aws-sdk-cognitoidentityprovider 1.27.0 → 1.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: c61021bd9eb04d38a294367ad4fce2dcdcd77e2f
-  data.tar.gz: 518e71cb755bb218db2b30497a9dff87e91e6ae1
+  metadata.gz: 201c2dae29af53f1d9b0a56accf6abd58bfe4063
+  data.tar.gz: e7c0371129e3e44fd16d55a738fa887d3c79235a
 SHA512:
-  metadata.gz: 7513a1c1f7578ed52bbc0bad0456585d83c01f4e00635d3ccb57445e3b48d649a73675ba496fe02147aa6c4b9f5e857172f7e38f319feb88e2b8157d91dd536f
-  data.tar.gz: d834b929aa4ab2ff16dfa3f2298e165e3159c2849ea46c1d716fd90d0b36db3a389df64169fa9ed7f1291b0e04e8a3d9e58bdb10d0ed8e10a07eff5bf6965222
+  metadata.gz: ad161717df9a0fa462795286b7b488f4e452837fdf755eba0f95f7f2f7dc0b8764c1d06a22f1740b748ede3fcf3a00f47dcaad5417b32ed7876707236ea74b98
+  data.tar.gz: d0984dc7926258b3bb85c70f346322a27bde345cad6804d18f8a048a8d3f225c71e549cc5f26d7775d887fddf5965259416eb584f57b4017880d027b9e80874a

data/lib/aws-sdk-cognitoidentityprovider.rb

@@ -42,6 +42,6 @@ require_relative 'aws-sdk-cognitoidentityprovider/customizations'
 # @service
 module Aws::CognitoIdentityProvider
 
-  GEM_VERSION = '1.27.0'
+  GEM_VERSION = '1.28.0'
 
 end

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -975,6 +975,11 @@ module Aws::CognitoIdentityProvider
     #     set, this flow will invoke the user migration Lambda if the USERNAME
     #     is not found in the user pool.
     #
+    #   * `ADMIN_USER_PASSWORD_AUTH`\: Admin-based user password
+    #     authentication. This replaces the `ADMIN_NO_SRP_AUTH` authentication
+    #     flow. In this flow, Cognito receives the password in the request
+    #     instead of using the SRP process to verify passwords.
+    #
     # @option params [Hash<String,String>] :auth_parameters
     #   The authentication parameters. These are inputs corresponding to the
     #   `AuthFlow` that you are invoking. The required values depend on the
@@ -1079,7 +1084,7 @@ module Aws::CognitoIdentityProvider
     #   resp = client.admin_initiate_auth({
     #     user_pool_id: "UserPoolIdType", # required
     #     client_id: "ClientIdType", # required
-    #     auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH
+    #     auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH, ADMIN_USER_PASSWORD_AUTH
     #     auth_parameters: {
     #       "StringType" => "StringType",
     #     },
@@ -2126,14 +2131,14 @@ module Aws::CognitoIdentityProvider
     #
     #   You create custom workflows by assigning AWS Lambda functions to user
     #   pool triggers. When you use the ConfirmForgotPassword API action,
-    #   Amazon Cognito invokes the functions that are assigned to the *post
-    #   confirmation* and *pre mutation* triggers. When Amazon Cognito invokes
-    #   either of these functions, it passes a JSON payload, which the
-    #   function receives as input. This payload contains a `clientMetadata`
-    #   attribute, which provides the data that you assigned to the
-    #   ClientMetadata parameter in your ConfirmForgotPassword request. In
-    #   your function code in AWS Lambda, you can process the `clientMetadata`
-    #   value to enhance your workflow for your specific needs.
+    #   Amazon Cognito invokes the function that is assigned to the *post
+    #   confirmation* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your
+    #   ConfirmForgotPassword request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with Lambda
     #   Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -2826,7 +2831,29 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
     #
     # @option params [Array<String>] :explicit_auth_flows
-    #   The explicit authentication flows.
+    #   The authentication flows that are supported by the user pool clients.
+    #   Flow names without the `ALLOW_` prefix are deprecated in favor of new
+    #   names with the `ALLOW_` prefix. Note that values with `ALLOW_` prefix
+    #   cannot be used along with values without `ALLOW_` prefix.
+    #
+    #   Valid values include:
+    #
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user password
+    #     authentication flow `ADMIN_USER_PASSWORD_AUTH`. This setting
+    #     replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication
+    #     flow, Cognito receives the password in the request instead of using
+    #     the SRP (Secure Remote Password protocol) protocol to verify
+    #     passwords.
