aws-sdk-cognitoidentityprovider 1.41.0 → 1.46.0

@@ -14,6 +14,7 @@ module Aws::CognitoIdentityProvider
14
14
  include Seahorse::Model
15
15
 
16
16
  AWSAccountIdType = Shapes::StringShape.new(name: 'AWSAccountIdType')
17
+ AccessTokenValidityType = Shapes::IntegerShape.new(name: 'AccessTokenValidityType')
17
18
  AccountRecoverySettingType = Shapes::StructureShape.new(name: 'AccountRecoverySettingType')
18
19
  AccountTakeoverActionNotifyType = Shapes::BooleanShape.new(name: 'AccountTakeoverActionNotifyType')
19
20
  AccountTakeoverActionType = Shapes::StructureShape.new(name: 'AccountTakeoverActionType')
@@ -243,6 +244,7 @@ module Aws::CognitoIdentityProvider
243
244
  HexStringType = Shapes::StringShape.new(name: 'HexStringType')
244
245
  HttpHeader = Shapes::StructureShape.new(name: 'HttpHeader')
245
246
  HttpHeaderList = Shapes::ListShape.new(name: 'HttpHeaderList')
247
+ IdTokenValidityType = Shapes::IntegerShape.new(name: 'IdTokenValidityType')
246
248
  IdentityProviderType = Shapes::StructureShape.new(name: 'IdentityProviderType')
247
249
  IdentityProviderTypeType = Shapes::StringShape.new(name: 'IdentityProviderTypeType')
248
250
  IdpIdentifierType = Shapes::StringShape.new(name: 'IdpIdentifierType')
@@ -389,7 +391,9 @@ module Aws::CognitoIdentityProvider
389
391
  TagResourceResponse = Shapes::StructureShape.new(name: 'TagResourceResponse')
390
392
  TagValueType = Shapes::StringShape.new(name: 'TagValueType')
391
393
  TemporaryPasswordValidityDaysType = Shapes::IntegerShape.new(name: 'TemporaryPasswordValidityDaysType')
394
+ TimeUnitsType = Shapes::StringShape.new(name: 'TimeUnitsType')
392
395
  TokenModelType = Shapes::StringShape.new(name: 'TokenModelType')
396
+ TokenValidityUnitsType = Shapes::StructureShape.new(name: 'TokenValidityUnitsType')
393
397
  TooManyFailedAttemptsException = Shapes::StructureShape.new(name: 'TooManyFailedAttemptsException')
394
398
  TooManyRequestsException = Shapes::StructureShape.new(name: 'TooManyRequestsException')
395
399
  UICustomizationType = Shapes::StructureShape.new(name: 'UICustomizationType')
@@ -709,9 +713,10 @@ module Aws::CognitoIdentityProvider
709
713
  AliasExistsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
710
714
  AliasExistsException.struct_class = Types::AliasExistsException
711
715
 
712
- AnalyticsConfigurationType.add_member(:application_id, Shapes::ShapeRef.new(shape: HexStringType, required: true, location_name: "ApplicationId"))
713
- AnalyticsConfigurationType.add_member(:role_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "RoleArn"))
714
- AnalyticsConfigurationType.add_member(:external_id, Shapes::ShapeRef.new(shape: StringType, required: true, location_name: "ExternalId"))
716
+ AnalyticsConfigurationType.add_member(:application_id, Shapes::ShapeRef.new(shape: HexStringType, location_name: "ApplicationId"))
717
+ AnalyticsConfigurationType.add_member(:application_arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "ApplicationArn"))
718
+ AnalyticsConfigurationType.add_member(:role_arn, Shapes::ShapeRef.new(shape: ArnType, location_name: "RoleArn"))
719
+ AnalyticsConfigurationType.add_member(:external_id, Shapes::ShapeRef.new(shape: StringType, location_name: "ExternalId"))
715
720
  AnalyticsConfigurationType.add_member(:user_data_shared, Shapes::ShapeRef.new(shape: BooleanType, location_name: "UserDataShared"))
716
721
  AnalyticsConfigurationType.struct_class = Types::AnalyticsConfigurationType
717
722
 
@@ -893,6 +898,9 @@ module Aws::CognitoIdentityProvider
893
898
  CreateUserPoolClientRequest.add_member(:client_name, Shapes::ShapeRef.new(shape: ClientNameType, required: true, location_name: "ClientName"))
894
899
  CreateUserPoolClientRequest.add_member(:generate_secret, Shapes::ShapeRef.new(shape: GenerateSecret, location_name: "GenerateSecret"))
895
900
  CreateUserPoolClientRequest.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
901
+ CreateUserPoolClientRequest.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
902
+ CreateUserPoolClientRequest.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
903
+ CreateUserPoolClientRequest.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
896
904
  CreateUserPoolClientRequest.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
897
905
  CreateUserPoolClientRequest.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
898
906
  CreateUserPoolClientRequest.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -1622,6 +1630,11 @@ module Aws::CognitoIdentityProvider
1622
1630
 
1623
1631
  TagResourceResponse.struct_class = Types::TagResourceResponse
1624
1632
 
1633
+ TokenValidityUnitsType.add_member(:access_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "AccessToken"))
1634
+ TokenValidityUnitsType.add_member(:id_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "IdToken"))
1635
+ TokenValidityUnitsType.add_member(:refresh_token, Shapes::ShapeRef.new(shape: TimeUnitsType, location_name: "RefreshToken"))
1636
+ TokenValidityUnitsType.struct_class = Types::TokenValidityUnitsType
1637
+
1625
1638
  TooManyFailedAttemptsException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
1626
1639
  TooManyFailedAttemptsException.struct_class = Types::TooManyFailedAttemptsException
1627
1640
 
@@ -1709,6 +1722,9 @@ module Aws::CognitoIdentityProvider
1709
1722
  UpdateUserPoolClientRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, required: true, location_name: "ClientId"))
1710
1723
  UpdateUserPoolClientRequest.add_member(:client_name, Shapes::ShapeRef.new(shape: ClientNameType, location_name: "ClientName"))
1711
1724
  UpdateUserPoolClientRequest.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
1725
+ UpdateUserPoolClientRequest.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
1726
+ UpdateUserPoolClientRequest.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
1727
+ UpdateUserPoolClientRequest.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
1712
1728
  UpdateUserPoolClientRequest.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
1713
1729
  UpdateUserPoolClientRequest.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
1714
1730
  UpdateUserPoolClientRequest.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -1809,6 +1825,9 @@ module Aws::CognitoIdentityProvider
1809
1825
  UserPoolClientType.add_member(:last_modified_date, Shapes::ShapeRef.new(shape: DateType, location_name: "LastModifiedDate"))
1810
1826
  UserPoolClientType.add_member(:creation_date, Shapes::ShapeRef.new(shape: DateType, location_name: "CreationDate"))
1811
1827
  UserPoolClientType.add_member(:refresh_token_validity, Shapes::ShapeRef.new(shape: RefreshTokenValidityType, location_name: "RefreshTokenValidity"))
1828
+ UserPoolClientType.add_member(:access_token_validity, Shapes::ShapeRef.new(shape: AccessTokenValidityType, location_name: "AccessTokenValidity"))
1829
+ UserPoolClientType.add_member(:id_token_validity, Shapes::ShapeRef.new(shape: IdTokenValidityType, location_name: "IdTokenValidity"))
1830
+ UserPoolClientType.add_member(:token_validity_units, Shapes::ShapeRef.new(shape: TokenValidityUnitsType, location_name: "TokenValidityUnits"))
1812
1831
  UserPoolClientType.add_member(:read_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "ReadAttributes"))
1813
1832
  UserPoolClientType.add_member(:write_attributes, Shapes::ShapeRef.new(shape: ClientPermissionListType, location_name: "WriteAttributes"))
1814
1833
  UserPoolClientType.add_member(:explicit_auth_flows, Shapes::ShapeRef.new(shape: ExplicitAuthFlowsListType, location_name: "ExplicitAuthFlows"))
@@ -2397,6 +2416,7 @@ module Aws::CognitoIdentityProvider
2397
2416
  o.http_request_uri = "/"
2398
2417
  o.input = Shapes::ShapeRef.new(shape: AssociateSoftwareTokenRequest)
2399
2418
  o.output = Shapes::ShapeRef.new(shape: AssociateSoftwareTokenResponse)
2419
+ o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
2400
2420
  o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
2401
2421
  o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
2402
2422
  o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
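Review bot: The `@@ -709,9 +713,10 @@` hunk drops `required: true` from `application_id`, `role_arn` and `external_id` on `AnalyticsConfigurationType`, so a partially filled analytics configuration is no longer rejected by client-side parameter validation and only the service can catch it. Presumably the members became optional so that the new `application_arn` can be sent instead, but nothing in the shape expresses that either/or rule. Code that relied on the old behaviour to guarantee a role ARN and external ID were present should check for itself before the call, for example `raise ArgumentError, 'analytics_configuration is incomplete' unless cfg[:application_arn] || cfg.values_at(:application_id, :role_arn, :external_id).all?`. If this file is generated from the service model, that guard belongs in the calling code rather than here.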
@@ -431,10 +431,11 @@ module Aws::CognitoIdentityProvider
431
431
  # An array of name-value pairs that contain user attributes and
432
432
  # attribute values to be set for the user to be created. You can
433
433
  # create a user without specifying any attributes other than
434
- # `Username`. However, any attributes that you specify as required (in
435
- # or in the **Attributes** tab of the console) must be supplied either
436
- # by you (in your call to `AdminCreateUser`) or by the user (when he
437
- # or she signs up in response to your welcome message).
434
+ # `Username`. However, any attributes that you specify as required
435
+ # (when creating a user pool or in the **Attributes** tab of the
436
+ # console) must be supplied either by you (in your call to
437
+ # `AdminCreateUser`) or by the user (when he or she signs up in
438
+ # response to your welcome message).
438
439
  #
439
440
  # For custom attributes, you must prepend the `custom:` prefix to the
440
441
  # attribute name.
@@ -446,7 +447,8 @@ module Aws::CognitoIdentityProvider
446
447
  #
447
448
  # In your call to `AdminCreateUser`, you can set the `email_verified`
448
449
  # attribute to `True`, and you can set the `phone_number_verified`
449
- # attribute to `True`. (You can also do this by calling .)
450
+ # attribute to `True`. (You can also do this by calling
451
+ # [AdminUpdateUserAttributes][1].)
450
452
  #
451
453
  # * **email**\: The email address of the user to whom the message that
452
454
  # contains the code and username will be sent. Required if the
@@ -457,6 +459,10 @@ module Aws::CognitoIdentityProvider
457
459
  # message that contains the code and username will be sent. Required
458
460
  # if the `phone_number_verified` attribute is set to `True`, or if
459
461
  # `"SMS"` is specified in the `DesiredDeliveryMediums` parameter.
462
+ #
463
+ #
464
+ #
465
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
460
466
  # @return [Array<Types::AttributeType>]
461
467
  #
462
468
  # @!attribute [rw] validation_data
@@ -926,8 +932,8 @@ module Aws::CognitoIdentityProvider
926
932
  # *This response parameter is no longer supported.* It provides
927
933
  # information only about SMS MFA configurations. It doesn't provide
928
934
  # information about TOTP software token MFA configurations. To look up
929
- # information about either type of MFA configuration, use the
930
- # AdminGetUserResponse$UserMFASettingList response instead.
935
+ # information about either type of MFA configuration, use
936
+ # UserMFASettingList instead.
931
937
  # @return [Array<Types::MFAOptionType>]
932
938
  #
933
939
  # @!attribute [rw] preferred_mfa_setting
@@ -1042,18 +1048,20 @@ module Aws::CognitoIdentityProvider
1042
1048
  #
1043
1049
  # * For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
1044
1050
  # `SECRET_HASH` (required if the app client is configured with a
1045
- # client secret), `DEVICE_KEY`
1051
+ # client secret), `DEVICE_KEY`.
1046
1052
  #
1047
1053
  # * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
1048
1054
  # (required), `SECRET_HASH` (required if the app client is
1049
- # configured with a client secret), `DEVICE_KEY`
1055
+ # configured with a client secret), `DEVICE_KEY`.
1050
1056
  #
1051
1057
  # * For `ADMIN_NO_SRP_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if
1052
1058
  # app client is configured with client secret), `PASSWORD`
1053
- # (required), `DEVICE_KEY`
1059
+ # (required), `DEVICE_KEY`.
1054
1060
  #
1055
1061
  # * For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
1056
- # client is configured with client secret), `DEVICE_KEY`
1062
+ # client is configured with client secret), `DEVICE_KEY`. To start
1063
+ # the authentication flow with password verification, include
1064
+ # `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
1057
1065
  # @return [Hash<String,String>]
1058
1066
  #
1059
1067
  # @!attribute [rw] client_metadata
@@ -1637,7 +1645,12 @@ module Aws::CognitoIdentityProvider
1637
1645
  # @return [String]
1638
1646
  #
1639
1647
  # @!attribute [rw] challenge_name
1640
- # The challenge name. For more information, see .
1648
+ # The challenge name. For more information, see
1649
+ # [AdminInitiateAuth][1].
1650
+ #
1651
+ #
1652
+ #
1653
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
1641
1654
  # @return [String]
1642
1655
  #
1643
1656
  # @!attribute [rw] challenge_responses
@@ -1745,19 +1758,29 @@ module Aws::CognitoIdentityProvider
1745
1758
  # Responds to the authentication challenge, as an administrator.
1746
1759
  #
1747
1760
  # @!attribute [rw] challenge_name
1748
- # The name of the challenge. For more information, see .
1761
+ # The name of the challenge. For more information, see
1762
+ # [AdminInitiateAuth][1].
1763
+ #
1764
+ #
1765
+ #
1766
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
1749
1767
  # @return [String]
1750
1768
  #
1751
1769
  # @!attribute [rw] session
1752
1770
  # The session which should be passed both ways in challenge-response
1753
- # calls to the service. If the or API call determines that the caller
1754
- # needs to go through another challenge, they return a session with
1755
- # other challenge parameters. This session should be passed as it is
1756
- # to the next `RespondToAuthChallenge` API call.
1771
+ # calls to the service. If the caller needs to go through another
1772
+ # challenge, they return a session with other challenge parameters.
1773
+ # This session should be passed as it is to the next
1774
+ # `RespondToAuthChallenge` API call.
1757
1775
  # @return [String]
1758
1776
  #
1759
1777
  # @!attribute [rw] challenge_parameters
1760
- # The challenge parameters. For more information, see .
1778
+ # The challenge parameters. For more information, see
1779
+ # [AdminInitiateAuth][1].
1780
+ #
1781
+ #
1782
+ #
1783
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
1761
1784
  # @return [Hash<String,String>]
1762
1785
  #
1763
1786
  # @!attribute [rw] authentication_result
@@ -2147,9 +2170,10 @@ module Aws::CognitoIdentityProvider
2147
2170
  # The Amazon Pinpoint analytics configuration for collecting metrics for
2148
2171
  # a user pool.
2149
2172
  #
2150
- # <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
2151
- # projects in the US East (N. Virginia) us-east-1 Region, regardless of
2152
- # the region in which the user pool resides.
2173
+ # <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
2174
+ # supports sending events to Amazon Pinpoint projects in us-east-1. In
2175
+ # regions where Pinpoint is available, Cognito User Pools will support
2176
+ # sending events to Amazon Pinpoint projects within that same region.
2153
2177
  #
2154
2178
  # </note>
2155
2179
  #
@@ -2157,9 +2181,10 @@ module Aws::CognitoIdentityProvider
2157
2181
  # data as a hash:
2158
2182
  #
2159
2183
  # {
2160
- # application_id: "HexStringType", # required
2161
- # role_arn: "ArnType", # required
2162
- # external_id: "StringType", # required
2184
+ # application_id: "HexStringType",
2185
+ # application_arn: "ArnType",
2186
+ # role_arn: "ArnType",
2187
+ # external_id: "StringType",
2163
2188
  # user_data_shared: false,
2164
2189
  # }
2165
2190
  #
@@ -2167,6 +2192,13 @@ module Aws::CognitoIdentityProvider
2167
2192
  # The application ID for an Amazon Pinpoint application.
2168
2193
  # @return [String]
2169
2194
  #
2195
+ # @!attribute [rw] application_arn
2196
+ # The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You
2197
+ # can use the Amazon Pinpoint project for Pinpoint integration with
2198
+ # the chosen User Pool Client. Amazon Cognito publishes events to the
2199
+ # pinpoint project declared by the app ARN.
2200
+ # @return [String]
2201
+ #
2170
2202
  # @!attribute [rw] role_arn
2171
2203
  # The ARN of an IAM role that authorizes Amazon Cognito to publish
2172
2204
  # events to Amazon Pinpoint analytics.
@@ -2185,6 +2217,7 @@ module Aws::CognitoIdentityProvider
2185
2217
  #
2186
2218
  class AnalyticsConfigurationType < Struct.new(
2187
2219
  :application_id,
2220
+ :application_arn,
2188
2221
  :role_arn,
2189
2222
  :external_id,
2190
2223
  :user_data_shared)
@@ -2662,7 +2695,11 @@ module Aws::CognitoIdentityProvider
2662
2695
  #
2663
2696
  # @!attribute [rw] confirmation_code
2664
2697
  # The confirmation code sent by a user's request to retrieve a
2665
- # forgotten password. For more information, see
2698
+ # forgotten password. For more information, see [ForgotPassword][1].
2699
+ #
2700
+ #
2701
+ #
2702
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html
2666
2703
  # @return [String]
2667
2704
  #
2668
2705
  # @!attribute [rw] password
@@ -3020,7 +3057,7 @@ module Aws::CognitoIdentityProvider
3020
3057
  # The identity provider details. The following list describes the
3021
3058
  # provider detail keys for each identity provider type.
3022
3059
  #
3023
- # * For Google, Facebook and Login with Amazon:
3060
+ # * For Google and Login with Amazon:
3024
3061
  #
3025
3062
  # * client\_id
3026
3063
  #
@@ -3028,6 +3065,16 @@ module Aws::CognitoIdentityProvider
3028
3065
  #
3029
3066
  # * authorize\_scopes
3030
3067
  #
3068
+ # * For Facebook:
3069
+ #
3070
+ # * client\_id
3071
+ #
3072
+ # * client\_secret
3073
+ #
3074
+ # * authorize\_scopes
3075
+ #
3076
+ # * api\_version
3077
+ #
3031
3078
  # * For Sign in with Apple:
3032
3079
  #
3033
3080
  # * client\_id
@@ -3064,8 +3111,6 @@ module Aws::CognitoIdentityProvider
3064
3111
  # * jwks\_uri *if not available from discovery URL specified by
3065
3112
  # oidc\_issuer key*
3066
3113
  #
3067
- # * authorize\_scopes
3068
- #
3069
3114
  # * For SAML providers:
3070
3115
  #
3071
3116
  # * MetadataFile OR MetadataURL
@@ -3224,6 +3269,13 @@ module Aws::CognitoIdentityProvider
3224
3269
  # client_name: "ClientNameType", # required
3225
3270
  # generate_secret: false,
3226
3271
  # refresh_token_validity: 1,
3272
+ # access_token_validity: 1,
3273
+ # id_token_validity: 1,
3274
+ # token_validity_units: {
3275
+ # access_token: "seconds", # accepts seconds, minutes, hours, days
3276
+ # id_token: "seconds", # accepts seconds, minutes, hours, days
3277
+ # refresh_token: "seconds", # accepts seconds, minutes, hours, days
3278
+ # },
3227
3279
  # read_attributes: ["ClientPermissionType"],
3228
3280
  # write_attributes: ["ClientPermissionType"],
3229
3281
  # explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
@@ -3235,9 +3287,10 @@ module Aws::CognitoIdentityProvider
3235
3287
  # allowed_o_auth_scopes: ["ScopeType"],
3236
3288
  # allowed_o_auth_flows_user_pool_client: false,
3237
3289
  # analytics_configuration: {
3238
- # application_id: "HexStringType", # required
3239
- # role_arn: "ArnType", # required
3240
- # external_id: "StringType", # required
3290
+ # application_id: "HexStringType",
3291
+ # application_arn: "ArnType",
3292
+ # role_arn: "ArnType",
3293
+ # external_id: "StringType",
3241
3294
  # user_data_shared: false,
3242
3295
  # },
3243
3296
  # prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
@@ -3262,6 +3315,24 @@ module Aws::CognitoIdentityProvider
3262
3315
  # valid and cannot be used.
3263
3316
  # @return [Integer]
3264
3317
  #
3318
+ # @!attribute [rw] access_token_validity
3319
+ # The time limit, between 5 minutes and 1 day, after which the access
3320
+ # token is no longer valid and cannot be used. This value will be
3321
+ # overridden if you have entered a value in TokenValidityUnits.
3322
+ # @return [Integer]
3323
+ #
3324
+ # @!attribute [rw] id_token_validity
3325
+ # The time limit, between 5 minutes and 1 day, after which the ID
3326
+ # token is no longer valid and cannot be used. This value will be
3327
+ # overridden if you have entered a value in TokenValidityUnits.
3328
+ # @return [Integer]
3329
+ #
3330
+ # @!attribute [rw] token_validity_units
3331
+ # The units in which the validity times are represented in. Default
3332
+ # for RefreshToken is days, and default for ID and access tokens are
3333
+ # hours.
3334
+ # @return [Types::TokenValidityUnitsType]
3335
+ #
3265
3336
  # @!attribute [rw] read_attributes
3266
3337
  # The read attributes.
3267
3338
  # @return [Array<String>]
@@ -3398,9 +3469,10 @@ module Aws::CognitoIdentityProvider
3398
3469
  # The Amazon Pinpoint analytics configuration for collecting metrics
3399
3470
  # for this user pool.
3400
3471
  #
3401
- # <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
3402
- # projects in the US East (N. Virginia) us-east-1 Region, regardless
3403
- # of the region in which the user pool resides.
3472
+ # <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
3473
+ # supports sending events to Amazon Pinpoint projects in us-east-1. In
3474
+ # regions where Pinpoint is available, Cognito User Pools will support
3475
+ # sending events to Amazon Pinpoint projects within that same region.
3404
3476
  #
3405
3477
  # </note>
3406
3478
  # @return [Types::AnalyticsConfigurationType]
@@ -3423,24 +3495,6 @@ module Aws::CognitoIdentityProvider
3423
3495
  # * `LEGACY` - This represents the old behavior of Cognito where user
3424
3496
  # existence related errors are not prevented.
3425
3497
  #
3426
- # This setting affects the behavior of following APIs:
3427
- #
3428
- # * AdminInitiateAuth
3429
- #
3430
- # * AdminRespondToAuthChallenge
3431
- #
3432
- # * InitiateAuth
3433
- #
3434
- # * RespondToAuthChallenge
3435
- #
3436
- # * ForgotPassword
3437
- #
3438
- # * ConfirmForgotPassword
3439
- #
3440
- # * ConfirmSignUp
3441
- #
3442
- # * ResendConfirmationCode
3443
- #
3444
3498
  # <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
3445
3499
  # will default to `ENABLED` for newly created user pool clients if no
3446
3500
  # value is provided.
@@ -3455,6 +3509,9 @@ module Aws::CognitoIdentityProvider
3455
3509
  :client_name,
3456
3510
  :generate_secret,
3457
3511
  :refresh_token_validity,
3512
+ :access_token_validity,
3513
+ :id_token_validity,
3514
+ :token_validity_units,
3458
3515
  :read_attributes,
3459
3516
  :write_attributes,
3460
3517
  :explicit_auth_flows,
@@ -3756,7 +3813,11 @@ module Aws::CognitoIdentityProvider
3756
3813
  # selected sign-in option. For example, when this is set to `False`,
3757
3814
  # users will be able to sign in using either "username" or
3758
3815
  # "Username". This configuration is immutable once it has been set.
3759
- # For more information, see .
3816
+ # For more information, see [UsernameConfigurationType][1].
3817
+ #
3818
+ #
3819
+ #
3820
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html
3760
3821
  # @return [Types::UsernameConfigurationType]
3761
3822
  #
3762
3823
  # @!attribute [rw] account_recovery_setting
@@ -3768,13 +3829,6 @@ module Aws::CognitoIdentityProvider
3768
3829
  # enabled. In the absence of this setting, Cognito uses the legacy
3769
3830
  # behavior to determine the recovery method where SMS is preferred
3770
3831
  # over email.
3771
- #
3772
- # <note markdown="1"> Starting February 1, 2020, the value of `AccountRecoverySetting`
3773
- # will default to `verified_email` first and `verified_phone_number`
3774
- # as the second option for newly created user pools if no value is
3775
- # provided.
3776
- #
3777
- # </note>
3778
3832
  # @return [Types::AccountRecoverySettingType]
3779
3833
  #
3780
3834
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolRequest AWS API Documentation
@@ -5255,8 +5309,8 @@ module Aws::CognitoIdentityProvider
5255
5309
  # *This response parameter is no longer supported.* It provides
5256
5310
  # information only about SMS MFA configurations. It doesn't provide
5257
5311
  # information about TOTP software token MFA configurations. To look up
5258
- # information about either type of MFA configuration, use the use the
5259
- # GetUserResponse$UserMFASettingList response instead.
5312
+ # information about either type of MFA configuration, use
5313
+ # UserMFASettingList instead.
5260
5314
  # @return [Array<Types::MFAOptionType>]
5261
5315
  #
5262
5316
  # @!attribute [rw] preferred_mfa_setting
@@ -5426,7 +5480,15 @@ module Aws::CognitoIdentityProvider
5426
5480
  # The identity provider details. The following list describes the
5427
5481
  # provider detail keys for each identity provider type.
5428
5482
  #
5429
- # * For Google, Facebook and Login with Amazon:
5483
+ # * For Google and Login with Amazon:
5484
+ #
5485
+ # * client\_id
5486
+ #
5487
+ # * client\_secret
5488
+ #
5489
+ # * authorize\_scopes
5490
+ #
5491
+ # * For Facebook:
5430
5492
  #
5431
5493
  # * client\_id
5432
5494
  #
@@ -5434,6 +5496,8 @@ module Aws::CognitoIdentityProvider
5434
5496
  #
5435
5497
  # * authorize\_scopes
5436
5498
  #
5499
+ # * api\_version
5500
+ #
5437
5501
  # * For Sign in with Apple:
5438
5502
  #
5439
5503
  # * client\_id
@@ -5578,14 +5642,16 @@ module Aws::CognitoIdentityProvider
5578
5642
  #
5579
5643
  # * For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
5580
5644
  # `SECRET_HASH` (required if the app client is configured with a
5581
- # client secret), `DEVICE_KEY`
5645
+ # client secret), `DEVICE_KEY`.
5582
5646
  #
5583
5647
  # * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
5584
5648
  # (required), `SECRET_HASH` (required if the app client is
5585
- # configured with a client secret), `DEVICE_KEY`
5649
+ # configured with a client secret), `DEVICE_KEY`.
5586
5650
  #
5587
5651
  # * For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
5588
- # client is configured with client secret), `DEVICE_KEY`
5652
+ # client is configured with client secret), `DEVICE_KEY`. To start
5653
+ # the authentication flow with password verification, include
5654
+ # `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
5589
5655
  # @return [Hash<String,String>]
5590
5656
  #
5591
5657
  # @!attribute [rw] client_metadata
@@ -5717,10 +5783,10 @@ module Aws::CognitoIdentityProvider
5717
5783
  #
5718
5784
  # @!attribute [rw] session
5719
5785
  # The session which should be passed both ways in challenge-response
5720
- # calls to the service. If the or API call determines that the caller
5721
- # needs to go through another challenge, they return a session with
5722
- # other challenge parameters. This session should be passed as it is
5723
- # to the next `RespondToAuthChallenge` API call.
5786
+ # calls to the service. If the caller needs to go through another
5787
+ # challenge, they return a session with other challenge parameters.
5788
+ # This session should be passed as it is to the next
5789
+ # `RespondToAuthChallenge` API call.
5724
5790
  # @return [String]
5725
5791
  #
5726
5792
  # @!attribute [rw] challenge_parameters
@@ -6581,13 +6647,6 @@ module Aws::CognitoIdentityProvider
6581
6647
  # MFA configurations. You can't use it for TOTP software token MFA
6582
6648
  # configurations.
6583
6649
  #
6584
- # To set either type of MFA configuration, use the
6585
- # AdminSetUserMFAPreference or SetUserMFAPreference actions.
6586
- #
6587
- # To look up information about either type of MFA configuration, use the
6588
- # AdminGetUserResponse$UserMFASettingList or
6589
- # GetUserResponse$UserMFASettingList responses.
6590
- #
6591
6650
  # @note When making an API call, you may pass MFAOptionType
6592
6651
  # data as a hash:
6593
6652
  #
@@ -7214,9 +7273,13 @@ module Aws::CognitoIdentityProvider
7214
7273
  # @return [String]
7215
7274
  #
7216
7275
  # @!attribute [rw] challenge_name
7217
- # The challenge name. For more information, see .
7276
+ # The challenge name. For more information, see [InitiateAuth][1].
7218
7277
  #
7219
7278
  # `ADMIN_NO_SRP_AUTH` is not a valid value.
7279
+ #
7280
+ #
7281
+ #
7282
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
7220
7283
  # @return [String]
7221
7284
  #
7222
7285
  # @!attribute [rw] session
@@ -7324,19 +7387,28 @@ module Aws::CognitoIdentityProvider
7324
7387
  # The response to respond to the authentication challenge.
7325
7388
  #
7326
7389
  # @!attribute [rw] challenge_name
7327
- # The challenge name. For more information, see .
7390
+ # The challenge name. For more information, see [InitiateAuth][1].
7391
+ #
7392
+ #
7393
+ #
7394
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
7328
7395
  # @return [String]
7329
7396
  #
7330
7397
  # @!attribute [rw] session
7331
7398
  # The session which should be passed both ways in challenge-response
7332
- # calls to the service. If the or API call determines that the caller
7333
- # needs to go through another challenge, they return a session with
7334
- # other challenge parameters. This session should be passed as it is
7335
- # to the next `RespondToAuthChallenge` API call.
7399
+ # calls to the service. If the caller needs to go through another
7400
+ # challenge, they return a session with other challenge parameters.
7401
+ # This session should be passed as it is to the next
7402
+ # `RespondToAuthChallenge` API call.
7336
7403
  # @return [String]
7337
7404
  #
7338
7405
  # @!attribute [rw] challenge_parameters
7339
- # The challenge parameters. For more information, see .
7406
+ # The challenge parameters. For more information, see
7407
+ # [InitiateAuth][1].
7408
+ #
7409
+ #
7410
+ #
7411
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
7340
7412
  # @return [Hash<String,String>]
7341
7413
  #
7342
7414
  # @!attribute [rw] authentication_result
@@ -7493,8 +7565,9 @@ module Aws::CognitoIdentityProvider
7493
7565
  # Specifies whether the attribute type is developer only. This
7494
7566
  # attribute can only be modified by an administrator. Users will not
7495
7567
  # be able to modify this attribute using their access token. For
7496
- # example, `DeveloperOnlyAttribute` can be modified using the API but
7497
- # cannot be updated using the API.
7568
+ # example, `DeveloperOnlyAttribute` can be modified using
7569
+ # AdminUpdateUserAttributes but cannot be updated using
7570
+ # UpdateUserAttributes.
7498
7571
  #
7499
7572
  #
7500
7573
  #
@@ -8311,6 +8384,43 @@ module Aws::CognitoIdentityProvider
8311
8384
  #
8312
8385
  class TagResourceResponse < Aws::EmptyStructure; end
8313
8386
 
8387
+ # The data type for TokenValidityUnits that specifics the time
8388
+ # measurements for token validity.
8389
+ #
8390
+ # @note When making an API call, you may pass TokenValidityUnitsType
8391
+ # data as a hash:
8392
+ #
8393
+ # {
8394
+ # access_token: "seconds", # accepts seconds, minutes, hours, days
8395
+ # id_token: "seconds", # accepts seconds, minutes, hours, days
8396
+ # refresh_token: "seconds", # accepts seconds, minutes, hours, days
8397
+ # }
8398
+ #
8399
+ # @!attribute [rw] access_token
8400
+ # A time unit in “seconds”, “minutes”, “hours” or “days” for the value
8401
+ # in AccessTokenValidity, defaults to hours.
8402
+ # @return [String]
8403
+ #
8404
+ # @!attribute [rw] id_token
8405
+ # A time unit in “seconds”, “minutes”, “hours” or “days” for the value
8406
+ # in IdTokenValidity, defaults to hours.
8407
+ # @return [String]
8408
+ #
8409
+ # @!attribute [rw] refresh_token
8410
+ # A time unit in “seconds”, “minutes”, “hours” or “days” for the value
8411
+ # in RefreshTokenValidity, defaults to days.
8412
+ # @return [String]
8413
+ #
8414
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/TokenValidityUnitsType AWS API Documentation
8415
+ #
8416
+ class TokenValidityUnitsType < Struct.new(
8417
+ :access_token,
8418
+ :id_token,
8419
+ :refresh_token)
8420
+ SENSITIVE = []
8421
+ include Aws::Structure
8422
+ end
8423
+
8314
8424
  # This exception is thrown when the user has made too many failed
8315
8425
  # attempts for a given action (e.g., sign in).
8316
8426
  #
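Review bot: The class comment for `TokenValidityUnitsType` has a typo, "specifics" for "specifies"; the line should read `# The data type for TokenValidityUnits that specifies the time`. The three attribute comments put the accepted values in curly quotes (“seconds”, “minutes”, ...), while the hash example above them shows the literal lowercase strings. Writing them as `seconds`, `minutes`, `hours`, `days` in backticks would match the example and copy cleanly. If this file is generated from the service model, the wording fix belongs in the model.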
@@ -8578,7 +8688,11 @@ module Aws::CognitoIdentityProvider
8578
8688
  #
8579
8689
  # @!attribute [rw] precedence
8580
8690
  # The new precedence value for the group. For more information about
8581
- # this parameter, see .
8691
+ # this parameter, see [CreateGroup][1].
8692
+ #
8693
+ #
8694
+ #
8695
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html
8582
8696
  # @return [Integer]
8583
8697
  #
8584
8698
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateGroupRequest AWS API Documentation
@@ -8823,6 +8937,13 @@ module Aws::CognitoIdentityProvider
8823
8937
  # client_id: "ClientIdType", # required
8824
8938
  # client_name: "ClientNameType",
8825
8939
  # refresh_token_validity: 1,
8940
+ # access_token_validity: 1,
8941
+ # id_token_validity: 1,
8942
+ # token_validity_units: {
8943
+ # access_token: "seconds", # accepts seconds, minutes, hours, days
8944
+ # id_token: "seconds", # accepts seconds, minutes, hours, days
8945
+ # refresh_token: "seconds", # accepts seconds, minutes, hours, days
8946
+ # },
8826
8947
  # read_attributes: ["ClientPermissionType"],
8827
8948
  # write_attributes: ["ClientPermissionType"],
8828
8949
  # explicit_auth_flows: ["ADMIN_NO_SRP_AUTH"], # accepts ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH
@@ -8834,9 +8955,10 @@ module Aws::CognitoIdentityProvider
8834
8955
  # allowed_o_auth_scopes: ["ScopeType"],
8835
8956
  # allowed_o_auth_flows_user_pool_client: false,
8836
8957
  # analytics_configuration: {
8837
- # application_id: "HexStringType", # required
8838
- # role_arn: "ArnType", # required
8839
- # external_id: "StringType", # required
8958
+ # application_id: "HexStringType",
8959
+ # application_arn: "ArnType",
8960
+ # role_arn: "ArnType",
8961
+ # external_id: "StringType",
8840
8962
  # user_data_shared: false,
8841
8963
  # },
8842
8964
  # prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
@@ -8860,6 +8982,22 @@ module Aws::CognitoIdentityProvider
8860
8982
  # valid and cannot be used.
8861
8983
  # @return [Integer]
8862
8984
  #
8985
+ # @!attribute [rw] access_token_validity
8986
+ # The time limit, after which the access token is no longer valid and
8987
+ # cannot be used.
8988
+ # @return [Integer]
8989
+ #
8990
+ # @!attribute [rw] id_token_validity
8991
+ # The time limit, after which the ID token is no longer valid and
8992
+ # cannot be used.
8993
+ # @return [Integer]
8994
+ #
8995
+ # @!attribute [rw] token_validity_units
8996
+ # The units in which the validity times are represented in. Default
8997
+ # for RefreshToken is days, and default for ID and access tokens are
8998
+ # hours.
8999
+ # @return [Types::TokenValidityUnitsType]
9000
+ #
8863
9001
  # @!attribute [rw] read_attributes
8864
9002
  # The read-only attributes of the user pool.
8865
9003
  # @return [Array<String>]
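Review bot: The new `access_token_validity` and `id_token_validity` comments describe a bare "time limit" and never say that the integer is read in the unit chosen in `token_validity_units`. A value of `1` can therefore mean one second or one day depending on a separate field, which is easy to get wrong for a token lifetime. I would state the unit where the value is documented, for example `# The time limit, in the unit set by token_validity_units (hours by default), after which the access token is no longer valid and cannot be used.`, re-wrapped to the file's width, and likewise for the ID token. The response-side comments added in the later `+9728` hunk already mention the unit, so this would also make the two consistent. The enclosing class comment begins and ends outside this hunk.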
@@ -8982,9 +9120,10 @@ module Aws::CognitoIdentityProvider
8982
9120
  # The Amazon Pinpoint analytics configuration for collecting metrics
8983
9121
  # for this user pool.
8984
9122
  #
8985
- # <note markdown="1"> Cognito User Pools only supports sending events to Amazon Pinpoint
8986
- # projects in the US East (N. Virginia) us-east-1 Region, regardless
8987
- # of the region in which the user pool resides.
9123
+ # <note markdown="1"> In regions where Pinpoint is not available, Cognito User Pools only
9124
+ # supports sending events to Amazon Pinpoint projects in us-east-1. In
9125
+ # regions where Pinpoint is available, Cognito User Pools will support
9126
+ # sending events to Amazon Pinpoint projects within that same region.
8988
9127
  #
8989
9128
  # </note>
8990
9129
  # @return [Types::AnalyticsConfigurationType]
@@ -9007,24 +9146,6 @@ module Aws::CognitoIdentityProvider
9007
9146
  # * `LEGACY` - This represents the old behavior of Cognito where user
9008
9147
  # existence related errors are not prevented.
9009
9148
  #
9010
- # This setting affects the behavior of following APIs:
9011
- #
9012
- # * AdminInitiateAuth
9013
- #
9014
- # * AdminRespondToAuthChallenge
9015
- #
9016
- # * InitiateAuth
9017
- #
9018
- # * RespondToAuthChallenge
9019
- #
9020
- # * ForgotPassword
9021
- #
9022
- # * ConfirmForgotPassword
9023
- #
9024
- # * ConfirmSignUp
9025
- #
9026
- # * ResendConfirmationCode
9027
- #
9028
9149
  # <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
9029
9150
  # will default to `ENABLED` for newly created user pool clients if no
9030
9151
  # value is provided.
@@ -9039,6 +9160,9 @@ module Aws::CognitoIdentityProvider
9039
9160
  :client_id,
9040
9161
  :client_name,
9041
9162
  :refresh_token_validity,
9163
+ :access_token_validity,
9164
+ :id_token_validity,
9165
+ :token_validity_units,
9042
9166
  :read_attributes,
9043
9167
  :write_attributes,
9044
9168
  :explicit_auth_flows,
@@ -9604,6 +9728,23 @@ module Aws::CognitoIdentityProvider
9604
9728
  # valid and cannot be used.
9605
9729
  # @return [Integer]
9606
9730
  #
9731
+ # @!attribute [rw] access_token_validity
9732
+ # The time limit, specified by tokenValidityUnits, defaulting to
9733
+ # hours, after which the access token is no longer valid and cannot be
9734
+ # used.
9735
+ # @return [Integer]
9736
+ #
9737
+ # @!attribute [rw] id_token_validity
9738
+ # The time limit, specified by tokenValidityUnits, defaulting to
9739
+ # hours, after which the refresh token is no longer valid and cannot
9740
+ # be used.
9741
+ # @return [Integer]
9742
+ #
9743
+ # @!attribute [rw] token_validity_units
9744
+ # The time units used to specify the token validity times of their
9745
+ # respective token.
9746
+ # @return [Types::TokenValidityUnitsType]
9747
+ #
9607
9748
  # @!attribute [rw] read_attributes
9608
9749
  # The Read-only attributes.
9609
9750
  # @return [Array<String>]
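Review bot: The added `id_token_validity` comment says the limit is the point "after which the refresh token is no longer valid", which looks like a copy of the `refresh_token_validity` wording. The two lines should read `# hours, after which the ID token is no longer valid and cannot be` and `# used.`. Token lifetimes are a security setting, and a reader who trusts this text could misjudge which token's lifetime the field controls. The request-side comment added in the `+8982` hunk names the ID token correctly. The enclosing class comment begins and ends outside this hunk.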
@@ -9751,24 +9892,6 @@ module Aws::CognitoIdentityProvider
9751
9892
  # * `LEGACY` - This represents the old behavior of Cognito where user
9752
9893
  # existence related errors are not prevented.
9753
9894
  #
9754
- # This setting affects the behavior of following APIs:
9755
- #
9756
- # * AdminInitiateAuth
9757
- #
9758
- # * AdminRespondToAuthChallenge
9759
- #
9760
- # * InitiateAuth
9761
- #
9762
- # * RespondToAuthChallenge
9763
- #
9764
- # * ForgotPassword
9765
- #
9766
- # * ConfirmForgotPassword
9767
- #
9768
- # * ConfirmSignUp
9769
- #
9770
- # * ResendConfirmationCode
9771
- #
9772
9895
  # <note markdown="1"> After February 15th 2020, the value of `PreventUserExistenceErrors`
9773
9896
  # will default to `ENABLED` for newly created user pool clients if no
9774
9897
  # value is provided.
@@ -9786,6 +9909,9 @@ module Aws::CognitoIdentityProvider
9786
9909
  :last_modified_date,
9787
9910
  :creation_date,
9788
9911
  :refresh_token_validity,
9912
+ :access_token_validity,
9913
+ :id_token_validity,
9914
+ :token_validity_units,
9789
9915
  :read_attributes,
9790
9916
  :write_attributes,
9791
9917
  :explicit_auth_flows,
@@ -10028,7 +10154,11 @@ module Aws::CognitoIdentityProvider
10028
10154
  # the selected sign-in option. For example, when this is set to
10029
10155
  # `False`, users will be able to sign in using either "username" or
10030
10156
  # "Username". This configuration is immutable once it has been set.
10031
- # For more information, see .
10157
+ # For more information, see [UsernameConfigurationType][1].
10158
+ #
10159
+ #
10160
+ #
10161
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UsernameConfigurationType.html
10032
10162
  # @return [Types::UsernameConfigurationType]
10033
10163
  #
10034
10164
  # @!attribute [rw] arn
@@ -10272,6 +10402,11 @@ module Aws::CognitoIdentityProvider
10272
10402
  #
10273
10403
  # @!attribute [rw] user_code
10274
10404
  # The one time password computed using the secret code returned by
10405
+ # [AssociateSoftwareToken"][1].
10406
+ #
10407
+ #
10408
+ #
10409
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html
10275
10410
  # @return [String]
10276
10411
  #
10277
10412
  # @!attribute [rw] friendly_device_name
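Review bot: The link text added to the `user_code` comment carries a stray double quote, `[AssociateSoftwareToken"][1]`, which will show up in the rendered documentation. The line should be `# [AssociateSoftwareToken][1].`. The other reference links added in this diff, `[InitiateAuth][1]` and `[CreateGroup][1]`, do not have the extra character.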