aws-sdk-cognitoidentityprovider 1.25.0 → 1.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -476,6 +476,7 @@ module Aws::CognitoIdentityProvider
476
476
 
477
477
  AdminConfirmSignUpRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
478
478
  AdminConfirmSignUpRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
479
+ AdminConfirmSignUpRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
479
480
  AdminConfirmSignUpRequest.struct_class = Types::AdminConfirmSignUpRequest
480
481
 
481
482
  AdminConfirmSignUpResponse.struct_class = Types::AdminConfirmSignUpResponse
@@ -493,6 +494,7 @@ module Aws::CognitoIdentityProvider
493
494
  AdminCreateUserRequest.add_member(:force_alias_creation, Shapes::ShapeRef.new(shape: ForceAliasCreation, location_name: "ForceAliasCreation"))
494
495
  AdminCreateUserRequest.add_member(:message_action, Shapes::ShapeRef.new(shape: MessageActionType, location_name: "MessageAction"))
495
496
  AdminCreateUserRequest.add_member(:desired_delivery_mediums, Shapes::ShapeRef.new(shape: DeliveryMediumListType, location_name: "DesiredDeliveryMediums"))
497
+ AdminCreateUserRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
496
498
  AdminCreateUserRequest.struct_class = Types::AdminCreateUserRequest
497
499
 
498
500
  AdminCreateUserResponse.add_member(:user, Shapes::ShapeRef.new(shape: UserType, location_name: "User"))
@@ -614,6 +616,7 @@ module Aws::CognitoIdentityProvider
614
616
 
615
617
  AdminResetUserPasswordRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
616
618
  AdminResetUserPasswordRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
619
+ AdminResetUserPasswordRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
617
620
  AdminResetUserPasswordRequest.struct_class = Types::AdminResetUserPasswordRequest
618
621
 
619
622
  AdminResetUserPasswordResponse.struct_class = Types::AdminResetUserPasswordResponse
@@ -625,6 +628,7 @@ module Aws::CognitoIdentityProvider
625
628
  AdminRespondToAuthChallengeRequest.add_member(:session, Shapes::ShapeRef.new(shape: SessionType, location_name: "Session"))
626
629
  AdminRespondToAuthChallengeRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
627
630
  AdminRespondToAuthChallengeRequest.add_member(:context_data, Shapes::ShapeRef.new(shape: ContextDataType, location_name: "ContextData"))
631
+ AdminRespondToAuthChallengeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
628
632
  AdminRespondToAuthChallengeRequest.struct_class = Types::AdminRespondToAuthChallengeRequest
629
633
 
630
634
  AdminRespondToAuthChallengeResponse.add_member(:challenge_name, Shapes::ShapeRef.new(shape: ChallengeNameType, location_name: "ChallengeName"))
@@ -675,6 +679,7 @@ module Aws::CognitoIdentityProvider
675
679
  AdminUpdateUserAttributesRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
676
680
  AdminUpdateUserAttributesRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
677
681
  AdminUpdateUserAttributesRequest.add_member(:user_attributes, Shapes::ShapeRef.new(shape: AttributeListType, required: true, location_name: "UserAttributes"))
682
+ AdminUpdateUserAttributesRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
678
683
  AdminUpdateUserAttributesRequest.struct_class = Types::AdminUpdateUserAttributesRequest
679
684
 
680
685
  AdminUpdateUserAttributesResponse.struct_class = Types::AdminUpdateUserAttributesResponse
@@ -808,6 +813,7 @@ module Aws::CognitoIdentityProvider
808
813
  ConfirmForgotPasswordRequest.add_member(:password, Shapes::ShapeRef.new(shape: PasswordType, required: true, location_name: "Password"))
809
814
  ConfirmForgotPasswordRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
810
815
  ConfirmForgotPasswordRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
816
+ ConfirmForgotPasswordRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
811
817
  ConfirmForgotPasswordRequest.struct_class = Types::ConfirmForgotPasswordRequest
812
818
 
813
819
  ConfirmForgotPasswordResponse.struct_class = Types::ConfirmForgotPasswordResponse
@@ -819,6 +825,7 @@ module Aws::CognitoIdentityProvider
819
825
  ConfirmSignUpRequest.add_member(:force_alias_creation, Shapes::ShapeRef.new(shape: ForceAliasCreation, location_name: "ForceAliasCreation"))
820
826
  ConfirmSignUpRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
821
827
  ConfirmSignUpRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
828
+ ConfirmSignUpRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
822
829
  ConfirmSignUpRequest.struct_class = Types::ConfirmSignUpRequest
823
830
 
824
831
  ConfirmSignUpResponse.struct_class = Types::ConfirmSignUpResponse
@@ -1078,6 +1085,7 @@ module Aws::CognitoIdentityProvider
1078
1085
  ForgotPasswordRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
1079
1086
  ForgotPasswordRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
1080
1087
  ForgotPasswordRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
1088
+ ForgotPasswordRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
1081
1089
  ForgotPasswordRequest.struct_class = Types::ForgotPasswordRequest
1082
1090
 
1083
1091
  ForgotPasswordResponse.add_member(:code_delivery_details, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsType, location_name: "CodeDeliveryDetails"))
@@ -1126,6 +1134,7 @@ module Aws::CognitoIdentityProvider
1126
1134
 
1127
1135
  GetUserAttributeVerificationCodeRequest.add_member(:access_token, Shapes::ShapeRef.new(shape: TokenModelType, required: true, location_name: "AccessToken"))
1128
1136
  GetUserAttributeVerificationCodeRequest.add_member(:attribute_name, Shapes::ShapeRef.new(shape: AttributeNameType, required: true, location_name: "AttributeName"))
1137
+ GetUserAttributeVerificationCodeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
1129
1138
  GetUserAttributeVerificationCodeRequest.struct_class = Types::GetUserAttributeVerificationCodeRequest
1130
1139
 
1131
1140
  GetUserAttributeVerificationCodeResponse.add_member(:code_delivery_details, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsType, location_name: "CodeDeliveryDetails"))
@@ -1410,6 +1419,7 @@ module Aws::CognitoIdentityProvider
1410
1419
  ResendConfirmationCodeRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
1411
1420
  ResendConfirmationCodeRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
1412
1421
  ResendConfirmationCodeRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
1422
+ ResendConfirmationCodeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
1413
1423
  ResendConfirmationCodeRequest.struct_class = Types::ResendConfirmationCodeRequest
1414
1424
 
1415
1425
  ResendConfirmationCodeResponse.add_member(:code_delivery_details, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsType, location_name: "CodeDeliveryDetails"))
@@ -1438,6 +1448,7 @@ module Aws::CognitoIdentityProvider
1438
1448
  RespondToAuthChallengeRequest.add_member(:challenge_responses, Shapes::ShapeRef.new(shape: ChallengeResponsesType, location_name: "ChallengeResponses"))
1439
1449
  RespondToAuthChallengeRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
1440
1450
  RespondToAuthChallengeRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
1451
+ RespondToAuthChallengeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
1441
1452
  RespondToAuthChallengeRequest.struct_class = Types::RespondToAuthChallengeRequest
1442
1453
 
1443
1454
  RespondToAuthChallengeResponse.add_member(:challenge_name, Shapes::ShapeRef.new(shape: ChallengeNameType, location_name: "ChallengeName"))
@@ -1531,6 +1542,7 @@ module Aws::CognitoIdentityProvider
1531
1542
  SignUpRequest.add_member(:validation_data, Shapes::ShapeRef.new(shape: AttributeListType, location_name: "ValidationData"))
1532
1543
  SignUpRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
1533
1544
  SignUpRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
1545
+ SignUpRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
1534
1546
  SignUpRequest.struct_class = Types::SignUpRequest
1535
1547
 
1536
1548
  SignUpResponse.add_member(:user_confirmed, Shapes::ShapeRef.new(shape: BooleanType, required: true, location_name: "UserConfirmed"))
@@ -1579,7 +1591,7 @@ module Aws::CognitoIdentityProvider
1579
1591
  SupportedIdentityProvidersListType.member = Shapes::ShapeRef.new(shape: ProviderNameType)
1580
1592
 
1581
1593
  TagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "ResourceArn"))
1582
- TagResourceRequest.add_member(:tags, Shapes::ShapeRef.new(shape: UserPoolTagsType, location_name: "Tags"))
1594
+ TagResourceRequest.add_member(:tags, Shapes::ShapeRef.new(shape: UserPoolTagsType, required: true, location_name: "Tags"))
1583
1595
  TagResourceRequest.struct_class = Types::TagResourceRequest
1584
1596
 
1585
1597
  TagResourceResponse.struct_class = Types::TagResourceResponse
@@ -1609,7 +1621,7 @@ module Aws::CognitoIdentityProvider
1609
1621
  UnsupportedUserStateException.struct_class = Types::UnsupportedUserStateException
1610
1622
 
1611
1623
  UntagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "ResourceArn"))
1612
- UntagResourceRequest.add_member(:tag_keys, Shapes::ShapeRef.new(shape: UserPoolTagsListType, location_name: "TagKeys"))
1624
+ UntagResourceRequest.add_member(:tag_keys, Shapes::ShapeRef.new(shape: UserPoolTagsListType, required: true, location_name: "TagKeys"))
1613
1625
  UntagResourceRequest.struct_class = Types::UntagResourceRequest
1614
1626
 