+    #
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
+    #
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Cognito receives the password in the
+    #     request instead of using the SRP protocol to verify passwords.
+    #
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP based authentication.
+    #
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #
     # @option params [Array<String>] :supported_identity_providers
     #   A list of provider names for the identity providers that are supported
@@ -2902,6 +2929,48 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics configuration for collecting metrics for
     #   this user pool.
     #
+    # @option params [String] :prevent_user_existence_errors
+    #   Use this setting to choose which errors and responses are returned by
+    #   Cognito APIs during authentication, account confirmation, and password
+    #   recovery when the user does not exist in the user pool. When set to
+    #   `ENABLED` and the user does not exist, authentication returns an error
+    #   indicating either the username or password was incorrect, and account
+    #   confirmation and password recovery return a response indicating a code
+    #   was sent to a simulated destination. When set to `LEGACY`, those APIs
+    #   will return a `UserNotFoundException` exception if the user does not
+    #   exist in the user pool.
+    #
+    #   Valid values include:
+    #
+    #   * `ENABLED` - This prevents user existence-related errors.
+    #
+    #   * `LEGACY` - This represents the old behavior of Cognito where user
+    #     existence related errors are not prevented.
+    #
+    #   This setting affects the behavior of following APIs:
+    #
+    #   * AdminInitiateAuth
+    #
+    #   * AdminRespondToAuthChallenge
+    #
+    #   * InitiateAuth
+    #
+    #   * RespondToAuthChallenge
+    #
+    #   * ForgotPassword
+    #
+    #   * ConfirmForgotPassword
+    #
+    #   * ConfirmSignUp
+    #
+    #   * ResendConfirmationCode
+    #
+    #   <note markdown="1"> After January 1st 2020, the value of `PreventUserExistenceErrors` will
+    #   default to `ENABLED` for newly created user pool clients if no value
+    #   is provided.
+    #
+    #    </note>
+    #
     # @return [Types::CreateUserPoolClientResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateUserPoolClientResponse#user_pool_client #user_pool_client} => Types::UserPoolClientType
@@ -2915,7 +2984,7 @@ module Aws::CognitoIdentityProvider
     #     refresh_token_validity: 1,
     #     read_attributes: ["ClientPermissionType"],
     #     write_attributes: ["ClientPermissionType"],
-    #     explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH
+    #     explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
     #     supported_identity_providers: ["ProviderNameType"],
     #     callback_urls: ["RedirectUrlType"],
     #     logout_urls: ["RedirectUrlType"],
@@ -2929,6 +2998,7 @@ module Aws::CognitoIdentityProvider
     #       external_id: "StringType", # required
     #       user_data_shared: false,
     #     },
+    #     prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #   })
     #
     # @example Response structure
@@ -2945,7 +3015,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.write_attributes #=> Array
     #   resp.user_pool_client.write_attributes[0] #=> String
     #   resp.user_pool_client.explicit_auth_flows #=> Array
-    #   resp.user_pool_client.explicit_auth_flows[0] #=> String, one of "ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH"
+    #   resp.user_pool_client.explicit_auth_flows[0] #=> String, one of "ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"
     #   resp.user_pool_client.supported_identity_providers #=> Array
     #   resp.user_pool_client.supported_identity_providers[0] #=> String
     #   resp.user_pool_client.callback_urls #=> Array
@@ -2962,6 +3032,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.analytics_configuration.role_arn #=> String
     #   resp.user_pool_client.analytics_configuration.external_id #=> String
     #   resp.user_pool_client.analytics_configuration.user_data_shared #=> Boolean
+    #   resp.user_pool_client.prevent_user_existence_errors #=> String, one of "LEGACY", "ENABLED"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClient AWS API Documentation
     #
@@ -3543,7 +3614,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.write_attributes #=> Array
     #   resp.user_pool_client.write_attributes[0] #=> String
     #   resp.user_pool_client.explicit_auth_flows #=> Array
-    #   resp.user_pool_client.explicit_auth_flows[0] #=> String, one of "ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH"
+    #   resp.user_pool_client.explicit_auth_flows[0] #=> String, one of "ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"
     #   resp.user_pool_client.supported_identity_providers #=> Array
     #   resp.user_pool_client.supported_identity_providers[0] #=> String
     #   resp.user_pool_client.callback_urls #=> Array
@@ -3560,6 +3631,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.analytics_configuration.role_arn #=> String
     #   resp.user_pool_client.analytics_configuration.external_id #=> String
     #   resp.user_pool_client.analytics_configuration.user_data_shared #=> Boolean
+    #   resp.user_pool_client.prevent_user_existence_errors #=> String, one of "LEGACY", "ENABLED"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeUserPoolClient AWS API Documentation
     #
@@ -4166,6 +4238,11 @@ module Aws::CognitoIdentityProvider
     #     set, this flow will invoke the user migration Lambda if the USERNAME
     #     is not found in the user pool.
     #
+    #   * `ADMIN_USER_PASSWORD_AUTH`\: Admin-based user password
+    #     authentication. This replaces the `ADMIN_NO_SRP_AUTH` authentication
+    #     flow. In this flow, Cognito receives the password in the request
+    #     instead of using the SRP process to verify passwords.
