, authn/authz is skipped for CLI endpoints.</p>", "pattern":"(authorization_code|refresh_token)" }, "IdToken":{ "type":"string", "documentation":"<p>ID token containing user identity information</p> <p>Encoded JWT token containing user identity claims and authentication context. Returned only in authorization code redemption responses (grant_type=authorization_code). Contains user identity information such as ARN and other identity claims.</p>", "max":4096, "min":1 }, "InternalServerException":{ "type":"structure", "required":[ "error", "message" ], "members":{ "error":{ "shape":"OAuth2ErrorCode", "documentation":"<p>OAuth 2.0 error code indicating server error Will be SERVER_ERROR for internal server errors</p>" }, "message":{ "shape":"String", "documentation":"<p>Detailed message explaining the server error May include error details for debugging purposes</p>" } }, "documentation":"<p>Error thrown when an internal server error occurs</p> <p>HTTP Status Code: 500 Internal Server Error</p> <p>Used for unexpected server-side errors that prevent request processing.</p>", "error":{"httpStatusCode":500}, "exception":true, "fault":true }, "OAuth2ErrorCode":{ "type":"string", "documentation":"<p>OAuth 2.0 error codes returned by the server</p> <p>Standard OAuth 2.0 error codes used in error responses to indicate the specific type of error that occurred during token operations.</p>", "enum":[ "TOKEN_EXPIRED", "USER_CREDENTIALS_CHANGED", "INSUFFICIENT_PERMISSIONS", "AUTHCODE_EXPIRED", "server_error", "INVALID_REQUEST" ] }, "RedirectUri":{ "type":"string", "documentation":"<p>Redirect URI for OAuth 2.0 flow validation</p> <p>The same redirect URI used in the authorization request. This must match exactly what was sent in the original authorization request for security validation.</p>", "max":2048, "min":1 }, "RefreshToken":{ "type":"string", "documentation":"<p>Encrypted refresh token with cnf.jkt</p> <p>This is the encrypted refresh token returned from auth code redemption. The token content includes cnf.jkt (SHA-256 thumbprint of the presented jwk). Used in subsequent token refresh requests.</p>", "max":2048, "min":1, "sensitive":true }, "String":{"type":"string"}, "TokenType":{ "type":"string", "documentation":"<p>Token type parameter indicating credential usage</p> <p>A parameter which indicates to the client how the token must be used. Value is "aws_sigv4" (instead of typical "Bearer" for other OAuth systems) to indicate that the client must de-serialize the token and use it to generate a signature.</p>", "pattern":"aws_sigv4" }, "TooManyRequestsError":{ "type":"structure", "required":[ "error", "message" ], "members":{ "error":{ "shape":"OAuth2ErrorCode", "documentation":"<p>OAuth 2.0 error code indicating the specific type of error Will be INVALID_REQUEST for rate limiting scenarios</p>" }, "message":{ "shape":"String", "documentation":"<p>Detailed message about the rate limiting May include retry-after information or rate limit details</p>" } }, "documentation":"<p>Error thrown when rate limit is exceeded</p> <p>HTTP Status Code: 429 Too Many Requests</p> <p>Possible OAuth2ErrorCode values:</p> <ul> <li>INVALID_REQUEST: Rate limiting, too many requests, abuse prevention</li> </ul> <p>Possible causes:</p> <ul> <li>Too many token requests from the same client</li> <li>Rate limiting based on client_id or IP address</li> <li>Abuse prevention mechanisms triggered</li> <li>Service protection against excessive token generation</li> </ul>", "error":{ "httpStatusCode":429, "senderFault":true }, "exception":true }, "ValidationException":{ "type":"structure", "required":[ "error", "message" ], "members":{ "error":{ "shape":"OAuth2ErrorCode", "documentation":"<p>OAuth 2.0 error code indicating validation failure Will be INVALID_REQUEST for validation errors</p>" }, "message":{ "shape":"String", "documentation":"<p>Detailed message explaining the validation failure Provides specific information about which validation failed</p>" } }, "documentation":"<p>Error thrown when request validation fails</p> <p>HTTP Status Code: 400 Bad Request</p> <p>Used for request validation errors such as malformed parameters, missing required fields, or invalid parameter values.</p>", "error":{ "httpStatusCode":400, "senderFault":true }, "exception":true } }, "documentation":"<p>AWS Sign-In manages authentication for AWS services. This service provides secure authentication flows for accessing AWS resources from the console and developer tools.</p>" }
© 2026 UnknownSec