1615
1627
  UntagResourceResponse.struct_class = Types::UntagResourceResponse
@@ -1661,6 +1673,7 @@ module Aws::CognitoIdentityProvider
1661
1673
 
1662
1674
  UpdateUserAttributesRequest.add_member(:user_attributes, Shapes::ShapeRef.new(shape: AttributeListType, required: true, location_name: "UserAttributes"))
1663
1675
  UpdateUserAttributesRequest.add_member(:access_token, Shapes::ShapeRef.new(shape: TokenModelType, required: true, location_name: "AccessToken"))
1676
+ UpdateUserAttributesRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
1664
1677
  UpdateUserAttributesRequest.struct_class = Types::UpdateUserAttributesRequest
1665
1678
 
1666
1679
  UpdateUserAttributesResponse.add_member(:code_delivery_details_list, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsListType, location_name: "CodeDeliveryDetailsList"))
@@ -2856,6 +2869,7 @@ module Aws::CognitoIdentityProvider
2856
2869
  o.input = Shapes::ShapeRef.new(shape: GetSigningCertificateRequest)
2857
2870
  o.output = Shapes::ShapeRef.new(shape: GetSigningCertificateResponse)
2858
2871
  o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
2872
+ o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
2859
2873
  o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
2860
2874
  end)
2861
2875
 
@@ -2960,6 +2974,8 @@ module Aws::CognitoIdentityProvider
2960
2974
  o.errors << Shapes::ShapeRef.new(shape: UserNotFoundException)
2961
2975
  o.errors << Shapes::ShapeRef.new(shape: UserNotConfirmedException)
2962
2976
  o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
2977
+ o.errors << Shapes::ShapeRef.new(shape: InvalidSmsRoleAccessPolicyException)
2978
+ o.errors << Shapes::ShapeRef.new(shape: InvalidSmsRoleTrustRelationshipException)
2963
2979
  end)
2964
2980
 
2965
2981
  api.add_operation(:list_devices, Seahorse::Model::Operation.new.tap do |o|
@@ -3110,6 +3126,12 @@ module Aws::CognitoIdentityProvider
3110
3126
  o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
3111
3127
  o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
3112
3128
  o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
3129
+ o[:pager] = Aws::Pager.new(
3130
+ limit_key: "limit",
3131
+ tokens: {
3132
+ "pagination_token" => "pagination_token"
3133
+ }
3134
+ )
3113
3135
  end)
3114
3136
 
3115
3137
  api.add_operation(:list_users_in_group, Seahorse::Model::Operation.new.tap do |o|
@@ -232,6 +232,9 @@ module Aws::CognitoIdentityProvider
232
232
  # {
233
233
  # user_pool_id: "UserPoolIdType", # required
234
234
  # username: "UsernameType", # required
235
+ # client_metadata: {
236
+ # "StringType" => "StringType",
237
+ # },
235
238
  # }
236
239
  #
237
240
  # @!attribute [rw] user_pool_id
@@ -242,11 +245,50 @@ module Aws::CognitoIdentityProvider
242
245
  # The user name for which you want to confirm user registration.
243
246
  # @return [String]
244
247
  #
248
+ # @!attribute [rw] client_metadata
249
+ # A map of custom key-value pairs that you can provide as input for
250
+ # any custom workflows that this action triggers.
251
+ #
252
+ # If your user pool configuration includes triggers, the
253
+ # AdminConfirmSignUp API action invokes the AWS Lambda function that
254
+ # is specified for the *post confirmation* trigger. When Amazon
255
+ # Cognito invokes this function, it passes a JSON payload, which the
256
+ # function receives as input. In this payload, the `clientMetadata`
257
+ # attribute provides the data that you assigned to the ClientMetadata
258
+ # parameter in your AdminConfirmSignUp request. In your function code
259
+ # in AWS Lambda, you can process the ClientMetadata value to enhance
260
+ # your workflow for your specific needs.
261
+ #
262
+ # For more information, see [Customizing User Pool Workflows with
263
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
264
+ #
265
+ # <note markdown="1"> Take the following limitations into consideration when you use the
266
+ # ClientMetadata parameter:
267
+ #
268
+ # * Amazon Cognito does not store the ClientMetadata value. This data
269
+ # is available only to AWS Lambda triggers that are assigned to a
270
+ # user pool to support custom workflows. If your user pool
271
+ # configuration does not include triggers, the ClientMetadata
272
+ # parameter serves no purpose.
273
+ #
274
+ # * Amazon Cognito does not validate the ClientMetadata value.
275
+ #
276
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
277
+ # don't use it to provide sensitive information.
278
+ #
279
+ # </note>
280
+ #
281
+ #
282
+ #
283
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
284
+ # @return [Hash<String,String>]
285
+ #
245
286
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminConfirmSignUpRequest AWS API Documentation
246
287
  #
247
288
  class AdminConfirmSignUpRequest < Struct.new(
248
289
  :user_pool_id,
249
- :username)
290
+ :username,
291
+ :client_metadata)
250
292
  include Aws::Structure
251
293
  end
252
294
 
@@ -299,7 +341,7 @@ module Aws::CognitoIdentityProvider
299
341
  #
300
342
  #
301
343
  #
302
- # [1]: http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization
344
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization
303
345
  # @return [Types::MessageTemplateType]
304
346
  #
305
347
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminCreateUserConfigType AWS API Documentation
@@ -335,6 +377,9 @@ module Aws::CognitoIdentityProvider
335
377
  # force_alias_creation: false,
336
378
  # message_action: "RESEND", # accepts RESEND, SUPPRESS
337
379
  # desired_delivery_mediums: ["SMS"], # accepts SMS, EMAIL
380
+ # client_metadata: {
381
+ # "StringType" => "StringType",
382
+ # },
338
383
  # }
339
384
  #
340
385
  # @!attribute [rw] user_pool_id
@@ -442,6 +487,45 @@ module Aws::CognitoIdentityProvider
442
487
  # is `"SMS"`. More than one value can be specified.
443
488
  # @return [Array<String>]
444
489
  #
490
+ # @!attribute [rw] client_metadata
491
+ # A map of custom key-value pairs that you can provide as input for
492
+ # any custom workflows that this action triggers.
493
+ #
494
+ # You create custom workflows by assigning AWS Lambda functions to
495
+ # user pool triggers. When you use the AdminCreateUser API action,
496
+ # Amazon Cognito invokes the function that is assigned to the *pre
497
+ # sign-up* trigger. When Amazon Cognito invokes this function, it
498
+ # passes a JSON payload, which the function receives as input. This
499
+ # payload contains a `clientMetadata` attribute, which provides the
500
+ # data that you assigned to the ClientMetadata parameter in your
501
+ # AdminCreateUser request. In your function code in AWS Lambda, you
502
+ # can process the `clientMetadata` value to enhance your workflow for
503
+ # your specific needs.
504
+ #
505
+ # For more information, see [Customizing User Pool Workflows with
506
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
507
+ #
508
+ # <note markdown="1"> Take the following limitations into consideration when you use the
509
+ # ClientMetadata parameter:
510
+ #
511
+ # * Amazon Cognito does not store the ClientMetadata value. This data
512
+ # is available only to AWS Lambda triggers that are assigned to a
513
+ # user pool to support custom workflows. If your user pool
514
+ # configuration does not include triggers, the ClientMetadata
515
+ # parameter serves no purpose.
516
+ #
517
+ # * Amazon Cognito does not validate the ClientMetadata value.
518
+ #
519
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
520
+ # don't use it to provide sensitive information.
521
+ #
522
+ # </note>
523
+ #
524
+ #
525
+ #
526
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
527
+ # @return [Hash<String,String>]
528
+ #
445
529
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminCreateUserRequest AWS API Documentation
446
530
  #
447
531
  class AdminCreateUserRequest < Struct.new(
@@ -452,7 +536,8 @@ module Aws::CognitoIdentityProvider
452
536
  :temporary_password,
453
537
  :force_alias_creation,
454
538
  :message_action,
455
- :desired_delivery_mediums)
539
+ :desired_delivery_mediums,
540
+ :client_metadata)
456
541
  include Aws::Structure
457
542
  end
458
543
 