+    #
     #   `ADMIN_NO_SRP_AUTH` is not a valid value.
     #
     # @option params [Hash<String,String>] :auth_parameters
@@ -4269,7 +4346,7 @@ module Aws::CognitoIdentityProvider
     # @example Request syntax with placeholder values
     #
     #   resp = client.initiate_auth({
-    #     auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH
+    #     auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH, ADMIN_USER_PASSWORD_AUTH
     #     auth_parameters: {
     #       "StringType" => "StringType",
     #     },
@@ -5774,6 +5851,9 @@ module Aws::CognitoIdentityProvider
     #
     # Calling this action requires developer credentials.
     #
+    # If you don't provide a value for an attribute, it will be set to the
+    # default value.
+    #
     # @option params [required, String] :group_name
     #   The name of the group.
     #
@@ -5886,6 +5966,9 @@ module Aws::CognitoIdentityProvider
     # Updates the name and scopes of resource server. All other fields are
     # read-only.
     #
+    # If you don't provide a value for an attribute, it will be set to the
+    # default value.
+    #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
     #
@@ -5951,14 +6034,14 @@ module Aws::CognitoIdentityProvider
     #
     #   You create custom workflows by assigning AWS Lambda functions to user
     #   pool triggers. When you use the UpdateUserAttributes API action,
-    #   Amazon Cognito invokes the functions that are assigned to the *custom
-    #   message* and *pre mutation* triggers. When Amazon Cognito invokes
-    #   either of these functions, it passes a JSON payload, which the
-    #   function receives as input. This payload contains a `clientMetadata`
-    #   attribute, which provides the data that you assigned to the
-    #   ClientMetadata parameter in your UpdateUserAttributes request. In your
-    #   function code in AWS Lambda, you can process the `clientMetadata`
-    #   value to enhance your workflow for your specific needs.
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it passes
+    #   a JSON payload, which the function receives as input. This payload
+    #   contains a `clientMetadata` attribute, which provides the data that
+    #   you assigned to the ClientMetadata parameter in your
+    #   UpdateUserAttributes request. In your function code in AWS Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with Lambda
     #   Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -6018,9 +6101,11 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Updates the specified user pool with the specified attributes. If you
-    # don't provide a value for an attribute, it will be set to the default
-    # value. You can get a list of the current user pool settings with .
+    # Updates the specified user pool with the specified attributes. You can
+    # get a list of the current user pool settings with .
+    #
+    # If you don't provide a value for an attribute, it will be set to the
+    # default value.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool you want to update.
@@ -6166,9 +6251,11 @@ module Aws::CognitoIdentityProvider
     end
 
     # Updates the specified user pool app client with the specified
-    # attributes. If you don't provide a value for an attribute, it will be
-    # set to the default value. You can get a list of the current user pool
-    # app client settings with .
+    # attributes. You can get a list of the current user pool app client
+    # settings with .
+    #
+    # If you don't provide a value for an attribute, it will be set to the
+    # default value.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to update the user
@@ -6191,7 +6278,29 @@ module Aws::CognitoIdentityProvider
     #   The writeable attributes of the user pool.
     #
     # @option params [Array<String>] :explicit_auth_flows
-    #   Explicit authentication flows.
+    #   The authentication flows that are supported by the user pool clients.
+    #   Flow names without the `ALLOW_` prefix are deprecated in favor of new
+    #   names with the `ALLOW_` prefix. Note that values with `ALLOW_` prefix
+    #   cannot be used along with values without `ALLOW_` prefix.
+    #
+    #   Valid values include:
+    #
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user password
+    #     authentication flow `ADMIN_USER_PASSWORD_AUTH`. This setting
+    #     replaces the `ADMIN_NO_SRP_AUTH` setting. With this authentication
+    #     flow, Cognito receives the password in the request instead of using
+    #     the SRP (Secure Remote Password protocol) protocol to verify
+    #     passwords.
