aws-sdk-cognitoidentityprovider 1.65.0 → 1.66.0

@@ -52,7 +52,7 @@ module Aws::CognitoIdentityProvider
52
52
  #
53
53
  # @!attribute [rw] event_action
54
54
  # The action to take in response to the account takeover action. Valid
55
- # values are:
55
+ # values are as follows:
56
56
  #
57
57
  # * `BLOCK` Choosing this action will block the request.
58
58
  #
@@ -354,11 +354,11 @@ module Aws::CognitoIdentityProvider
354
354
  # @return [Boolean]
355
355
  #
356
356
  # @!attribute [rw] unused_account_validity_days
357
- # The user account expiration limit, in days, after which the account
358
- # is no longer usable. To reset the account after that time limit, you
359
- # must call `AdminCreateUser` again, specifying `"RESEND"` for the
360
- # `MessageAction` parameter. The default value for this parameter is
361
- # 7.
357
+ # The user account expiration limit, in days, after which a new
358
+ # account that hasn't signed in is no longer usable. To reset the
359
+ # account after that time limit, you must call `AdminCreateUser`
360
+ # again, specifying `"RESEND"` for the `MessageAction` parameter. The
361
+ # default value for this parameter is 7.
362
362
  #
363
363
  # <note markdown="1"> If you set a value for `TemporaryPasswordValidityDays` in
364
364
  # `PasswordPolicy`, that value will be used, and
@@ -1185,9 +1185,21 @@ module Aws::CognitoIdentityProvider
1185
1185
  # enabled to use this flow.
1186
1186
  #
1187
1187
  # * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
1188
- # their passwords after successful first login. This challenge
1189
- # should be passed with `NEW_PASSWORD` and any other required
1190
- # attributes.
1188
+ # their passwords after successful first login. Respond to this
1189
+ # challenge with `NEW_PASSWORD` and any required attributes that
1190
+ # Amazon Cognito returned in the `requiredAttributes` parameter. You
1191
+ # can also set values for attributes that aren't required by your
1192
+ # user pool and that your app client can write. For more
1193
+ # information, see [AdminRespondToAuthChallenge][1].
1194
+ #
1195
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
1196
+ # a required attribute that already has a value. In
1197
+ # `AdminRespondToAuthChallenge`, set a value for any keys that
1198
+ # Amazon Cognito returned in the `requiredAttributes` parameter,
1199
+ # then use the `AdminUpdateUserAttributes` API operation to modify
1200
+ # the value of any additional attributes.
1201
+ #
1202
+ # </note>
1191
1203
  #
1192
1204
  # * `MFA_SETUP`\: For users who are required to set up an MFA factor
1193
1205
  # before they can sign in. The MFA types activated for the user pool
@@ -1200,6 +1212,10 @@ module Aws::CognitoIdentityProvider
1200
1212
  # complete sign-in. To set up SMS MFA, users will need help from an
1201
1213
  # administrator to add a phone number to their account and then call
1202
1214
  # `InitiateAuth` again to restart sign-in.
1215
+ #
1216
+ #
1217
+ #
1218
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html
1203
1219
  # @return [String]
1204
1220
  #
1205
1221
  # @!attribute [rw] session
@@ -1267,12 +1283,11 @@ module Aws::CognitoIdentityProvider
1267
1283
  #
1268
1284
  # @!attribute [rw] destination_user
1269
1285
  # The existing user in the user pool that you want to assign to the
1270
- # external identity provider user account. This user can be a native
1271
- # (Username + Password) Amazon Cognito user pools user or a federated
1272
- # user (for example, a SAML or Facebook user). If the user doesn't
1273
- # exist, Amazon Cognito generates an exception. Amazon Cognito returns
1274
- # this user when the new user (with the linked identity provider
1275
- # attribute) signs in.
1286
+ # external IdP user account. This user can be a native (Username +
1287
+ # Password) Amazon Cognito user pools user or a federated user (for
1288
+ # example, a SAML or Facebook user). If the user doesn't exist,
1289
+ # Amazon Cognito generates an exception. Amazon Cognito returns this
1290
+ # user when the new user (with the linked IdP attribute) signs in.
1276
1291
  #
1277
1292
  # For a native username + password user, the `ProviderAttributeValue`
1278
1293
  # for the `DestinationUser` should be the username in the user pool.
@@ -1289,30 +1304,29 @@ module Aws::CognitoIdentityProvider
1289
1304
  # @return [Types::ProviderUserIdentifierType]
1290
1305
  #
1291
1306
  # @!attribute [rw] source_user
1292
- # An external identity provider account for a user who doesn't exist
1293
- # yet in the user pool. This user must be a federated user (for
1294
- # example, a SAML or Facebook user), not another native user.
1307
+ # An external IdP account for a user who doesn't exist yet in the
1308
+ # user pool. This user must be a federated user (for example, a SAML
1309
+ # or Facebook user), not another native user.
1295
1310
  #
1296
- # If the `SourceUser` is using a federated social identity provider,
1297
- # such as Facebook, Google, or Login with Amazon, you must set the
1298
- # `ProviderAttributeName` to `Cognito_Subject`. For social identity
1299
- # providers, the `ProviderName` will be `Facebook`, `Google`, or
1300
- # `LoginWithAmazon`, and Amazon Cognito will automatically parse the
1301
- # Facebook, Google, and Login with Amazon tokens for `id`, `sub`, and
1302
- # `user_id`, respectively. The `ProviderAttributeValue` for the user
1303
- # must be the same value as the `id`, `sub`, or `user_id` value found
1304
- # in the social identity provider token.
1311
+ # If the `SourceUser` is using a federated social IdP, such as
1312
+ # Facebook, Google, or Login with Amazon, you must set the
1313
+ # `ProviderAttributeName` to `Cognito_Subject`. For social IdPs, the
1314
+ # `ProviderName` will be `Facebook`, `Google`, or `LoginWithAmazon`,
1315
+ # and Amazon Cognito will automatically parse the Facebook, Google,
1316
+ # and Login with Amazon tokens for `id`, `sub`, and `user_id`,
1317
+ # respectively. The `ProviderAttributeValue` for the user must be the
1318
+ # same value as the `id`, `sub`, or `user_id` value found in the
1319
+ # social IdP token.
1305
1320
  #
1306
1321
  #
1307
1322
  #
1308
1323
  # For SAML, the `ProviderAttributeName` can be any value that matches
1309
1324
  # a claim in the SAML assertion. If you want to link SAML users based
1310
1325
  # on the subject of the SAML assertion, you should map the subject to
1311
- # a claim through the SAML identity provider and submit that claim
1312
- # name as the `ProviderAttributeName`. If you set
1313
- # `ProviderAttributeName` to `Cognito_Subject`, Amazon Cognito will
1314
- # automatically parse the default unique identifier found in the
1315
- # subject from the SAML token.
1326
+ # a claim through the SAML IdP and submit that claim name as the
1327
+ # `ProviderAttributeName`. If you set `ProviderAttributeName` to
1328
+ # `Cognito_Subject`, Amazon Cognito will automatically parse the
1329
+ # default unique identifier found in the subject from the SAML token.
1316
1330
  # @return [Types::ProviderUserIdentifierType]
1317
1331
  #
1318
1332
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminLinkProviderForUserRequest AWS API Documentation
@@ -1679,9 +1693,22 @@ module Aws::CognitoIdentityProvider
1679
1693
  # * `ADMIN_NO_SRP_AUTH`\: `PASSWORD`, `USERNAME`, `SECRET_HASH` (if
1680
1694
  # app client is configured with client secret).
1681
1695
  #
1682
- # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
1683
- # attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
1684
- # with client secret).
1696
+ # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
1697
+ # `SECRET_HASH` (if app client is configured with client secret). To
1698
+ # set any required attributes that Amazon Cognito returned as
1699
+ # `requiredAttributes` in the `AdminInitiateAuth` response, add a
1700
+ # `userAttributes.attributename ` parameter. This parameter can also
1701
+ # set values for writable attributes that aren't required by your
1702
+ # user pool.
1703
+ #
1704
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
1705
+ # a required attribute that already has a value. In
1706
+ # `AdminRespondToAuthChallenge`, set a value for any keys that
1707
+ # Amazon Cognito returned in the `requiredAttributes` parameter,
1708
+ # then use the `AdminUpdateUserAttributes` API operation to modify
1709
+ # the value of any additional attributes.
1710
+ #
1711
+ # </note>
1685
1712
  #
1686
1713
  # * `MFA_SETUP` requires `USERNAME`, plus you must use the session
1687
1714
  # value returned by `VerifySoftwareToken` in the `Session`
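Review bot: The code span `userAttributes.attributename ` in the new `NEW_PASSWORD_REQUIRED` bullet has a trailing space inside the backticks, so a reader who copies the key gets a name with stray whitespace. I would write it as `userAttributes.attributename` and say that attributename is, presumably, a placeholder for the name of the attribute being set. The bulleted list this entry belongs to starts and ends outside the hunk.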
@@ -2089,6 +2116,22 @@ module Aws::CognitoIdentityProvider
2089
2116
  #
2090
2117
  # For custom attributes, you must prepend the `custom:` prefix to the
2091
2118
  # attribute name.
2119
+ #
2120
+ # If your user pool requires verification before Amazon Cognito
2121
+ # updates an attribute value that you specify in this request, Amazon
2122
+ # Cognito doesn’t immediately update the value of that attribute.
2123
+ # After your user receives and responds to a verification message to
2124
+ # verify the new value, Amazon Cognito updates the attribute value.
2125
+ # Your user can sign in and receive messages with the original
2126
+ # attribute value until they verify the new value.
2127
+ #
2128
+ # To update the value of an attribute that requires verification in
2129
+ # the same API request, include the `email_verified` or
2130
+ # `phone_number_verified` attribute, with a value of `true`. If you
2131
+ # set the `email_verified` or `phone_number_verified` value for an
2132
+ # `email` or `phone_number` attribute that requires verification to
2133
+ # `true`, Amazon Cognito doesn’t send a verification message to your
2134
+ # user.
2092
2135
  # @return [Array<Types::AttributeType>]
2093
2136
  #
2094
2137
  # @!attribute [rw] client_metadata
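Review bot: The second added paragraph on `attributes` omits that a caller who sends `email_verified` or `phone_number_verified` as `true` is vouching for ownership of the new `email` or `phone_number`, since it documents that the value is applied in the same request and no verification message is sent. The first added paragraph says users sign in and receive messages with the attribute value, so a value marked verified without proof may route those messages to someone other than the account owner. I would add a sentence such as `# Set these only after your application has confirmed, outside Amazon Cognito, that the user controls the new value.` The attribute's comment block starts outside the hunk.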
@@ -2181,9 +2224,11 @@ module Aws::CognitoIdentityProvider
2181
2224
  class AdminUserGlobalSignOutResponse < Aws::EmptyStructure; end
2182
2225
 
2183
2226
  # This exception is thrown when a user tries to confirm the account with
2184
- # an email or phone number that has already been supplied as an alias
2185
- # from a different account. This exception tells user that an account
2186
- # with this email or phone already exists.
2227
+ # an email address or phone number that has already been supplied as an
2228
+ # alias from a different account. This exception indicates that an
2229
+ # account with this email address or phone already exists in a user pool
2230
+ # that you've configured to use email address or phone number as a
2231
+ # sign-in alias.
2187
2232
  #
2188
2233
  # @!attribute [rw] message
2189
2234
  # The message sent to the user when an alias exists.
@@ -2197,8 +2242,8 @@ module Aws::CognitoIdentityProvider
2197
2242
  include Aws::Structure
2198
2243
  end
2199
2244
 
2200
- # The Amazon Pinpoint analytics configuration for collecting metrics for
2201
- # a user pool.
2245
+ # The Amazon Pinpoint analytics configuration necessary to collect
2246
+ # metrics for a user pool.
2202
2247
  #
2203
2248
  # <note markdown="1"> In Regions where Amazon Pinpointisn't available, user pools only
2204
2249
  # support sending events to Amazon Pinpoint projects in us-east-1. In
@@ -2226,7 +2271,7 @@ module Aws::CognitoIdentityProvider
2226
2271
  # The Amazon Resource Name (ARN) of an Amazon Pinpoint project. You
2227
2272
  # can use the Amazon Pinpoint project to integrate with the chosen
2228
2273
  # user pool Client. Amazon Cognito publishes events to the Amazon
2229
- # Pinpointproject declared by the app ARN.
2274
+ # Pinpoint project that the app ARN declares.
2230
2275
  # @return [String]
2231
2276
  #
2232
2277
  # @!attribute [rw] role_arn
@@ -2239,8 +2284,8 @@ module Aws::CognitoIdentityProvider
2239
2284
  # @return [String]
2240
2285
  #
2241
2286
  # @!attribute [rw] user_data_shared
2242
- # If `UserDataShared` is `true`, Amazon Cognito will include user data
2243
- # in the events it publishes to Amazon Pinpoint analytics.
2287
+ # If `UserDataShared` is `true`, Amazon Cognito includes user data in
2288
+ # the events that it publishes to Amazon Pinpoint analytics.
2244
2289
  # @return [Boolean]
2245
2290
  #
2246
2291
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AnalyticsConfigurationType AWS API Documentation
@@ -2259,12 +2304,14 @@ module Aws::CognitoIdentityProvider
2259
2304
  #
2260
2305
  # An endpoint uniquely identifies a mobile device, email address, or
2261
2306
  # phone number that can receive messages from Amazon Pinpoint analytics.
2307
+ # For more information about Amazon Web Services Regions that can
2308
+ # contain Amazon Pinpoint resources for use with Amazon Cognito user
2309
+ # pools, see [Using Amazon Pinpoint analytics with Amazon Cognito user
2310
+ # pools][1].
2262
2311
  #
2263
- # <note markdown="1"> Amazon Cognito user pools only support sending events to Amazon
2264
- # Pinpoint projects in the US East (N. Virginia) us-east-1 Region,
2265
- # regardless of the Region where the user pool resides.
2266
2312
  #
2267
- # </note>
2313
+ #
2314
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html
2268
2315
  #
2269
2316
  # @note When making an API call, you may pass AnalyticsMetadataType
2270
2317
  # data as a hash:
@@ -2294,7 +2341,8 @@ module Aws::CognitoIdentityProvider
2294
2341
  # }
2295
2342
  #
2296
2343
  # @!attribute [rw] access_token
2297
- # The access token.
2344
+ # A valid access token that Amazon Cognito issued to the user whose
2345
+ # software token you want to generate.
2298
2346
  # @return [String]
2299
2347
  #
2300
2348
  # @!attribute [rw] session
@@ -2414,7 +2462,8 @@ module Aws::CognitoIdentityProvider
2414
2462
  # The authentication result.
2415
2463
  #
2416
2464
  # @!attribute [rw] access_token
2417
- # The access token.
2465
+ # A valid access token that Amazon Cognito issued to the user who you
2466
+ # want to authenticate.
2418
2467
  # @return [String]
2419
2468
  #
2420
2469
  # @!attribute [rw] expires_in
@@ -2489,7 +2538,8 @@ module Aws::CognitoIdentityProvider
2489
2538
  # @return [String]
2490
2539
  #
2491
2540
  # @!attribute [rw] access_token
2492
- # The access token.
2541
+ # A valid access token that Amazon Cognito issued to the user whose
2542
+ # password you want to change.
2493
2543
  # @return [String]
2494
2544
  #
2495
2545
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ChangePasswordRequest AWS API Documentation
@@ -2508,18 +2558,21 @@ module Aws::CognitoIdentityProvider
2508
2558
  #
2509
2559
  class ChangePasswordResponse < Aws::EmptyStructure; end
2510
2560
 
2511
- # The code delivery details being returned from the server.
2561
+ # The delivery details for an email or SMS message that Amazon Cognito
2562
+ # sent for authentication or verification.
2512
2563
  #
2513
2564
  # @!attribute [rw] destination
2514
- # The destination for the code delivery details.
2565
+ # The email address or phone number destination where Amazon Cognito
2566
+ # sent the code.
2515
2567
  # @return [String]
2516
2568
  #
2517
2569
  # @!attribute [rw] delivery_medium
2518
- # The delivery medium (email message or phone number).
2570
+ # The method that Amazon Cognito used to send the code.
2519
2571
  # @return [String]
2520
2572
  #
2521
2573
  # @!attribute [rw] attribute_name
2522
- # The attribute name.
2574
+ # The name of the attribute that Amazon Cognito verifies with the
2575
+ # code.
2523
2576
  # @return [String]
2524
2577
  #
2525
2578
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CodeDeliveryDetailsType AWS API Documentation
@@ -2645,7 +2698,8 @@ module Aws::CognitoIdentityProvider
2645
2698
  # }
2646
2699
  #
2647
2700
  # @!attribute [rw] access_token
2648
- # The access token.
2701
+ # A valid access token that Amazon Cognito issued to the user whose
2702
+ # device you want to confirm.
2649
2703
  # @return [String]
2650
2704
  #
2651
2705
  # @!attribute [rw] device_key
@@ -3013,7 +3067,7 @@ module Aws::CognitoIdentityProvider
3013
3067
  # A non-negative integer value that specifies the precedence of this
3014
3068
  # group relative to the other groups that a user can belong to in the
3015
3069
  # user pool. Zero is the highest precedence value. Groups with lower
3016
- # `Precedence` values take precedence over groups with higher ornull
3070
+ # `Precedence` values take precedence over groups with higher or null
3017
3071
  # `Precedence` values. If a user belongs to two or more groups, it is
3018
3072
  # the group with the lowest precedence value whose role ARN is given
3019
3073
  # in the user's tokens for the `cognito:roles` and
@@ -3026,7 +3080,8 @@ module Aws::CognitoIdentityProvider
3026
3080
  # group. If the two groups have different role ARNs, the
3027
3081
  # `cognito:preferred_role` claim isn't set in users' tokens.
3028
3082
  #
3029
- # The default `Precedence` value is null.
3083
+ # The default `Precedence` value is null. The maximum `Precedence`
3084
+ # value is `2^31-1`.
3030
3085
  # @return [Integer]
3031
3086
  #
3032
3087
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateGroupRequest AWS API Documentation
@@ -3074,16 +3129,16 @@ module Aws::CognitoIdentityProvider
3074
3129
  # @return [String]
3075
3130
  #
3076
3131
  # @!attribute [rw] provider_name
3077
- # The identity provider name.
3132
+ # The IdP name.
3078
3133
  # @return [String]
3079
3134
  #
3080
3135
  # @!attribute [rw] provider_type
3081
- # The identity provider type.
3136
+ # The IdP type.
3082
3137
  # @return [String]
3083
3138
  #
3084
3139
  # @!attribute [rw] provider_details
3085
- # The identity provider details. The following list describes the
3086
- # provider detail keys for each identity provider type.
3140
+ # The IdP details. The following list describes the provider detail
3141
+ # keys for each IdP type.
3087
3142
  #
3088
3143
  # * For Google and Login with Amazon:
3089
3144
  #
@@ -3127,35 +3182,38 @@ module Aws::CognitoIdentityProvider
3127
3182
  #
3128
3183
  # * authorize\_scopes
3129
3184
  #
3130
- # * authorize\_url *if not available from discovery URL specified by
3131
- # oidc\_issuer key*
3185
+ # * The following keys are only present if Amazon Cognito didn't
3186
+ # discover them at the `oidc_issuer` URL.
3187
+ #
3188
+ # * authorize\_url
3189
+ #
3190
+ # * token\_url
3132
3191
  #
3133
- # * token\_url *if not available from discovery URL specified by
3134
- # oidc\_issuer key*
3192
+ # * attributes\_url
3135
3193
  #
3136
- # * attributes\_url *if not available from discovery URL specified
3137
- # by oidc\_issuer key*
3194
+ # * jwks\_uri
3138
3195
  #
3139
- # * jwks\_uri *if not available from discovery URL specified by
3140
- # oidc\_issuer key*
3196
+ # * Amazon Cognito sets the value of the following keys
3197
+ # automatically. They are read-only.
3141
3198
  #
3142
- # * attributes\_url\_add\_attributes *a read-only property that is
3143
- # set automatically*
3199
+ # * attributes\_url\_add\_attributes
3200
+ #
3201
+ # ^
3144
3202
  #
3145
3203
  # * For SAML providers:
3146
3204
  #
3147
- # * MetadataFile OR MetadataURL
3205
+ # * MetadataFile or MetadataURL
3148
3206
  #
3149
- # * IDPSignout (optional)
3207
+ # * IDPSignout *optional*
3150
3208
  # @return [Hash<String,String>]
3151
3209
  #
3152
3210
  # @!attribute [rw] attribute_mapping
3153
- # A mapping of identity provider attributes to standard and custom
3154
- # user pool attributes.
3211
+ # A mapping of IdP attributes to standard and custom user pool
3212
+ # attributes.
3155
3213
  # @return [Hash<String,String>]
3156
3214
  #
3157
3215
  # @!attribute [rw] idp_identifiers
3158
- # A list of identity provider identifiers.
3216
+ # A list of IdP identifiers.
3159
3217
  # @return [Array<String>]
3160
3218
  #
3161
3219
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderRequest AWS API Documentation
@@ -3172,7 +3230,7 @@ module Aws::CognitoIdentityProvider
3172
3230
  end
3173
3231
 
3174
3232
  # @!attribute [rw] identity_provider
3175
- # The newly created identity provider object.
3233
+ # The newly created IdP object.
3176
3234
  # @return [Types::IdentityProviderType]
3177
3235
  #
3178
3236
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateIdentityProviderResponse AWS API Documentation
@@ -3343,26 +3401,53 @@ module Aws::CognitoIdentityProvider
3343
3401
  # @return [Boolean]
3344
3402
  #
3345
3403
  # @!attribute [rw] refresh_token_validity
3346
- # The time limit, in days, after which the refresh token is no longer
3347
- # valid and can't be used.
3404
+ # The refresh token time limit. After this limit expires, your user
3405
+ # can't use their refresh token. To specify the time unit for
3406
+ # `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
3407
+ # set a `TokenValidityUnits` value in your API request.
3408
+ #
3409
+ # For example, when you set `RefreshTokenValidity` as `10` and
3410
+ # `TokenValidityUnits` as `days`, your user can refresh their session
3411
+ # and retrieve new access and ID tokens for 10 days.
3412
+ #
3413
+ # The default time unit for `RefreshTokenValidity` in an API request
3414
+ # is days. You can't set `RefreshTokenValidity` to 0. If you do,
3415
+ # Amazon Cognito overrides the value with the default value of 30
3416
+ # days. *Valid range* is displayed below in seconds.
3348
3417
  # @return [Integer]
3349
3418
  #
3350
3419
  # @!attribute [rw] access_token_validity
3351
- # The time limit, between 5 minutes and 1 day, after which the access
3352
- # token is no longer valid and can't be used. If you supply a
3353
- # TokenValidityUnits value, you will override the default time unit.
3420
+ # The access token time limit. After this limit expires, your user
3421
+ # can't use their access token. To specify the time unit for
3422
+ # `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
3423
+ # set a `TokenValidityUnits` value in your API request.
3424
+ #
3425
+ # For example, when you set `AccessTokenValidity` to `10` and
3426
+ # `TokenValidityUnits` to `hours`, your user can authorize access with
3427
+ # their access token for 10 hours.
3428
+ #
3429
+ # The default time unit for `AccessTokenValidity` in an API request is
3430
+ # hours. *Valid range* is displayed below in seconds.
3354
3431
  # @return [Integer]
3355
3432
  #
3356
3433
  # @!attribute [rw] id_token_validity
3357
- # The time limit, between 5 minutes and 1 day, after which the access
3358
- # token is no longer valid and can't be used. If you supply a
3359
- # TokenValidityUnits value, you will override the default time unit.
3434
+ # The ID token time limit. After this limit expires, your user can't
3435
+ # use their ID token. To specify the time unit for `IdTokenValidity`
3436
+ # as `seconds`, `minutes`, `hours`, or `days`, set a
3437
+ # `TokenValidityUnits` value in your API request.
3438
+ #
3439
+ # For example, when you set `IdTokenValidity` as `10` and
3440
+ # `TokenValidityUnits` as `hours`, your user can authenticate their
3441
+ # session with their ID token for 10 hours.
3442
+ #
3443
+ # The default time unit for `AccessTokenValidity` in an API request is
3444
+ # hours. *Valid range* is displayed below in seconds.
3360
3445
  # @return [Integer]
3361
3446
  #
3362
3447
  # @!attribute [rw] token_validity_units
3363
- # The units in which the validity times are represented. Default for
3364
- # RefreshToken is days, and default for ID and access tokens are
3365
- # hours.
3448
+ # The units in which the validity times are represented. The default
3449
+ # unit for RefreshToken is days, and default for ID and access tokens
3450
+ # are hours.
3366
3451
  # @return [Types::TokenValidityUnitsType]
3367
3452
  #
3368
3453
  # @!attribute [rw] read_attributes
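Review bot: The last paragraph added under `id_token_validity` names `AccessTokenValidity` as the parameter whose default unit is hours, which looks copied from the attribute above it; the line should read `# The default time unit for IdTokenValidity in an API request is`. Separately, the `refresh_token_validity` text says a value of 0 is replaced with 30 days rather than rejected. All three attributes give the valid range in seconds while the default units are days or hours, so a caller who leaves `TokenValidityUnits` unset may get a different token lifetime than intended. A short reminder in each description to set `TokenValidityUnits` explicitly would make that harder to get wrong.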
@@ -3372,14 +3457,13 @@ module Aws::CognitoIdentityProvider
3372
3457
  # @!attribute [rw] write_attributes
3373
3458
  # The user pool attributes that the app client can write to.
3374
3459
  #
3375
- # If your app client allows users to sign in through an identity
3376
- # provider, this array must include all attributes that you have
3377
- # mapped to identity provider attributes. Amazon Cognito updates
3378
- # mapped attributes when users sign in to your application through an
3379
- # identity provider. If your app client does not have write access to
3380
- # a mapped attribute, Amazon Cognito throws an error when it tries to
3381
- # update the attribute. For more information, see [Specifying Identity
3382
- # Provider Attribute Mappings for Your user pool][1].
3460
+ # If your app client allows users to sign in through an IdP, this
3461
+ # array must include all attributes that you have mapped to IdP
3462
+ # attributes. Amazon Cognito updates mapped attributes when users sign
3463
+ # in to your application through an IdP. If your app client does not
3464
+ # have write access to a mapped attribute, Amazon Cognito throws an
3465
+ # error when it tries to update the attribute. For more information,
3466
+ # see [Specifying IdP Attribute Mappings for Your user pool][1].
3383
3467
  #
3384
3468
  #
3385
3469
  #
@@ -3415,17 +3499,21 @@ module Aws::CognitoIdentityProvider
3415
3499
  # * `ALLOW_USER_SRP_AUTH`\: Enable SRP-based authentication.
3416
3500
  #
3417
3501
  # * `ALLOW_REFRESH_TOKEN_AUTH`\: Enable authflow to refresh tokens.
3502
+ #
3503
+ # If you don't specify a value for `ExplicitAuthFlows`, your app
3504
+ # client activates the `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`
3505
+ # authentication flows.
3418
3506
  # @return [Array<String>]
3419
3507
  #
3420
3508
  # @!attribute [rw] supported_identity_providers
3421
- # A list of provider names for the identity providers that are
3422
- # supported on this client. The following are supported: `COGNITO`,
3423
- # `Facebook`, `Google` and `LoginWithAmazon`.
3509
+ # A list of provider names for the IdPs that this client supports. The
3510
+ # following are supported: `COGNITO`, `Facebook`, `Google`
3511
+ # `LoginWithAmazon`, and the names of your own SAML and OIDC
3512
+ # providers.
3424
3513
  # @return [Array<String>]
3425
3514
  #
3426
3515
  # @!attribute [rw] callback_urls
3427
- # A list of allowed redirect (callback) URLs for the identity
3428
- # providers.
3516
+ # A list of allowed redirect (callback) URLs for the IdPs.
3429
3517
  #
3430
3518
  # A redirect URI must:
3431
3519
  #
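Review bot: In the new `supported_identity_providers` text the names `Google` and `LoginWithAmazon` are printed with no comma between them, so the list of built-in providers runs together; it should read `COGNITO`, `Facebook`, `Google`, `LoginWithAmazon`, followed by the SAML and OIDC clause. The paragraph added after `ALLOW_REFRESH_TOKEN_AUTH` also documents that omitting `ExplicitAuthFlows` activates `ALLOW_USER_SRP_AUTH` and `ALLOW_CUSTOM_AUTH`. It would be worth adding that app clients which do not use custom authentication should list their flows explicitly rather than rely on that default. Both comment blocks start outside the hunk.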
@@ -3448,7 +3536,7 @@ module Aws::CognitoIdentityProvider
3448
3536
  # @return [Array<String>]
3449
3537
  #
3450
3538
  # @!attribute [rw] logout_urls
3451
- # A list of allowed logout URLs for the identity providers.
3539
+ # A list of allowed logout URLs for the IdPs.
3452
3540
  # @return [Array<String>]
3453
3541
  #
3454
3542
  # @!attribute [rw] default_redirect_uri
@@ -3477,22 +3565,28 @@ module Aws::CognitoIdentityProvider
3477
3565
  # @!attribute [rw] allowed_o_auth_flows
3478
3566
  # The allowed OAuth flows.
3479
3567
  #
3480
- # Set to `code` to initiate a code grant flow, which provides an
3481
- # authorization code as the response. This code can be exchanged for
3482
- # access tokens with the token endpoint.
3568
+ # code
3569
+ #
3570
+ # : Use a code grant flow, which provides an authorization code as the
3571
+ # response. This code can be exchanged for access tokens with the
3572
+ # `/oauth2/token` endpoint.
3483
3573
  #
3484
- # Set to `implicit` to specify that the client should get the access
3485
- # token (and, optionally, ID token, based on scopes) directly.
3574
+ # implicit
3486
3575
  #
3487
- # Set to `client_credentials` to specify that the client should get
3488
- # the access token (and, optionally, ID token, based on scopes) from
3489
- # the token endpoint using a combination of client and client\_secret.
3576
+ # : Issue the access token (and, optionally, ID token, based on
3577
+ # scopes) directly to your user.
3578
+ #
3579
+ # client\_credentials
3580
+ #
3581
+ # : Issue the access token from the `/oauth2/token` endpoint directly
3582
+ # to a non-person user using a combination of the client ID and
3583
+ # client secret.
3490
3584
  # @return [Array<String>]
3491
3585
  #
3492
3586
  # @!attribute [rw] allowed_o_auth_scopes
3493
- # The allowed OAuth scopes. Possible values provided by OAuth are:
3587
+ # The allowed OAuth scopes. Possible values provided by OAuth are
3494
3588
  # `phone`, `email`, `openid`, and `profile`. Possible values provided
3495
- # by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
3589
+ # by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
3496
3590
  # scopes created in Resource Servers are also supported.
3497
3591
  # @return [Array<String>]
3498
3592
  #
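Review bot: The rewritten `implicit` entry under `allowed_o_auth_flows` gives no indication that this flow is discouraged; it only says the access token is issued directly to the user. Current OAuth 2.0 security guidance (RFC 9700) advises against the implicit grant because the token comes back in the authorization response, and recommends the authorization code flow instead. I would add one sentence to that entry, for example `# Prefer code for new app clients; use implicit only where a code grant is not possible.`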
@@ -3700,6 +3794,9 @@ module Aws::CognitoIdentityProvider
3700
3794
  # },
3701
3795
  # sms_authentication_message: "SmsVerificationMessageType",
3702
3796
  # mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
3797
+ # user_attribute_update_settings: {
3798
+ # attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
3799
+ # },
3703
3800
  # device_configuration: {
3704
3801
  # challenge_required_on_new_device: false,
3705
3802
  # device_only_remembered_on_user_prompt: false,
@@ -3844,6 +3941,9 @@ module Aws::CognitoIdentityProvider
3844
3941
  # Specifies MFA configuration details.
3845
3942
  # @return [String]
3846
3943
  #
3944
+ # @!attribute [rw] user_attribute_update_settings
3945
+ # @return [Types::UserAttributeUpdateSettingsType]
3946
+ #
3847
3947
  # @!attribute [rw] device_configuration
3848
3948
  # The device configuration.
3849
3949
  # @return [Types::DeviceConfigurationType]
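Review bot: The new `user_attribute_update_settings` attribute is added with only a `@return` tag and no description, unlike the attributes on either side of it. The request example elsewhere in this diff shows it holding `attributes_require_verification_before_update`, which accepts `phone_number` and `email`. A description such as `# The settings for updates to user attributes, including the attributes that must be verified before Amazon Cognito changes their value.` would tell readers that this is where verify-before-update is configured. The comment should also state what happens when the setting is omitted, which the page does not show.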
@@ -3921,6 +4021,7 @@ module Aws::CognitoIdentityProvider
3921
4021
  :verification_message_template,
3922
4022
  :sms_authentication_message,
3923
4023
  :mfa_configuration,
4024
+ :user_attribute_update_settings,
3924
4025
  :device_configuration,
3925
4026
  :email_configuration,
3926
4027
  :sms_configuration,
@@ -4071,7 +4172,7 @@ module Aws::CognitoIdentityProvider
4071
4172
  # @return [String]
4072
4173
  #
4073
4174
  # @!attribute [rw] provider_name
4074
- # The identity provider name.
4175
+ # The IdP name.
4075
4176
  # @return [String]
4076
4177
  #
4077
4178
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteIdentityProviderRequest AWS API Documentation
@@ -4127,7 +4228,8 @@ module Aws::CognitoIdentityProvider
4127
4228
  # @return [Array<String>]
4128
4229
  #
4129
4230
  # @!attribute [rw] access_token
4130
- # The access token used in the request to delete user attributes.
4231
+ # A valid access token that Amazon Cognito issued to the user whose
4232
+ # attributes you want to delete.
4131
4233
  # @return [String]
4132
4234
  #
4133
4235
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserAttributesRequest AWS API Documentation
@@ -4235,7 +4337,8 @@ module Aws::CognitoIdentityProvider
4235
4337
  # }
4236
4338
  #
4237
4339
  # @!attribute [rw] access_token
4238
- # The access token from a request to delete a user.
4340
+ # A valid access token that Amazon Cognito issued to the user whose
4341
+ # user profile you want to delete.
4239
4342
  # @return [String]
4240
4343
  #
4241
4344
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeleteUserRequest AWS API Documentation
@@ -4259,7 +4362,7 @@ module Aws::CognitoIdentityProvider
4259
4362
  # @return [String]
4260
4363
  #
4261
4364
  # @!attribute [rw] provider_name
4262
- # The identity provider name.
4365
+ # The IdP name.
4263
4366
  # @return [String]
4264
4367
  #
4265
4368
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderRequest AWS API Documentation
@@ -4272,7 +4375,7 @@ module Aws::CognitoIdentityProvider
4272
4375
  end
4273
4376
 
4274
4377
  # @!attribute [rw] identity_provider
4275
- # The identity provider that was deleted.
4378
+ # The IdP that was deleted.
4276
4379
  # @return [Types::IdentityProviderType]
4277
4380
  #
4278
4381
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeIdentityProviderResponse AWS API Documentation
@@ -4570,7 +4673,11 @@ module Aws::CognitoIdentityProvider
4570
4673
  # @return [String]
4571
4674
  #
4572
4675
  # @!attribute [rw] salt
4573
- # The salt.
4676
+ # The [salt][1]
4677
+ #
4678
+ #
4679
+ #
4680
+ # [1]: https://en.wikipedia.org/wiki/Salt_(cryptography)
4574
4681
  # @return [String]
4575
4682
  #
4576
4683
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DeviceSecretVerifierConfigType AWS API Documentation
@@ -4762,29 +4869,6 @@ module Aws::CognitoIdentityProvider
4762
4869
  # of an Amazon SES verified email address for the `SourceArn`
4763
4870
  # parameter.
4764
4871
  #
4765
- # If EmailSendingAccount is COGNITO\_DEFAULT, you can't use the
4766
- # following parameters:
4767
- #
4768
- # * EmailVerificationMessage
4769
- #
4770
- # * EmailVerificationSubject
4771
- #
4772
- # * InviteMessageTemplate.EmailMessage
4773
- #
4774
- # * InviteMessageTemplate.EmailSubject
4775
- #
4776
- # * VerificationMessageTemplate.EmailMessage
4777
- #
4778
- # * VerificationMessageTemplate.EmailMessageByLink
4779
- #
4780
- # * VerificationMessageTemplate.EmailSubject,
4781
- #
4782
- # * VerificationMessageTemplate.EmailSubjectByLink
4783
- #
4784
- # <note markdown="1"> DEVELOPER EmailSendingAccount is required.
4785
- #
4786
- # </note>
4787
- #
4788
4872
  # DEVELOPER
4789
4873
  #
4790
4874
  # : When Amazon Cognito emails your users, it uses your Amazon SES
@@ -4794,8 +4878,8 @@ module Aws::CognitoIdentityProvider
4794
4878
  # to your Amazon SES verified email address in your Amazon Web
4795
4879
  # Services account.
4796
4880
  #
4797
- # If you use this option, you must provide the ARN of an Amazon SES
4798
- # verified email address for the `SourceArn` parameter.
4881
+ # If you use this option, provide the ARN of an Amazon SES verified
4882
+ # email address for the `SourceArn` parameter.
4799
4883
  #
4800
4884
  # Before Amazon Cognito can email your users, it requires additional
4801
4885
  # permissions to call Amazon SES on your behalf. When you update
@@ -4980,7 +5064,8 @@ module Aws::CognitoIdentityProvider
4980
5064
  # }
4981
5065
  #
4982
5066
  # @!attribute [rw] access_token
4983
- # The access token for the forgotten device request.
5067
+ # A valid access token that Amazon Cognito issued to the user whose
5068
+ # registered device you want to forget.
4984
5069
  # @return [String]
4985
5070
  #
4986
5071
  # @!attribute [rw] device_key
@@ -5038,8 +5123,8 @@ module Aws::CognitoIdentityProvider
5038
5123
  # @return [String]
5039
5124
  #
5040
5125
  # @!attribute [rw] analytics_metadata
5041
- # The Amazon Pinpoint analytics metadata for collecting metrics for
5042
- # `ForgotPassword` calls.
5126
+ # The Amazon Pinpoint analytics metadata that contributes to your
5127
+ # metrics for `ForgotPassword` calls.
5043
5128
  # @return [Types::AnalyticsMetadataType]
5044
5129
  #
5045
5130
  # @!attribute [rw] client_metadata
@@ -5094,8 +5179,8 @@ module Aws::CognitoIdentityProvider
5094
5179
  include Aws::Structure
5095
5180
  end
5096
5181
 
5097
- # Respresents the response from the server regarding the request to
5098
- # reset a password.
5182
+ # Represents the response from the server regarding the request to reset
5183
+ # a password.
5099
5184
  #
5100
5185
  # @!attribute [rw] code_delivery_details
5101
5186
  # The code delivery details returned by the server in response to the
@@ -5169,7 +5254,8 @@ module Aws::CognitoIdentityProvider
5169
5254
  # @return [String]
5170
5255
  #
5171
5256
  # @!attribute [rw] access_token
5172
- # The access token.
5257
+ # A valid access token that Amazon Cognito issued to the user whose
5258
+ # device information you want to request.
5173
5259
  # @return [String]
5174
5260
  #
5175
5261
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetDeviceRequest AWS API Documentation
@@ -5245,7 +5331,7 @@ module Aws::CognitoIdentityProvider
5245
5331
  # @return [String]
5246
5332
  #
5247
5333
  # @!attribute [rw] idp_identifier
5248
- # The identity provider ID.
5334
+ # The IdP identifier.
5249
5335
  # @return [String]
5250
5336
  #
5251
5337
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierRequest AWS API Documentation
@@ -5258,7 +5344,7 @@ module Aws::CognitoIdentityProvider
5258
5344
  end
5259
5345
 
5260
5346
  # @!attribute [rw] identity_provider
5261
- # The identity provider object.
5347
+ # The IdP object.
5262
5348
  # @return [Types::IdentityProviderType]
5263
5349
  #
5264
5350
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetIdentityProviderByIdentifierResponse AWS API Documentation
@@ -5355,8 +5441,8 @@ module Aws::CognitoIdentityProvider
5355
5441
  # }
5356
5442
  #
5357
5443
  # @!attribute [rw] access_token
5358
- # The access token returned by the server response to get the user
5359
- # attribute verification code.
5444
+ # A non-expired access token for the user whose attribute verification
5445
+ # code you want to generate.
5360
5446
  # @return [String]
5361
5447
  #
5362
5448
  # @!attribute [rw] attribute_name
@@ -5486,8 +5572,8 @@ module Aws::CognitoIdentityProvider
5486
5572
  # }
5487
5573
  #
5488
5574
  # @!attribute [rw] access_token
5489
- # The access token returned by the server response to get information
5490
- # about the user.
5575
+ # A non-expired access token for the user whose information you want
5576
+ # to query.
5491
5577
  # @return [String]
5492
5578
  #
5493
5579
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserRequest AWS API Documentation
@@ -5552,7 +5638,8 @@ module Aws::CognitoIdentityProvider
5552
5638
  # }
5553
5639
  #
5554
5640
  # @!attribute [rw] access_token
5555
- # The access token.
5641
+ # A valid access token that Amazon Cognito issued to the user who you
5642
+ # want to sign out.
5556
5643
  # @return [String]
5557
5644
  #
5558
5645
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GlobalSignOutRequest AWS API Documentation
@@ -5670,23 +5757,23 @@ module Aws::CognitoIdentityProvider
5670
5757
  include Aws::Structure
5671
5758
  end
5672
5759
 
5673
- # A container for information about an identity provider.
5760
+ # A container for information about an IdP.
5674
5761
  #
5675
5762
  # @!attribute [rw] user_pool_id
5676
5763
  # The user pool ID.
5677
5764
  # @return [String]
5678
5765
  #
5679
5766
  # @!attribute [rw] provider_name
5680
- # The identity provider name.
5767
+ # The IdP name.
5681
5768
  # @return [String]
5682
5769
  #
5683
5770
  # @!attribute [rw] provider_type
5684
- # The identity provider type.
5771
+ # The IdP type.
5685
5772
  # @return [String]
5686
5773
  #
5687
5774
  # @!attribute [rw] provider_details
5688
- # The identity provider details. The following list describes the
5689
- # provider detail keys for each identity provider type.
5775
+ # The IdP details. The following list describes the provider detail
5776
+ # keys for each IdP type.
5690
5777
  #
5691
5778
  # * For Google and Login with Amazon:
5692
5779
  #
@@ -5716,6 +5803,9 @@ module Aws::CognitoIdentityProvider
5716
5803
  #
5717
5804
  # * private\_key
5718
5805
  #
5806
+ # *You can submit a private\_key when you add or update an IdP.
5807
+ # Describe operations don't return the private key.*
5808
+ #
5719
5809
  # * authorize\_scopes
5720
5810
  #
5721
5811
  # * For OIDC providers:
@@ -5730,43 +5820,46 @@ module Aws::CognitoIdentityProvider
5730
5820
  #
5731
5821
  # * authorize\_scopes
5732
5822
  #
5733
- # * authorize\_url *if not available from discovery URL specified by
5734
- # oidc\_issuer key*
5823
+ # * The following keys are only present if Amazon Cognito didn't
5824
+ # discover them at the `oidc_issuer` URL.
5825
+ #
5826
+ # * authorize\_url
5735
5827
  #
5736
- # * token\_url *if not available from discovery URL specified by
5737
- # oidc\_issuer key*
5828
+ # * token\_url
5738
5829
  #
5739
- # * attributes\_url *if not available from discovery URL specified
5740
- # by oidc\_issuer key*
5830
+ # * attributes\_url
5741
5831
  #
5742
- # * jwks\_uri *if not available from discovery URL specified by
5743
- # oidc\_issuer key*
5832
+ # * jwks\_uri
5744
5833
  #
5745
- # * attributes\_url\_add\_attributes *a read-only property that is
5746
- # set automatically*
5834
+ # * Amazon Cognito sets the value of the following keys
5835
+ # automatically. They are read-only.
5836
+ #
5837
+ # * attributes\_url\_add\_attributes
5838
+ #
5839
+ # ^
5747
5840
  #
5748
5841
  # * For SAML providers:
5749
5842
  #
5750
5843
  # * MetadataFile or MetadataURL
5751
5844
  #
5752
- # * IDPSignOut *optional*
5845
+ # * IDPSignout *optional*
5753
5846
  # @return [Hash<String,String>]
5754
5847
  #
5755
5848
  # @!attribute [rw] attribute_mapping
5756
- # A mapping of identity provider attributes to standard and custom
5757
- # user pool attributes.
5849
+ # A mapping of IdP attributes to standard and custom user pool
5850
+ # attributes.
5758
5851
  # @return [Hash<String,String>]
5759
5852
  #
5760
5853
  # @!attribute [rw] idp_identifiers
5761
- # A list of identity provider identifiers.
5854
+ # A list of IdP identifiers.
5762
5855
  # @return [Array<String>]
5763
5856
  #
5764
5857
  # @!attribute [rw] last_modified_date
5765
- # The date the identity provider was last modified.
5858
+ # The date the IdP was last modified.
5766
5859
  # @return [Time]
5767
5860
  #
5768
5861
  # @!attribute [rw] creation_date
5769
- # The date the identity provider was created.
5862
+ # The date the IdP was created.
5770
5863
  # @return [Time]
5771
5864
  #
5772
5865
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/IdentityProviderType AWS API Documentation
@@ -5830,10 +5923,10 @@ module Aws::CognitoIdentityProvider
5830
5923
  #
5831
5924
  # * `CUSTOM_AUTH`\: Custom authentication flow.
5832
5925
  #
5833
- # * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; USERNAME and
5834
- # PASSWORD are passed directly. If a user migration Lambda trigger
5926
+ # * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; user name and
5927
+ # password are passed directly. If a user migration Lambda trigger
5835
5928
  # is set, this flow will invoke the user migration Lambda if it
5836
- # doesn't find the USERNAME in the user pool.
5929
+ # doesn't find the user name in the user pool.
5837
5930
  #
5838
5931
  # `ADMIN_NO_SRP_AUTH` isn't a valid value.
5839
5932
  # @return [String]
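Review bot: Rewording `USERNAME` and `PASSWORD` as "user name and password" in the `USER_PASSWORD_AUTH` bullet removes the literal parameter names that the previous text showed, while the same comment still spells out literals such as `ADMIN_NO_SRP_AUTH`. A reader of the new text cannot tell which keys carry the credentials in this non-SRP flow. I would keep them as code, for example ``# * `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; `USERNAME` and `PASSWORD` are passed directly.``, and use the same form in the last sentence of the bullet. The attribute description begins outside this hunk.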
@@ -5925,8 +6018,8 @@ module Aws::CognitoIdentityProvider
5925
6018
  # @return [String]
5926
6019
  #
5927
6020
  # @!attribute [rw] analytics_metadata
5928
- # The Amazon Pinpoint analytics metadata for collecting metrics for
5929
- # `InitiateAuth` calls.
6021
+ # The Amazon Pinpoint analytics metadata that contributes to your
6022
+ # metrics for `InitiateAuth` calls.
5930
6023
  # @return [Types::AnalyticsMetadataType]
5931
6024
  #
5932
6025
  # @!attribute [rw] user_context_data
@@ -5981,9 +6074,23 @@ module Aws::CognitoIdentityProvider
5981
6074
  # for devices only.
5982
6075
  #
5983
6076
  # * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
5984
- # their passwords after successful first login. This challenge
5985
- # should be passed with `NEW_PASSWORD` and any other required
5986
- # attributes.
6077
+ # their passwords after successful first login.
6078
+ #
6079
+ # Respond to this challenge with `NEW_PASSWORD` and any required
6080
+ # attributes that Amazon Cognito returned in the
6081
+ # `requiredAttributes` parameter. You can also set values for
6082
+ # attributes that aren't required by your user pool and that your
6083
+ # app client can write. For more information, see
6084
+ # [RespondToAuthChallenge][1].
6085
+ #
6086
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
6087
+ # a required attribute that already has a value. In
6088
+ # `RespondToAuthChallenge`, set a value for any keys that Amazon
6089
+ # Cognito returned in the `requiredAttributes` parameter, then use
6090
+ # the `UpdateUserAttributes` API operation to modify the value of
6091
+ # any additional attributes.
6092
+ #
6093
+ # </note>
5987
6094
  #
5988
6095
  # * `MFA_SETUP`\: For users who are required to setup an MFA factor
5989
6096
  # before they can sign in. The MFA types activated for the user pool
@@ -5996,6 +6103,10 @@ module Aws::CognitoIdentityProvider
5996
6103
  # complete sign-in. To set up SMS MFA, an administrator should help
5997
6104
  # the user to add a phone number to their account, and then the user
5998
6105
  # should call `InitiateAuth` again to restart sign-in.
6106
+ #
6107
+ #
6108
+ #
6109
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
5999
6110
  # @return [String]
6000
6111
  #
6001
6112
  # @!attribute [rw] session
@@ -6071,7 +6182,7 @@ module Aws::CognitoIdentityProvider
6071
6182
  # Lambda response.
6072
6183
  #
6073
6184
  # @!attribute [rw] message
6074
- # The message returned when Amazon Cognito hrows an invalid Lambda
6185
+ # The message returned when Amazon Cognito throws an invalid Lambda
6075
6186
  # response exception.
6076
6187
  # @return [String]
6077
6188
  #
@@ -6308,7 +6419,8 @@ module Aws::CognitoIdentityProvider
6308
6419
  # }
6309
6420
  #
6310
6421
  # @!attribute [rw] access_token
6311
- # The access tokens for the request to list devices.
6422
+ # A valid access token that Amazon Cognito issued to the user whose
6423
+ # list of devices you want to view.
6312
6424
  # @return [String]
6313
6425
  #
6314
6426
  # @!attribute [rw] limit
@@ -6414,7 +6526,7 @@ module Aws::CognitoIdentityProvider
6414
6526
  # @return [String]
6415
6527
  #
6416
6528
  # @!attribute [rw] max_results
6417
- # The maximum number of identity providers to return.
6529
+ # The maximum number of IdPs to return.
6418
6530
  # @return [Integer]
6419
6531
  #
6420
6532
  # @!attribute [rw] next_token
@@ -6432,7 +6544,7 @@ module Aws::CognitoIdentityProvider
6432
6544
  end
6433
6545
 
6434
6546
  # @!attribute [rw] providers
6435
- # A list of identity provider objects.
6547
+ # A list of IdP objects.
6436
6548
  # @return [Array<Types::ProviderDescription>]
6437
6549
  #
6438
6550
  # @!attribute [rw] next_token
@@ -6738,9 +6850,8 @@ module Aws::CognitoIdentityProvider
6738
6850
  # @return [Array<Types::UserType>]
6739
6851
  #
6740
6852
  # @!attribute [rw] next_token
6741
- # An identifier that was returned from the previous call to this
6742
- # operation, which can be used to return the next set of items in the
6743
- # list.
6853
+ # An identifier that you can use in a later request to return the next
6854
+ # set of items in the list.
6744
6855
  # @return [String]
6745
6856
  #
6746
6857
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersInGroupResponse AWS API Documentation
@@ -6831,8 +6942,8 @@ module Aws::CognitoIdentityProvider
6831
6942
  # Custom attributes aren't searchable.
6832
6943
  #
6833
6944
  # <note markdown="1"> You can also list users with a client-side filter. The server-side
6834
- # filter matches no more than 1 attribute. For an advanced search, use
6835
- # a client-side filter with the `--query` parameter of the
6945
+ # filter matches no more than one attribute. For an advanced search,
6946
+ # use a client-side filter with the `--query` parameter of the
6836
6947
  # `list-users` action in the CLI. When you use a client-side filter,
6837
6948
  # ListUsers returns a paginated list of zero or more users. You can
6838
6949
  # receive multiple pages in a row with zero results. Repeat the query
@@ -7190,8 +7301,8 @@ module Aws::CognitoIdentityProvider
7190
7301
  # administrator must reset their password.
7191
7302
  #
7192
7303
  # <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
7193
- # can no longer set the deprecated `UnusedAccountValidityDays` value
7194
- # for that user pool.
7304
+ # can no longer set a value for the legacy `UnusedAccountValidityDays`
7305
+ # parameter in that user pool.
7195
7306
  #
7196
7307
  # </note>
7197
7308
  # @return [Integer]
@@ -7237,14 +7348,14 @@ module Aws::CognitoIdentityProvider
7237
7348
  include Aws::Structure
7238
7349
  end
7239
7350
 
7240
- # A container for identity provider details.
7351
+ # A container for IdP details.
7241
7352
  #
7242
7353
  # @!attribute [rw] provider_name
7243
- # The identity provider name.
7354
+ # The IdP name.
7244
7355
  # @return [String]
7245
7356
  #
7246
7357
  # @!attribute [rw] provider_type
7247
- # The identity provider type.
7358
+ # The IdP type.
7248
7359
  # @return [String]
7249
7360
  #
7250
7361
  # @!attribute [rw] last_modified_date
@@ -7266,8 +7377,7 @@ module Aws::CognitoIdentityProvider
7266
7377
  include Aws::Structure
7267
7378
  end
7268
7379
 
7269
- # A container for information about an identity provider for a user
7270
- # pool.
7380
+ # A container for information about an IdP for a user pool.
7271
7381
  #
7272
7382
  # @note When making an API call, you may pass ProviderUserIdentifierType
7273
7383
  # data as a hash:
@@ -7373,8 +7483,8 @@ module Aws::CognitoIdentityProvider
7373
7483
  # @return [String]
7374
7484
  #
7375
7485
  # @!attribute [rw] analytics_metadata
7376
- # The Amazon Pinpoint analytics metadata for collecting metrics for
7377
- # `ResendConfirmationCode` calls.
7486
+ # The Amazon Pinpoint analytics metadata that contributes to your
7487
+ # metrics for `ResendConfirmationCode` calls.
7378
7488
  # @return [Types::AnalyticsMetadataType]
7379
7489
  #
7380
7490
  # @!attribute [rw] client_metadata
@@ -7577,13 +7687,27 @@ module Aws::CognitoIdentityProvider
7577
7687
  # * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
7578
7688
  # `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
7579
7689
  #
7580
- # <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when signing in with a
7690
+ # <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when you sign in with a
7581
7691
  # remembered device.
7582
7692
  #
7583
7693
  # </note>
7584
7694
  #
7585
- # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
7586
- # attributes, `USERNAME`.
7695
+ # * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, `USERNAME`,
7696
+ # `SECRET_HASH` (if app client is configured with client secret). To
7697
+ # set any required attributes that Amazon Cognito returned as
7698
+ # `requiredAttributes` in the `InitiateAuth` response, add a
7699
+ # `userAttributes.attributename ` parameter. This parameter can also
7700
+ # set values for writable attributes that aren't required by your
7701
+ # user pool.
7702
+ #
7703
+ # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify
7704
+ # a required attribute that already has a value. In
7705
+ # `RespondToAuthChallenge`, set a value for any keys that Amazon
7706
+ # Cognito returned in the `requiredAttributes` parameter, then use
7707
+ # the `UpdateUserAttributes` API operation to modify the value of
7708
+ # any additional attributes.
7709
+ #
7710
+ # </note>
7587
7711
  #
7588
7712
  # * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE`
7589
7713
  # are required attributes.
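Review bot: In the rewritten `NEW_PASSWORD_REQUIRED` bullet, the code span `userAttributes.attributename ` has a trailing space inside the backticks and gives no sign that `attributename` is a placeholder, so it can be copied literally into a challenge response. Marking the variable part makes the key format unambiguous, for example ``# `userAttributes.<attribute_name>` parameter. This parameter can also``. The bullet also places `SECRET_HASH` in the middle of the list with a parenthetical condition; stating that condition as its own sentence would be easier to follow.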
@@ -7600,8 +7724,8 @@ module Aws::CognitoIdentityProvider
7600
7724
  # @return [Hash<String,String>]
7601
7725
  #
7602
7726
  # @!attribute [rw] analytics_metadata
7603
- # The Amazon Pinpoint analytics metadata for collecting metrics for
7604
- # `RespondToAuthChallenge` calls.
7727
+ # The Amazon Pinpoint analytics metadata that contributes to your
7728
+ # metrics for `RespondToAuthChallenge` calls.
7605
7729
  # @return [Types::AnalyticsMetadataType]
7606
7730
  #
7607
7731
  # @!attribute [rw] user_context_data
@@ -7903,13 +8027,13 @@ module Aws::CognitoIdentityProvider
7903
8027
  # @!attribute [rw] mutable
7904
8028
  # Specifies whether the value of the attribute can be changed.
7905
8029
  #
7906
- # For any user pool attribute that is mapped to an identity provider
7907
- # attribute, you must set this parameter to `true`. Amazon Cognito
7908
- # updates mapped attributes when users sign in to your application
7909
- # through an identity provider. If an attribute is immutable, Amazon
7910
- # Cognito throws an error when it attempts to update the attribute.
7911
- # For more information, see [Specifying Identity Provider Attribute
7912
- # Mappings for Your User Pool][1].
8030
+ # For any user pool attribute that is mapped to an IdP attribute, you
8031
+ # must set this parameter to `true`. Amazon Cognito updates mapped
8032
+ # attributes when users sign in to your application through an IdP. If
8033
+ # an attribute is immutable, Amazon Cognito throws an error when it
8034
+ # attempts to update the attribute. For more information, see
8035
+ # [Specifying Identity Provider Attribute Mappings for Your User
8036
+ # Pool][1].
7913
8037
  #
7914
8038
  #
7915
8039
  #
@@ -8135,7 +8259,8 @@ module Aws::CognitoIdentityProvider
8135
8259
  # @return [Types::SoftwareTokenMfaSettingsType]
8136
8260
  #
8137
8261
  # @!attribute [rw] access_token
8138
- # The access token for the user.
8262
+ # A valid access token that Amazon Cognito issued to the user whose
8263
+ # MFA preference you want to set.
8139
8264
  # @return [String]
8140
8265
  #
8141
8266
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserMFAPreferenceRequest AWS API Documentation
@@ -8254,7 +8379,8 @@ module Aws::CognitoIdentityProvider
8254
8379
  # }
8255
8380
  #
8256
8381
  # @!attribute [rw] access_token
8257
- # The access token for the set user settings request.
8382
+ # A valid access token that Amazon Cognito issued to the user whose
8383
+ # user settings you want to configure.
8258
8384
  # @return [String]
8259
8385
  #
8260
8386
  # @!attribute [rw] mfa_options
@@ -8340,8 +8466,8 @@ module Aws::CognitoIdentityProvider
8340
8466
  # @return [Array<Types::AttributeType>]
8341
8467
  #
8342
8468
  # @!attribute [rw] analytics_metadata
8343
- # The Amazon Pinpoint analytics metadata for collecting metrics for
8344
- # `SignUp` calls.
8469
+ # The Amazon Pinpoint analytics metadata that contributes to your
8470
+ # metrics for `SignUp` calls.
8345
8471
  # @return [Types::AnalyticsMetadataType]
8346
8472
  #
8347
8473
  # @!attribute [rw] user_context_data
@@ -8760,8 +8886,8 @@ module Aws::CognitoIdentityProvider
8760
8886
  #
8761
8887
  class TagResourceResponse < Aws::EmptyStructure; end
8762
8888
 
8763
- # The data type for TokenValidityUnits that specifics the time
8764
- # measurements for token validity.
8889
+ # The data type TokenValidityUnits specifies the time units you use when
8890
+ # you set the duration of ID, access, and refresh tokens.
8765
8891
  #
8766
8892
  # @note When making an API call, you may pass TokenValidityUnitsType
8767
8893
  # data as a hash:
@@ -9049,7 +9175,8 @@ module Aws::CognitoIdentityProvider
9049
9175
  # }
9050
9176
  #
9051
9177
  # @!attribute [rw] access_token
9052
- # The access token.
9178
+ # A valid access token that Amazon Cognito issued to the user whose
9179
+ # device status you want to update.
9053
9180
  # @return [String]
9054
9181
  #
9055
9182
  # @!attribute [rw] device_key
@@ -9158,20 +9285,20 @@ module Aws::CognitoIdentityProvider
9158
9285
  # @return [String]
9159
9286
  #
9160
9287
  # @!attribute [rw] provider_name
9161
- # The identity provider name.
9288
+ # The IdP name.
9162
9289
  # @return [String]
9163
9290
  #
9164
9291
  # @!attribute [rw] provider_details
9165
- # The identity provider details to be updated, such as `MetadataURL`
9166
- # and `MetadataFile`.
9292
+ # The IdP details to be updated, such as `MetadataURL` and
9293
+ # `MetadataFile`.
9167
9294
  # @return [Hash<String,String>]
9168
9295
  #
9169
9296
  # @!attribute [rw] attribute_mapping
9170
- # The identity provider attribute mapping to be changed.
9297
+ # The IdP attribute mapping to be changed.
9171
9298
  # @return [Hash<String,String>]
9172
9299
  #
9173
9300
  # @!attribute [rw] idp_identifiers
9174
- # A list of identity provider identifiers.
9301
+ # A list of IdP identifiers.
9175
9302
  # @return [Array<String>]
9176
9303
  #
9177
9304
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderRequest AWS API Documentation
@@ -9187,7 +9314,7 @@ module Aws::CognitoIdentityProvider
9187
9314
  end
9188
9315
 
9189
9316
  # @!attribute [rw] identity_provider
9190
- # The identity provider object.
9317
+ # The IdP object.
9191
9318
  # @return [Types::IdentityProviderType]
9192
9319
  #
9193
9320
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateIdentityProviderResponse AWS API Documentation
@@ -9275,10 +9402,19 @@ module Aws::CognitoIdentityProvider
9275
9402
  #
9276
9403
  # For custom attributes, you must prepend the `custom:` prefix to the
9277
9404
  # attribute name.
9405
+ #
9406
+ # If you have set an attribute to require verification before Amazon
9407
+ # Cognito updates its value, this request doesn’t immediately update
9408
+ # the value of that attribute. After your user receives and responds
9409
+ # to a verification message to verify the new value, Amazon Cognito
9410
+ # updates the attribute value. Your user can sign in and receive
9411
+ # messages with the original attribute value until they verify the new
9412
+ # value.
9278
9413
  # @return [Array<Types::AttributeType>]
9279
9414
  #
9280
9415
  # @!attribute [rw] access_token
9281
- # The access token for the request to update user attributes.
9416
+ # A valid access token that Amazon Cognito issued to the user whose
9417
+ # user attributes you want to update.
9282
9418
  # @return [String]
9283
9419
  #
9284
9420
  # @!attribute [rw] client_metadata
@@ -9397,23 +9533,53 @@ module Aws::CognitoIdentityProvider
9397
9533
  # @return [String]
9398
9534
  #
9399
9535
  # @!attribute [rw] refresh_token_validity
9400
- # The time limit, in days, after which the refresh token is no longer
9401
- # valid and can't be used.
9536
+ # The refresh token time limit. After this limit expires, your user
9537
+ # can't use their refresh token. To specify the time unit for
9538
+ # `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
9539
+ # set a `TokenValidityUnits` value in your API request.
9540
+ #
9541
+ # For example, when you set `RefreshTokenValidity` as `10` and
9542
+ # `TokenValidityUnits` as `days`, your user can refresh their session
9543
+ # and retrieve new access and ID tokens for 10 days.
9544
+ #
9545
+ # The default time unit for `RefreshTokenValidity` in an API request
9546
+ # is days. You can't set `RefreshTokenValidity` to 0. If you do,
9547
+ # Amazon Cognito overrides the value with the default value of 30
9548
+ # days. *Valid range* is displayed below in seconds.
9402
9549
  # @return [Integer]
9403
9550
  #
9404
9551
  # @!attribute [rw] access_token_validity
9405
- # The time limit after which the access token is no longer valid and
9406
- # can't be used.
9552
+ # The access token time limit. After this limit expires, your user
9553
+ # can't use their access token. To specify the time unit for
9554
+ # `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
9555
+ # set a `TokenValidityUnits` value in your API request.
9556
+ #
9557
+ # For example, when you set `AccessTokenValidity` to `10` and
9558
+ # `TokenValidityUnits` to `hours`, your user can authorize access with
9559
+ # their access token for 10 hours.
9560
+ #
9561
+ # The default time unit for `AccessTokenValidity` in an API request is
9562
+ # hours. *Valid range* is displayed below in seconds.
9407
9563
  # @return [Integer]
9408
9564
  #
9409
9565
  # @!attribute [rw] id_token_validity
9410
- # The time limit after which the ID token is no longer valid and
9411
- # can't be used.
9566
+ # The ID token time limit. After this limit expires, your user can't
9567
+ # use their ID token. To specify the time unit for `IdTokenValidity`
9568
+ # as `seconds`, `minutes`, `hours`, or `days`, set a
9569
+ # `TokenValidityUnits` value in your API request.
9570
+ #
9571
+ # For example, when you set `IdTokenValidity` as `10` and
9572
+ # `TokenValidityUnits` as `hours`, your user can authenticate their
9573
+ # session with their ID token for 10 hours.
9574
+ #
9575
+ # The default time unit for `AccessTokenValidity` in an API request is
9576
+ # hours. *Valid range* is displayed below in seconds.
9412
9577
  # @return [Integer]
9413
9578
  #
9414
9579
  # @!attribute [rw] token_validity_units
9415
- # The units in which the validity times are represented. Default for
9416
- # RefreshToken is days, and default for ID and access tokens is hours.
9580
+ # The units in which the validity times are represented. The default
9581
+ # unit for RefreshToken is days, and the default for ID and access
9582
+ # tokens is hours.
9417
9583
  # @return [Types::TokenValidityUnitsType]
9418
9584
  #
9419
9585
  # @!attribute [rw] read_attributes
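Review bot: The new `id_token_validity` description ends with "The default time unit for `AccessTokenValidity` in an API request is hours", which looks copied from the `access_token_validity` entry above it and should name `IdTokenValidity`: ``# The default time unit for `IdTokenValidity` in an API request is``. All three rewritten entries also say "*Valid range* is displayed below in seconds", but only `@return [Integer]` follows in the comment, so the range is never shown to a reader of this file. Because the same integer gives a different token lifetime depending on `TokenValidityUnits`, I would either state the range inline or drop the dangling sentence. If this file is generated from the service model, the correction belongs in the model.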
@@ -9453,13 +9619,14 @@ module Aws::CognitoIdentityProvider
9453
9619
  # @return [Array<String>]
9454
9620
  #
9455
9621
  # @!attribute [rw] supported_identity_providers
9456
- # A list of provider names for the identity providers that are
9457
- # supported on this client.
9622
+ # A list of provider names for the IdPs that this client supports. The
9623
+ # following are supported: `COGNITO`, `Facebook`, `Google`
9624
+ # `LoginWithAmazon`, and the names of your own SAML and OIDC
9625
+ # providers.
9458
9626
  # @return [Array<String>]
9459
9627
  #
9460
9628
  # @!attribute [rw] callback_urls
9461
- # A list of allowed redirect (callback) URLs for the identity
9462
- # providers.
9629
+ # A list of allowed redirect (callback) URLs for the IdPs.
9463
9630
  #
9464
9631
  # A redirect URI must:
9465
9632
  #
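Review bot: The provider list added to `supported_identity_providers` is missing a comma between `Google` and `LoginWithAmazon`, so it can be misread as a single value. These are exact strings a caller has to pass, so the line should read ``# following are supported: `COGNITO`, `Facebook`, `Google`,``. The attribute list this entry belongs to continues outside the hunk.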
@@ -9482,7 +9649,7 @@ module Aws::CognitoIdentityProvider
9482
9649
  # @return [Array<String>]
9483
9650
  #
9484
9651
  # @!attribute [rw] logout_urls
9485
- # A list of allowed logout URLs for the identity providers.
9652
+ # A list of allowed logout URLs for the IdPs.
9486
9653
  # @return [Array<String>]
9487
9654
  #
9488
9655
  # @!attribute [rw] default_redirect_uri
@@ -9511,22 +9678,28 @@ module Aws::CognitoIdentityProvider
9511
9678
  # @!attribute [rw] allowed_o_auth_flows
9512
9679
  # The allowed OAuth flows.
9513
9680
  #
9514
- # Set to `code` to initiate a code grant flow, which provides an
9515
- # authorization code as the response. This code can be exchanged for
9516
- # access tokens with the token endpoint.
9681
+ # code
9682
+ #
9683
+ # : Use a code grant flow, which provides an authorization code as the
9684
+ # response. This code can be exchanged for access tokens with the
9685
+ # `/oauth2/token` endpoint.
9517
9686
  #
9518
- # Set to `implicit` to specify that the client should get the access
9519
- # token (and, optionally, ID token, based on scopes) directly.
9687
+ # implicit
9520
9688
  #
9521
- # Set to `client_credentials` to specify that the client should get
9522
- # the access token (and, optionally, ID token, based on scopes) from
9523
- # the token endpoint using a combination of client and client\_secret.
9689
+ # : Issue the access token (and, optionally, ID token, based on
9690
+ # scopes) directly to your user.
9691
+ #
9692
+ # client\_credentials
9693
+ #
9694
+ # : Issue the access token from the `/oauth2/token` endpoint directly
9695
+ # to a non-person user using a combination of the client ID and
9696
+ # client secret.
9524
9697
  # @return [Array<String>]
9525
9698
  #
9526
9699
  # @!attribute [rw] allowed_o_auth_scopes
9527
- # The allowed OAuth scopes. Possible values provided by OAuth are:
9700
+ # The allowed OAuth scopes. Possible values provided by OAuth are
9528
9701
  # `phone`, `email`, `openid`, and `profile`. Possible values provided
9529
- # by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
9702
+ # by Amazon Web Services are `aws.cognito.signin.user.admin`. Custom
9530
9703
  # scopes created in Resource Servers are also supported.
9531
9704
  # @return [Array<String>]
9532
9705
  #
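Review bot: The new `implicit` entry says tokens are issued "directly to your user" but gives a reader choosing a flow no hint of the trade-off against `code`. In the implicit grant the tokens normally come back in the redirect URL itself, which is why current OAuth guidance prefers the code grant. A sentence such as `# Prefer code where the app can use it; implicit returns tokens in the redirect URL.` under that entry would cover it. The `client_credentials` entry also drops the old mention of an ID token, which looks intentional but is a documented-behaviour change worth confirming. The same wording is repeated in the hunk at `@@ -10289,23 +10544,30 @@`.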
@@ -9536,8 +9709,8 @@ module Aws::CognitoIdentityProvider
9536
9709
  # @return [Boolean]
9537
9710
  #
9538
9711
  # @!attribute [rw] analytics_configuration
9539
- # The Amazon Pinpoint analytics configuration for collecting metrics
9540
- # for this user pool.
9712
+ # The Amazon Pinpoint analytics configuration necessary to collect
9713
+ # metrics for this user pool.
9541
9714
  #
9542
9715
  # <note markdown="1"> In Amazon Web Services Regions where Amazon Pinpoint isn't
9543
9716
  # available, user pools only support sending events to Amazon Pinpoint
@@ -9729,6 +9902,9 @@ module Aws::CognitoIdentityProvider
9729
9902
  # default_email_option: "CONFIRM_WITH_LINK", # accepts CONFIRM_WITH_LINK, CONFIRM_WITH_CODE
9730
9903
  # },
9731
9904
  # sms_authentication_message: "SmsVerificationMessageType",
9905
+ # user_attribute_update_settings: {
9906
+ # attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
9907
+ # },
9732
9908
  # mfa_configuration: "OFF", # accepts OFF, ON, OPTIONAL
9733
9909
  # device_configuration: {
9734
9910
  # challenge_required_on_new_device: false,
@@ -9809,8 +9985,11 @@ module Aws::CognitoIdentityProvider
9809
9985
  # The contents of the SMS authentication message.
9810
9986
  # @return [String]
9811
9987
  #
9988
+ # @!attribute [rw] user_attribute_update_settings
9989
+ # @return [Types::UserAttributeUpdateSettingsType]
9990
+ #
9812
9991
  # @!attribute [rw] mfa_configuration
9813
- # Can be one of the following values:
9992
+ # Possible values include:
9814
9993
  #
9815
9994
  # * `OFF` - MFA tokens aren't required and can't be specified during
9816
9995
  # user registration.
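Review bot: The new `user_attribute_update_settings` attribute is added with only a `@return` tag and no description, unlike the attributes around it. A one-line summary would do, for example `# The settings for updates to user attributes, including which attributes must be verified before a change is applied.` The hunk at `@@ -10532,6 +10794,9 @@` adds the same attribute with the same gap. This hunk also rewords the `mfa_configuration` lead-in to "Possible values include:", while that later hunk still shows "Can be one of the following values:", so the two descriptions now differ.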
@@ -9886,6 +10065,7 @@ module Aws::CognitoIdentityProvider
9886
10065
  :email_verification_subject,
9887
10066
  :verification_message_template,
9888
10067
  :sms_authentication_message,
10068
+ :user_attribute_update_settings,
9889
10069
  :mfa_configuration,
9890
10070
  :device_configuration,
9891
10071
  :email_configuration,
@@ -9905,9 +10085,55 @@ module Aws::CognitoIdentityProvider
9905
10085
  #
9906
10086
  class UpdateUserPoolResponse < Aws::EmptyStructure; end
9907
10087
 
9908
- # Contextual data, such as the user's device fingerprint, IP address,
9909
- # or location, used for evaluating the risk of an unexpected event by
9910
- # Amazon Cognito advanced security.
10088
+ # The settings for updates to user attributes.
10089
+ #
10090
+ # @note When making an API call, you may pass UserAttributeUpdateSettingsType
10091
+ # data as a hash:
10092
+ #
10093
+ # {
10094
+ # attributes_require_verification_before_update: ["phone_number"], # accepts phone_number, email
10095
+ # }
10096
+ #
10097
+ # @!attribute [rw] attributes_require_verification_before_update
10098
+ # Requires that your user verifies their email address, phone number,
10099
+ # or both before Amazon Cognito updates the value of that attribute.
10100
+ # When you update a user attribute that has this option activated,
10101
+ # Amazon Cognito sends a verification message to the new phone number
10102
+ # or email address. Amazon Cognito doesn’t change the value of the
10103
+ # attribute until your user responds to the verification message and
10104
+ # confirms the new value.
10105
+ #
10106
+ # You can verify an updated email address or phone number with a
10107
+ # [VerifyUserAttribute][1] API request. You can also call the
10108
+ # [UpdateUserAttributes][2] or [AdminUpdateUserAttributes][3] API and
10109
+ # set `email_verified` or `phone_number_verified` to true.
10110
+ #
10111
+ # When `AttributesRequireVerificationBeforeUpdate` is false, your user
10112
+ # pool doesn't require that your users verify attribute changes
10113
+ # before Amazon Cognito updates them. In a user pool where
10114
+ # `AttributesRequireVerificationBeforeUpdate` is false, API operations
10115
+ # that change attribute values can immediately update a user’s `email`
10116
+ # or `phone_number` attribute.
10117
+ #
10118
+ #
10119
+ #
10120
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html
10121
+ # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
10122
+ # [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
10123
+ # @return [Array<String>]
10124
+ #
10125
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserAttributeUpdateSettingsType AWS API Documentation
10126
+ #
10127
+ class UserAttributeUpdateSettingsType < Struct.new(
10128
+ :attributes_require_verification_before_update)
10129
+ SENSITIVE = []
10130
+ include Aws::Structure
10131
+ end
10132
+
10133
+ # Information that your app generates about a user's
10134
+ # `AdminInitiateAuth` or `AdminRespondToAuthChallenge` session. Amazon
10135
+ # Cognito advanced security features calculate risk levels for user
10136
+ # sessions based on this context data.
9911
10137
  #
9912
10138
  # @note When making an API call, you may pass UserContextDataType
9913
10139
  # data as a hash:
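Review bot: The description of `attributes_require_verification_before_update` says "When `AttributesRequireVerificationBeforeUpdate` is false", but the attribute is documented as `@return [Array<String>]` accepting `phone_number` and `email`, so there is no boolean to set. The paragraph should name the state it means, presumably an empty or unset list, e.g. `# When this list is empty or not set, your user pool doesn't require that your users verify attribute changes`. That case needs to be unambiguous because the text goes on to say API operations can then immediately update a user's `email` or `phone_number`. That matters wherever those attributes are relied on for sign-in or account recovery. The comment block also mixes typographic apostrophes ("doesn’t", "user’s") with the plain ones used elsewhere in the file.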
@@ -10174,24 +10400,52 @@ module Aws::CognitoIdentityProvider
10174
10400
  # @return [Time]
10175
10401
  #
10176
10402
  # @!attribute [rw] refresh_token_validity
10177
- # The time limit, in days, after which the refresh token is no longer
10178
- # valid and can't be used.
10403
+ # The refresh token time limit. After this limit expires, your user
10404
+ # can't use their refresh token. To specify the time unit for
10405
+ # `RefreshTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
10406
+ # set a `TokenValidityUnits` value in your API request.
10407
+ #
10408
+ # For example, when you set `RefreshTokenValidity` as `10` and
10409
+ # `TokenValidityUnits` as `days`, your user can refresh their session
10410
+ # and retrieve new access and ID tokens for 10 days.
10411
+ #
10412
+ # The default time unit for `RefreshTokenValidity` in an API request
10413
+ # is days. You can't set `RefreshTokenValidity` to 0. If you do,
10414
+ # Amazon Cognito overrides the value with the default value of 30
10415
+ # days. *Valid range* is displayed below in seconds.
10179
10416
  # @return [Integer]
10180
10417
  #
10181
10418
  # @!attribute [rw] access_token_validity
10182
- # The time limit, specified by tokenValidityUnits, defaulting to
10183
- # hours, after which the access token is no longer valid and can't be
10184
- # used.
10419
+ # The access token time limit. After this limit expires, your user
10420
+ # can't use their access token. To specify the time unit for
10421
+ # `AccessTokenValidity` as `seconds`, `minutes`, `hours`, or `days`,
10422
+ # set a `TokenValidityUnits` value in your API request.
10423
+ #
10424
+ # For example, when you set `AccessTokenValidity` to `10` and
10425
+ # `TokenValidityUnits` to `hours`, your user can authorize access with
10426
+ # their access token for 10 hours.
10427
+ #
10428
+ # The default time unit for `AccessTokenValidity` in an API request is
10429
+ # hours. *Valid range* is displayed below in seconds.
10185
10430
  # @return [Integer]
10186
10431
  #
10187
10432
  # @!attribute [rw] id_token_validity
10188
- # The time limit specified by tokenValidityUnits, defaulting to hours,
10189
- # after which the refresh token is no longer valid and can't be used.
10433
+ # The ID token time limit. After this limit expires, your user can't
10434
+ # use their ID token. To specify the time unit for `IdTokenValidity`
10435
+ # as `seconds`, `minutes`, `hours`, or `days`, set a
10436
+ # `TokenValidityUnits` value in your API request.
10437
+ #
10438
+ # For example, when you set `IdTokenValidity` as `10` and
10439
+ # `TokenValidityUnits` as `hours`, your user can authenticate their
10440
+ # session with their ID token for 10 hours.
10441
+ #
10442
+ # The default time unit for `AccessTokenValidity` in an API request is
10443
+ # hours. *Valid range* is displayed below in seconds.
10190
10444
  # @return [Integer]
10191
10445
  #
10192
10446
  # @!attribute [rw] token_validity_units
10193
- # The time units used to specify the token validity times of their
10194
- # respective token.
10447
+ # The time units used to specify the token validity times of each
10448
+ # token type: ID, access, and refresh.
10195
10449
  # @return [Types::TokenValidityUnitsType]
10196
10450
  #
10197
10451
  # @!attribute [rw] read_attributes
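Review bot: The new `id_token_validity` text closes with "The default time unit for `AccessTokenValidity` in an API request is hours", which looks copied from the access-token paragraph just above; it should name `IdTokenValidity`. The same sentence appears in the earlier hunk that ends at new line 9576. The `refresh_token_validity` text says a value of 0 is replaced by the 30-day default. A caller trying to minimise refresh-token lifetime would get the opposite of what they asked for, so the smallest accepted value should be stated next to that sentence. "*Valid range* is displayed below in seconds" also points at nothing in these comments.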
@@ -10231,13 +10485,14 @@ module Aws::CognitoIdentityProvider
10231
10485
  # @return [Array<String>]
10232
10486
  #
10233
10487
  # @!attribute [rw] supported_identity_providers
10234
- # A list of provider names for the identity providers that are
10235
- # supported on this client.
10488
+ # A list of provider names for the IdPs that this client supports. The
10489
+ # following are supported: `COGNITO`, `Facebook`, `Google`
10490
+ # `LoginWithAmazon`, and the names of your own SAML and OIDC
10491
+ # providers.
10236
10492
  # @return [Array<String>]
10237
10493
  #
10238
10494
  # @!attribute [rw] callback_urls
10239
- # A list of allowed redirect (callback) URLs for the identity
10240
- # providers.
10495
+ # A list of allowed redirect (callback) URLs for the IdPs.
10241
10496
  #
10242
10497
  # A redirect URI must:
10243
10498
  #
@@ -10260,7 +10515,7 @@ module Aws::CognitoIdentityProvider
10260
10515
  # @return [Array<String>]
10261
10516
  #
10262
10517
  # @!attribute [rw] logout_urls
10263
- # A list of allowed logout URLs for the identity providers.
10518
+ # A list of allowed logout URLs for the IdPs.
10264
10519
  # @return [Array<String>]
10265
10520
  #
10266
10521
  # @!attribute [rw] default_redirect_uri
@@ -10289,23 +10544,30 @@ module Aws::CognitoIdentityProvider
10289
10544
  # @!attribute [rw] allowed_o_auth_flows
10290
10545
  # The allowed OAuth flows.
10291
10546
  #
10292
- # Set to `code` to initiate a code grant flow, which provides an
10293
- # authorization code as the response. This code can be exchanged for
10294
- # access tokens with the token endpoint.
10547
+ # code
10548
+ #
10549
+ # : Use a code grant flow, which provides an authorization code as the
10550
+ # response. This code can be exchanged for access tokens with the
10551
+ # `/oauth2/token` endpoint.
10552
+ #
10553
+ # implicit
10295
10554
  #
10296
- # Set to `implicit` to specify that the client should get the access
10297
- # token (and, optionally, ID token, based on scopes) directly.
10555
+ # : Issue the access token (and, optionally, ID token, based on
10556
+ # scopes) directly to your user.
10298
10557
  #
10299
- # Set to `client_credentials` to specify that the client should get
10300
- # the access token (and, optionally, ID token, based on scopes) from
10301
- # the token endpoint using a combination of client and client\_secret.
10558
+ # client\_credentials
10559
+ #
10560
+ # : Issue the access token from the `/oauth2/token` endpoint directly
10561
+ # to a non-person user using a combination of the client ID and
10562
+ # client secret.
10302
10563
  # @return [Array<String>]
10303
10564
  #
10304
10565
  # @!attribute [rw] allowed_o_auth_scopes
10305
- # The allowed OAuth scopes. Possible values provided by OAuth are:
10306
- # `phone`, `email`, `openid`, and `profile`. Possible values provided
10307
- # by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
10308
- # scopes created in Resource Servers are also supported.
10566
+ # The OAuth scopes that your app client supports. Possible values that
10567
+ # OAuth provides are `phone`, `email`, `openid`, and `profile`.
10568
+ # Possible values that Amazon Web Services provides are
10569
+ # `aws.cognito.signin.user.admin`. Amazon Cognito also supports custom
10570
+ # scopes that you create in Resource Servers.
10309
10571
  # @return [Array<String>]
10310
10572
  #
10311
10573
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -10339,8 +10601,8 @@ module Aws::CognitoIdentityProvider
10339
10601
  #
10340
10602
  # * `ENABLED` - This prevents user existence-related errors.
10341
10603
  #
10342
- # * `LEGACY` - This represents the old behavior of Cognito where user
10343
- # existence related errors aren't prevented.
10604
+ # * `LEGACY` - This represents the old behavior of Amazon Cognito
10605
+ # where user existence related errors aren't prevented.
10344
10606
  # @return [String]
10345
10607
  #
10346
10608
  # @!attribute [rw] enable_token_revocation
@@ -10532,6 +10794,9 @@ module Aws::CognitoIdentityProvider
10532
10794
  # The contents of the SMS authentication message.
10533
10795
  # @return [String]
10534
10796
  #
10797
+ # @!attribute [rw] user_attribute_update_settings
10798
+ # @return [Types::UserAttributeUpdateSettingsType]
10799
+ #
10535
10800
  # @!attribute [rw] mfa_configuration
10536
10801
  # Can be one of the following values:
10537
10802
  #
@@ -10681,6 +10946,7 @@ module Aws::CognitoIdentityProvider
10681
10946
  :email_verification_subject,
10682
10947
  :verification_message_template,
10683
10948
  :sms_authentication_message,
10949
+ :user_attribute_update_settings,
10684
10950
  :mfa_configuration,
10685
10951
  :device_configuration,
10686
10952
  :estimated_number_of_users,
@@ -10700,7 +10966,7 @@ module Aws::CognitoIdentityProvider
10700
10966
  include Aws::Structure
10701
10967
  end
10702
10968
 
10703
- # The user type.
10969
+ # A user profile in a Amazon Cognito user pool.
10704
10970
  #
10705
10971
  # @!attribute [rw] username
10706
10972
  # The user name of the user you want to describe.
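Review bot: The replacement class summary reads "A user profile in a Amazon Cognito user pool."; the article should be "an", i.e. `# A user profile in an Amazon Cognito user pool.`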
@@ -10729,6 +10995,8 @@ module Aws::CognitoIdentityProvider
10729
10995
  #
10730
10996
  # * CONFIRMED - User has been confirmed.
10731
10997
  #
10998
+ # * EXTERNAL\_PROVIDER - User signed in with a third-party IdP.
10999
+ #
10732
11000
  # * ARCHIVED - User is no longer active.
10733
11001
  #
10734
11002
  # * UNKNOWN - User status isn't known.
@@ -10770,7 +11038,7 @@ module Aws::CognitoIdentityProvider
10770
11038
  # }
10771
11039
  #
10772
11040
  # @!attribute [rw] case_sensitive
10773
- # Specifies whether username case sensitivity will be applied for all
11041
+ # Specifies whether user name case sensitivity will be applied for all
10774
11042
  # users in the user pool through Amazon Cognito APIs.
10775
11043
  #
10776
11044
  # Valid values include:
@@ -10830,12 +11098,16 @@ module Aws::CognitoIdentityProvider
10830
11098
  # }
10831
11099
  #
10832
11100
  # @!attribute [rw] sms_message
10833
- # The SMS message template.
11101
+ # The template for SMS messages that Amazon Cognito sends to your
11102
+ # users.
10834
11103
  # @return [String]
10835
11104
  #
10836
11105
  # @!attribute [rw] email_message
10837
- # The email message template. EmailMessage is allowed only if [
10838
- # EmailSendingAccount][1] is DEVELOPER.
11106
+ # The template for email messages that Amazon Cognito sends to your
11107
+ # users. You can set an `EmailMessage` template only if the value of [
11108
+ # EmailSendingAccount][1] is `DEVELOPER`. When your
11109
+ # [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
11110
+ # messages with your own Amazon SES configuration.
10839
11111
  #
10840
11112
  #
10841
11113
  #
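Review bot: The rewritten `email_message` text keeps the old link form `[ EmailSendingAccount][1]`, with a space after the opening bracket and the link text split across two comment lines. The second mention in the same sentence is written `[EmailSendingAccount][1]`. Depending on the renderer the first form may show a leading space or not resolve as a link, so both mentions should use the second form on a single line. The same pattern is carried into the `email_subject`, `email_message_by_link` and `email_subject_by_link` hunks that follow.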
@@ -10843,8 +11115,11 @@ module Aws::CognitoIdentityProvider
10843
11115
  # @return [String]
10844
11116
  #
10845
11117
  # @!attribute [rw] email_subject
10846
- # The subject line for the email message template. EmailSubject is
10847
- # allowed only if [EmailSendingAccount][1] is DEVELOPER.
11118
+ # The subject line for the email message template. You can set an
11119
+ # `EmailSubject` template only if the value of [
11120
+ # EmailSendingAccount][1] is `DEVELOPER`. When your
11121
+ # [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
11122
+ # messages with your own Amazon SES configuration.
10848
11123
  #
10849
11124
  #
10850
11125
  #
@@ -10853,8 +11128,10 @@ module Aws::CognitoIdentityProvider
10853
11128
  #
10854
11129
  # @!attribute [rw] email_message_by_link
10855
11130
  # The email message template for sending a confirmation link to the
10856
- # user. EmailMessageByLink is allowed only if [
10857
- # EmailSendingAccount][1] is DEVELOPER.
11131
+ # user. You can set an `EmailMessageByLink` template only if the value
11132
+ # of [ EmailSendingAccount][1] is `DEVELOPER`. When your
11133
+ # [EmailSendingAccount][1] is `DEVELOPER`, your user pool sends email
11134
+ # messages with your own Amazon SES configuration.
10858
11135
  #
10859
11136
  #
10860
11137
  #
@@ -10863,8 +11140,11 @@ module Aws::CognitoIdentityProvider
10863
11140
  #
10864
11141
  # @!attribute [rw] email_subject_by_link
10865
11142
  # The subject line for the email message template for sending a
10866
- # confirmation link to the user. EmailSubjectByLink is allowed only [
10867
- # EmailSendingAccount][1] is DEVELOPER.
11143
+ # confirmation link to the user. You can set an `EmailSubjectByLink`
11144
+ # template only if the value of [ EmailSendingAccount][1] is
11145
+ # `DEVELOPER`. When your [EmailSendingAccount][1] is `DEVELOPER`, your
11146
+ # user pool sends email messages with your own Amazon SES
11147
+ # configuration.
10868
11148
  #
10869
11149
  #
10870
11150
  #
@@ -10899,7 +11179,8 @@ module Aws::CognitoIdentityProvider
10899
11179
  # }
10900
11180
  #
10901
11181
  # @!attribute [rw] access_token
10902
- # The access token.
11182
+ # A valid access token that Amazon Cognito issued to the user whose
11183
+ # software token you want to verify.
10903
11184
  # @return [String]
10904
11185
  #
10905
11186
  # @!attribute [rw] session
@@ -10961,7 +11242,8 @@ module Aws::CognitoIdentityProvider
10961
11242
  # }
10962
11243
  #
10963
11244
  # @!attribute [rw] access_token
10964
- # The access token of the request to verify user attributes.
11245
+ # A valid access token that Amazon Cognito issued to the user whose
11246
+ # user attributes you want to verify.
10965
11247
  # @return [String]
10966
11248
  #
10967
11249
  # @!attribute [rw] attribute_name