@@ -792,7 +877,11 @@ module Aws::CognitoIdentityProvider
792
877
  # @return [String]
793
878
  #
794
879
  # @!attribute [rw] mfa_options
795
- # Specifies the options for MFA (e.g., email or phone number).
880
+ # *This response parameter is no longer supported.* It provides
881
+ # information only about SMS MFA configurations. It doesn't provide
882
+ # information about TOTP software token MFA configurations. To look up
883
+ # information about either type of MFA configuration, use the
884
+ # AdminGetUserResponse$UserMFASettingList response instead.
796
885
  # @return [Array<Types::MFAOptionType>]
797
886
  #
798
887
  # @!attribute [rw] preferred_mfa_setting
@@ -800,7 +889,8 @@ module Aws::CognitoIdentityProvider
800
889
  # @return [String]
801
890
  #
802
891
  # @!attribute [rw] user_mfa_setting_list
803
- # The list of the user's MFA settings.
892
+ # The MFA options that are enabled for the user. The possible values
893
+ # in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
804
894
  # @return [Array<String>]
805
895
  #
806
896
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetUserResponse AWS API Documentation
@@ -914,10 +1004,67 @@ module Aws::CognitoIdentityProvider
914
1004
  # @return [Hash<String,String>]
915
1005
  #
916
1006
  # @!attribute [rw] client_metadata
917
- # This is a random key-value pair map which can contain any key and
918
- # will be passed to your PreAuthentication Lambda trigger as-is. It
919
- # can be used to implement additional validations around
920
- # authentication.
1007
+ # A map of custom key-value pairs that you can provide as input for
1008
+ # certain custom workflows that this action triggers.
1009
+ #
1010
+ # You create custom workflows by assigning AWS Lambda functions to
1011
+ # user pool triggers. When you use the AdminInitiateAuth API action,
1012
+ # Amazon Cognito invokes the AWS Lambda functions that are specified
1013
+ # for various triggers. The ClientMetadata value is passed as input to
1014
+ # the functions for only the following triggers:
1015
+ #
1016
+ # * Pre signup
1017
+ #
1018
+ # * Pre authentication
1019
+ #
1020
+ # * User migration
1021
+ #
1022
+ # When Amazon Cognito invokes the functions for these triggers, it
1023
+ # passes a JSON payload, which the function receives as input. This
1024
+ # payload contains a `validationData` attribute, which provides the
1025
+ # data that you assigned to the ClientMetadata parameter in your
1026
+ # AdminInitiateAuth request. In your function code in AWS Lambda, you
1027
+ # can process the `validationData` value to enhance your workflow for
1028
+ # your specific needs.
1029
+ #
1030
+ # When you use the AdminInitiateAuth API action, Amazon Cognito also
1031
+ # invokes the functions for the following triggers, but it does not
1032
+ # provide the ClientMetadata value as input:
1033
+ #
1034
+ # * Post authentication
1035
+ #
1036
+ # * Custom message
1037
+ #
1038
+ # * Pre token generation
1039
+ #
1040
+ # * Create auth challenge
1041
+ #
1042
+ # * Define auth challenge
1043
+ #
1044
+ # * Verify auth challenge
1045
+ #
1046
+ # For more information, see [Customizing User Pool Workflows with
1047
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
1048
+ #
1049
+ # <note markdown="1"> Take the following limitations into consideration when you use the
1050
+ # ClientMetadata parameter:
1051
+ #
1052
+ # * Amazon Cognito does not store the ClientMetadata value. This data
1053
+ # is available only to AWS Lambda triggers that are assigned to a
1054
+ # user pool to support custom workflows. If your user pool
1055
+ # configuration does not include triggers, the ClientMetadata
1056
+ # parameter serves no purpose.
1057
+ #
1058
+ # * Amazon Cognito does not validate the ClientMetadata value.
1059
+ #
1060
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
1061
+ # don't use it to provide sensitive information.
1062
+ #
1063
+ # </note>
1064
+ #
1065
+ #
1066
+ #
1067
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
921
1068
  # @return [Hash<String,String>]
922
1069
  #
923
1070
  # @!attribute [rw] analytics_metadata
@@ -1314,6 +1461,9 @@ module Aws::CognitoIdentityProvider
1314
1461
  # {
1315
1462
  # user_pool_id: "UserPoolIdType", # required
1316
1463
  # username: "UsernameType", # required
1464
+ # client_metadata: {
1465
+ # "StringType" => "StringType",
1466
+ # },
1317
1467
  # }
1318
1468
  #
1319
1469
  # @!attribute [rw] user_pool_id
@@ -1325,11 +1475,51 @@ module Aws::CognitoIdentityProvider
1325
1475
  # The user name of the user whose password you wish to reset.
1326
1476
  # @return [String]
1327
1477
  #
1478
+ # @!attribute [rw] client_metadata
1479
+ # A map of custom key-value pairs that you can provide as input for
1480
+ # any custom workflows that this action triggers.
1481
+ #
1482
+ # You create custom workflows by assigning AWS Lambda functions to
1483
+ # user pool triggers. When you use the AdminResetUserPassword API
1484
+ # action, Amazon Cognito invokes the function that is assigned to the
1485
+ # *custom message* trigger. When Amazon Cognito invokes this function,
1486
+ # it passes a JSON payload, which the function receives as input. This
1487
+ # payload contains a `clientMetadata` attribute, which provides the
1488
+ # data that you assigned to the ClientMetadata parameter in your
1489
+ # AdminResetUserPassword request. In your function code in AWS Lambda,
1490
+ # you can process the `clientMetadata` value to enhance your workflow
1491
+ # for your specific needs.
1492
+ #
1493
+ # For more information, see [Customizing User Pool Workflows with
1494
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
1495
+ #
1496
+ # <note markdown="1"> Take the following limitations into consideration when you use the
1497
+ # ClientMetadata parameter:
1498
+ #
1499
+ # * Amazon Cognito does not store the ClientMetadata value. This data
1500
+ # is available only to AWS Lambda triggers that are assigned to a
1501
+ # user pool to support custom workflows. If your user pool
1502
+ # configuration does not include triggers, the ClientMetadata
1503
+ # parameter serves no purpose.
1504
+ #
1505
+ # * Amazon Cognito does not validate the ClientMetadata value.
1506
+ #
1507
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
1508
+ # don't use it to provide sensitive information.
1509
+ #
1510
+ # </note>
1511
+ #
1512
+ #
1513
+ #
1514
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
1515
+ # @return [Hash<String,String>]
1516
+ #
1328
1517
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminResetUserPasswordRequest AWS API Documentation
1329
1518
  #
1330
1519
  class AdminResetUserPasswordRequest < Struct.new(
1331
1520
  :user_pool_id,
1332
- :username)
1521
+ :username,
1522
+ :client_metadata)
1333
1523
  include Aws::Structure
1334
1524
  end
1335
1525
 
@@ -1369,6 +1559,9 @@ module Aws::CognitoIdentityProvider
1369
1559
  # ],
1370
1560
  # encoded_data: "StringType",
1371
1561
  # },
1562
+ # client_metadata: {
1563
+ # "StringType" => "StringType",
1564
+ # },
1372
1565
  # }
1373
1566
  #
1374
1567
  # @!attribute [rw] user_pool_id
@@ -1428,6 +1621,48 @@ module Aws::CognitoIdentityProvider
1428
1621
  # Amazon Cognito advanced security.
1429
1622
  # @return [Types::ContextDataType]
1430
1623
  #
1624
+ # @!attribute [rw] client_metadata
1625
+ # A map of custom key-value pairs that you can provide as input for
1626
+ # any custom workflows that this action triggers.
1627
+ #
1628
+ # You create custom workflows by assigning AWS Lambda functions to
1629
+ # user pool triggers. When you use the AdminRespondToAuthChallenge API
1630
+ # action, Amazon Cognito invokes any functions that are assigned to
1631
+ # the following triggers: *pre sign-up*, *custom message*, *post
1632
+ # authentication*, *user migration*, *pre token generation*, *define
1633
+ # auth challenge*, *create auth challenge*, and *verify auth challenge
1634
+ # response*. When Amazon Cognito invokes any of these functions, it
1635
+ # passes a JSON payload, which the function receives as input. This
1636
+ # payload contains a `clientMetadata` attribute, which provides the
1637
+ # data that you assigned to the ClientMetadata parameter in your
1638
+ # AdminRespondToAuthChallenge request. In your function code in AWS
1639
+ # Lambda, you can process the `clientMetadata` value to enhance your
1640
+ # workflow for your specific needs.
1641
+ #
1642
+ # For more information, see [Customizing User Pool Workflows with
1643
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
1644
+ #
1645
+ # <note markdown="1"> Take the following limitations into consideration when you use the
1646
+ # ClientMetadata parameter:
1647
+ #
1648
+ # * Amazon Cognito does not store the ClientMetadata value. This data
1649
+ # is available only to AWS Lambda triggers that are assigned to a
1650
+ # user pool to support custom workflows. If your user pool
1651
+ # configuration does not include triggers, the ClientMetadata
1652
+ # parameter serves no purpose.
1653
+ #
1654
+ # * Amazon Cognito does not validate the ClientMetadata value.
1655
+ #
1656
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
1657
+ # don't use it to provide sensitive information.
1658
+ #
1659
+ # </note>
1660
+ #
1661
+ #
1662
+ #
1663
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
1664
+ # @return [Hash<String,String>]
1665
+ #
1431
1666
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminRespondToAuthChallengeRequest AWS API Documentation
1432
1667
  #
1433
1668
  class AdminRespondToAuthChallengeRequest < Struct.new(
@@ -1437,7 +1672,8 @@ module Aws::CognitoIdentityProvider
1437
1672
  :challenge_responses,
1438
1673
  :session,
1439
1674
  :analytics_metadata,
1440
- :context_data)
1675
+ :context_data,
1676
+ :client_metadata)
1441
1677
  include Aws::Structure
1442
1678
  end
1443
1679
 