+    #
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
+    #
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Cognito receives the password in the
+    #     request instead of using the SRP protocol to verify passwords.
+    #
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP based authentication.
+    #
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #
     # @option params [Array<String>] :supported_identity_providers
     #   A list of provider names for the identity providers that are supported
@@ -6263,6 +6372,48 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics configuration for collecting metrics for
     #   this user pool.
     #
+    # @option params [String] :prevent_user_existence_errors
+    #   Use this setting to choose which errors and responses are returned by
+    #   Cognito APIs during authentication, account confirmation, and password
+    #   recovery when the user does not exist in the user pool. When set to
+    #   `ENABLED` and the user does not exist, authentication returns an error
+    #   indicating either the username or password was incorrect, and account
+    #   confirmation and password recovery return a response indicating a code
+    #   was sent to a simulated destination. When set to `LEGACY`, those APIs
+    #   will return a `UserNotFoundException` exception if the user does not
+    #   exist in the user pool.
+    #
+    #   Valid values include:
+    #
+    #   * `ENABLED` - This prevents user existence-related errors.
+    #
+    #   * `LEGACY` - This represents the old behavior of Cognito where user
+    #     existence related errors are not prevented.
+    #
+    #   This setting affects the behavior of following APIs:
+    #
+    #   * AdminInitiateAuth
+    #
+    #   * AdminRespondToAuthChallenge
+    #
+    #   * InitiateAuth
+    #
+    #   * RespondToAuthChallenge
+    #
+    #   * ForgotPassword
+    #
+    #   * ConfirmForgotPassword
+    #
+    #   * ConfirmSignUp
+    #
+    #   * ResendConfirmationCode
+    #
+    #   <note markdown="1"> After January 1st 2020, the value of `PreventUserExistenceErrors` will
+    #   default to `ENABLED` for newly created user pool clients if no value
+    #   is provided.
+    #
+    #    </note>
+    #
     # @return [Types::UpdateUserPoolClientResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateUserPoolClientResponse#user_pool_client #user_pool_client} => Types::UserPoolClientType
@@ -6276,7 +6427,7 @@ module Aws::CognitoIdentityProvider
     #     refresh_token_validity: 1,
     #     read_attributes: ["ClientPermissionType"],
     #     write_attributes: ["ClientPermissionType"],
-    #     explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH
+    #     explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
     #     supported_identity_providers: ["ProviderNameType"],
     #     callback_urls: ["RedirectUrlType"],
     #     logout_urls: ["RedirectUrlType"],
@@ -6290,6 +6441,7 @@ module Aws::CognitoIdentityProvider
     #       external_id: "StringType", # required
     #       user_data_shared: false,
     #     },
+    #     prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #   })
     #
     # @example Response structure
@@ -6306,7 +6458,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.write_attributes #=> Array
     #   resp.user_pool_client.write_attributes[0] #=> String
     #   resp.user_pool_client.explicit_auth_flows #=> Array
-    #   resp.user_pool_client.explicit_auth_flows[0] #=> String, one of "ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH"
+    #   resp.user_pool_client.explicit_auth_flows[0] #=> String, one of "ADMIN_NO_SRP_AUTH", "CUSTOM_AUTH_FLOW_ONLY", "USER_PASSWORD_AUTH", "ALLOW_ADMIN_USER_PASSWORD_AUTH", "ALLOW_CUSTOM_AUTH", "ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"
     #   resp.user_pool_client.supported_identity_providers #=> Array
     #   resp.user_pool_client.supported_identity_providers[0] #=> String
     #   resp.user_pool_client.callback_urls #=> Array
@@ -6323,6 +6475,7 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.analytics_configuration.role_arn #=> String
     #   resp.user_pool_client.analytics_configuration.external_id #=> String
     #   resp.user_pool_client.analytics_configuration.user_data_shared #=> Boolean
+    #   resp.user_pool_client.prevent_user_existence_errors #=> String, one of "LEGACY", "ENABLED"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClient AWS API Documentation
     #
@@ -6500,7 +6653,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.27.0'
