aws-sdk-cognitoidentityprovider 1.65.0 → 1.66.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-cognitoidentityprovider/client.rb +363 -190
- data/lib/aws-sdk-cognitoidentityprovider/client_api.rb +11 -0
- data/lib/aws-sdk-cognitoidentityprovider/types.rb +581 -299
- data/lib/aws-sdk-cognitoidentityprovider.rb +1 -1
- metadata +2 -2
@@ -52,7 +52,7 @@ module Aws::CognitoIdentityProvider
|
|
52
52
|
#
|
53
53
|
# @!attribute [rw] event_action
|
54
54
|
# The action to take in response to the account takeover action. Valid
|
55
|
-
# values are:
|
55
|
+
# values are as follows:
|
56
56
|
#
|
57
57
|
# * `BLOCK` Choosing this action will block the request.
|
58
58
|
#
|
@@ -354,11 +354,11 @@ module Aws::CognitoIdentityProvider
|
|
354
354
|
# @return [Boolean]
|
355
355
|
#
|
356
356
|
# @!attribute [rw] unused_account_validity_days
|
357
|
-
# The user account expiration limit, in days, after which
|
358
|
-
# is no longer usable. To reset the
|
359
|
-
#
|
360
|
-
# `MessageAction` parameter. The
|
361
|
-
# 7.
|
357
|
+
# The user account expiration limit, in days, after which a new
|
358
|
+
# account that hasn't signed in is no longer usable. To reset the
|
359
|
+
# account after that time limit, you must call `AdminCreateUser`
|
360
|
+
# again, specifying `"RESEND"` for the `MessageAction` parameter. The
|
361
|
+
# default value for this parameter is 7.
|
362
362
|
#
|
363
363
|
# <note markdown="1"> If you set a value for `TemporaryPasswordValidityDays` in
|
364
364
|
# `PasswordPolicy`, that value will be used, and
|
@@ -1185,9 +1185,21 @@ module Aws::CognitoIdentityProvider
|
|
1185
1185
|
# enabled to use this flow.
|
1186
1186
|
#
|
1187
1187
|
# * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
|
1188
|
-
# their passwords after successful first login.
|
1189
|
-
#
|
1190
|
-
#
|
1188
|
+
# their passwords after successful first login. Respond to this
|
1189
|
+
# challenge with `NEW_PASSWORD` and any required attributes that
|
1190
|
+
# Amazon Cognito returned in the `requiredAttributes` parameter. You
|
1191
|
+
# can also set values for attributes that aren't required by your
|
1192
|
+
# user pool and that your app client can write. For more
|
1193
|
+
# information, see [AdminRespondToAuthChallenge][1].
|
1194
|
+
#
|
1195
|
+
# <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
|
1196
|
+
# a required attribute that already has a value. In
|
1197
|
+
# `AdminRespondToAuthChallenge`, set a value for any keys that
|
1198
|
+
# Amazon Cognito returned in the `requiredAttributes` parameter,
|
1199
|
+
# then use the `AdminUpdateUserAttributes` API operation to modify
|
1200
|
+
# the value of any additional attributes.
|
1201
|
+
#
|
1202
|
+
# </note>
|
1191
1203
|
#
|
1192
1204
|
# * `MFA_SETUP`\: For users who are required to set up an MFA factor
|
1193
1205
|
# before they can sign in. The MFA types activated for the user pool
|
@@ -1200,6 +1212,10 @@ module Aws::CognitoIdentityProvider
|
|
1200
1212
|
# complete sign-in. To set up SMS MFA, users will need help from an
|
1201
1213
|
# administrator to add a phone number to their account and then call
|
1202
1214
|
# `InitiateAuth` again to restart sign-in.
|
1215
|
+
#
|
1216
|
+
#
|
1217
|
+
#
|
1218
|
+
# [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html
|
1203
1219
|
# @return [String]
|
1204
1220
|
#
|
1205
1221
|
# @!attribute [rw] session
|
@@ -1267,12 +1283,11 @@ module Aws::CognitoIdentityProvider
|
|
1267
1283
|
#
|
1268
1284
|
# @!attribute [rw] destination_user
|
1269
1285
|
# The existing user in the user pool that you want to assign to the
|
1270
|
-
# external
|
1271
|
-
#
|
1272
|
-
#
|
1273
|
-
#
|
1274
|
-
#
|
1275
|
-
# attribute) signs in.
|
1286
|
+
# external IdP user account. This user can be a native (Username +
|
1287
|
+
# Password) Amazon Cognito user pools user or a federated user (for
|
1288
|
+
# example, a SAML or Facebook user). If the user doesn't exist,
|
1289
|
+
# Amazon Cognito generates an exception. Amazon Cognito returns this
|
1290
|
+
# user when the new user (with the linked IdP attribute) signs in.
|
1276
1291
|
#
|
1277
1292
|
# For a native username + password user, the `ProviderAttributeValue`
|
1278
1293
|
# for the `DestinationUser` should be the username in the user pool.
|
@@ -1289,30 +1304,29 @@ module Aws::CognitoIdentityProvider
|
|
1289
1304
|
# @return [Types::ProviderUserIdentifierType]
|
1290
1305
|
#
|
1291
1306
|
# @!attribute [rw] source_user
|
1292
|
-
# An external
|
1293
|
-
#
|
1294
|
-
#
|
1307
|
+
# An external IdP account for a user who doesn't exist yet in the
|
1308
|
+
# user pool. This user must be a federated user (for example, a SAML
|
1309
|
+
# or Facebook user), not another native user.
|
1295
1310
|
#
|
1296
|
-
# If the `SourceUser` is using a federated social
|
1297
|
-
#
|
1298
|
-
# `ProviderAttributeName` to `Cognito_Subject`. For social
|
1299
|
-
#
|
1300
|
-
#
|
1301
|
-
#
|
1302
|
-
#
|
1303
|
-
#
|
1304
|
-
#
|
1311
|
+
# If the `SourceUser` is using a federated social IdP, such as
|
1312
|
+
# Facebook, Google, or Login with Amazon, you must set the
|
1313
|
+
# `ProviderAttributeName` to `Cognito_Subject`. For social IdPs, the
|
1314
|
+
# `ProviderName` will be `Facebook`, `Google`, or `LoginWithAmazon`,
|
1315
|
+
# and Amazon Cognito will automatically parse the Facebook, Google,
|
1316
|
+
# and Login with Amazon tokens for `id`, `sub`, and `user_id`,
|
1317
|
+
# respectively. The `ProviderAttributeValue` for the user must be the
|
1318
|
+
# same value as the `id`, `sub`, or `user_id` value found in the
|
1319
|
+
# social IdP token.
|
1305
1320
|
#
|
1306
1321
|
#
|
1307
1322
|
#
|
1308
1323
|
# For SAML, the `ProviderAttributeName` can be any value that matches
|
1309
1324
|
# a claim in the SAML assertion. If you want to link SAML users based
|
1310
1325
|
# on the subject of the SAML assertion, you should map the subject to
|
1311
|
-
# a claim through the SAML
|
1312
|
-
#
|
1313
|
-
# `
|
1314
|
-
#
|
1315
|
-
# subject from the SAML token.
|
1326
|
+
# a claim through the SAML IdP and submit that claim name as the
|
1327
|
+
# `ProviderAttributeName`. If you set `ProviderAttributeName` to
|
1328
|
+
# `Cognito_Subject`, Amazon Cognito will automatically parse the
|
1329
|
+
# default unique identifier found in the subject from the SAML token.
|
1316
1330
|
# @return [Types::ProviderUserIdentifierType]
|
1317
1331
|
#
|
1318
1332
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminLinkProviderForUserRequest AWS API Documentation
|
@@ -1679,9 +1693,22 @@ module Aws::CognitoIdentityProvider
|
|
1679
1693
|
# * `ADMIN_NO_SRP_AUTH`\: `PASSWORD`, `USERNAME`, `SECRET_HASH` (if
|
1680
1694
|
# app client is configured with client secret).
|
1681
1695
|
#
|
1682
|
-
# * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`,
|
1683
|
-
#
|
1684
|
-
#
|
1696
|
+
# * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
|
1697
|
+
# `SECRET_HASH` (if app client is configured with client secret). To
|
1698
|
+
# set any required attributes that Amazon Cognito returned as
|
1699
|
+
# `requiredAttributes` in the `AdminInitiateAuth` response, add a
|
1700
|
+
# `userAttributes.attributename ` parameter. This parameter can also
|
1701
|
+
# set values for writable attributes that aren't required by your
|
1702
|
+
# user pool.
|
1703
|
+
#
|
1704
|
+
# <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
|
1705
|
+
# a required attribute that already has a value. In
|
1706
|
+
# `AdminRespondToAuthChallenge`, set a value for any keys that
|
1707
|
+
# Amazon Cognito returned in the `requiredAttributes` parameter,
|
1708
|
+
# then use the `AdminUpdateUserAttributes` API operation to modify
|
1709
|
+
# the value of any additional attributes.
|
1710
|
+
#
|
1711
|
+
# </note>
|
1685
1712
|
#
|
1686
1713
|
# * `MFA_SETUP` requires `USERNAME`, plus you must use the session
|
1687
1714
|
# value returned by `VerifySoftwareToken` in the `Session`
|
@@ -2089,6 +2116,22 @@ module Aws::CognitoIdentityProvider
|
|
2089
2116
|
#
|
2090
2117
|
# For custom attributes, you must prepend the `custom:` prefix to the
|
2091
2118
|
# attribute name.
|
2119
|
+
#
|
2120
|
+
# If your user pool requires verification before Amazon Cognito
|
2121
|
+
# updates an attribute value that you specify in this request, Amazon
|
2122
|
+
# Cognito doesn’t immediately update the value of that attribute.
|
2123
|
+
# After your user receives and responds to a verification message to
|
2124
|
+
# verify the new value, Amazon Cognito updates the attribute value.
|
2125
|
+
# Your user can sign in and receive messages with the original
|
2126
|
+
# attribute value until they verify the new value.
|
2127
|
+
#
|
2128
|
+
# To update the value of an attribute that requires verification in
|
2129
|
+
# the same API request, include the `email_verified` or
|
2130
|
+
# `phone_number_verified` attribute, with a value of `true`. If you
|
2131
|
+
# set the `email_verified` or `phone_number_verified` value for an
|
2132
|
+
# `email` or `phone_number` attribute that requires verification to
|
2133
|
+
# `true`, Amazon Cognito doesn’t send a verification message to your
|
2134
|
+
# user.
|
2092
2135
|
# @return [Array<Types::AttributeType>]
|
2093
2136
|
#
|
2094
2137
|
# @!attribute [rw] client_metadata
|
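Review bot: The added paragraph on `email_verified` / `phone_number_verified` says only that Amazon Cognito sends no verification message when the flag is `true`; it does not say that the caller is then vouching for a value the user never confirmed. The same text notes that users sign in and receive messages with these attributes, so I would add a sentence such as `# Set this value to true only after you have confirmed out of band that the user controls the new address or number.` Separately, both added paragraphs use a typographic apostrophe (`doesn’t`), while the other comments on this page use ASCII (`hasn't`, `aren't`); that should be normalized. The attribute's comment block starts above this hunk.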
@@ -2181,9 +2224,11 @@ module Aws::CognitoIdentityProvider
|
|
2181
2224
|
class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
|
2182
2225
|
|
2183
2226
|
# This exception is thrown when a user tries to confirm the account with
|
2184
|
-
# an email or phone number that has already been supplied as an
|
2185
|
-
# from a different account. This exception
|
2186
|
-
# with this email or phone already exists
|
2227
|
+
# an email address or phone number that has already been supplied as an
|
2228
|
+
# alias from a different account. This exception indicates that an
|
2229
|
+
# account with this email address or phone already exists in a user pool
|
2230
|
+
# that you've configured to use email address or phone number as a
|
2231
|
+
# sign-in alias.
|
2187
2232
|
#
|
2188
2233
|
# @!attribute [rw] message
|
2189
2234
|
# The message sent to the user when an alias exists.
|
@@ -2197,8 +2242,8 @@ module Aws::CognitoIdentityProvider
|
|
2197
2242
|
include Aws::Structure
|
2198
2243
|
end
|
2199
2244
|
|
2200
|
-
# The Amazon Pinpoint analytics configuration
|
2201
|
-
# a user pool.
|
2245
|
+
# The Amazon Pinpoint analytics configuration necessary to collect
|
2246
|
+
# metrics for a user pool.
|
2202
2247
|
#
|
2203
2248
|
# <note markdown="1"> In Regions where Amazon Pinpointisn't available, user pools only
|
2204
2249
|
# support sending events to Amazon Pinpoint projects in us-east-1. In
|
@@ -2226,7 +2271,7 @@ module Aws::CognitoIdentityProvider
|
|
2226
2271
|
# The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You
|
2227
2272
|
# can use the Amazon Pinpoint project to integrate with the chosen
|
2228
2273
|
# user pool Client. Amazon Cognito publishes events to the Amazon
|
2229
|
-
#
|
2274
|
+
# Pinpoint project that the app ARN declares.
|
2230
2275
|
# @return [String]
|
2231
2276
|
#
|
2232
2277
|
# @!attribute [rw] role_arn
|
@@ -2239,8 +2284,8 @@ module Aws::CognitoIdentityProvider
|
|
2239
2284
|
# @return [String]
|
2240
2285
|
#
|
2241
2286
|
# @!attribute [rw] user_data_shared
|
2242
|
-
# If `UserDataShared` is `true`, Amazon Cognito
|
2243
|
-
#
|
2287
|
+
# If `UserDataShared` is `true`, Amazon Cognito includes user data in
|
2288
|
+
# the events that it publishes to Amazon Pinpoint analytics.
|
2244
2289
|
# @return [Boolean]
|
2245
2290
|
#
|
2246
2291
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AnalyticsConfigurationType AWS API Documentation
|
@@ -2259,12 +2304,14 @@ module Aws::CognitoIdentityProvider
|
|
2259
2304
|
#
|
2260
2305
|
# An endpoint uniquely identifies a mobile device, email address, or
|
2261
2306
|
# phone number that can receive messages from Amazon Pinpoint analytics.
|
2307
|
+
# For more information about Amazon Web Services Regions that can
|
2308
|
+
# contain Amazon Pinpoint resources for use with Amazon Cognito user
|
2309
|
+
# pools, see [Using Amazon Pinpoint analytics with Amazon Cognito user
|
2310
|
+
# pools][1].
|
2262
2311
|
#
|
2263
|
-
# <note markdown="1"> Amazon Cognito user pools only support sending events to Amazon
|
2264
|
-
# Pinpoint projects in the US East (N. Virginia) us-east-1 Region,
|
2265
|
-
# regardless of the Region where the user pool resides.
|
2266
2312
|
#
|
2267
|
-
#
|
2313
|
+
#
|
2314
|
+
# [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html
|
2268
2315
|
#
|
2269
2316
|
# @note When making an API call, you may pass AnalyticsMetadataType
|
2270
2317
|
# data as a hash:
|
@@ -2294,7 +2341,8 @@ module Aws::CognitoIdentityProvider
|
|
2294
2341
|
# }
|
2295
2342
|
#
|
2296
2343
|
# @!attribute [rw] access_token
|
2297
|
-
#
|
2344
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
2345
|
+
# software token you want to generate.
|
2298
2346
|
# @return [String]
|
2299
2347
|
#
|
2300
2348
|
# @!attribute [rw] session
|
@@ -2414,7 +2462,8 @@ module Aws::CognitoIdentityProvider
|
|
2414
2462
|
# The authentication result.
|
2415
2463
|
#
|
2416
2464
|
# @!attribute [rw] access_token
|
2417
|
-
#
|
2465
|
+
# A valid access token that Amazon Cognito issued to the user who you
|
2466
|
+
# want to authenticate.
|
2418
2467
|
# @return [String]
|
2419
2468
|
#
|
2420
2469
|
# @!attribute [rw] expires_in
|
@@ -2489,7 +2538,8 @@ module Aws::CognitoIdentityProvider
|
|
2489
2538
|
# @return [String]
|
2490
2539
|
#
|
2491
2540
|
# @!attribute [rw] access_token
|
2492
|
-
#
|
2541
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
2542
|
+
# password you want to change.
|
2493
2543
|
# @return [String]
|
2494
2544
|
#
|
2495
2545
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ChangePasswordRequest AWS API Documentation
|
@@ -2508,18 +2558,21 @@ module Aws::CognitoIdentityProvider
|
|
2508
2558
|
#
|
2509
2559
|
class ChangePasswordResponse < Aws::EmptyStructure; end
|
2510
2560
|
|
2511
|
-
# The
|
2561
|
+
# The delivery details for an email or SMS message that Amazon Cognito
|
2562
|
+
# sent for authentication or verification.
|
2512
2563
|
#
|
2513
2564
|
# @!attribute [rw] destination
|
2514
|
-
# The
|
2565
|
+
# The email address or phone number destination where Amazon Cognito
|
2566
|
+
# sent the code.
|
2515
2567
|
# @return [String]
|
2516
2568
|
#
|
2517
2569
|
# @!attribute [rw] delivery_medium
|
2518
|
-
# The
|
2570
|
+
# The method that Amazon Cognito used to send the code.
|
2519
2571
|
# @return [String]
|
2520
2572
|
#
|
2521
2573
|
# @!attribute [rw] attribute_name
|
2522
|
-
# The attribute
|
2574
|
+
# The name of the attribute that Amazon Cognito verifies with the
|
2575
|
+
# code.
|
2523
2576
|
# @return [String]
|
2524
2577
|
#
|
2525
2578
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CodeDeliveryDetailsType AWS API Documentation
|
@@ -2645,7 +2698,8 @@ module Aws::CognitoIdentityProvider
|
|
2645
2698
|
# }
|
2646
2699
|
#
|
2647
2700
|
# @!attribute [rw] access_token
|
2648
|
-
#
|
2701
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
2702
|
+
# device you want to confirm.
|
2649
2703
|
# @return [String]
|
2650
2704
|
#
|
2651
2705
|
# @!attribute [rw] device_key
|
@@ -3013,7 +3067,7 @@ module Aws::CognitoIdentityProvider
|
|
3013
3067
|
# A non-negative integer value that specifies the precedence of this
|
3014
3068
|
# group relative to the other groups that a user can belong to in the
|
3015
3069
|
# user pool. Zero is the highest precedence value. Groups with lower
|
3016
|
-
# `Precedence` values take precedence over groups with higher
|
3070
|
+
# `Precedence` values take precedence over groups with higher or null
|
3017
3071
|
# `Precedence` values. If a user belongs to two or more groups, it is
|
3018
3072
|
# the group with the lowest precedence value whose role ARN is given
|
3019
3073
|
# in the user's tokens for the `cognito:roles` and
|
@@ -3026,7 +3080,8 @@ module Aws::CognitoIdentityProvider
|
|
3026
3080
|
# group. If the two groups have different role ARNs, the
|
3027
3081
|
# `cognito:preferred_role` claim isn't set in users' tokens.
|
3028
3082
|
#
|
3029
|
-
# The default `Precedence` value is null.
|
3083
|
+
# The default `Precedence` value is null. The maximum `Precedence`
|
3084
|
+
# value is `2^31-1`.
|
3030
3085
|
# @return [Integer]
|
3031
3086
|
#
|
3032
3087
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateGroupRequest AWS API Documentation
|
@@ -3074,16 +3129,16 @@ module Aws::CognitoIdentityProvider
|
|
3074
3129
|
# @return [String]
|
3075
3130
|
#
|
3076
3131
|
# @!attribute [rw] provider_name
|
3077
|
-
# The
|
3132
|
+
# The IdP name.
|
3078
3133
|
# @return [String]
|
3079
3134
|
#
|
3080
3135
|
# @!attribute [rw] provider_type
|
3081
|
-
# The
|
3136
|
+
# The IdP type.
|
3082
3137
|
# @return [String]
|
3083
3138
|
#
|
3084
3139
|
# @!attribute [rw] provider_details
|
3085
|
-
# The
|
3086
|
-
#
|
3140
|
+
# The IdP details. The following list describes the provider detail
|
3141
|
+
# keys for each IdP type.
|
3087
3142
|
#
|
3088
3143
|
# * For Google and Login with Amazon:
|
3089
3144
|
#
|
@@ -3127,35 +3182,38 @@ module Aws::CognitoIdentityProvider
|
|
3127
3182
|
#
|
3128
3183
|
# * authorize\_scopes
|
3129
3184
|
#
|
3130
|
-
# *
|
3131
|
-
#
|
3185
|
+
# * The following keys are only present if Amazon Cognito didn't
|
3186
|
+
# discover them at the `oidc_issuer` URL.
|
3187
|
+
#
|
3188
|
+
# * authorize\_url
|
3189
|
+
#
|
3190
|
+
# * token\_url
|
3132
3191
|
#
|
3133
|
-
#
|
3134
|
-
# oidc\_issuer key*
|
3192
|
+
# * attributes\_url
|
3135
3193
|
#
|
3136
|
-
#
|
3137
|
-
# by oidc\_issuer key*
|
3194
|
+
# * jwks\_uri
|
3138
3195
|
#
|
3139
|
-
# *
|
3140
|
-
#
|
3196
|
+
# * Amazon Cognito sets the value of the following keys
|
3197
|
+
# automatically. They are read-only.
|
3141
3198
|
#
|
3142
|
-
#
|
3143
|
-
#
|
3199
|
+
# * attributes\_url\_add\_attributes
|
3200
|
+
#
|
3201
|
+
# ^
|
3144
3202
|
#
|
3145
3203
|
# * For SAML providers:
|
3146
3204
|
#
|
3147
|
-
# * MetadataFile
|
3205
|
+
# * MetadataFile or MetadataURL
|
3148
3206
|
#
|
3149
|
-
# * IDPSignout
|
3207
|
+
# * IDPSignout *optional*
|
3150
3208
|
# @return [Hash<String,String>]
|
3151
3209
|
#
|
3152
3210
|
# @!attribute [rw] attribute_mapping
|
3153
|
-
# A mapping of
|
3154
|
-
#
|
3211
|
+
# A mapping of IdP attributes to standard and custom user pool
|
3212
|
+
# attributes.
|
3155
3213
|
# @return [Hash<String,String>]
|
3156
3214
|
#
|
3157
3215
|
# @!attribute [rw] idp_identifiers
|
3158
|
-
# A list of
|
3216
|
+
# A list of IdP identifiers.
|
3159
3217
|
# @return [Array<String>]
|
3160
3218
|
#
|
3161
3219
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderRequest AWS API Documentation
|
@@ -3172,7 +3230,7 @@ module Aws::CognitoIdentityProvider
|
|
3172
3230
|
end
|
3173
3231
|
|
3174
3232
|
# @!attribute [rw] identity_provider
|
3175
|
-
# The newly created
|
3233
|
+
# The newly created IdP object.
|
3176
3234
|
# @return [Types::IdentityProviderType]
|
3177
3235
|
#
|
3178
3236
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderResponse AWS API Documentation
|
@@ -3343,26 +3401,53 @@ module Aws::CognitoIdentityProvider
|
|
3343
3401
|
# @return [Boolean]
|
3344
3402
|
#
|
3345
3403
|
# @!attribute [rw] refresh_token_validity
|
3346
|
-
# The time limit
|
3347
|
-
#
|
3404
|
+
# The refresh token time limit. After this limit expires, your user
|
3405
|
+
# can't use their refresh token. To specify the time unit for
|
3406
|
+
# `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
|
3407
|
+
# set a `TokenValidityUnits` value in your API request.
|
3408
|
+
#
|
3409
|
+
# For example, when you set `RefreshTokenValidity` as `10` and
|
3410
|
+
# `TokenValidityUnits` as `days`, your user can refresh their session
|
3411
|
+
# and retrieve new access and ID tokens for 10 days.
|
3412
|
+
#
|
3413
|
+
# The default time unit for `RefreshTokenValidity` in an API request
|
3414
|
+
# is days. You can't set `RefreshTokenValidity` to 0. If you do,
|
3415
|
+
# Amazon Cognito overrides the value with the default value of 30
|
3416
|
+
# days. *Valid range* is displayed below in seconds.
|
3348
3417
|
# @return [Integer]
|
3349
3418
|
#
|
3350
3419
|
# @!attribute [rw] access_token_validity
|
3351
|
-
# The time limit
|
3352
|
-
#
|
3353
|
-
#
|
3420
|
+
# The access token time limit. After this limit expires, your user
|
3421
|
+
# can't use their access token. To specify the time unit for
|
3422
|
+
# `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
|
3423
|
+
# set a `TokenValidityUnits` value in your API request.
|
3424
|
+
#
|
3425
|
+
# For example, when you set `AccessTokenValidity` to `10` and
|
3426
|
+
# `TokenValidityUnits` to `hours`, your user can authorize access with
|
3427
|
+
# their access token for 10 hours.
|
3428
|
+
#
|
3429
|
+
# The default time unit for `AccessTokenValidity` in an API request is
|
3430
|
+
# hours. *Valid range* is displayed below in seconds.
|
3354
3431
|
# @return [Integer]
|
3355
3432
|
#
|
3356
3433
|
# @!attribute [rw] id_token_validity
|
3357
|
-
# The time limit
|
3358
|
-
#
|
3359
|
-
#
|
3434
|
+
# The ID token time limit. After this limit expires, your user can't
|
3435
|
+
# use their ID token. To specify the time unit for `IdTokenValidity`
|
3436
|
+
# as `seconds`, `minutes`, `hours`, or `days`, set a
|
3437
|
+
# `TokenValidityUnits` value in your API request.
|
3438
|
+
#
|
3439
|
+
# For example, when you set `IdTokenValidity` as `10` and
|
3440
|
+
# `TokenValidityUnits` as `hours`, your user can authenticate their
|
3441
|
+
# session with their ID token for 10 hours.
|
3442
|
+
#
|
3443
|
+
# The default time unit for `AccessTokenValidity` in an API request is
|
3444
|
+
# hours. *Valid range* is displayed below in seconds.
|
3360
3445
|
# @return [Integer]
|
3361
3446
|
#
|
3362
3447
|
# @!attribute [rw] token_validity_units
|
3363
|
-
# The units in which the validity times are represented.
|
3364
|
-
# RefreshToken is days, and default for ID and access tokens
|
3365
|
-
# hours.
|
3448
|
+
# The units in which the validity times are represented. The default
|
3449
|
+
# unit for RefreshToken is days, and default for ID and access tokens
|
3450
|
+
# are hours.
|
3366
3451
|
# @return [Types::TokenValidityUnitsType]
|
3367
3452
|
#
|
3368
3453
|
# @!attribute [rw] read_attributes
|
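Review bot: The new `id_token_validity` description ends with "The default time unit for `AccessTokenValidity` in an API request is hours", which looks copied from the `access_token_validity` block directly above it; the sentence should name `IdTokenValidity`. These values bound how long an issued token stays usable, so a wrong parameter name in the default-unit sentence is easy to misread when choosing lifetimes. The three blocks also alternate between "set X as `10`" and "set X to `10`", which is worth making uniform.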
@@ -3372,14 +3457,13 @@ module Aws::CognitoIdentityProvider
|
|
3372
3457
|
# @!attribute [rw] write_attributes
|
3373
3458
|
# The user pool attributes that the app client can write to.
|
3374
3459
|
#
|
3375
|
-
# If your app client allows users to sign in through an
|
3376
|
-
#
|
3377
|
-
#
|
3378
|
-
#
|
3379
|
-
#
|
3380
|
-
#
|
3381
|
-
#
|
3382
|
-
# Provider Attribute Mappings for Your user pool][1].
|
3460
|
+
# If your app client allows users to sign in through an IdP, this
|
3461
|
+
# array must include all attributes that you have mapped to IdP
|
3462
|
+
# attributes. Amazon Cognito updates mapped attributes when users sign
|
3463
|
+
# in to your application through an IdP. If your app client does not
|
3464
|
+
# have write access to a mapped attribute, Amazon Cognito throws an
|
3465
|
+
# error when it tries to update the attribute. For more information,
|
3466
|
+
# see [Specifying IdP Attribute Mappings for Your user pool][1].
|
3383
3467
|
#
|
3384
3468
|
#
|
3385
3469
|
#
|
@@ -3415,17 +3499,21 @@ module Aws::CognitoIdentityProvider
|
|
3415
3499
|
# * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
|
3416
3500
|
#
|
3417
3501
|
# * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
|
3502
|
+
#
|
3503
|
+
# If you don't specify a value for `ExplicitAuthFlows`, your app
|
3504
|
+
# client activates the `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`
|
3505
|
+
# authentication flows.
|
3418
3506
|
# @return [Array<String>]
|
3419
3507
|
#
|
3420
3508
|
# @!attribute [rw] supported_identity_providers
|
3421
|
-
# A list of provider names for the
|
3422
|
-
#
|
3423
|
-
# `
|
3509
|
+
# A list of provider names for the IdPs that this client supports. The
|
3510
|
+
# following are supported: `COGNITO`, `Facebook`, `Google`
|
3511
|
+
# `LoginWithAmazon`, and the names of your own SAML and OIDC
|
3512
|
+
# providers.
|
3424
3513
|
# @return [Array<String>]
|
3425
3514
|
#
|
3426
3515
|
# @!attribute [rw] callback_urls
|
3427
|
-
# A list of allowed redirect (callback) URLs for the
|
3428
|
-
# providers.
|
3516
|
+
# A list of allowed redirect (callback) URLs for the IdPs.
|
3429
3517
|
#
|
3430
3518
|
# A redirect URI must:
|
3431
3519
|
#
|
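Review bot: The rewritten `supported_identity_providers` description drops the comma between `Google` and `LoginWithAmazon`, so the two provider names read as one item; the line should end with a comma after `Google`. The class comment that holds these attributes extends beyond both ends of the hunk.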
@@ -3448,7 +3536,7 @@ module Aws::CognitoIdentityProvider
|
|
3448
3536
|
# @return [Array<String>]
|
3449
3537
|
#
|
3450
3538
|
# @!attribute [rw] logout_urls
|
3451
|
-
# A list of allowed logout URLs for the
|
3539
|
+
# A list of allowed logout URLs for the IdPs.
|
3452
3540
|
# @return [Array<String>]
|
3453
3541
|
#
|
3454
3542
|
# @!attribute [rw] default_redirect_uri
|
@@ -3477,22 +3565,28 @@ module Aws::CognitoIdentityProvider
|
|
3477
3565
|
# @!attribute [rw] allowed_o_auth_flows
|
3478
3566
|
# The allowed OAuth flows.
|
3479
3567
|
#
|
3480
|
-
#
|
3481
|
-
#
|
3482
|
-
#
|
3568
|
+
# code
|
3569
|
+
#
|
3570
|
+
# : Use a code grant flow, which provides an authorization code as the
|
3571
|
+
# response. This code can be exchanged for access tokens with the
|
3572
|
+
# `/oauth2/token` endpoint.
|
3483
3573
|
#
|
3484
|
-
#
|
3485
|
-
# token (and, optionally, ID token, based on scopes) directly.
|
3574
|
+
# implicit
|
3486
3575
|
#
|
3487
|
-
#
|
3488
|
-
#
|
3489
|
-
#
|
3576
|
+
# : Issue the access token (and, optionally, ID token, based on
|
3577
|
+
# scopes) directly to your user.
|
3578
|
+
#
|
3579
|
+
# client\_credentials
|
3580
|
+
#
|
3581
|
+
# : Issue the access token from the `/oauth2/token` endpoint directly
|
3582
|
+
# to a non-person user using a combination of the client ID and
|
3583
|
+
# client secret.
|
3490
3584
|
# @return [Array<String>]
|
3491
3585
|
#
|
3492
3586
|
# @!attribute [rw] allowed_o_auth_scopes
|
3493
|
-
# The allowed OAuth scopes. Possible values provided by OAuth are
|
3587
|
+
# The allowed OAuth scopes. Possible values provided by OAuth are
|
3494
3588
|
# `phone`, `email`, `openid`, and `profile`. Possible values provided
|
3495
|
-
# by Amazon Web Services are
|
3589
|
+
# by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
|
3496
3590
|
# scopes created in Resource Servers are also supported.
|
3497
3591
|
# @return [Array<String>]
|
3498
3592
|
#
|
@@ -3700,6 +3794,9 @@ module Aws::CognitoIdentityProvider
|
|
3700
3794
|
# },
|
3701
3795
|
# sms_authentication_message: "SmsVerificationMessageType",
|
3702
3796
|
# mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
|
3797
|
+
# user_attribute_update_settings: {
|
3798
|
+
# attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
|
3799
|
+
# },
|
3703
3800
|
# device_configuration: {
|
3704
3801
|
# challenge_required_on_new_device: false,
|
3705
3802
|
# device_only_remembered_on_user_prompt: false,
|
@@ -3844,6 +3941,9 @@ module Aws::CognitoIdentityProvider
|
|
3844
3941
|
# Specifies MFA configuration details.
|
3845
3942
|
# @return [String]
|
3846
3943
|
#
|
3944
|
+
# @!attribute [rw] user_attribute_update_settings
|
3945
|
+
# @return [Types::UserAttributeUpdateSettingsType]
|
3946
|
+
#
|
3847
3947
|
# @!attribute [rw] device_configuration
|
3848
3948
|
# The device configuration.
|
3849
3949
|
# @return [Types::DeviceConfigurationType]
|
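Review bot: The new `user_attribute_update_settings` attribute is documented with an `@return` line only, while the neighbouring `mfa_configuration` and `device_configuration` attributes each carry a description. Judging from the request example added in the previous hunk (`attributes_require_verification_before_update`, accepting `phone_number` and `email`), a description along the lines of `# The settings for updates to user attributes, including the attributes that must be verified before Amazon Cognito applies a new value.` would fit. This setting appears to control whether an unverified email address or phone number can replace the current one, so it should not be left undescribed. The same gap may exist wherever else the attribute is added outside this view.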
@@ -3921,6 +4021,7 @@ module Aws::CognitoIdentityProvider
|
|
3921
4021
|
:verification_message_template,
|
3922
4022
|
:sms_authentication_message,
|
3923
4023
|
:mfa_configuration,
|
4024
|
+
:user_attribute_update_settings,
|
3924
4025
|
:device_configuration,
|
3925
4026
|
:email_configuration,
|
3926
4027
|
:sms_configuration,
|
@@ -4071,7 +4172,7 @@ module Aws::CognitoIdentityProvider
|
|
4071
4172
|
# @return [String]
|
4072
4173
|
#
|
4073
4174
|
# @!attribute [rw] provider_name
|
4074
|
-
# The
|
4175
|
+
# The IdP name.
|
4075
4176
|
# @return [String]
|
4076
4177
|
#
|
4077
4178
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteIdentityProviderRequest AWS API Documentation
|
@@ -4127,7 +4228,8 @@ module Aws::CognitoIdentityProvider
|
|
4127
4228
|
# @return [Array<String>]
|
4128
4229
|
#
|
4129
4230
|
# @!attribute [rw] access_token
|
4130
|
-
#
|
4231
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
4232
|
+
# attributes you want to delete.
|
4131
4233
|
# @return [String]
|
4132
4234
|
#
|
4133
4235
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserAttributesRequest AWS API Documentation
|
@@ -4235,7 +4337,8 @@ module Aws::CognitoIdentityProvider
|
|
4235
4337
|
# }
|
4236
4338
|
#
|
4237
4339
|
# @!attribute [rw] access_token
|
4238
|
-
#
|
4340
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
4341
|
+
# user profile you want to delete.
|
4239
4342
|
# @return [String]
|
4240
4343
|
#
|
4241
4344
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserRequest AWS API Documentation
|
@@ -4259,7 +4362,7 @@ module Aws::CognitoIdentityProvider
|
|
4259
4362
|
# @return [String]
|
4260
4363
|
#
|
4261
4364
|
# @!attribute [rw] provider_name
|
4262
|
-
# The
|
4365
|
+
# The IdP name.
|
4263
4366
|
# @return [String]
|
4264
4367
|
#
|
4265
4368
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderRequest AWS API Documentation
|
@@ -4272,7 +4375,7 @@ module Aws::CognitoIdentityProvider
|
|
4272
4375
|
end
|
4273
4376
|
|
4274
4377
|
# @!attribute [rw] identity_provider
|
4275
|
-
# The
|
4378
|
+
# The IdP that was deleted.
|
4276
4379
|
# @return [Types::IdentityProviderType]
|
4277
4380
|
#
|
4278
4381
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderResponse AWS API Documentation
|
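Review bot: The `identity_provider` attribute of `DescribeIdentityProviderResponse` is now described as "The IdP that was deleted.", but this is the response of a describe call; the wording looks carried over from the delete operation a few hunks earlier. Something like `# The identity provider details.` would match what the structure returns. The class definition itself lies outside the hunk.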
@@ -4570,7 +4673,11 @@ module Aws::CognitoIdentityProvider
|
|
4570
4673
|
# @return [String]
|
4571
4674
|
#
|
4572
4675
|
# @!attribute [rw] salt
|
4573
|
-
# The salt
|
4676
|
+
# The [salt][1]
|
4677
|
+
#
|
4678
|
+
#
|
4679
|
+
#
|
4680
|
+
# [1]: https://en.wikipedia.org/wiki/Salt_(cryptography)
|
4574
4681
|
# @return [String]
|
4575
4682
|
#
|
4576
4683
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceSecretVerifierConfigType AWS API Documentation
|
@@ -4762,29 +4869,6 @@ module Aws::CognitoIdentityProvider
|
|
4762
4869
|
# of an Amazon SES verified email address for the `SourceArn`
|
4763
4870
|
# parameter.
|
4764
4871
|
#
|
4765
|
-
# If EmailSendingAccount is COGNITO\_DEFAULT, you can't use the
|
4766
|
-
# following parameters:
|
4767
|
-
#
|
4768
|
-
# * EmailVerificationMessage
|
4769
|
-
#
|
4770
|
-
# * EmailVerificationSubject
|
4771
|
-
#
|
4772
|
-
# * InviteMessageTemplate.EmailMessage
|
4773
|
-
#
|
4774
|
-
# * InviteMessageTemplate.EmailSubject
|
4775
|
-
#
|
4776
|
-
# * VerificationMessageTemplate.EmailMessage
|
4777
|
-
#
|
4778
|
-
# * VerificationMessageTemplate.EmailMessageByLink
|
4779
|
-
#
|
4780
|
-
# * VerificationMessageTemplate.EmailSubject,
|
4781
|
-
#
|
4782
|
-
# * VerificationMessageTemplate.EmailSubjectByLink
|
4783
|
-
#
|
4784
|
-
# <note markdown="1"> DEVELOPER EmailSendingAccount is required.
|
4785
|
-
#
|
4786
|
-
# </note>
|
4787
|
-
#
|
4788
4872
|
# DEVELOPER
|
4789
4873
|
#
|
4790
4874
|
# : When Amazon Cognito emails your users, it uses your Amazon SES
|
@@ -4794,8 +4878,8 @@ module Aws::CognitoIdentityProvider
|
|
4794
4878
|
# to your Amazon SES verified email address in your Amazon Web
|
4795
4879
|
# Services account.
|
4796
4880
|
#
|
4797
|
-
# If you use this option,
|
4798
|
-
#
|
4881
|
+
# If you use this option, provide the ARN of an Amazon SES verified
|
4882
|
+
# email address for the `SourceArn` parameter.
|
4799
4883
|
#
|
4800
4884
|
# Before Amazon Cognito can email your users, it requires additional
|
4801
4885
|
# permissions to call Amazon SES on your behalf. When you update
|
@@ -4980,7 +5064,8 @@ module Aws::CognitoIdentityProvider
|
|
4980
5064
|
# }
|
4981
5065
|
#
|
4982
5066
|
# @!attribute [rw] access_token
|
4983
|
-
#
|
5067
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
5068
|
+
# registered device you want to forget.
|
4984
5069
|
# @return [String]
|
4985
5070
|
#
|
4986
5071
|
# @!attribute [rw] device_key
|
@@ -5038,8 +5123,8 @@ module Aws::CognitoIdentityProvider
|
|
5038
5123
|
# @return [String]
|
5039
5124
|
#
|
5040
5125
|
# @!attribute [rw] analytics_metadata
|
5041
|
-
# The Amazon Pinpoint analytics metadata
|
5042
|
-
# `ForgotPassword` calls.
|
5126
|
+
# The Amazon Pinpoint analytics metadata that contributes to your
|
5127
|
+
# metrics for `ForgotPassword` calls.
|
5043
5128
|
# @return [Types::AnalyticsMetadataType]
|
5044
5129
|
#
|
5045
5130
|
# @!attribute [rw] client_metadata
|
@@ -5094,8 +5179,8 @@ module Aws::CognitoIdentityProvider
|
|
5094
5179
|
include Aws::Structure
|
5095
5180
|
end
|
5096
5181
|
|
5097
|
-
#
|
5098
|
-
#
|
5182
|
+
# Represents the response from the server regarding the request to reset
|
5183
|
+
# a password.
|
5099
5184
|
#
|
5100
5185
|
# @!attribute [rw] code_delivery_details
|
5101
5186
|
# The code delivery details returned by the server in response to the
|
@@ -5169,7 +5254,8 @@ module Aws::CognitoIdentityProvider
|
|
5169
5254
|
# @return [String]
|
5170
5255
|
#
|
5171
5256
|
# @!attribute [rw] access_token
|
5172
|
-
#
|
5257
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
5258
|
+
# device information you want to request.
|
5173
5259
|
# @return [String]
|
5174
5260
|
#
|
5175
5261
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetDeviceRequest AWS API Documentation
|
@@ -5245,7 +5331,7 @@ module Aws::CognitoIdentityProvider
|
|
5245
5331
|
# @return [String]
|
5246
5332
|
#
|
5247
5333
|
# @!attribute [rw] idp_identifier
|
5248
|
-
# The
|
5334
|
+
# The IdP identifier.
|
5249
5335
|
# @return [String]
|
5250
5336
|
#
|
5251
5337
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierRequest AWS API Documentation
|
@@ -5258,7 +5344,7 @@ module Aws::CognitoIdentityProvider
|
|
5258
5344
|
end
|
5259
5345
|
|
5260
5346
|
# @!attribute [rw] identity_provider
|
5261
|
-
# The
|
5347
|
+
# The IdP object.
|
5262
5348
|
# @return [Types::IdentityProviderType]
|
5263
5349
|
#
|
5264
5350
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierResponse AWS API Documentation
|
@@ -5355,8 +5441,8 @@ module Aws::CognitoIdentityProvider
|
|
5355
5441
|
# }
|
5356
5442
|
#
|
5357
5443
|
# @!attribute [rw] access_token
|
5358
|
-
#
|
5359
|
-
#
|
5444
|
+
# A non-expired access token for the user whose attribute verification
|
5445
|
+
# code you want to generate.
|
5360
5446
|
# @return [String]
|
5361
5447
|
#
|
5362
5448
|
# @!attribute [rw] attribute_name
|
@@ -5486,8 +5572,8 @@ module Aws::CognitoIdentityProvider
|
|
5486
5572
|
# }
|
5487
5573
|
#
|
5488
5574
|
# @!attribute [rw] access_token
|
5489
|
-
#
|
5490
|
-
#
|
5575
|
+
# A non-expired access token for the user whose information you want
|
5576
|
+
# to query.
|
5491
5577
|
# @return [String]
|
5492
5578
|
#
|
5493
5579
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserRequest AWS API Documentation
|
@@ -5552,7 +5638,8 @@ module Aws::CognitoIdentityProvider
|
|
5552
5638
|
# }
|
5553
5639
|
#
|
5554
5640
|
# @!attribute [rw] access_token
|
5555
|
-
#
|
5641
|
+
# A valid access token that Amazon Cognito issued to the user who you
|
5642
|
+
# want to sign out.
|
5556
5643
|
# @return [String]
|
5557
5644
|
#
|
5558
5645
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GlobalSignOutRequest AWS API Documentation
|
@@ -5670,23 +5757,23 @@ module Aws::CognitoIdentityProvider
|
|
5670
5757
|
include Aws::Structure
|
5671
5758
|
end
|
5672
5759
|
|
5673
|
-
# A container for information about an
|
5760
|
+
# A container for information about an IdP.
|
5674
5761
|
#
|
5675
5762
|
# @!attribute [rw] user_pool_id
|
5676
5763
|
# The user pool ID.
|
5677
5764
|
# @return [String]
|
5678
5765
|
#
|
5679
5766
|
# @!attribute [rw] provider_name
|
5680
|
-
# The
|
5767
|
+
# The IdP name.
|
5681
5768
|
# @return [String]
|
5682
5769
|
#
|
5683
5770
|
# @!attribute [rw] provider_type
|
5684
|
-
# The
|
5771
|
+
# The IdP type.
|
5685
5772
|
# @return [String]
|
5686
5773
|
#
|
5687
5774
|
# @!attribute [rw] provider_details
|
5688
|
-
# The
|
5689
|
-
#
|
5775
|
+
# The IdP details. The following list describes the provider detail
|
5776
|
+
# keys for each IdP type.
|
5690
5777
|
#
|
5691
5778
|
# * For Google and Login with Amazon:
|
5692
5779
|
#
|
@@ -5716,6 +5803,9 @@ module Aws::CognitoIdentityProvider
|
|
5716
5803
|
#
|
5717
5804
|
# * private\_key
|
5718
5805
|
#
|
5806
|
+
# *You can submit a private\_key when you add or update an IdP.
|
5807
|
+
# Describe operations don't return the private key.*
|
5808
|
+
#
|
5719
5809
|
# * authorize\_scopes
|
5720
5810
|
#
|
5721
5811
|
# * For OIDC providers:
|
@@ -5730,43 +5820,46 @@ module Aws::CognitoIdentityProvider
|
|
5730
5820
|
#
|
5731
5821
|
# * authorize\_scopes
|
5732
5822
|
#
|
5733
|
-
# *
|
5734
|
-
#
|
5823
|
+
# * The following keys are only present if Amazon Cognito didn't
|
5824
|
+
# discover them at the `oidc_issuer` URL.
|
5825
|
+
#
|
5826
|
+
# * authorize\_url
|
5735
5827
|
#
|
5736
|
-
#
|
5737
|
-
# oidc\_issuer key*
|
5828
|
+
# * token\_url
|
5738
5829
|
#
|
5739
|
-
#
|
5740
|
-
# by oidc\_issuer key*
|
5830
|
+
# * attributes\_url
|
5741
5831
|
#
|
5742
|
-
#
|
5743
|
-
# oidc\_issuer key*
|
5832
|
+
# * jwks\_uri
|
5744
5833
|
#
|
5745
|
-
# *
|
5746
|
-
#
|
5834
|
+
# * Amazon Cognito sets the value of the following keys
|
5835
|
+
# automatically. They are read-only.
|
5836
|
+
#
|
5837
|
+
# * attributes\_url\_add\_attributes
|
5838
|
+
#
|
5839
|
+
# ^
|
5747
5840
|
#
|
5748
5841
|
# * For SAML providers:
|
5749
5842
|
#
|
5750
5843
|
# * MetadataFile or MetadataURL
|
5751
5844
|
#
|
5752
|
-
# *
|
5845
|
+
# * IDPSignout *optional*
|
5753
5846
|
# @return [Hash<String,String>]
|
5754
5847
|
#
|
5755
5848
|
# @!attribute [rw] attribute_mapping
|
5756
|
-
# A mapping of
|
5757
|
-
#
|
5849
|
+
# A mapping of IdP attributes to standard and custom user pool
|
5850
|
+
# attributes.
|
5758
5851
|
# @return [Hash<String,String>]
|
5759
5852
|
#
|
5760
5853
|
# @!attribute [rw] idp_identifiers
|
5761
|
-
# A list of
|
5854
|
+
# A list of IdP identifiers.
|
5762
5855
|
# @return [Array<String>]
|
5763
5856
|
#
|
5764
5857
|
# @!attribute [rw] last_modified_date
|
5765
|
-
# The date the
|
5858
|
+
# The date the IdP was last modified.
|
5766
5859
|
# @return [Time]
|
5767
5860
|
#
|
5768
5861
|
# @!attribute [rw] creation_date
|
5769
|
-
# The date the
|
5862
|
+
# The date the IdP was created.
|
5770
5863
|
# @return [Time]
|
5771
5864
|
#
|
5772
5865
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/IdentityProviderType AWS API Documentation
|
@@ -5830,10 +5923,10 @@ module Aws::CognitoIdentityProvider
|
|
5830
5923
|
#
|
5831
5924
|
# * `CUSTOM_AUTH`\: Custom authentication flow.
|
5832
5925
|
#
|
5833
|
-
# * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow;
|
5834
|
-
#
|
5926
|
+
# * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; user name and
|
5927
|
+
# password are passed directly. If a user migration Lambda trigger
|
5835
5928
|
# is set, this flow will invoke the user migration Lambda if it
|
5836
|
-
# doesn't find the
|
5929
|
+
# doesn't find the user name in the user pool.
|
5837
5930
|
#
|
5838
5931
|
# `ADMIN_NO_SRP_AUTH` isn't a valid value.
|
5839
5932
|
# @return [String]
|
@@ -5925,8 +6018,8 @@ module Aws::CognitoIdentityProvider
|
|
5925
6018
|
# @return [String]
|
5926
6019
|
#
|
5927
6020
|
# @!attribute [rw] analytics_metadata
|
5928
|
-
# The Amazon Pinpoint analytics metadata
|
5929
|
-
# `InitiateAuth` calls.
|
6021
|
+
# The Amazon Pinpoint analytics metadata that contributes to your
|
6022
|
+
# metrics for `InitiateAuth` calls.
|
5930
6023
|
# @return [Types::AnalyticsMetadataType]
|
5931
6024
|
#
|
5932
6025
|
# @!attribute [rw] user_context_data
|
@@ -5981,9 +6074,23 @@ module Aws::CognitoIdentityProvider
|
|
5981
6074
|
# for devices only.
|
5982
6075
|
#
|
5983
6076
|
# * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
|
5984
|
-
# their passwords after successful first login.
|
5985
|
-
#
|
5986
|
-
#
|
6077
|
+
# their passwords after successful first login.
|
6078
|
+
#
|
6079
|
+
# Respond to this challenge with `NEW_PASSWORD` and any required
|
6080
|
+
# attributes that Amazon Cognito returned in the
|
6081
|
+
# `requiredAttributes` parameter. You can also set values for
|
6082
|
+
# attributes that aren't required by your user pool and that your
|
6083
|
+
# app client can write. For more information, see
|
6084
|
+
# [RespondToAuthChallenge][1].
|
6085
|
+
#
|
6086
|
+
# <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
|
6087
|
+
# a required attribute that already has a value. In
|
6088
|
+
# `RespondToAuthChallenge`, set a value for any keys that Amazon
|
6089
|
+
# Cognito returned in the `requiredAttributes` parameter, then use
|
6090
|
+
# the `UpdateUserAttributes` API operation to modify the value of
|
6091
|
+
# any additional attributes.
|
6092
|
+
#
|
6093
|
+
# </note>
|
5987
6094
|
#
|
5988
6095
|
# * `MFA_SETUP`\: For users who are required to setup an MFA factor
|
5989
6096
|
# before they can sign in. The MFA types activated for the user pool
|
@@ -5996,6 +6103,10 @@ module Aws::CognitoIdentityProvider
|
|
5996
6103
|
# complete sign-in. To set up SMS MFA, an administrator should help
|
5997
6104
|
# the user to add a phone number to their account, and then the user
|
5998
6105
|
# should call `InitiateAuth` again to restart sign-in.
|
6106
|
+
#
|
6107
|
+
#
|
6108
|
+
#
|
6109
|
+
# [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
|
5999
6110
|
# @return [String]
|
6000
6111
|
#
|
6001
6112
|
# @!attribute [rw] session
|
@@ -6071,7 +6182,7 @@ module Aws::CognitoIdentityProvider
|
|
6071
6182
|
# Lambda response.
|
6072
6183
|
#
|
6073
6184
|
# @!attribute [rw] message
|
6074
|
-
# The message returned when Amazon Cognito
|
6185
|
+
# The message returned when Amazon Cognito throws an invalid Lambda
|
6075
6186
|
# response exception.
|
6076
6187
|
# @return [String]
|
6077
6188
|
#
|
@@ -6308,7 +6419,8 @@ module Aws::CognitoIdentityProvider
|
|
6308
6419
|
# }
|
6309
6420
|
#
|
6310
6421
|
# @!attribute [rw] access_token
|
6311
|
-
#
|
6422
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
6423
|
+
# list of devices you want to view.
|
6312
6424
|
# @return [String]
|
6313
6425
|
#
|
6314
6426
|
# @!attribute [rw] limit
|
@@ -6414,7 +6526,7 @@ module Aws::CognitoIdentityProvider
|
|
6414
6526
|
# @return [String]
|
6415
6527
|
#
|
6416
6528
|
# @!attribute [rw] max_results
|
6417
|
-
# The maximum number of
|
6529
|
+
# The maximum number of IdPs to return.
|
6418
6530
|
# @return [Integer]
|
6419
6531
|
#
|
6420
6532
|
# @!attribute [rw] next_token
|
@@ -6432,7 +6544,7 @@ module Aws::CognitoIdentityProvider
|
|
6432
6544
|
end
|
6433
6545
|
|
6434
6546
|
# @!attribute [rw] providers
|
6435
|
-
# A list of
|
6547
|
+
# A list of IdP objects.
|
6436
6548
|
# @return [Array<Types::ProviderDescription>]
|
6437
6549
|
#
|
6438
6550
|
# @!attribute [rw] next_token
|
@@ -6738,9 +6850,8 @@ module Aws::CognitoIdentityProvider
|
|
6738
6850
|
# @return [Array<Types::UserType>]
|
6739
6851
|
#
|
6740
6852
|
# @!attribute [rw] next_token
|
6741
|
-
# An identifier that
|
6742
|
-
#
|
6743
|
-
# list.
|
6853
|
+
# An identifier that you can use in a later request to return the next
|
6854
|
+
# set of items in the list.
|
6744
6855
|
# @return [String]
|
6745
6856
|
#
|
6746
6857
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersInGroupResponse AWS API Documentation
|
@@ -6831,8 +6942,8 @@ module Aws::CognitoIdentityProvider
|
|
6831
6942
|
# Custom attributes aren't searchable.
|
6832
6943
|
#
|
6833
6944
|
# <note markdown="1"> You can also list users with a client-side filter. The server-side
|
6834
|
-
# filter matches no more than
|
6835
|
-
# a client-side filter with the `--query` parameter of the
|
6945
|
+
# filter matches no more than one attribute. For an advanced search,
|
6946
|
+
# use a client-side filter with the `--query` parameter of the
|
6836
6947
|
# `list-users` action in the CLI. When you use a client-side filter,
|
6837
6948
|
# ListUsers returns a paginated list of zero or more users. You can
|
6838
6949
|
# receive multiple pages in a row with zero results. Repeat the query
|
@@ -7190,8 +7301,8 @@ module Aws::CognitoIdentityProvider
|
|
7190
7301
|
# administrator must reset their password.
|
7191
7302
|
#
|
7192
7303
|
# <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
|
7193
|
-
# can no longer set the
|
7194
|
-
#
|
7304
|
+
# can no longer set a value for the legacy `UnusedAccountValidityDays`
|
7305
|
+
# parameter in that user pool.
|
7195
7306
|
#
|
7196
7307
|
# </note>
|
7197
7308
|
# @return [Integer]
|
@@ -7237,14 +7348,14 @@ module Aws::CognitoIdentityProvider
|
|
7237
7348
|
include Aws::Structure
|
7238
7349
|
end
|
7239
7350
|
|
7240
|
-
# A container for
|
7351
|
+
# A container for IdP details.
|
7241
7352
|
#
|
7242
7353
|
# @!attribute [rw] provider_name
|
7243
|
-
# The
|
7354
|
+
# The IdP name.
|
7244
7355
|
# @return [String]
|
7245
7356
|
#
|
7246
7357
|
# @!attribute [rw] provider_type
|
7247
|
-
# The
|
7358
|
+
# The IdP type.
|
7248
7359
|
# @return [String]
|
7249
7360
|
#
|
7250
7361
|
# @!attribute [rw] last_modified_date
|
@@ -7266,8 +7377,7 @@ module Aws::CognitoIdentityProvider
|
|
7266
7377
|
include Aws::Structure
|
7267
7378
|
end
|
7268
7379
|
|
7269
|
-
# A container for information about an
|
7270
|
-
# pool.
|
7380
|
+
# A container for information about an IdP for a user pool.
|
7271
7381
|
#
|
7272
7382
|
# @note When making an API call, you may pass ProviderUserIdentifierType
|
7273
7383
|
# data as a hash:
|
@@ -7373,8 +7483,8 @@ module Aws::CognitoIdentityProvider
|
|
7373
7483
|
# @return [String]
|
7374
7484
|
#
|
7375
7485
|
# @!attribute [rw] analytics_metadata
|
7376
|
-
# The Amazon Pinpoint analytics metadata
|
7377
|
-
# `ResendConfirmationCode` calls.
|
7486
|
+
# The Amazon Pinpoint analytics metadata that contributes to your
|
7487
|
+
# metrics for `ResendConfirmationCode` calls.
|
7378
7488
|
# @return [Types::AnalyticsMetadataType]
|
7379
7489
|
#
|
7380
7490
|
# @!attribute [rw] client_metadata
|
@@ -7577,13 +7687,27 @@ module Aws::CognitoIdentityProvider
|
|
7577
7687
|
# * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
|
7578
7688
|
# `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
|
7579
7689
|
#
|
7580
|
-
# <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when
|
7690
|
+
# <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when you sign in with a
|
7581
7691
|
# remembered device.
|
7582
7692
|
#
|
7583
7693
|
# </note>
|
7584
7694
|
#
|
7585
|
-
# * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`,
|
7586
|
-
#
|
7695
|
+
# * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
|
7696
|
+
# `SECRET_HASH` (if app client is configured with client secret). To
|
7697
|
+
# set any required attributes that Amazon Cognito returned as
|
7698
|
+
# `requiredAttributes` in the `InitiateAuth` response, add a
|
7699
|
+
# `userAttributes.attributename ` parameter. This parameter can also
|
7700
|
+
# set values for writable attributes that aren't required by your
|
7701
|
+
# user pool.
|
7702
|
+
#
|
7703
|
+
# <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
|
7704
|
+
# a required attribute that already has a value. In
|
7705
|
+
# `RespondToAuthChallenge`, set a value for any keys that Amazon
|
7706
|
+
# Cognito returned in the `requiredAttributes` parameter, then use
|
7707
|
+
# the `UpdateUserAttributes` API operation to modify the value of
|
7708
|
+
# any additional attributes.
|
7709
|
+
#
|
7710
|
+
# </note>
|
7587
7711
|
#
|
7588
7712
|
# * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE`
|
7589
7713
|
# are required attributes.
|
@@ -7600,8 +7724,8 @@ module Aws::CognitoIdentityProvider
|
|
7600
7724
|
# @return [Hash<String,String>]
|
7601
7725
|
#
|
7602
7726
|
# @!attribute [rw] analytics_metadata
|
7603
|
-
# The Amazon Pinpoint analytics metadata
|
7604
|
-
# `RespondToAuthChallenge` calls.
|
7727
|
+
# The Amazon Pinpoint analytics metadata that contributes to your
|
7728
|
+
# metrics for `RespondToAuthChallenge` calls.
|
7605
7729
|
# @return [Types::AnalyticsMetadataType]
|
7606
7730
|
#
|
7607
7731
|
# @!attribute [rw] user_context_data
|
@@ -7903,13 +8027,13 @@ module Aws::CognitoIdentityProvider
|
|
7903
8027
|
# @!attribute [rw] mutable
|
7904
8028
|
# Specifies whether the value of the attribute can be changed.
|
7905
8029
|
#
|
7906
|
-
# For any user pool attribute that is mapped to an
|
7907
|
-
#
|
7908
|
-
#
|
7909
|
-
#
|
7910
|
-
#
|
7911
|
-
#
|
7912
|
-
#
|
8030
|
+
# For any user pool attribute that is mapped to an IdP attribute, you
|
8031
|
+
# must set this parameter to `true`. Amazon Cognito updates mapped
|
8032
|
+
# attributes when users sign in to your application through an IdP. If
|
8033
|
+
# an attribute is immutable, Amazon Cognito throws an error when it
|
8034
|
+
# attempts to update the attribute. For more information, see
|
8035
|
+
# [Specifying Identity Provider Attribute Mappings for Your User
|
8036
|
+
# Pool][1].
|
7913
8037
|
#
|
7914
8038
|
#
|
7915
8039
|
#
|
@@ -8135,7 +8259,8 @@ module Aws::CognitoIdentityProvider
|
|
8135
8259
|
# @return [Types::SoftwareTokenMfaSettingsType]
|
8136
8260
|
#
|
8137
8261
|
# @!attribute [rw] access_token
|
8138
|
-
#
|
8262
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
8263
|
+
# MFA preference you want to set.
|
8139
8264
|
# @return [String]
|
8140
8265
|
#
|
8141
8266
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserMFAPreferenceRequest AWS API Documentation
|
@@ -8254,7 +8379,8 @@ module Aws::CognitoIdentityProvider
|
|
8254
8379
|
# }
|
8255
8380
|
#
|
8256
8381
|
# @!attribute [rw] access_token
|
8257
|
-
#
|
8382
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
8383
|
+
# user settings you want to configure.
|
8258
8384
|
# @return [String]
|
8259
8385
|
#
|
8260
8386
|
# @!attribute [rw] mfa_options
|
@@ -8340,8 +8466,8 @@ module Aws::CognitoIdentityProvider
|
|
8340
8466
|
# @return [Array<Types::AttributeType>]
|
8341
8467
|
#
|
8342
8468
|
# @!attribute [rw] analytics_metadata
|
8343
|
-
# The Amazon Pinpoint analytics metadata
|
8344
|
-
# `SignUp` calls.
|
8469
|
+
# The Amazon Pinpoint analytics metadata that contributes to your
|
8470
|
+
# metrics for `SignUp` calls.
|
8345
8471
|
# @return [Types::AnalyticsMetadataType]
|
8346
8472
|
#
|
8347
8473
|
# @!attribute [rw] user_context_data
|
@@ -8760,8 +8886,8 @@ module Aws::CognitoIdentityProvider
|
|
8760
8886
|
#
|
8761
8887
|
class TagResourceResponse < Aws::EmptyStructure; end
|
8762
8888
|
|
8763
|
-
# The data type
|
8764
|
-
#
|
8889
|
+
# The data type TokenValidityUnits specifies the time units you use when
|
8890
|
+
# you set the duration of ID, access, and refresh tokens.
|
8765
8891
|
#
|
8766
8892
|
# @note When making an API call, you may pass TokenValidityUnitsType
|
8767
8893
|
# data as a hash:
|
@@ -9049,7 +9175,8 @@ module Aws::CognitoIdentityProvider
|
|
9049
9175
|
# }
|
9050
9176
|
#
|
9051
9177
|
# @!attribute [rw] access_token
|
9052
|
-
#
|
9178
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
9179
|
+
# device status you want to update.
|
9053
9180
|
# @return [String]
|
9054
9181
|
#
|
9055
9182
|
# @!attribute [rw] device_key
|
@@ -9158,20 +9285,20 @@ module Aws::CognitoIdentityProvider
|
|
9158
9285
|
# @return [String]
|
9159
9286
|
#
|
9160
9287
|
# @!attribute [rw] provider_name
|
9161
|
-
# The
|
9288
|
+
# The IdP name.
|
9162
9289
|
# @return [String]
|
9163
9290
|
#
|
9164
9291
|
# @!attribute [rw] provider_details
|
9165
|
-
# The
|
9166
|
-
#
|
9292
|
+
# The IdP details to be updated, such as `MetadataURL` and
|
9293
|
+
# `MetadataFile`.
|
9167
9294
|
# @return [Hash<String,String>]
|
9168
9295
|
#
|
9169
9296
|
# @!attribute [rw] attribute_mapping
|
9170
|
-
# The
|
9297
|
+
# The IdP attribute mapping to be changed.
|
9171
9298
|
# @return [Hash<String,String>]
|
9172
9299
|
#
|
9173
9300
|
# @!attribute [rw] idp_identifiers
|
9174
|
-
# A list of
|
9301
|
+
# A list of IdP identifiers.
|
9175
9302
|
# @return [Array<String>]
|
9176
9303
|
#
|
9177
9304
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderRequest AWS API Documentation
|
@@ -9187,7 +9314,7 @@ module Aws::CognitoIdentityProvider
|
|
9187
9314
|
end
|
9188
9315
|
|
9189
9316
|
# @!attribute [rw] identity_provider
|
9190
|
-
# The
|
9317
|
+
# The IdP object.
|
9191
9318
|
# @return [Types::IdentityProviderType]
|
9192
9319
|
#
|
9193
9320
|
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderResponse AWS API Documentation
|
@@ -9275,10 +9402,19 @@ module Aws::CognitoIdentityProvider
|
|
9275
9402
|
#
|
9276
9403
|
# For custom attributes, you must prepend the `custom:` prefix to the
|
9277
9404
|
# attribute name.
|
9405
|
+
#
|
9406
|
+
# If you have set an attribute to require verification before Amazon
|
9407
|
+
# Cognito updates its value, this request doesn’t immediately update
|
9408
|
+
# the value of that attribute. After your user receives and responds
|
9409
|
+
# to a verification message to verify the new value, Amazon Cognito
|
9410
|
+
# updates the attribute value. Your user can sign in and receive
|
9411
|
+
# messages with the original attribute value until they verify the new
|
9412
|
+
# value.
|
9278
9413
|
# @return [Array<Types::AttributeType>]
|
9279
9414
|
#
|
9280
9415
|
# @!attribute [rw] access_token
|
9281
|
-
#
|
9416
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
9417
|
+
# user attributes you want to update.
|
9282
9418
|
# @return [String]
|
9283
9419
|
#
|
9284
9420
|
# @!attribute [rw] client_metadata
|
@@ -9397,23 +9533,53 @@ module Aws::CognitoIdentityProvider
|
|
9397
9533
|
# @return [String]
|
9398
9534
|
#
|
9399
9535
|
# @!attribute [rw] refresh_token_validity
|
9400
|
-
# The time limit
|
9401
|
-
#
|
9536
|
+
# The refresh token time limit. After this limit expires, your user
|
9537
|
+
# can't use their refresh token. To specify the time unit for
|
9538
|
+
# `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
|
9539
|
+
# set a `TokenValidityUnits` value in your API request.
|
9540
|
+
#
|
9541
|
+
# For example, when you set `RefreshTokenValidity` as `10` and
|
9542
|
+
# `TokenValidityUnits` as `days`, your user can refresh their session
|
9543
|
+
# and retrieve new access and ID tokens for 10 days.
|
9544
|
+
#
|
9545
|
+
# The default time unit for `RefreshTokenValidity` in an API request
|
9546
|
+
# is days. You can't set `RefreshTokenValidity` to 0. If you do,
|
9547
|
+
# Amazon Cognito overrides the value with the default value of 30
|
9548
|
+
# days. *Valid range* is displayed below in seconds.
|
9402
9549
|
# @return [Integer]
|
9403
9550
|
#
|
9404
9551
|
# @!attribute [rw] access_token_validity
|
9405
|
-
# The time limit
|
9406
|
-
# can't
|
9552
|
+
# The access token time limit. After this limit expires, your user
|
9553
|
+
# can't use their access token. To specify the time unit for
|
9554
|
+
# `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
|
9555
|
+
# set a `TokenValidityUnits` value in your API request.
|
9556
|
+
#
|
9557
|
+
# For example, when you set `AccessTokenValidity` to `10` and
|
9558
|
+
# `TokenValidityUnits` to `hours`, your user can authorize access with
|
9559
|
+
# their access token for 10 hours.
|
9560
|
+
#
|
9561
|
+
# The default time unit for `AccessTokenValidity` in an API request is
|
9562
|
+
# hours. *Valid range* is displayed below in seconds.
|
9407
9563
|
# @return [Integer]
|
9408
9564
|
#
|
9409
9565
|
# @!attribute [rw] id_token_validity
|
9410
|
-
# The time limit
|
9411
|
-
#
|
9566
|
+
# The ID token time limit. After this limit expires, your user can't
|
9567
|
+
# use their ID token. To specify the time unit for `IdTokenValidity`
|
9568
|
+
# as `seconds`, `minutes`, `hours`, or `days`, set a
|
9569
|
+
# `TokenValidityUnits` value in your API request.
|
9570
|
+
#
|
9571
|
+
# For example, when you set `IdTokenValidity` as `10` and
|
9572
|
+
# `TokenValidityUnits` as `hours`, your user can authenticate their
|
9573
|
+
# session with their ID token for 10 hours.
|
9574
|
+
#
|
9575
|
+
# The default time unit for `AccessTokenValidity` in an API request is
|
9576
|
+
# hours. *Valid range* is displayed below in seconds.
|
9412
9577
|
# @return [Integer]
|
9413
9578
|
#
|
9414
9579
|
# @!attribute [rw] token_validity_units
|
9415
|
-
# The units in which the validity times are represented.
|
9416
|
-
# RefreshToken is days, and default for ID and access
|
9580
|
+
# The units in which the validity times are represented. The default
|
9581
|
+
# unit for RefreshToken is days, and the default for ID and access
|
9582
|
+
# tokens is hours.
|
9417
9583
|
# @return [Types::TokenValidityUnitsType]
|
9418
9584
|
#
|
9419
9585
|
# @!attribute [rw] read_attributes
|
@@ -9453,13 +9619,14 @@ module Aws::CognitoIdentityProvider
|
|
9453
9619
|
# @return [Array<String>]
|
9454
9620
|
#
|
9455
9621
|
# @!attribute [rw] supported_identity_providers
|
9456
|
-
# A list of provider names for the
|
9457
|
-
# supported
|
9622
|
+
# A list of provider names for the IdPs that this client supports. The
|
9623
|
+
# following are supported: `COGNITO`, `Facebook`, `Google`
|
9624
|
+
# `LoginWithAmazon`, and the names of your own SAML and OIDC
|
9625
|
+
# providers.
|
9458
9626
|
# @return [Array<String>]
|
9459
9627
|
#
|
9460
9628
|
# @!attribute [rw] callback_urls
|
9461
|
-
# A list of allowed redirect (callback) URLs for the
|
9462
|
-
# providers.
|
9629
|
+
# A list of allowed redirect (callback) URLs for the IdPs.
|
9463
9630
|
#
|
9464
9631
|
# A redirect URI must:
|
9465
9632
|
#
|
@@ -9482,7 +9649,7 @@ module Aws::CognitoIdentityProvider
|
|
9482
9649
|
# @return [Array<String>]
|
9483
9650
|
#
|
9484
9651
|
# @!attribute [rw] logout_urls
|
9485
|
-
# A list of allowed logout URLs for the
|
9652
|
+
# A list of allowed logout URLs for the IdPs.
|
9486
9653
|
# @return [Array<String>]
|
9487
9654
|
#
|
9488
9655
|
# @!attribute [rw] default_redirect_uri
|
@@ -9511,22 +9678,28 @@ module Aws::CognitoIdentityProvider
|
|
9511
9678
|
# @!attribute [rw] allowed_o_auth_flows
|
9512
9679
|
# The allowed OAuth flows.
|
9513
9680
|
#
|
9514
|
-
#
|
9515
|
-
#
|
9516
|
-
#
|
9681
|
+
# code
|
9682
|
+
#
|
9683
|
+
# : Use a code grant flow, which provides an authorization code as the
|
9684
|
+
# response. This code can be exchanged for access tokens with the
|
9685
|
+
# `/oauth2/token` endpoint.
|
9517
9686
|
#
|
9518
|
-
#
|
9519
|
-
# token (and, optionally, ID token, based on scopes) directly.
|
9687
|
+
# implicit
|
9520
9688
|
#
|
9521
|
-
#
|
9522
|
-
#
|
9523
|
-
#
|
9689
|
+
# : Issue the access token (and, optionally, ID token, based on
|
9690
|
+
# scopes) directly to your user.
|
9691
|
+
#
|
9692
|
+
# client\_credentials
|
9693
|
+
#
|
9694
|
+
# : Issue the access token from the `/oauth2/token` endpoint directly
|
9695
|
+
# to a non-person user using a combination of the client ID and
|
9696
|
+
# client secret.
|
9524
9697
|
# @return [Array<String>]
|
9525
9698
|
#
|
9526
9699
|
# @!attribute [rw] allowed_o_auth_scopes
|
9527
|
-
# The allowed OAuth scopes. Possible values provided by OAuth are
|
9700
|
+
# The allowed OAuth scopes. Possible values provided by OAuth are
|
9528
9701
|
# `phone`, `email`, `openid`, and `profile`. Possible values provided
|
9529
|
-
# by Amazon Web Services are
|
9702
|
+
# by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
|
9530
9703
|
# scopes created in Resource Servers are also supported.
|
9531
9704
|
# @return [Array<String>]
|
9532
9705
|
#
|
@@ -9536,8 +9709,8 @@ module Aws::CognitoIdentityProvider
|
|
9536
9709
|
# @return [Boolean]
|
9537
9710
|
#
|
9538
9711
|
# @!attribute [rw] analytics_configuration
|
9539
|
-
# The Amazon Pinpoint analytics configuration
|
9540
|
-
# for this user pool.
|
9712
|
+
# The Amazon Pinpoint analytics configuration necessary to collect
|
9713
|
+
# metrics for this user pool.
|
9541
9714
|
#
|
9542
9715
|
# <note markdown="1"> In Amazon Web Services Regions where Amazon Pinpoint isn't
|
9543
9716
|
# available, user pools only support sending events to Amazon Pinpoint
|
@@ -9729,6 +9902,9 @@ module Aws::CognitoIdentityProvider
|
|
9729
9902
|
# default_email_option: "CONFIRM_WITH_LINK", # accepts CONFIRM_WITH_LINK, CONFIRM_WITH_CODE
|
9730
9903
|
# },
|
9731
9904
|
# sms_authentication_message: "SmsVerificationMessageType",
|
9905
|
+
# user_attribute_update_settings: {
|
9906
|
+
# attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
|
9907
|
+
# },
|
9732
9908
|
# mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
|
9733
9909
|
# device_configuration: {
|
9734
9910
|
# challenge_required_on_new_device: false,
|
@@ -9809,8 +9985,11 @@ module Aws::CognitoIdentityProvider
|
|
9809
9985
|
# The contents of the SMS authentication message.
|
9810
9986
|
# @return [String]
|
9811
9987
|
#
|
9988
|
+
# @!attribute [rw] user_attribute_update_settings
|
9989
|
+
# @return [Types::UserAttributeUpdateSettingsType]
|
9990
|
+
#
|
9812
9991
|
# @!attribute [rw] mfa_configuration
|
9813
|
-
#
|
9992
|
+
# Possible values include:
|
9814
9993
|
#
|
9815
9994
|
# * `OFF` - MFA tokens aren't required and can't be specified during
|
9816
9995
|
# user registration.
|
@@ -9886,6 +10065,7 @@ module Aws::CognitoIdentityProvider
|
|
9886
10065
|
:email_verification_subject,
|
9887
10066
|
:verification_message_template,
|
9888
10067
|
:sms_authentication_message,
|
10068
|
+
:user_attribute_update_settings,
|
9889
10069
|
:mfa_configuration,
|
9890
10070
|
:device_configuration,
|
9891
10071
|
:email_configuration,
|
@@ -9905,9 +10085,55 @@ module Aws::CognitoIdentityProvider
|
|
9905
10085
|
#
|
9906
10086
|
class UpdateUserPoolResponse < Aws::EmptyStructure; end
|
9907
10087
|
|
9908
|
-
#
|
9909
|
-
#
|
9910
|
-
#
|
10088
|
+
# The settings for updates to user attributes.
|
10089
|
+
#
|
10090
|
+
# @note When making an API call, you may pass UserAttributeUpdateSettingsType
|
10091
|
+
# data as a hash:
|
10092
|
+
#
|
10093
|
+
# {
|
10094
|
+
# attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
|
10095
|
+
# }
|
10096
|
+
#
|
10097
|
+
# @!attribute [rw] attributes_require_verification_before_update
|
10098
|
+
# Requires that your user verifies their email address, phone number,
|
10099
|
+
# or both before Amazon Cognito updates the value of that attribute.
|
10100
|
+
# When you update a user attribute that has this option activated,
|
10101
|
+
# Amazon Cognito sends a verification message to the new phone number
|
10102
|
+
# or email address. Amazon Cognito doesn’t change the value of the
|
10103
|
+
# attribute until your user responds to the verification message and
|
10104
|
+
# confirms the new value.
|
10105
|
+
#
|
10106
|
+
# You can verify an updated email address or phone number with a
|
10107
|
+
# [VerifyUserAttribute][1] API request. You can also call the
|
10108
|
+
# [UpdateUserAttributes][2] or [AdminUpdateUserAttributes][3] API and
|
10109
|
+
# set `email_verified` or `phone_number_verified` to true.
|
10110
|
+
#
|
10111
|
+
# When `AttributesRequireVerificationBeforeUpdate` is false, your user
|
10112
|
+
# pool doesn't require that your users verify attribute changes
|
10113
|
+
# before Amazon Cognito updates them. In a user pool where
|
10114
|
+
# `AttributesRequireVerificationBeforeUpdate` is false, API operations
|
10115
|
+
# that change attribute values can immediately update a user’s `email`
|
10116
|
+
# or `phone_number` attribute.
|
10117
|
+
#
|
10118
|
+
#
|
10119
|
+
#
|
10120
|
+
# [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html
|
10121
|
+
# [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
|
10122
|
+
# [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
|
10123
|
+
# @return [Array<String>]
|
10124
|
+
#
|
10125
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserAttributeUpdateSettingsType AWS API Documentation
|
10126
|
+
#
|
10127
|
+
class UserAttributeUpdateSettingsType < Struct.new(
|
10128
|
+
:attributes_require_verification_before_update)
|
10129
|
+
SENSITIVE = []
|
10130
|
+
include Aws::Structure
|
10131
|
+
end
|
10132
|
+
|
10133
|
+
# Information that your app generates about a user's
|
10134
|
+
# `AdminInitiateAuth` or `AdminRespondToAuthChallenge` session. Amazon
|
10135
|
+
# Cognito advanced security features calculate risk levels for user
|
10136
|
+
# sessions based on this context data.
|
9911
10137
|
#
|
9912
10138
|
# @note When making an API call, you may pass UserContextDataType
|
9913
10139
|
# data as a hash:
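Review bot: The comment on `attributes_require_verification_before_update` describes the setting as a boolean ("When `AttributesRequireVerificationBeforeUpdate` is false"), while the attribute returns `Array<String>` and the example passes `["phone_number"]`. A reader cannot tell from this text what an empty or omitted list means. If the unset state is what the text calls false (inferred, not shown in the hunk), `email` and `phone_number` changes take effect before verification unless the pool opts in, which matters wherever those attributes serve as sign-in aliases or recovery channels. I would reword the paragraph along the lines of `# When an attribute isn't listed here, Amazon Cognito updates its value without waiting for the user to verify it.` and state the default explicitly. If this file is generated from the service model, the wording would need to change there.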
|
@@ -10174,24 +10400,52 @@ module Aws::CognitoIdentityProvider
|
|
10174
10400
|
# @return [Time]
|
10175
10401
|
#
|
10176
10402
|
# @!attribute [rw] refresh_token_validity
|
10177
|
-
# The time limit
|
10178
|
-
#
|
10403
|
+
# The refresh token time limit. After this limit expires, your user
|
10404
|
+
# can't use their refresh token. To specify the time unit for
|
10405
|
+
# `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
|
10406
|
+
# set a `TokenValidityUnits` value in your API request.
|
10407
|
+
#
|
10408
|
+
# For example, when you set `RefreshTokenValidity` as `10` and
|
10409
|
+
# `TokenValidityUnits` as `days`, your user can refresh their session
|
10410
|
+
# and retrieve new access and ID tokens for 10 days.
|
10411
|
+
#
|
10412
|
+
# The default time unit for `RefreshTokenValidity` in an API request
|
10413
|
+
# is days. You can't set `RefreshTokenValidity` to 0. If you do,
|
10414
|
+
# Amazon Cognito overrides the value with the default value of 30
|
10415
|
+
# days. *Valid range* is displayed below in seconds.
|
10179
10416
|
# @return [Integer]
|
10180
10417
|
#
|
10181
10418
|
# @!attribute [rw] access_token_validity
|
10182
|
-
# The time limit
|
10183
|
-
#
|
10184
|
-
#
|
10419
|
+
# The access token time limit. After this limit expires, your user
|
10420
|
+
# can't use their access token. To specify the time unit for
|
10421
|
+
# `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
|
10422
|
+
# set a `TokenValidityUnits` value in your API request.
|
10423
|
+
#
|
10424
|
+
# For example, when you set `AccessTokenValidity` to `10` and
|
10425
|
+
# `TokenValidityUnits` to `hours`, your user can authorize access with
|
10426
|
+
# their access token for 10 hours.
|
10427
|
+
#
|
10428
|
+
# The default time unit for `AccessTokenValidity` in an API request is
|
10429
|
+
# hours. *Valid range* is displayed below in seconds.
|
10185
10430
|
# @return [Integer]
|
10186
10431
|
#
|
10187
10432
|
# @!attribute [rw] id_token_validity
|
10188
|
-
# The time limit
|
10189
|
-
#
|
10433
|
+
# The ID token time limit. After this limit expires, your user can't
|
10434
|
+
# use their ID token. To specify the time unit for `IdTokenValidity`
|
10435
|
+
# as `seconds`, `minutes`, `hours`, or `days`, set a
|
10436
|
+
# `TokenValidityUnits` value in your API request.
|
10437
|
+
#
|
10438
|
+
# For example, when you set `IdTokenValidity` as `10` and
|
10439
|
+
# `TokenValidityUnits` as `hours`, your user can authenticate their
|
10440
|
+
# session with their ID token for 10 hours.
|
10441
|
+
#
|
10442
|
+
# The default time unit for `AccessTokenValidity` in an API request is
|
10443
|
+
# hours. *Valid range* is displayed below in seconds.
|
10190
10444
|
# @return [Integer]
|
10191
10445
|
#
|
10192
10446
|
# @!attribute [rw] token_validity_units
|
10193
|
-
# The time units used to specify the token validity times of
|
10194
|
-
#
|
10447
|
+
# The time units used to specify the token validity times of each
|
10448
|
+
# token type: ID, access, and refresh.
|
10195
10449
|
# @return [Types::TokenValidityUnitsType]
|
10196
10450
|
#
|
10197
10451
|
# @!attribute [rw] read_attributes
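Review bot: The new `id_token_validity` comment ends with "The default time unit for `AccessTokenValidity` in an API request is hours", which looks copied from the attribute above; that sentence should name `IdTokenValidity`. In the same hunk, the `refresh_token_validity` text says a value of 0 is overridden with the 30-day default rather than rejected, so a caller who passes 0 expecting no refresh token gets a 30-day one. A short line such as `# Passing 0 does not disable refresh tokens; the 30-day default applies.` would make that hard to miss. The struct these attributes belong to starts and ends outside the hunk.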
|
@@ -10231,13 +10485,14 @@ module Aws::CognitoIdentityProvider
|
|
10231
10485
|
# @return [Array<String>]
|
10232
10486
|
#
|
10233
10487
|
# @!attribute [rw] supported_identity_providers
|
10234
|
-
# A list of provider names for the
|
10235
|
-
# supported
|
10488
|
+
# A list of provider names for the IdPs that this client supports. The
|
10489
|
+
# following are supported: `COGNITO`, `Facebook`, `Google`
|
10490
|
+
# `LoginWithAmazon`, and the names of your own SAML and OIDC
|
10491
|
+
# providers.
|
10236
10492
|
# @return [Array<String>]
|
10237
10493
|
#
|
10238
10494
|
# @!attribute [rw] callback_urls
|
10239
|
-
# A list of allowed redirect (callback) URLs for the
|
10240
|
-
# providers.
|
10495
|
+
# A list of allowed redirect (callback) URLs for the IdPs.
|
10241
10496
|
#
|
10242
10497
|
# A redirect URI must:
|
10243
10498
|
#
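Review bot: The rewritten `supported_identity_providers` comment drops a comma between two provider names: it reads `Google` followed directly by `LoginWithAmazon` across the line break. Since these are literal values a caller copies into the list, the line should end with a comma after the `Google` entry so the four built-in names read as separate items.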
|
@@ -10260,7 +10515,7 @@ module Aws::CognitoIdentityProvider
|
|
10260
10515
|
# @return [Array<String>]
|
10261
10516
|
#
|
10262
10517
|
# @!attribute [rw] logout_urls
|
10263
|
-
# A list of allowed logout URLs for the
|
10518
|
+
# A list of allowed logout URLs for the IdPs.
|
10264
10519
|
# @return [Array<String>]
|
10265
10520
|
#
|
10266
10521
|
# @!attribute [rw] default_redirect_uri
|
@@ -10289,23 +10544,30 @@ module Aws::CognitoIdentityProvider
|
|
10289
10544
|
# @!attribute [rw] allowed_o_auth_flows
|
10290
10545
|
# The allowed OAuth flows.
|
10291
10546
|
#
|
10292
|
-
#
|
10293
|
-
#
|
10294
|
-
#
|
10547
|
+
# code
|
10548
|
+
#
|
10549
|
+
# : Use a code grant flow, which provides an authorization code as the
|
10550
|
+
# response. This code can be exchanged for access tokens with the
|
10551
|
+
# `/oauth2/token` endpoint.
|
10552
|
+
#
|
10553
|
+
# implicit
|
10295
10554
|
#
|
10296
|
-
#
|
10297
|
-
#
|
10555
|
+
# : Issue the access token (and, optionally, ID token, based on
|
10556
|
+
# scopes) directly to your user.
|
10298
10557
|
#
|
10299
|
-
#
|
10300
|
-
#
|
10301
|
-
#
|
10558
|
+
# client\_credentials
|
10559
|
+
#
|
10560
|
+
# : Issue the access token from the `/oauth2/token` endpoint directly
|
10561
|
+
# to a non-person user using a combination of the client ID and
|
10562
|
+
# client secret.
|
10302
10563
|
# @return [Array<String>]
|
10303
10564
|
#
|
10304
10565
|
# @!attribute [rw] allowed_o_auth_scopes
|
10305
|
-
# The
|
10306
|
-
# `phone`, `email`, `openid`, and `profile`.
|
10307
|
-
#
|
10308
|
-
#
|
10566
|
+
# The OAuth scopes that your app client supports. Possible values that
|
10567
|
+
# OAuth provides are `phone`, `email`, `openid`, and `profile`.
|
10568
|
+
# Possible values that Amazon Web Services provides are
|
10569
|
+
# `aws.cognito.signin.user.admin`. Amazon Cognito also supports custom
|
10570
|
+
# scopes that you create in Resource Servers.
|
10309
10571
|
# @return [Array<String>]
|
10310
10572
|
#
|
10311
10573
|
# @!attribute [rw] allowed_o_auth_flows_user_pool_client
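Review bot: The `implicit` entry in the new `allowed_o_auth_flows` comment says tokens are issued "directly to your user" but not that this skips the `/oauth2/token` exchange described under `code`, so the three flows read as interchangeable. I would add one line under `implicit`, for example `#   Tokens are returned in the redirect itself; prefer the code grant for new clients.` Under `client_credentials` I would add that it only suits clients able to keep the client secret confidential. The same hunk introduces the `aws.cognito.signin.user.admin` scope without saying what it grants; a half-sentence on that would help anyone deciding which scopes to allow.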
|
@@ -10339,8 +10601,8 @@ module Aws::CognitoIdentityProvider
|
|
10339
10601
|
#
|
10340
10602
|
# * `ENABLED` - This prevents user existence-related errors.
|
10341
10603
|
#
|
10342
|
-
# * `LEGACY` - This represents the old behavior of Cognito
|
10343
|
-
# existence related errors aren't prevented.
|
10604
|
+
# * `LEGACY` - This represents the old behavior of Amazon Cognito
|
10605
|
+
# where user existence related errors aren't prevented.
|
10344
10606
|
# @return [String]
|
10345
10607
|
#
|
10346
10608
|
# @!attribute [rw] enable_token_revocation
|
@@ -10532,6 +10794,9 @@ module Aws::CognitoIdentityProvider
|
|
10532
10794
|
# The contents of the SMS authentication message.
|
10533
10795
|
# @return [String]
|
10534
10796
|
#
|
10797
|
+
# @!attribute [rw] user_attribute_update_settings
|
10798
|
+
# @return [Types::UserAttributeUpdateSettingsType]
|
10799
|
+
#
|
10535
10800
|
# @!attribute [rw] mfa_configuration
|
10536
10801
|
# Can be one of the following values:
|
10537
10802
|
#
|
@@ -10681,6 +10946,7 @@ module Aws::CognitoIdentityProvider
|
|
10681
10946
|
:email_verification_subject,
|
10682
10947
|
:verification_message_template,
|
10683
10948
|
:sms_authentication_message,
|
10949
|
+
:user_attribute_update_settings,
|
10684
10950
|
:mfa_configuration,
|
10685
10951
|
:device_configuration,
|
10686
10952
|
:estimated_number_of_users,
|
@@ -10700,7 +10966,7 @@ module Aws::CognitoIdentityProvider
|
|
10700
10966
|
include Aws::Structure
|
10701
10967
|
end
|
10702
10968
|
|
10703
|
-
#
|
10969
|
+
# A user profile in a Amazon Cognito user pool.
|
10704
10970
|
#
|
10705
10971
|
# @!attribute [rw] username
|
10706
10972
|
# The user name of the user you want to describe.
|
@@ -10729,6 +10995,8 @@ module Aws::CognitoIdentityProvider
|
|
10729
10995
|
#
|
10730
10996
|
# * CONFIRMED - User has been confirmed.
|
10731
10997
|
#
|
10998
|
+
# * EXTERNAL\_PROVIDER - User signed in with a third-party IdP.
|
10999
|
+
#
|
10732
11000
|
# * ARCHIVED - User is no longer active.
|
10733
11001
|
#
|
10734
11002
|
# * UNKNOWN - User status isn't known.
|
@@ -10770,7 +11038,7 @@ module Aws::CognitoIdentityProvider
|
|
10770
11038
|
# }
|
10771
11039
|
#
|
10772
11040
|
# @!attribute [rw] case_sensitive
|
10773
|
-
# Specifies whether
|
11041
|
+
# Specifies whether user name case sensitivity will be applied for all
|
10774
11042
|
# users in the user pool through Amazon Cognito APIs.
|
10775
11043
|
#
|
10776
11044
|
# Valid values include:
|
@@ -10830,12 +11098,16 @@ module Aws::CognitoIdentityProvider
|
|
10830
11098
|
# }
|
10831
11099
|
#
|
10832
11100
|
# @!attribute [rw] sms_message
|
10833
|
-
# The SMS
|
11101
|
+
# The template for SMS messages that Amazon Cognito sends to your
|
11102
|
+
# users.
|
10834
11103
|
# @return [String]
|
10835
11104
|
#
|
10836
11105
|
# @!attribute [rw] email_message
|
10837
|
-
# The email
|
10838
|
-
#
|
11106
|
+
# The template for email messages that Amazon Cognito sends to your
|
11107
|
+
# users. You can set an `EmailMessage` template only if the value of [
|
11108
|
+
# EmailSendingAccount][1] is `DEVELOPER`. When your
|
11109
|
+
# [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
|
11110
|
+
# messages with your own Amazon SES configuration.
|
10839
11111
|
#
|
10840
11112
|
#
|
10841
11113
|
#
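Review bot: The added `email_message` text writes the link as `[ EmailSendingAccount][1]`, with a space after the opening bracket, and then as `[EmailSendingAccount][1]` in the next sentence. The stray space is at best inconsistent and may render oddly depending on the Markdown processor. It should be `[EmailSendingAccount][1]` in both places. The same spelling recurs in the following hunks for `email_subject`, `email_message_by_link` and `email_subject_by_link`. The `[1]:` reference definition itself lies outside the lines shown here.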
|
@@ -10843,8 +11115,11 @@ module Aws::CognitoIdentityProvider
|
|
10843
11115
|
# @return [String]
|
10844
11116
|
#
|
10845
11117
|
# @!attribute [rw] email_subject
|
10846
|
-
# The subject line for the email message template.
|
10847
|
-
#
|
11118
|
+
# The subject line for the email message template. You can set an
|
11119
|
+
# `EmailSubject` template only if the value of [
|
11120
|
+
# EmailSendingAccount][1] is `DEVELOPER`. When your
|
11121
|
+
# [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
|
11122
|
+
# messages with your own Amazon SES configuration.
|
10848
11123
|
#
|
10849
11124
|
#
|
10850
11125
|
#
|
@@ -10853,8 +11128,10 @@ module Aws::CognitoIdentityProvider
|
|
10853
11128
|
#
|
10854
11129
|
# @!attribute [rw] email_message_by_link
|
10855
11130
|
# The email message template for sending a confirmation link to the
|
10856
|
-
# user. EmailMessageByLink
|
10857
|
-
# EmailSendingAccount][1] is DEVELOPER
|
11131
|
+
# user. You can set an `EmailMessageByLink` template only if the value
|
11132
|
+
# of [ EmailSendingAccount][1] is `DEVELOPER`. When your
|
11133
|
+
# [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
|
11134
|
+
# messages with your own Amazon SES configuration.
|
10858
11135
|
#
|
10859
11136
|
#
|
10860
11137
|
#
|
@@ -10863,8 +11140,11 @@ module Aws::CognitoIdentityProvider
|
|
10863
11140
|
#
|
10864
11141
|
# @!attribute [rw] email_subject_by_link
|
10865
11142
|
# The subject line for the email message template for sending a
|
10866
|
-
# confirmation link to the user.
|
10867
|
-
# EmailSendingAccount][1] is
|
11143
|
+
# confirmation link to the user. You can set an `EmailSubjectByLink`
|
11144
|
+
# template only if the value of [ EmailSendingAccount][1] is
|
11145
|
+
# `DEVELOPER`. When your [EmailSendingAccount][1] is `DEVELOPER`, your
|
11146
|
+
# user pool sends email messages with your own Amazon SES
|
11147
|
+
# configuration.
|
10868
11148
|
#
|
10869
11149
|
#
|
10870
11150
|
#
|
@@ -10899,7 +11179,8 @@ module Aws::CognitoIdentityProvider
|
|
10899
11179
|
# }
|
10900
11180
|
#
|
10901
11181
|
# @!attribute [rw] access_token
|
10902
|
-
#
|
11182
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
11183
|
+
# software token you want to verify.
|
10903
11184
|
# @return [String]
|
10904
11185
|
#
|
10905
11186
|
# @!attribute [rw] session
|
@@ -10961,7 +11242,8 @@ module Aws::CognitoIdentityProvider
|
|
10961
11242
|
# }
|
10962
11243
|
#
|
10963
11244
|
# @!attribute [rw] access_token
|
10964
|
-
#
|
11245
|
+
# A valid access token that Amazon Cognito issued to the user whose
|
11246
|
+
# user attributes you want to verify.
|
10965
11247
|
# @return [String]
|
10966
11248
|
#
|
10967
11249
|
# @!attribute [rw] attribute_name
|