@@ -1531,15 +1767,20 @@ module Aws::CognitoIdentityProvider
1531
1767
  # }
1532
1768
  #
1533
1769
  # @!attribute [rw] user_pool_id
1770
+ # The user pool ID for the user pool where you want to set the user's
1771
+ # password.
1534
1772
  # @return [String]
1535
1773
  #
1536
1774
  # @!attribute [rw] username
1775
+ # The user name of the user whose password you wish to set.
1537
1776
  # @return [String]
1538
1777
  #
1539
1778
  # @!attribute [rw] password
1779
+ # The password for the user.
1540
1780
  # @return [String]
1541
1781
  #
1542
1782
  # @!attribute [rw] permanent
1783
+ # `True` if the password is permanent, `False` if it is temporary.
1543
1784
  # @return [Boolean]
1544
1785
  #
1545
1786
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminSetUserPasswordRequest AWS API Documentation
@@ -1556,7 +1797,8 @@ module Aws::CognitoIdentityProvider
1556
1797
  #
1557
1798
  class AdminSetUserPasswordResponse < Aws::EmptyStructure; end
1558
1799
 
1559
- # Represents the request to set user settings as an administrator.
1800
+ # You can use this parameter to set an MFA configuration that uses the
1801
+ # SMS delivery medium.
1560
1802
  #
1561
1803
  # @note When making an API call, you may pass AdminSetUserSettingsRequest
1562
1804
  # data as a hash:
@@ -1573,16 +1815,17 @@ module Aws::CognitoIdentityProvider
1573
1815
  # }
1574
1816
  #
1575
1817
  # @!attribute [rw] user_pool_id
1576
- # The user pool ID for the user pool where you want to set the user's
1577
- # settings, such as MFA options.
1818
+ # The ID of the user pool that contains the user that you are setting
1819
+ # options for.
1578
1820
  # @return [String]
1579
1821
  #
1580
1822
  # @!attribute [rw] username
1581
- # The user name of the user for whom you wish to set user settings.
1823
+ # The user name of the user that you are setting options for.
1582
1824
  # @return [String]
1583
1825
  #
1584
1826
  # @!attribute [rw] mfa_options
1585
- # Specifies the options for MFA (e.g., email or phone number).
1827
+ # You can use this parameter only to set an SMS configuration that
1828
+ # uses SMS for delivery.
1586
1829
  # @return [Array<Types::MFAOptionType>]
1587
1830
  #
1588
1831
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminSetUserSettingsRequest AWS API Documentation
@@ -1701,6 +1944,9 @@ module Aws::CognitoIdentityProvider
1701
1944
  # value: "AttributeValueType",
1702
1945
  # },
1703
1946
  # ],
1947
+ # client_metadata: {
1948
+ # "StringType" => "StringType",
1949
+ # },
1704
1950
  # }
1705
1951
  #
1706
1952
  # @!attribute [rw] user_pool_id
@@ -1720,12 +1966,52 @@ module Aws::CognitoIdentityProvider
1720
1966
  # attribute name.
1721
1967
  # @return [Array<Types::AttributeType>]
1722
1968
  #
1969
+ # @!attribute [rw] client_metadata
1970
+ # A map of custom key-value pairs that you can provide as input for
1971
+ # any custom workflows that this action triggers.
1972
+ #
1973
+ # You create custom workflows by assigning AWS Lambda functions to
1974
+ # user pool triggers. When you use the AdminUpdateUserAttributes API
1975
+ # action, Amazon Cognito invokes the function that is assigned to the
1976
+ # *custom message* trigger. When Amazon Cognito invokes this function,
1977
+ # it passes a JSON payload, which the function receives as input. This
1978
+ # payload contains a `clientMetadata` attribute, which provides the
1979
+ # data that you assigned to the ClientMetadata parameter in your
1980
+ # AdminUpdateUserAttributes request. In your function code in AWS
1981
+ # Lambda, you can process the `clientMetadata` value to enhance your
1982
+ # workflow for your specific needs.
1983
+ #
1984
+ # For more information, see [Customizing User Pool Workflows with
1985
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
1986
+ #
1987
+ # <note markdown="1"> Take the following limitations into consideration when you use the
1988
+ # ClientMetadata parameter:
1989
+ #
1990
+ # * Amazon Cognito does not store the ClientMetadata value. This data
1991
+ # is available only to AWS Lambda triggers that are assigned to a
1992
+ # user pool to support custom workflows. If your user pool
1993
+ # configuration does not include triggers, the ClientMetadata
1994
+ # parameter serves no purpose.
1995
+ #
1996
+ # * Amazon Cognito does not validate the ClientMetadata value.
1997
+ #
1998
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
1999
+ # don't use it to provide sensitive information.
2000
+ #
2001
+ # </note>
2002
+ #
2003
+ #
2004
+ #
2005
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
2006
+ # @return [Hash<String,String>]
2007
+ #
1723
2008
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminUpdateUserAttributesRequest AWS API Documentation
1724
2009
  #
1725
2010
  class AdminUpdateUserAttributesRequest < Struct.new(
1726
2011
  :user_pool_id,
1727
2012
  :username,
1728
- :user_attributes)
2013
+ :user_attributes,
2014
+ :client_metadata)
1729
2015
  include Aws::Structure
1730
2016
  end
1731
2017
 
@@ -2251,6 +2537,9 @@ module Aws::CognitoIdentityProvider
2251
2537
  # user_context_data: {
2252
2538
  # encoded_data: "StringType",
2253
2539
  # },
2540
+ # client_metadata: {
2541
+ # "StringType" => "StringType",
2542
+ # },
2254
2543
  # }
2255
2544
  #
2256
2545
  # @!attribute [rw] client_id
@@ -2289,6 +2578,46 @@ module Aws::CognitoIdentityProvider
2289
2578
  # Amazon Cognito advanced security.
2290
2579
  # @return [Types::UserContextDataType]
2291
2580
  #
2581
+ # @!attribute [rw] client_metadata
2582
+ # A map of custom key-value pairs that you can provide as input for
2583
+ # any custom workflows that this action triggers.
2584
+ #
2585
+ # You create custom workflows by assigning AWS Lambda functions to
2586
+ # user pool triggers. When you use the ConfirmForgotPassword API
2587
+ # action, Amazon Cognito invokes the functions that are assigned to
2588
+ # the *post confirmation* and *pre mutation* triggers. When Amazon
2589
+ # Cognito invokes either of these functions, it passes a JSON payload,
2590
+ # which the function receives as input. This payload contains a
2591
+ # `clientMetadata` attribute, which provides the data that you
2592
+ # assigned to the ClientMetadata parameter in your
2593
+ # ConfirmForgotPassword request. In your function code in AWS Lambda,
2594
+ # you can process the `clientMetadata` value to enhance your workflow
2595
+ # for your specific needs.
2596
+ #
2597
+ # For more information, see [Customizing User Pool Workflows with
2598
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
2599
+ #
2600
+ # <note markdown="1"> Take the following limitations into consideration when you use the
2601
+ # ClientMetadata parameter:
2602
+ #
2603
+ # * Amazon Cognito does not store the ClientMetadata value. This data
2604
+ # is available only to AWS Lambda triggers that are assigned to a
2605
+ # user pool to support custom workflows. If your user pool
2606
+ # configuration does not include triggers, the ClientMetadata
2607
+ # parameter serves no purpose.
2608
+ #
2609
+ # * Amazon Cognito does not validate the ClientMetadata value.
2610
+ #
2611
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
2612
+ # don't use it to provide sensitive information.
2613
+ #
2614
+ # </note>
2615
+ #
2616
+ #
2617
+ #
2618
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
2619
+ # @return [Hash<String,String>]
2620
+ #
2292
2621
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ConfirmForgotPasswordRequest AWS API Documentation
2293
2622
  #
2294
2623
  class ConfirmForgotPasswordRequest < Struct.new(
@@ -2298,7 +2627,8 @@ module Aws::CognitoIdentityProvider
2298
2627
  :confirmation_code,
2299
2628
  :password,
2300
2629
  :analytics_metadata,
2301
- :user_context_data)
2630
+ :user_context_data,
2631
+ :client_metadata)
2302
2632
  include Aws::Structure
2303
2633
  end
2304
2634
 