+      context[:gem_version] = '1.28.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -308,6 +308,7 @@ module Aws::CognitoIdentityProvider
     PreSignedUrlType = Shapes::StringShape.new(name: 'PreSignedUrlType')
     PrecedenceType = Shapes::IntegerShape.new(name: 'PrecedenceType')
     PreconditionNotMetException = Shapes::StructureShape.new(name: 'PreconditionNotMetException')
+    PreventUserExistenceErrorTypes = Shapes::StringShape.new(name: 'PreventUserExistenceErrorTypes')
     ProviderDescription = Shapes::StructureShape.new(name: 'ProviderDescription')
     ProviderDetailsType = Shapes::MapShape.new(name: 'ProviderDetailsType')
     ProviderNameType = Shapes::StringShape.new(name: 'ProviderNameType')
@@ -890,6 +891,7 @@ module Aws::CognitoIdentityProvider
     CreateUserPoolClientRequest.add_member(:allowed_o_auth_scopes, Shapes::ShapeRef.new(shape: ScopeListType, location_name: "AllowedOAuthScopes"))
     CreateUserPoolClientRequest.add_member(:allowed_o_auth_flows_user_pool_client, Shapes::ShapeRef.new(shape: BooleanType, location_name: "AllowedOAuthFlowsUserPoolClient"))
     CreateUserPoolClientRequest.add_member(:analytics_configuration, Shapes::ShapeRef.new(shape: AnalyticsConfigurationType, location_name: "AnalyticsConfiguration"))
+    CreateUserPoolClientRequest.add_member(:prevent_user_existence_errors, Shapes::ShapeRef.new(shape: PreventUserExistenceErrorTypes, location_name: "PreventUserExistenceErrors"))
     CreateUserPoolClientRequest.struct_class = Types::CreateUserPoolClientRequest
 
     CreateUserPoolClientResponse.add_member(:user_pool_client, Shapes::ShapeRef.new(shape: UserPoolClientType, location_name: "UserPoolClient"))
@@ -1694,6 +1696,7 @@ module Aws::CognitoIdentityProvider
     UpdateUserPoolClientRequest.add_member(:allowed_o_auth_scopes, Shapes::ShapeRef.new(shape: ScopeListType, location_name: "AllowedOAuthScopes"))
     UpdateUserPoolClientRequest.add_member(:allowed_o_auth_flows_user_pool_client, Shapes::ShapeRef.new(shape: BooleanType, location_name: "AllowedOAuthFlowsUserPoolClient"))
     UpdateUserPoolClientRequest.add_member(:analytics_configuration, Shapes::ShapeRef.new(shape: AnalyticsConfigurationType, location_name: "AnalyticsConfiguration"))
+    UpdateUserPoolClientRequest.add_member(:prevent_user_existence_errors, Shapes::ShapeRef.new(shape: PreventUserExistenceErrorTypes, location_name: "PreventUserExistenceErrors"))
     UpdateUserPoolClientRequest.struct_class = Types::UpdateUserPoolClientRequest
 
     UpdateUserPoolClientResponse.add_member(:user_pool_client, Shapes::ShapeRef.new(shape: UserPoolClientType, location_name: "UserPoolClient"))
@@ -1792,6 +1795,7 @@ module Aws::CognitoIdentityProvider
     UserPoolClientType.add_member(:allowed_o_auth_scopes, Shapes::ShapeRef.new(shape: ScopeListType, location_name: "AllowedOAuthScopes"))
     UserPoolClientType.add_member(:allowed_o_auth_flows_user_pool_client, Shapes::ShapeRef.new(shape: BooleanType, location_name: "AllowedOAuthFlowsUserPoolClient", metadata: {"box"=>true}))
     UserPoolClientType.add_member(:analytics_configuration, Shapes::ShapeRef.new(shape: AnalyticsConfigurationType, location_name: "AnalyticsConfiguration"))
+    UserPoolClientType.add_member(:prevent_user_existence_errors, Shapes::ShapeRef.new(shape: PreventUserExistenceErrorTypes, location_name: "PreventUserExistenceErrors"))
     UserPoolClientType.struct_class = Types::UserPoolClientType
 
     UserPoolDescriptionType.add_member(:id, Shapes::ShapeRef.new(shape: UserPoolIdType, location_name: "Id"))

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -916,7 +916,7 @@ module Aws::CognitoIdentityProvider
     #       {
     #         user_pool_id: "UserPoolIdType", # required
     #         client_id: "ClientIdType", # required
-    #         auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH
+    #         auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH, ADMIN_USER_PASSWORD_AUTH
     #         auth_parameters: {
     #           "StringType" => "StringType",
     #         },
@@ -980,6 +980,12 @@ module Aws::CognitoIdentityProvider
     #     PASSWORD are passed directly. If a user migration Lambda trigger
     #     is set, this flow will invoke the user migration Lambda if the
     #     USERNAME is not found in the user pool.
+    #
+    #   * `ADMIN_USER_PASSWORD_AUTH`\: Admin-based user password
+    #     authentication. This replaces the `ADMIN_NO_SRP_AUTH`
+    #     authentication flow. In this flow, Cognito receives the password
+    #     in the request instead of using the SRP process to verify
+    #     passwords.
