SSOAdmin / Client / list_application_grants



List the grants associated with an application.

See also: AWS API Documentation

Request Syntax

response = client.list_application_grants(
  • ApplicationArn (string) –


    Specifies the ARN of the application whose grants you want to list.

  • NextToken (string) – Specifies that you want to receive the next page of results. Valid only if you received a NextToken response in the previous request. If you did, it indicates that more output is available. Set this parameter to the value provided by the previous call’s NextToken response to request the next page of results.

Return type:



Response Syntax

    'Grants': [
            'Grant': {
                'AuthorizationCode': {
                    'RedirectUris': [
                'JwtBearer': {
                    'AuthorizedTokenIssuers': [
                            'AuthorizedAudiences': [
                            'TrustedTokenIssuerArn': 'string'
                'RefreshToken': {},
                'TokenExchange': {}
            'GrantType': 'authorization_code'|'refresh_token'|'urn:ietf:params:oauth:grant-type:jwt-bearer'|'urn:ietf:params:oauth:grant-type:token-exchange'
    'NextToken': 'string'

Response Structure

  • (dict) –

    • Grants (list) –

      An array list of structures that describe the requested grants.

      • (dict) –

        A structure that defines a single grant and its configuration.

        • Grant (dict) –

          The configuration structure for the selected grant.


          This is a Tagged Union structure. Only one of the following top level keys will be set: AuthorizationCode, JwtBearer, RefreshToken, TokenExchange. If a client receives an unknown member it will set SDK_UNKNOWN_MEMBER as the top level key, which maps to the name or tag of the unknown member. The structure of SDK_UNKNOWN_MEMBER is as follows:

          'SDK_UNKNOWN_MEMBER': {'name': 'UnknownMemberName'}
          • AuthorizationCode (dict) –

            Configuration options for the authorization_code grant type.

            • RedirectUris (list) –

              A list of URIs that are valid locations to redirect a user’s browser after the user is authorized.

              • (string) –

          • JwtBearer (dict) –

            Configuration options for the urn:ietf:params:oauth:grant-type:jwt-bearer grant type.

            • AuthorizedTokenIssuers (list) –

              A list of allowed token issuers trusted by the Identity Center instances for this application.

              • (dict) –

                A structure that describes a trusted token issuer and associates it with a set of authorized audiences.

                • AuthorizedAudiences (list) –

                  An array list of authorized audiences, or applications, that can consume the tokens generated by the associated trusted token issuer.

                  • (string) –

                • TrustedTokenIssuerArn (string) –

                  The ARN of the trusted token issuer.

          • RefreshToken (dict) –

            Configuration options for the refresh_token grant type.

          • TokenExchange (dict) –

            Configuration options for the urn:ietf:params:oauth:grant-type:token-exchange grant type.

        • GrantType (string) –

          The type of the selected grant.

    • NextToken (string) –

      If present, this value indicates that more output is available than is included in the current response. Use this value in the NextToken request parameter in a subsequent call to the operation to get the next part of the output. You should repeat this until the NextToken response element comes back as null. This indicates that this is the last page of results.


  • SSOAdmin.Client.exceptions.ThrottlingException

  • SSOAdmin.Client.exceptions.InternalServerException

  • SSOAdmin.Client.exceptions.ResourceNotFoundException

  • SSOAdmin.Client.exceptions.AccessDeniedException

  • SSOAdmin.Client.exceptions.ValidationException