@@ -2326,6 +2656,9 @@ module Aws::CognitoIdentityProvider
2326
2656
  # user_context_data: {
2327
2657
  # encoded_data: "StringType",
2328
2658
  # },
2659
+ # client_metadata: {
2660
+ # "StringType" => "StringType",
2661
+ # },
2329
2662
  # }
2330
2663
  #
2331
2664
  # @!attribute [rw] client_id
@@ -2368,6 +2701,45 @@ module Aws::CognitoIdentityProvider
2368
2701
  # Amazon Cognito advanced security.
2369
2702
  # @return [Types::UserContextDataType]
2370
2703
  #
2704
+ # @!attribute [rw] client_metadata
2705
+ # A map of custom key-value pairs that you can provide as input for
2706
+ # any custom workflows that this action triggers.
2707
+ #
2708
+ # You create custom workflows by assigning AWS Lambda functions to
2709
+ # user pool triggers. When you use the ConfirmSignUp API action,
2710
+ # Amazon Cognito invokes the function that is assigned to the *post
2711
+ # confirmation* trigger. When Amazon Cognito invokes this function, it
2712
+ # passes a JSON payload, which the function receives as input. This
2713
+ # payload contains a `clientMetadata` attribute, which provides the
2714
+ # data that you assigned to the ClientMetadata parameter in your
2715
+ # ConfirmSignUp request. In your function code in AWS Lambda, you can
2716
+ # process the `clientMetadata` value to enhance your workflow for your
2717
+ # specific needs.
2718
+ #
2719
+ # For more information, see [Customizing User Pool Workflows with
2720
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
2721
+ #
2722
+ # <note markdown="1"> Take the following limitations into consideration when you use the
2723
+ # ClientMetadata parameter:
2724
+ #
2725
+ # * Amazon Cognito does not store the ClientMetadata value. This data
2726
+ # is available only to AWS Lambda triggers that are assigned to a
2727
+ # user pool to support custom workflows. If your user pool
2728
+ # configuration does not include triggers, the ClientMetadata
2729
+ # parameter serves no purpose.
2730
+ #
2731
+ # * Amazon Cognito does not validate the ClientMetadata value.
2732
+ #
2733
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
2734
+ # don't use it to provide sensitive information.
2735
+ #
2736
+ # </note>
2737
+ #
2738
+ #
2739
+ #
2740
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
2741
+ # @return [Hash<String,String>]
2742
+ #
2371
2743
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ConfirmSignUpRequest AWS API Documentation
2372
2744
  #
2373
2745
  class ConfirmSignUpRequest < Struct.new(
@@ -2377,7 +2749,8 @@ module Aws::CognitoIdentityProvider
2377
2749
  :confirmation_code,
2378
2750
  :force_alias_creation,
2379
2751
  :analytics_metadata,
2380
- :user_context_data)
2752
+ :user_context_data,
2753
+ :client_metadata)
2381
2754
  include Aws::Structure
2382
2755
  end
2383
2756
 
@@ -2816,7 +3189,9 @@ module Aws::CognitoIdentityProvider
2816
3189
  #
2817
3190
  # @!attribute [rw] allowed_o_auth_scopes
2818
3191
  # A list of allowed `OAuth` scopes. Currently supported values are
2819
- # `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
3192
+ # `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
3193
+ # these values, custom scopes created in Resource Servers are also
3194
+ # supported.
2820
3195
  # @return [Array<String>]
2821
3196
  #
2822
3197
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -4008,6 +4383,9 @@ module Aws::CognitoIdentityProvider
4008
4383
  # analytics_metadata: {
4009
4384
  # analytics_endpoint_id: "StringType",
4010
4385
  # },
4386
+ # client_metadata: {
4387
+ # "StringType" => "StringType",
4388
+ # },
4011
4389
  # }
4012
4390
  #
4013
4391
  # @!attribute [rw] client_id
@@ -4036,6 +4414,46 @@ module Aws::CognitoIdentityProvider
4036
4414
  # `ForgotPassword` calls.
4037
4415
  # @return [Types::AnalyticsMetadataType]
4038
4416
  #
4417
+ # @!attribute [rw] client_metadata
4418
+ # A map of custom key-value pairs that you can provide as input for
4419
+ # any custom workflows that this action triggers.
4420
+ #
4421
+ # You create custom workflows by assigning AWS Lambda functions to
4422
+ # user pool triggers. When you use the ForgotPassword API action,
4423
+ # Amazon Cognito invokes any functions that are assigned to the
4424
+ # following triggers: *pre sign-up*, *custom message*, and *user
4425
+ # migration*. When Amazon Cognito invokes any of these functions, it
4426
+ # passes a JSON payload, which the function receives as input. This
4427
+ # payload contains a `clientMetadata` attribute, which provides the
4428
+ # data that you assigned to the ClientMetadata parameter in your
4429
+ # ForgotPassword request. In your function code in AWS Lambda, you can
4430
+ # process the `clientMetadata` value to enhance your workflow for your
4431
+ # specific needs.
4432
+ #
4433
+ # For more information, see [Customizing User Pool Workflows with
4434
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
4435
+ #
4436
+ # <note markdown="1"> Take the following limitations into consideration when you use the
4437
+ # ClientMetadata parameter:
4438
+ #
4439
+ # * Amazon Cognito does not store the ClientMetadata value. This data
4440
+ # is available only to AWS Lambda triggers that are assigned to a
4441
+ # user pool to support custom workflows. If your user pool
4442
+ # configuration does not include triggers, the ClientMetadata
4443
+ # parameter serves no purpose.
4444
+ #
4445
+ # * Amazon Cognito does not validate the ClientMetadata value.
4446
+ #
4447
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
4448
+ # don't use it to provide sensitive information.
4449
+ #
4450
+ # </note>
4451
+ #
4452
+ #
4453
+ #
4454
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
4455
+ # @return [Hash<String,String>]
4456
+ #
4039
4457
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ForgotPasswordRequest AWS API Documentation
4040
4458
  #
4041
4459
  class ForgotPasswordRequest < Struct.new(
@@ -4043,7 +4461,8 @@ module Aws::CognitoIdentityProvider
4043
4461
  :secret_hash,
4044
4462
  :user_context_data,
4045
4463
  :username,
4046
- :analytics_metadata)
4464
+ :analytics_metadata,
4465
+ :client_metadata)
4047
4466
  include Aws::Structure
4048
4467
  end
4049
4468
 
@@ -4289,6 +4708,9 @@ module Aws::CognitoIdentityProvider
4289
4708
  # {
4290
4709
  # access_token: "TokenModelType", # required
4291
4710
  # attribute_name: "AttributeNameType", # required
4711
+ # client_metadata: {
4712
+ # "StringType" => "StringType",
4713
+ # },
4292
4714
  # }
4293
4715
  #
4294
4716
  # @!attribute [rw] access_token
@@ -4301,11 +4723,52 @@ module Aws::CognitoIdentityProvider
4301
4723
  # attribute verification code.
4302
4724
  # @return [String]
4303
4725
  #
4726
+ # @!attribute [rw] client_metadata
4727
+ # A map of custom key-value pairs that you can provide as input for
4728
+ # any custom workflows that this action triggers.
4729
+ #
4730
+ # You create custom workflows by assigning AWS Lambda functions to
4731
+ # user pool triggers. When you use the
4732
+ # GetUserAttributeVerificationCode API action, Amazon Cognito invokes
4733
+ # the function that is assigned to the *custom message* trigger. When
4734
+ # Amazon Cognito invokes this function, it passes a JSON payload,
4735
+ # which the function receives as input. This payload contains a
4736
+ # `clientMetadata` attribute, which provides the data that you
4737
+ # assigned to the ClientMetadata parameter in your
4738
+ # GetUserAttributeVerificationCode request. In your function code in
4739
+ # AWS Lambda, you can process the `clientMetadata` value to enhance
4740
+ # your workflow for your specific needs.
4741
+ #
4742
+ # For more information, see [Customizing User Pool Workflows with
4743
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
4744
+ #
4745
+ # <note markdown="1"> Take the following limitations into consideration when you use the
4746
+ # ClientMetadata parameter:
4747
+ #
4748
+ # * Amazon Cognito does not store the ClientMetadata value. This data
4749
+ # is available only to AWS Lambda triggers that are assigned to a
4750
+ # user pool to support custom workflows. If your user pool
4751
+ # configuration does not include triggers, the ClientMetadata
4752
+ # parameter serves no purpose.
4753
+ #
4754
+ # * Amazon Cognito does not validate the ClientMetadata value.
4755
+ #
4756
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
4757
+ # don't use it to provide sensitive information.
4758
+ #
4759
+ # </note>
4760
+ #
4761
+ #
4762
+ #
4763
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
4764
+ # @return [Hash<String,String>]
4765
+ #
4304
4766
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserAttributeVerificationCodeRequest AWS API Documentation
4305
4767
  #
4306
4768
  class GetUserAttributeVerificationCodeRequest < Struct.new(
4307
4769
  :access_token,
4308
- :attribute_name)
4770
+ :attribute_name,
4771
+ :client_metadata)
4309
4772
  include Aws::Structure
4310
4773
  end
4311
4774
 