     #   @return [String]
     #
     # @!attribute [rw] auth_parameters
@@ -2584,15 +2590,14 @@ module Aws::CognitoIdentityProvider
     #
     #   You create custom workflows by assigning AWS Lambda functions to
     #   user pool triggers. When you use the ConfirmForgotPassword API
-    #   action, Amazon Cognito invokes the functions that are assigned to
-    #   the *post confirmation* and *pre mutation* triggers. When Amazon
-    #   Cognito invokes either of these functions, it passes a JSON payload,
-    #   which the function receives as input. This payload contains a
-    #   `clientMetadata` attribute, which provides the data that you
-    #   assigned to the ClientMetadata parameter in your
-    #   ConfirmForgotPassword request. In your function code in AWS Lambda,
-    #   you can process the `clientMetadata` value to enhance your workflow
-    #   for your specific needs.
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *post confirmation* trigger. When Amazon Cognito invokes this
+    #   function, it passes a JSON payload, which the function receives as
+    #   input. This payload contains a `clientMetadata` attribute, which
+    #   provides the data that you assigned to the ClientMetadata parameter
+    #   in your ConfirmForgotPassword request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -3061,7 +3066,7 @@ module Aws::CognitoIdentityProvider
     #         refresh_token_validity: 1,
     #         read_attributes: ["ClientPermissionType"],
     #         write_attributes: ["ClientPermissionType"],
-    #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH
+    #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
     #         supported_identity_providers: ["ProviderNameType"],
     #         callback_urls: ["RedirectUrlType"],
     #         logout_urls: ["RedirectUrlType"],
@@ -3075,6 +3080,7 @@ module Aws::CognitoIdentityProvider
     #           external_id: "StringType", # required
     #           user_data_shared: false,
     #         },
+    #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -3118,7 +3124,30 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The explicit authentication flows.
+    #   The authentication flows that are supported by the user pool
+    #   clients. Flow names without the `ALLOW_` prefix are deprecated in
+    #   favor of new names with the `ALLOW_` prefix. Note that values with
+    #   `ALLOW_` prefix cannot be used along with values without `ALLOW_`
+    #   prefix.
+    #
+    #   Valid values include:
+    #
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
+    #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
+    #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
+    #     authentication flow, Cognito receives the password in the request
+    #     instead of using the SRP (Secure Remote Password protocol)
+    #     protocol to verify passwords.
+    #
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
+    #
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Cognito receives the password in the
+    #     request instead of using the SRP protocol to verify passwords.
+    #
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP based authentication.
+    #
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -3204,6 +3233,49 @@ module Aws::CognitoIdentityProvider
     #   for this user pool.
     #   @return [Types::AnalyticsConfigurationType]
     #
+    # @!attribute [rw] prevent_user_existence_errors
+    #   Use this setting to choose which errors and responses are returned
+    #   by Cognito APIs during authentication, account confirmation, and
+    #   password recovery when the user does not exist in the user pool.
+    #   When set to `ENABLED` and the user does not exist, authentication
+    #   returns an error indicating either the username or password was
+    #   incorrect, and account confirmation and password recovery return a
+    #   response indicating a code was sent to a simulated destination. When
+    #   set to `LEGACY`, those APIs will return a `UserNotFoundException`
+    #   exception if the user does not exist in the user pool.
+    #
+    #   Valid values include:
+    #
+    #   * `ENABLED` - This prevents user existence-related errors.
+    #
+    #   * `LEGACY` - This represents the old behavior of Cognito where user
+    #     existence related errors are not prevented.
+    #
+    #   This setting affects the behavior of following APIs:
+    #
+    #   * AdminInitiateAuth
+    #
+    #   * AdminRespondToAuthChallenge
+    #
+    #   * InitiateAuth
+    #
+    #   * RespondToAuthChallenge
+    #
+    #   * ForgotPassword
+    #
+    #   * ConfirmForgotPassword
+    #
+    #   * ConfirmSignUp
+    #
+    #   * ResendConfirmationCode
+    #
+    #   <note markdown="1"> After January 1st 2020, the value of `PreventUserExistenceErrors`
+    #   will default to `ENABLED` for newly created user pool clients if no
+    #   value is provided.
+    #
+    #    </note>
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClientRequest AWS API Documentation
     #
     class CreateUserPoolClientRequest < Struct.new(
@@ -3221,7 +3293,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows,
       :allowed_o_auth_scopes,
       :allowed_o_auth_flows_user_pool_client,
-      :analytics_configuration)
+      :analytics_configuration,
+      :prevent_user_existence_errors)
       include Aws::Structure
     end
 
@@ -5077,7 +5150,7 @@ module Aws::CognitoIdentityProvider
     #   data as a hash:
     #
     #       {
-    #         auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH
+    #         auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH, ADMIN_USER_PASSWORD_AUTH
     #         auth_parameters: {
     #           "StringType" => "StringType",
     #         },
@@ -5122,6 +5195,12 @@ module Aws::CognitoIdentityProvider
     #     is set, this flow will invoke the user migration Lambda if the
     #     USERNAME is not found in the user pool.
     #
+    #   * `ADMIN_USER_PASSWORD_AUTH`\: Admin-based user password
+    #     authentication. This replaces the `ADMIN_NO_SRP_AUTH`
+    #     authentication flow. In this flow, Cognito receives the password
+    #     in the request instead of using the SRP process to verify
+    #     passwords.
+    #
     #   `ADMIN_NO_SRP_AUTH` is not a valid value.
     #   @return [String]
     #
@@ -8171,12 +8250,11 @@ module Aws::CognitoIdentityProvider
     #
     #   You create custom workflows by assigning AWS Lambda functions to
     #   user pool triggers. When you use the UpdateUserAttributes API
-    #   action, Amazon Cognito invokes the functions that are assigned to
-    #   the *custom message* and *pre mutation* triggers. When Amazon
-    #   Cognito invokes either of these functions, it passes a JSON payload,
-    #   which the function receives as input. This payload contains a
-    #   `clientMetadata` attribute, which provides the data that you
-    #   assigned to the ClientMetadata parameter in your
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *custom message* trigger. When Amazon Cognito invokes this function,
+    #   it passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
     #   UpdateUserAttributes request. In your function code in AWS Lambda,
     #   you can process the `clientMetadata` value to enhance your workflow
     #   for your specific needs.
@@ -8241,7 +8319,7 @@ module Aws::CognitoIdentityProvider
     #         refresh_token_validity: 1,
     #         read_attributes: ["ClientPermissionType"],
     #         write_attributes: ["ClientPermissionType"],
-    #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH
+    #         explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
     #         supported_identity_providers: ["ProviderNameType"],
     #         callback_urls: ["RedirectUrlType"],
     #         logout_urls: ["RedirectUrlType"],
@@ -8255,6 +8333,7 @@ module Aws::CognitoIdentityProvider
     #           external_id: "StringType", # required
     #           user_data_shared: false,
     #         },
+    #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -8284,7 +8363,30 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   Explicit authentication flows.
+    #   The authentication flows that are supported by the user pool
+    #   clients. Flow names without the `ALLOW_` prefix are deprecated in
+    #   favor of new names with the `ALLOW_` prefix. Note that values with
+    #   `ALLOW_` prefix cannot be used along with values without `ALLOW_`
+    #   prefix.
+    #
+    #   Valid values include:
+    #
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
+    #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
+    #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
+    #     authentication flow, Cognito receives the password in the request
+    #     instead of using the SRP (Secure Remote Password protocol)
+    #     protocol to verify passwords.
+    #
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
+    #
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Cognito receives the password in the
+    #     request instead of using the SRP protocol to verify passwords.
+    #
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP based authentication.
+    #
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -8366,6 +8468,49 @@ module Aws::CognitoIdentityProvider
     #   for this user pool.
     #   @return [Types::AnalyticsConfigurationType]
     #
+    # @!attribute [rw] prevent_user_existence_errors
+    #   Use this setting to choose which errors and responses are returned
+    #   by Cognito APIs during authentication, account confirmation, and
+    #   password recovery when the user does not exist in the user pool.
+    #   When set to `ENABLED` and the user does not exist, authentication
+    #   returns an error indicating either the username or password was
+    #   incorrect, and account confirmation and password recovery return a
+    #   response indicating a code was sent to a simulated destination. When
+    #   set to `LEGACY`, those APIs will return a `UserNotFoundException`
+    #   exception if the user does not exist in the user pool.
+    #
+    #   Valid values include:
+    #
+    #   * `ENABLED` - This prevents user existence-related errors.
+    #
+    #   * `LEGACY` - This represents the old behavior of Cognito where user
+    #     existence related errors are not prevented.