@@ -4351,7 +4814,14 @@ module Aws::CognitoIdentityProvider
4351
4814
  # @return [Types::SoftwareTokenMfaConfigType]
4352
4815
  #
4353
4816
  # @!attribute [rw] mfa_configuration
4354
- # The multi-factor (MFA) configuration.
4817
+ # The multi-factor (MFA) configuration. Valid values include:
4818
+ #
4819
+ # * `OFF` MFA will not be used for any users.
4820
+ #
4821
+ # * `ON` MFA is required for all users to sign in.
4822
+ #
4823
+ # * `OPTIONAL` MFA will be required only for individual users who have
4824
+ # an MFA factor enabled.
4355
4825
  # @return [String]
4356
4826
  #
4357
4827
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserPoolMfaConfigResponse AWS API Documentation
@@ -4400,7 +4870,11 @@ module Aws::CognitoIdentityProvider
4400
4870
  # @return [Array<Types::AttributeType>]
4401
4871
  #
4402
4872
  # @!attribute [rw] mfa_options
4403
- # Specifies the options for MFA (e.g., email or phone number).
4873
+ # *This response parameter is no longer supported.* It provides
4874
+ # information only about SMS MFA configurations. It doesn't provide
4875
+ # information about TOTP software token MFA configurations. To look up
4876
+ # information about either type of MFA configuration, use the use the
4877
+ # GetUserResponse$UserMFASettingList response instead.
4404
4878
  # @return [Array<Types::MFAOptionType>]
4405
4879
  #
4406
4880
  # @!attribute [rw] preferred_mfa_setting
@@ -4408,7 +4882,8 @@ module Aws::CognitoIdentityProvider
4408
4882
  # @return [String]
4409
4883
  #
4410
4884
  # @!attribute [rw] user_mfa_setting_list
4411
- # The list of the user's MFA settings.
4885
+ # The MFA options that are enabled for the user. The possible values
4886
+ # in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
4412
4887
  # @return [Array<String>]
4413
4888
  #
4414
4889
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserResponse AWS API Documentation
@@ -4668,10 +5143,67 @@ module Aws::CognitoIdentityProvider
4668
5143
  # @return [Hash<String,String>]
4669
5144
  #
4670
5145
  # @!attribute [rw] client_metadata
4671
- # This is a random key-value pair map which can contain any key and
4672
- # will be passed to your PreAuthentication Lambda trigger as-is. It
4673
- # can be used to implement additional validations around
4674
- # authentication.
5146
+ # A map of custom key-value pairs that you can provide as input for
5147
+ # certain custom workflows that this action triggers.
5148
+ #
5149
+ # You create custom workflows by assigning AWS Lambda functions to
5150
+ # user pool triggers. When you use the InitiateAuth API action, Amazon
5151
+ # Cognito invokes the AWS Lambda functions that are specified for
5152
+ # various triggers. The ClientMetadata value is passed as input to the
5153
+ # functions for only the following triggers:
5154
+ #
5155
+ # * Pre signup
5156
+ #
5157
+ # * Pre authentication
5158
+ #
5159
+ # * User migration
5160
+ #
5161
+ # When Amazon Cognito invokes the functions for these triggers, it
5162
+ # passes a JSON payload, which the function receives as input. This
5163
+ # payload contains a `validationData` attribute, which provides the
5164
+ # data that you assigned to the ClientMetadata parameter in your
5165
+ # InitiateAuth request. In your function code in AWS Lambda, you can
5166
+ # process the `validationData` value to enhance your workflow for your
5167
+ # specific needs.
5168
+ #
5169
+ # When you use the InitiateAuth API action, Amazon Cognito also
5170
+ # invokes the functions for the following triggers, but it does not
5171
+ # provide the ClientMetadata value as input:
5172
+ #
5173
+ # * Post authentication
5174
+ #
5175
+ # * Custom message
5176
+ #
5177
+ # * Pre token generation
5178
+ #
5179
+ # * Create auth challenge
5180
+ #
5181
+ # * Define auth challenge
5182
+ #
5183
+ # * Verify auth challenge
5184
+ #
5185
+ # For more information, see [Customizing User Pool Workflows with
5186
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
5187
+ #
5188
+ # <note markdown="1"> Take the following limitations into consideration when you use the
5189
+ # ClientMetadata parameter:
5190
+ #
5191
+ # * Amazon Cognito does not store the ClientMetadata value. This data
5192
+ # is available only to AWS Lambda triggers that are assigned to a
5193
+ # user pool to support custom workflows. If your user pool
5194
+ # configuration does not include triggers, the ClientMetadata
5195
+ # parameter serves no purpose.
5196
+ #
5197
+ # * Amazon Cognito does not validate the ClientMetadata value.
5198
+ #
5199
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
5200
+ # don't use it to provide sensitive information.
5201
+ #
5202
+ # </note>
5203
+ #
5204
+ #
5205
+ #
5206
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
4675
5207
  # @return [Hash<String,String>]
4676
5208
  #
4677
5209
  # @!attribute [rw] client_id
@@ -5515,8 +6047,8 @@ module Aws::CognitoIdentityProvider
5515
6047
  #
5516
6048
  #
5517
6049
  #
5518
- # [1]: http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api
5519
- # [2]: http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples
6050
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api
6051
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples
5520
6052
  # @return [String]
5521
6053
  #
5522
6054
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersRequest AWS API Documentation
@@ -5565,8 +6097,16 @@ module Aws::CognitoIdentityProvider
5565
6097
  include Aws::Structure
5566
6098
  end
5567
6099
 
5568
- # Specifies the different settings for multi-factor authentication
5569
- # (MFA).
6100
+ # *This data type is no longer supported.* You can use it only for SMS
6101
+ # MFA configurations. You can't use it for TOTP software token MFA
6102
+ # configurations.
6103
+ #
6104
+ # To set either type of MFA configuration, use the
6105
+ # AdminSetUserMFAPreference or SetUserMFAPreference actions.
6106
+ #
6107
+ # To look up information about either type of MFA configuration, use the
6108
+ # AdminGetUserResponse$UserMFASettingList or
6109
+ # GetUserResponse$UserMFASettingList responses.
5570
6110
  #
5571
6111
  # @note When making an API call, you may pass MFAOptionType
5572
6112
  # data as a hash:
@@ -5577,12 +6117,13 @@ module Aws::CognitoIdentityProvider
5577
6117
  # }
5578
6118
  #
5579
6119
  # @!attribute [rw] delivery_medium
5580
- # The delivery medium (email message or SMS message) to send the MFA
5581
- # code.
6120
+ # The delivery medium to send the MFA code. You can use this parameter
6121
+ # to set only the `SMS` delivery medium value.
5582
6122
  # @return [String]
5583
6123
  #
5584
6124
  # @!attribute [rw] attribute_name
5585
- # The attribute name of the MFA option type.
6125
+ # The attribute name of the MFA option type. The only valid value is
6126
+ # `phone_number`.
5586
6127
  # @return [String]
5587
6128
  #
5588
6129
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/MFAOptionType AWS API Documentation
@@ -5825,6 +6366,15 @@ module Aws::CognitoIdentityProvider
5825
6366
  # @return [Boolean]
5826
6367
  #
5827
6368
  # @!attribute [rw] temporary_password_validity_days
6369
+ # In the password policy you have set, refers to the number of days a
6370
+ # temporary password is valid. If the user does not sign-in during
6371
+ # this time, their password will need to be reset by an administrator.
6372
+ #
6373
+ # <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
6374
+ # will no longer be able to set the deprecated
6375
+ # `UnusedAccountValidityDays` value for that user pool.
6376
+ #
6377
+ # </note>
5828
6378
  # @return [Integer]
5829
6379
  #
5830
6380
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/PasswordPolicyType AWS API Documentation
@@ -5944,6 +6494,9 @@ module Aws::CognitoIdentityProvider
5944
6494
  # analytics_metadata: {
5945
6495
  # analytics_endpoint_id: "StringType",
5946
6496
  # },
6497
+ # client_metadata: {
6498
+ # "StringType" => "StringType",
6499
+ # },
5947
6500
  # }
5948
6501
  #
5949
6502
  # @!attribute [rw] client_id
@@ -5972,6 +6525,45 @@ module Aws::CognitoIdentityProvider
5972
6525
  # `ResendConfirmationCode` calls.
5973
6526
  # @return [Types::AnalyticsMetadataType]
5974
6527
  #
6528
+ # @!attribute [rw] client_metadata
6529
+ # A map of custom key-value pairs that you can provide as input for
6530
+ # any custom workflows that this action triggers.
6531
+ #
6532
+ # You create custom workflows by assigning AWS Lambda functions to
6533
+ # user pool triggers. When you use the ResendConfirmationCode API
6534
+ # action, Amazon Cognito invokes the function that is assigned to the
6535
+ # *custom message* trigger. When Amazon Cognito invokes this function,
6536
+ # it passes a JSON payload, which the function receives as input. This
6537
+ # payload contains a `clientMetadata` attribute, which provides the
6538
+ # data that you assigned to the ClientMetadata parameter in your
6539
+ # ResendConfirmationCode request. In your function code in AWS Lambda,
6540
+ # you can process the `clientMetadata` value to enhance your workflow
6541
+ # for your specific needs.
6542
+ #
6543
+ # For more information, see [Customizing User Pool Workflows with
6544
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
6545
+ #
6546
+ # <note markdown="1"> Take the following limitations into consideration when you use the
6547
+ # ClientMetadata parameter:
6548
+ #
6549
+ # * Amazon Cognito does not store the ClientMetadata value. This data
6550
+ # is available only to AWS Lambda triggers that are assigned to a
6551
+ # user pool to support custom workflows. If your user pool
6552
+ # configuration does not include triggers, the ClientMetadata
6553
+ # parameter serves no purpose.
6554
+ #
6555
+ # * Amazon Cognito does not validate the ClientMetadata value.
6556
+ #
6557
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
6558
+ # don't use it to provide sensitive information.
6559
+ #
6560
+ # </note>
6561
+ #
6562
+ #
6563
+ #
6564
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
6565
+ # @return [Hash<String,String>]
6566
+ #
5975
6567
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ResendConfirmationCodeRequest AWS API Documentation
5976
6568
  #
5977
6569
  class ResendConfirmationCodeRequest < Struct.new(
@@ -5979,7 +6571,8 @@ module Aws::CognitoIdentityProvider
5979
6571
  :secret_hash,
5980
6572
  :user_context_data,
5981
6573
  :username,
5982
- :analytics_metadata)
6574
+ :analytics_metadata,
6575
+ :client_metadata)
5983
6576
  include Aws::Structure
5984
6577
  end
5985
6578
 