+    #
+    #   This setting affects the behavior of following APIs:
+    #
+    #   * AdminInitiateAuth
+    #
+    #   * AdminRespondToAuthChallenge
+    #
+    #   * InitiateAuth
+    #
+    #   * RespondToAuthChallenge
+    #
+    #   * ForgotPassword
+    #
+    #   * ConfirmForgotPassword
+    #
+    #   * ConfirmSignUp
+    #
+    #   * ResendConfirmationCode
+    #
+    #   <note markdown="1"> After January 1st 2020, the value of `PreventUserExistenceErrors`
+    #   will default to `ENABLED` for newly created user pool clients if no
+    #   value is provided.
+    #
+    #    </note>
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClientRequest AWS API Documentation
     #
     class UpdateUserPoolClientRequest < Struct.new(
@@ -8383,7 +8528,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows,
       :allowed_o_auth_scopes,
       :allowed_o_auth_flows_user_pool_client,
-      :analytics_configuration)
+      :analytics_configuration,
+      :prevent_user_existence_errors)
       include Aws::Structure
     end
 
@@ -8910,7 +9056,30 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<String>]
     #
     # @!attribute [rw] explicit_auth_flows
-    #   The explicit authentication flows.
+    #   The authentication flows that are supported by the user pool
+    #   clients. Flow names without the `ALLOW_` prefix are deprecated in
+    #   favor of new names with the `ALLOW_` prefix. Note that values with
+    #   `ALLOW_` prefix cannot be used along with values without `ALLOW_`
+    #   prefix.
+    #
+    #   Valid values include:
+    #
+    #   * `ALLOW_ADMIN_USER_PASSWORD_AUTH`\: Enable admin based user
+    #     password authentication flow `ADMIN_USER_PASSWORD_AUTH`. This
+    #     setting replaces the `ADMIN_NO_SRP_AUTH` setting. With this
+    #     authentication flow, Cognito receives the password in the request
+    #     instead of using the SRP (Secure Remote Password protocol)
+    #     protocol to verify passwords.
+    #
+    #   * `ALLOW_CUSTOM_AUTH`\: Enable Lambda trigger based authentication.
+    #
+    #   * `ALLOW_USER_PASSWORD_AUTH`\: Enable user password-based
+    #     authentication. In this flow, Cognito receives the password in the
+    #     request instead of using the SRP protocol to verify passwords.
+    #
+    #   * `ALLOW_USER_SRP_AUTH`\: Enable SRP based authentication.
+    #
+    #   * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
     #   @return [Array<String>]
     #
     # @!attribute [rw] supported_identity_providers
@@ -8995,6 +9164,49 @@ module Aws::CognitoIdentityProvider
     #   client.
     #   @return [Types::AnalyticsConfigurationType]
     #
+    # @!attribute [rw] prevent_user_existence_errors
+    #   Use this setting to choose which errors and responses are returned
+    #   by Cognito APIs during authentication, account confirmation, and
+    #   password recovery when the user does not exist in the user pool.
+    #   When set to `ENABLED` and the user does not exist, authentication
+    #   returns an error indicating either the username or password was
+    #   incorrect, and account confirmation and password recovery return a
+    #   response indicating a code was sent to a simulated destination. When
+    #   set to `LEGACY`, those APIs will return a `UserNotFoundException`
+    #   exception if the user does not exist in the user pool.
+    #
+    #   Valid values include:
+    #
+    #   * `ENABLED` - This prevents user existence-related errors.
+    #
+    #   * `LEGACY` - This represents the old behavior of Cognito where user
+    #     existence related errors are not prevented.
+    #
+    #   This setting affects the behavior of following APIs:
+    #
+    #   * AdminInitiateAuth
+    #
+    #   * AdminRespondToAuthChallenge
+    #
+    #   * InitiateAuth
+    #
+    #   * RespondToAuthChallenge
+    #
+    #   * ForgotPassword
+    #
+    #   * ConfirmForgotPassword
+    #
+    #   * ConfirmSignUp
+    #
+    #   * ResendConfirmationCode
+    #
+    #   <note markdown="1"> After January 1st 2020, the value of `PreventUserExistenceErrors`
+    #   will default to `ENABLED` for newly created user pool clients if no
+    #   value is provided.
+    #
+    #    </note>
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolClientType AWS API Documentation
     #
     class UserPoolClientType < Struct.new(
@@ -9015,7 +9227,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_flows,
       :allowed_o_auth_scopes,
       :allowed_o_auth_flows_user_pool_client,
-      :analytics_configuration)
+      :analytics_configuration,
+      :prevent_user_existence_errors)
       include Aws::Structure
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-cognitoidentityprovider
 version: !ruby/object:Gem::Version
-  version: 1.27.0
+  version: 1.28.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-10-23 00:00:00.000000000 Z
+date: 2019-11-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core