@@ -6085,6 +6678,9 @@ module Aws::CognitoIdentityProvider
6085
6678
  # user_context_data: {
6086
6679
  # encoded_data: "StringType",
6087
6680
  # },
6681
+ # client_metadata: {
6682
+ # "StringType" => "StringType",
6683
+ # },
6088
6684
  # }
6089
6685
  #
6090
6686
  # @!attribute [rw] client_id
@@ -6110,16 +6706,27 @@ module Aws::CognitoIdentityProvider
6110
6706
  # The challenge responses. These are inputs corresponding to the value
6111
6707
  # of `ChallengeName`, for example:
6112
6708
  #
6113
- # * `SMS_MFA`\: `SMS_MFA_CODE`, `USERNAME`, `SECRET_HASH` (if app
6114
- # client is configured with client secret).
6709
+ # <note markdown="1"> `SECRET_HASH` (if app client is configured with client secret)
6710
+ # applies to all inputs below (including `SOFTWARE_TOKEN_MFA`).
6711
+ #
6712
+ # </note>
6713
+ #
6714
+ # * `SMS_MFA`\: `SMS_MFA_CODE`, `USERNAME`.
6115
6715
  #
6116
6716
  # * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
6117
- # `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`,
6118
- # `SECRET_HASH` (if app client is configured with client secret).
6717
+ # `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
6119
6718
  #
6120
6719
  # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
6121
- # attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
6122
- # with client secret).
6720
+ # attributes, `USERNAME`.
6721
+ #
6722
+ # * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE`
6723
+ # are required attributes.
6724
+ #
6725
+ # * `DEVICE_SRP_AUTH` requires `USERNAME`, `DEVICE_KEY`, `SRP_A` (and
6726
+ # `SECRET_HASH`).
6727
+ #
6728
+ # * `DEVICE_PASSWORD_VERIFIER` requires everything that
6729
+ # `PASSWORD_VERIFIER` requires plus `DEVICE_KEY`.
6123
6730
  # @return [Hash<String,String>]
6124
6731
  #
6125
6732
  # @!attribute [rw] analytics_metadata
@@ -6133,6 +6740,47 @@ module Aws::CognitoIdentityProvider
6133
6740
  # Amazon Cognito advanced security.
6134
6741
  # @return [Types::UserContextDataType]
6135
6742
  #
6743
+ # @!attribute [rw] client_metadata
6744
+ # A map of custom key-value pairs that you can provide as input for
6745
+ # any custom workflows that this action triggers.
6746
+ #
6747
+ # You create custom workflows by assigning AWS Lambda functions to
6748
+ # user pool triggers. When you use the RespondToAuthChallenge API
6749
+ # action, Amazon Cognito invokes any functions that are assigned to
6750
+ # the following triggers: *post authentication*, *pre token
6751
+ # generation*, *define auth challenge*, *create auth challenge*, and
6752
+ # *verify auth challenge*. When Amazon Cognito invokes any of these
6753
+ # functions, it passes a JSON payload, which the function receives as
6754
+ # input. This payload contains a `clientMetadata` attribute, which
6755
+ # provides the data that you assigned to the ClientMetadata parameter
6756
+ # in your RespondToAuthChallenge request. In your function code in AWS
6757
+ # Lambda, you can process the `clientMetadata` value to enhance your
6758
+ # workflow for your specific needs.
6759
+ #
6760
+ # For more information, see [Customizing User Pool Workflows with
6761
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
6762
+ #
6763
+ # <note markdown="1"> Take the following limitations into consideration when you use the
6764
+ # ClientMetadata parameter:
6765
+ #
6766
+ # * Amazon Cognito does not store the ClientMetadata value. This data
6767
+ # is available only to AWS Lambda triggers that are assigned to a
6768
+ # user pool to support custom workflows. If your user pool
6769
+ # configuration does not include triggers, the ClientMetadata
6770
+ # parameter serves no purpose.
6771
+ #
6772
+ # * Amazon Cognito does not validate the ClientMetadata value.
6773
+ #
6774
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
6775
+ # don't use it to provide sensitive information.
6776
+ #
6777
+ # </note>
6778
+ #
6779
+ #
6780
+ #
6781
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
6782
+ # @return [Hash<String,String>]
6783
+ #
6136
6784
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RespondToAuthChallengeRequest AWS API Documentation
6137
6785
  #
6138
6786
  class RespondToAuthChallengeRequest < Struct.new(
@@ -6141,7 +6789,8 @@ module Aws::CognitoIdentityProvider
6141
6789
  :session,
6142
6790
  :challenge_responses,
6143
6791
  :analytics_metadata,
6144
- :user_context_data)
6792
+ :user_context_data,
6793
+ :client_metadata)
6145
6794
  include Aws::Structure
6146
6795
  end
6147
6796
 
@@ -6248,7 +6897,7 @@ module Aws::CognitoIdentityProvider
6248
6897
  include Aws::Structure
6249
6898
  end
6250
6899
 
6251
- # The SMS multi-factor authentication (MFA) settings type.
6900
+ # The type used for enabling SMS MFA at the user level.
6252
6901
  #
6253
6902
  # @note When making an API call, you may pass SMSMfaSettingsType
6254
6903
  # data as a hash:
@@ -6263,7 +6912,7 @@ module Aws::CognitoIdentityProvider
6263
6912
  # @return [Boolean]
6264
6913
  #
6265
6914
  # @!attribute [rw] preferred_mfa
6266
- # The preferred MFA method.
6915
+ # Specifies whether SMS is the preferred MFA method.
6267
6916
  # @return [Boolean]
6268
6917
  #
6269
6918
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SMSMfaSettingsType AWS API Documentation
@@ -6536,7 +7185,7 @@ module Aws::CognitoIdentityProvider
6536
7185
  # @return [Types::SoftwareTokenMfaSettingsType]
6537
7186
  #
6538
7187
  # @!attribute [rw] access_token
6539
- # The access token.
7188
+ # The access token for the user.
6540
7189
  # @return [String]
6541
7190
  #
6542
7191
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserMFAPreferenceRequest AWS API Documentation
@@ -6583,7 +7232,14 @@ module Aws::CognitoIdentityProvider
6583
7232
  # @return [Types::SoftwareTokenMfaConfigType]
6584
7233
  #
6585
7234
  # @!attribute [rw] mfa_configuration
6586
- # The MFA configuration.
7235
+ # The MFA configuration. Valid values include:
7236
+ #
7237
+ # * `OFF` MFA will not be used for any users.
7238
+ #
7239
+ # * `ON` MFA is required for all users to sign in.
7240
+ #
7241
+ # * `OPTIONAL` MFA will be required only for individual users who have
7242
+ # an MFA factor enabled.
6587
7243
  # @return [String]
6588
7244
  #
6589
7245
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserPoolMfaConfigRequest AWS API Documentation
@@ -6605,7 +7261,14 @@ module Aws::CognitoIdentityProvider
6605
7261
  # @return [Types::SoftwareTokenMfaConfigType]
6606
7262
  #
6607
7263
  # @!attribute [rw] mfa_configuration
6608
- # The MFA configuration.
7264
+ # The MFA configuration. Valid values include:
7265
+ #
7266
+ # * `OFF` MFA will not be used for any users.
7267
+ #
7268
+ # * `ON` MFA is required for all users to sign in.
7269
+ #
7270
+ # * `OPTIONAL` MFA will be required only for individual users who have
7271
+ # an MFA factor enabled.
6609
7272
  # @return [String]
6610
7273
  #
6611
7274
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserPoolMfaConfigResponse AWS API Documentation
@@ -6637,7 +7300,8 @@ module Aws::CognitoIdentityProvider
6637
7300
  # @return [String]
6638
7301
  #
6639
7302
  # @!attribute [rw] mfa_options
6640
- # Specifies the options for MFA (e.g., email or phone number).
7303
+ # You can use this parameter only to set an SMS configuration that
7304
+ # uses SMS for delivery.
6641
7305
  # @return [Array<Types::MFAOptionType>]
6642
7306
  #
6643
7307
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserSettingsRequest AWS API Documentation
@@ -6682,6 +7346,9 @@ module Aws::CognitoIdentityProvider
6682
7346
  # user_context_data: {
6683
7347
  # encoded_data: "StringType",
6684
7348
  # },
7349
+ # client_metadata: {
7350
+ # "StringType" => "StringType",
7351
+ # },
6685
7352
  # }
6686
7353
  #
6687
7354
  # @!attribute [rw] client_id
@@ -6724,6 +7391,46 @@ module Aws::CognitoIdentityProvider
6724
7391
  # Amazon Cognito advanced security.
6725
7392
  # @return [Types::UserContextDataType]
6726
7393
  #
7394
+ # @!attribute [rw] client_metadata
7395
+ # A map of custom key-value pairs that you can provide as input for
7396
+ # any custom workflows that this action triggers.
7397
+ #
7398
+ # You create custom workflows by assigning AWS Lambda functions to
7399
+ # user pool triggers. When you use the SignUp API action, Amazon
7400
+ # Cognito invokes any functions that are assigned to the following
7401
+ # triggers: *pre sign-up*, *custom message*, and *post confirmation*.
7402
+ # When Amazon Cognito invokes any of these functions, it passes a JSON
7403
+ # payload, which the function receives as input. This payload contains
7404
+ # a `clientMetadata` attribute, which provides the data that you
7405
+ # assigned to the ClientMetadata parameter in your SignUp request. In
7406
+ # your function code in AWS Lambda, you can process the
7407
+ # `clientMetadata` value to enhance your workflow for your specific
7408
+ # needs.
7409
+ #
7410
+ # For more information, see [Customizing User Pool Workflows with
7411
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
7412
+ #
7413
+ # <note markdown="1"> Take the following limitations into consideration when you use the
7414
+ # ClientMetadata parameter:
7415
+ #
7416
+ # * Amazon Cognito does not store the ClientMetadata value. This data
7417
+ # is available only to AWS Lambda triggers that are assigned to a
7418
+ # user pool to support custom workflows. If your user pool
7419
+ # configuration does not include triggers, the ClientMetadata
7420
+ # parameter serves no purpose.
7421
+ #
7422
+ # * Amazon Cognito does not validate the ClientMetadata value.
7423
+ #
7424
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
7425
+ # don't use it to provide sensitive information.
7426
+ #
7427
+ # </note>
7428
+ #
7429
+ #
7430
+ #
7431
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
7432
+ # @return [Hash<String,String>]
7433
+ #
6727
7434
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SignUpRequest AWS API Documentation
6728
7435
  #
6729
7436
  class SignUpRequest < Struct.new(
@@ -6734,7 +7441,8 @@ module Aws::CognitoIdentityProvider
6734
7441
  :user_attributes,
6735
7442
  :validation_data,
6736
7443
  :analytics_metadata,
6737
- :user_context_data)
7444
+ :user_context_data,
7445
+ :client_metadata)
6738
7446
  include Aws::Structure
6739
7447
  end
6740
7448
 
@@ -6764,7 +7472,11 @@ module Aws::CognitoIdentityProvider
6764
7472
  include Aws::Structure
6765
7473
  end
6766
7474
 
6767
- # The SMS configuration type.
7475
+ # The SMS configuration type that includes the settings the Cognito User
7476
+ # Pool needs to call for the Amazon SNS service to send an SMS message
7477
+ # from your AWS account. The Cognito User Pool makes the request to the
7478
+ # Amazon SNS Service by using an AWS IAM role that you provide for your
7479
+ # AWS account.
6768
7480
  #
6769
7481
  # @note When making an API call, you may pass SmsConfigurationType
6770
7482
  # data as a hash:
@@ -6776,11 +7488,20 @@ module Aws::CognitoIdentityProvider
6776
7488
  #
6777
7489
  # @!attribute [rw] sns_caller_arn
6778
7490
  # The Amazon Resource Name (ARN) of the Amazon Simple Notification
6779
- # Service (SNS) caller.
7491
+ # Service (SNS) caller. This is the ARN of the IAM role in your AWS
7492
+ # account which Cognito will use to send SMS messages.
6780
7493
  # @return [String]
6781
7494
  #
6782
7495
  # @!attribute [rw] external_id
6783
- # The external ID.
7496
+ # The external ID is a value that we recommend you use to add security
7497
+ # to your IAM role which is used to call Amazon SNS to send SMS
7498
+ # messages for your user pool. If you provide an `ExternalId`, the
7499
+ # Cognito User Pool will include it when attempting to assume your IAM
7500
+ # role, so that you can set your roles trust policy to require the
7501
+ # `ExternalID`. If you use the Cognito Management Console to create a
7502
+ # role for SMS MFA, Cognito will create a role with the required
7503
+ # permissions and a trust policy that demonstrates use of the
7504
+ # `ExternalId`.
6784
7505
  # @return [String]
6785
7506
  #
6786
7507
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SmsConfigurationType AWS API Documentation
@@ -6806,7 +7527,10 @@ module Aws::CognitoIdentityProvider
6806
7527
  # }
6807
7528
  #
6808
7529
  # @!attribute [rw] sms_authentication_message
6809
- # The SMS authentication message.
7530
+ # The SMS authentication message that will be sent to users with the
7531
+ # code they need to sign in. The message must contain the
7532
+ # ‘\\\{####\\}’ placeholder, which will be replaced with the code. If
7533
+ # the message is not included, and default message will be used.
6810
7534
  # @return [String]
6811
7535
  #
6812
7536
  # @!attribute [rw] sms_configuration
@@ -6869,7 +7593,7 @@ module Aws::CognitoIdentityProvider
6869
7593
  # @return [Boolean]
6870
7594
  #
6871
7595
  # @!attribute [rw] preferred_mfa
6872
- # The preferred MFA method.
7596
+ # Specifies whether software token MFA is the preferred MFA method.
6873
7597
  # @return [Boolean]
6874
7598
  #
6875
7599
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SoftwareTokenMfaSettingsType AWS API Documentation
@@ -6993,7 +7717,7 @@ module Aws::CognitoIdentityProvider
6993
7717
  #
6994
7718
  # {
6995
7719
  # resource_arn: "ArnType", # required
6996
- # tags: {
7720
+ # tags: { # required
6997
7721
  # "TagKeysType" => "TagValueType",
6998
7722
  # },
6999
7723
  # }
@@ -7139,7 +7863,7 @@ module Aws::CognitoIdentityProvider
7139
7863
  #
7140
7864
  # {
7141
7865
  # resource_arn: "ArnType", # required
7142
- # tag_keys: ["TagKeysType"],
7866
+ # tag_keys: ["TagKeysType"], # required
7143
7867
  # }
7144
7868
  #
7145
7869
  # @!attribute [rw] resource_arn
@@ -7425,6 +8149,9 @@ module Aws::CognitoIdentityProvider
7425
8149
  # },
7426
8150
  # ],
7427
8151
  # access_token: "TokenModelType", # required
8152
+ # client_metadata: {
8153
+ # "StringType" => "StringType",
8154
+ # },
7428
8155
  # }
7429
8156
  #
7430
8157
  # @!attribute [rw] user_attributes
@@ -7438,11 +8165,52 @@ module Aws::CognitoIdentityProvider
7438
8165
  # The access token for the request to update user attributes.
7439
8166
  # @return [String]
7440
8167
  #
8168
+ # @!attribute [rw] client_metadata
8169
+ # A map of custom key-value pairs that you can provide as input for
8170
+ # any custom workflows that this action triggers.
8171
+ #
8172
+ # You create custom workflows by assigning AWS Lambda functions to
8173
+ # user pool triggers. When you use the UpdateUserAttributes API
8174
+ # action, Amazon Cognito invokes the functions that are assigned to
8175
+ # the *custom message* and *pre mutation* triggers. When Amazon
8176
+ # Cognito invokes either of these functions, it passes a JSON payload,
8177
+ # which the function receives as input. This payload contains a
8178
+ # `clientMetadata` attribute, which provides the data that you
8179
+ # assigned to the ClientMetadata parameter in your
8180
+ # UpdateUserAttributes request. In your function code in AWS Lambda,
8181
+ # you can process the `clientMetadata` value to enhance your workflow
8182
+ # for your specific needs.
8183
+ #
8184
+ # For more information, see [Customizing User Pool Workflows with
8185
+ # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
8186
+ #
8187
+ # <note markdown="1"> Take the following limitations into consideration when you use the
8188
+ # ClientMetadata parameter:
8189
+ #
8190
+ # * Amazon Cognito does not store the ClientMetadata value. This data
8191
+ # is available only to AWS Lambda triggers that are assigned to a
8192
+ # user pool to support custom workflows. If your user pool
8193
+ # configuration does not include triggers, the ClientMetadata
8194
+ # parameter serves no purpose.
8195
+ #
8196
+ # * Amazon Cognito does not validate the ClientMetadata value.
8197
+ #
8198
+ # * Amazon Cognito does not encrypt the the ClientMetadata value, so
8199
+ # don't use it to provide sensitive information.
8200
+ #
8201
+ # </note>
8202
+ #
8203
+ #
8204
+ #
8205
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
8206
+ # @return [Hash<String,String>]
8207
+ #
7441
8208
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserAttributesRequest AWS API Documentation
7442
8209
  #
7443
8210
  class UpdateUserAttributesRequest < Struct.new(
7444
8211
  :user_attributes,
7445
- :access_token)
8212
+ :access_token,
8213
+ :client_metadata)
7446
8214
  include Aws::Structure
7447
8215
  end
7448
8216
 
@@ -7583,7 +8351,9 @@ module Aws::CognitoIdentityProvider
7583
8351
  #
7584
8352
  # @!attribute [rw] allowed_o_auth_scopes
7585
8353
  # A list of allowed `OAuth` scopes. Currently supported values are
7586
- # `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
8354
+ # `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
8355
+ # these values, custom scopes created in Resource Servers are also
8356
+ # supported.
7587
8357
  # @return [Array<String>]
7588
8358
  #
7589
8359
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -8210,7 +8980,9 @@ module Aws::CognitoIdentityProvider
8210
8980
  #
8211
8981
  # @!attribute [rw] allowed_o_auth_scopes
8212
8982
  # A list of allowed `OAuth` scopes. Currently supported values are
8213
- # `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
8983
+ # `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
8984
+ # these values, custom scopes created in Resource Servers are also
8985
+ # supported.
8214
8986
  # @return [Array<String>]
8215
8987
  #
8216
8988
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client