aws-sdk-cognitoidentityprovider 1.79.0 → 1.80.0

@@ -147,7 +147,7 @@ module Aws::CognitoIdentityProvider
147
147
  include Aws::Structure
148
148
  end
149
149
 
150
- # Represents the request to confirm user registration.
150
+ # Confirm a user's registration as a user pool administrator.
151
151
  #
152
152
  # @!attribute [rw] user_pool_id
153
153
  # The user pool ID for which you want to confirm user registration.
@@ -332,10 +332,9 @@ module Aws::CognitoIdentityProvider
332
332
  # Amazon Cognito generates one for you.
333
333
  #
334
334
  # The temporary password can only be used until the user account
335
- # expiration limit that you specified when you created the user pool.
336
- # To reset the account after that time limit, you must call
337
- # `AdminCreateUser` again, specifying `"RESEND"` for the
338
- # `MessageAction` parameter.
335
+ # expiration limit that you set for your user pool. To reset the
336
+ # account after that time limit, you must call `AdminCreateUser` again
337
+ # and specify `RESEND` for the `MessageAction` parameter.
339
338
  # @return [String]
340
339
  #
341
340
  # @!attribute [rw] force_alias_creation
@@ -654,7 +653,7 @@ module Aws::CognitoIdentityProvider
654
653
  # specified user as an administrator.
655
654
  #
656
655
  # @!attribute [rw] username
657
- # The user name of the user about whom you're receiving information.
656
+ # The username of the user that you requested.
658
657
  # @return [String]
659
658
  #
660
659
  # @!attribute [rw] user_attributes
@@ -666,7 +665,12 @@ module Aws::CognitoIdentityProvider
666
665
  # @return [Time]
667
666
  #
668
667
  # @!attribute [rw] user_last_modified_date
669
- # The date the user was last modified.
668
+ # The date and time, in [ISO 8601][1] format, when the item was
669
+ # modified.
670
+ #
671
+ #
672
+ #
673
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
670
674
  # @return [Time]
671
675
  #
672
676
  # @!attribute [rw] enabled
@@ -680,8 +684,6 @@ module Aws::CognitoIdentityProvider
680
684
  #
681
685
  # * CONFIRMED - User has been confirmed.
682
686
  #
683
- # * ARCHIVED - User is no longer active.
684
- #
685
687
  # * UNKNOWN - User status isn't known.
686
688
  #
687
689
  # * RESET\_REQUIRED - User is confirmed, but the user must request a
@@ -781,18 +783,27 @@ module Aws::CognitoIdentityProvider
781
783
  # `SECRET_HASH` (required if the app client is configured with a
782
784
  # client secret), `DEVICE_KEY`.
783
785
  #
784
- # * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN`
786
+ # * For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD`
785
787
  # (required), `SECRET_HASH` (required if the app client is
786
788
  # configured with a client secret), `DEVICE_KEY`.
787
789
  #
788
- # * For `ADMIN_NO_SRP_AUTH`: `USERNAME` (required), `SECRET_HASH` (if
789
- # app client is configured with client secret), `PASSWORD`
790
- # (required), `DEVICE_KEY`.
790
+ # * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN`
791
+ # (required), `SECRET_HASH` (required if the app client is
792
+ # configured with a client secret), `DEVICE_KEY`.
791
793
  #
792
794
  # * For `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app
793
795
  # client is configured with client secret), `DEVICE_KEY`. To start
794
796
  # the authentication flow with password verification, include
795
797
  # `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
798
+ #
799
+ # For more information about `SECRET_HASH`, see [Computing secret hash
800
+ # values][1]. For information about `DEVICE_KEY`, see [Working with
801
+ # user devices in your user pool][2].
802
+ #
803
+ #
804
+ #
805
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
806
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
796
807
  # @return [Hash<String,String>]
797
808
  #
798
809
  # @!attribute [rw] client_metadata
@@ -995,7 +1006,7 @@ module Aws::CognitoIdentityProvider
995
1006
  :session,
996
1007
  :challenge_parameters,
997
1008
  :authentication_result)
998
- SENSITIVE = [:session]
1009
+ SENSITIVE = []
999
1010
  include Aws::Structure
1000
1011
  end
1001
1012
 
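Review bot: Dropping `:session` from `SENSITIVE` at new line 1009 means this struct no longer marks the challenge session value for redaction, so any logging or inspection path that keys off the constant (in aws-sdk-core this appears to be the request-parameter log filter; confirm against the core gem) would print it in clear text. The same removal recurs in the later `SENSITIVE` hunks: `:session` and `:challenge_responses` go at new lines 1486, 1530, 1929, 1949, 5370, 6845 and 6888, and `:user_context_data` at 2386, 2490, 4449, 5266, 6613 and 6845. In Cognito's challenge flows `challenge_responses` carries values such as MFA codes and new passwords, so unless the model change is deliberate I would keep the old lists, e.g. `SENSITIVE = [:session]` here and `SENSITIVE = [:client_id, :challenge_responses, :session]` at 1486. Anyone who logs request or response parameters should inspect their log output after upgrading to 1.80.0. The struct definitions begin outside these hunks.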
@@ -1005,7 +1016,7 @@ module Aws::CognitoIdentityProvider
1005
1016
  #
1006
1017
  # @!attribute [rw] destination_user
1007
1018
  # The existing user in the user pool that you want to assign to the
1008
- # external IdP user account. This user can be a native (Username +
1019
+ # external IdP user account. This user can be a local (Username +
1009
1020
  # Password) Amazon Cognito user pools user or a federated user (for
1010
1021
  # example, a SAML or Facebook user). If the user doesn't exist,
1011
1022
  # Amazon Cognito generates an exception. Amazon Cognito returns this
@@ -1042,13 +1053,22 @@ module Aws::CognitoIdentityProvider
1042
1053
  #
1043
1054
  #
1044
1055
  #
1056
+ # For OIDC, the `ProviderAttributeName` can be any value that matches
1057
+ # a claim in the ID token, or that your app retrieves from the
1058
+ # `userInfo` endpoint. You must map the claim to a user pool attribute
1059
+ # in your IdP configuration, and set the user pool attribute name as
1060
+ # the value of `ProviderAttributeName` in your
1061
+ # `AdminLinkProviderForUser` request.
1062
+ #
1045
1063
  # For SAML, the `ProviderAttributeName` can be any value that matches
1046
- # a claim in the SAML assertion. If you want to link SAML users based
1047
- # on the subject of the SAML assertion, you should map the subject to
1048
- # a claim through the SAML IdP and submit that claim name as the
1049
- # `ProviderAttributeName`. If you set `ProviderAttributeName` to
1050
- # `Cognito_Subject`, Amazon Cognito will automatically parse the
1051
- # default unique identifier found in the subject from the SAML token.
1064
+ # a claim in the SAML assertion. To link SAML users based on the
1065
+ # subject of the SAML assertion, map the subject to a claim through
1066
+ # the SAML IdP and set that claim name as the value of
1067
+ # `ProviderAttributeName` in your `AdminLinkProviderForUser` request.
1068
+ #
1069
+ # For both OIDC and SAML users, when you set `ProviderAttributeName`
1070
+ # to `Cognito_Subject`, Amazon Cognito will automatically parse the
1071
+ # default unique identifier found in the subject from the IdP token.
1052
1072
  # @return [Types::ProviderUserIdentifierType]
1053
1073
  #
1054
1074
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminLinkProviderForUserRequest AWS API Documentation
@@ -1363,6 +1383,15 @@ module Aws::CognitoIdentityProvider
1363
1383
  # actual username value in the `USERNAMEUSER_ID_FOR_SRP` attribute.
1364
1384
  # This happens even if you specified an alias in your call to
1365
1385
  # `AdminInitiateAuth`.
1386
+ #
1387
+ # For more information about `SECRET_HASH`, see [Computing secret hash
1388
+ # values][1]. For information about `DEVICE_KEY`, see [Working with
1389
+ # user devices in your user pool][2].
1390
+ #
1391
+ #
1392
+ #
1393
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
1394
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
1366
1395
  # @return [Hash<String,String>]
1367
1396
  #
1368
1397
  # @!attribute [rw] session
@@ -1454,7 +1483,7 @@ module Aws::CognitoIdentityProvider
1454
1483
  :analytics_metadata,
1455
1484
  :context_data,
1456
1485
  :client_metadata)
1457
- SENSITIVE = [:client_id, :challenge_responses, :session]
1486
+ SENSITIVE = [:client_id]
1458
1487
  include Aws::Structure
1459
1488
  end
1460
1489
 
@@ -1498,7 +1527,7 @@ module Aws::CognitoIdentityProvider
1498
1527
  :session,
1499
1528
  :challenge_parameters,
1500
1529
  :authentication_result)
1501
- SENSITIVE = [:session]
1530
+ SENSITIVE = []
1502
1531
  include Aws::Structure
1503
1532
  end
1504
1533
 
@@ -1612,7 +1641,13 @@ module Aws::CognitoIdentityProvider
1612
1641
  # @return [String]
1613
1642
  #
1614
1643
  # @!attribute [rw] feedback_value
1615
- # The authentication event feedback value.
1644
+ # The authentication event feedback value. When you provide a
1645
+ # `FeedbackValue` value of `valid`, you tell Amazon Cognito that you
1646
+ # trust a user session where Amazon Cognito has evaluated some level
1647
+ # of risk. When you provide a `FeedbackValue` value of `invalid`, you
1648
+ # tell Amazon Cognito that you don't trust a user session, or you
1649
+ # don't believe that Amazon Cognito evaluated a high-enough risk
1650
+ # level.
1616
1651
  # @return [String]
1617
1652
  #
1618
1653
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminUpdateAuthEventFeedbackRequest AWS API Documentation
@@ -1806,7 +1841,7 @@ module Aws::CognitoIdentityProvider
1806
1841
  # The Amazon Pinpoint analytics configuration necessary to collect
1807
1842
  # metrics for a user pool.
1808
1843
  #
1809
- # <note markdown="1"> In Regions where Amazon Pinpointisn't available, user pools only
1844
+ # <note markdown="1"> In Regions where Amazon Pinpoint isn't available, user pools only
1810
1845
  # support sending events to Amazon Pinpoint projects in us-east-1. In
1811
1846
  # Regions where Amazon Pinpoint is available, user pools support sending
1812
1847
  # events to Amazon Pinpoint projects within that same Region.
@@ -1891,7 +1926,7 @@ module Aws::CognitoIdentityProvider
1891
1926
  class AssociateSoftwareTokenRequest < Struct.new(
1892
1927
  :access_token,
1893
1928
  :session)
1894
- SENSITIVE = [:access_token, :session]
1929
+ SENSITIVE = [:access_token]
1895
1930
  include Aws::Structure
1896
1931
  end
1897
1932
 
@@ -1911,7 +1946,7 @@ module Aws::CognitoIdentityProvider
1911
1946
  class AssociateSoftwareTokenResponse < Struct.new(
1912
1947
  :secret_code,
1913
1948
  :session)
1914
- SENSITIVE = [:secret_code, :session]
1949
+ SENSITIVE = [:secret_code]
1915
1950
  include Aws::Structure
1916
1951
  end
1917
1952
 
@@ -1945,7 +1980,12 @@ module Aws::CognitoIdentityProvider
1945
1980
  # @return [String]
1946
1981
  #
1947
1982
  # @!attribute [rw] creation_date
1948
- # The creation date
1983
+ # The date and time, in [ISO 8601][1] format, when the item was
1984
+ # created.
1985
+ #
1986
+ #
1987
+ #
1988
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
1949
1989
  # @return [Time]
1950
1990
  #
1951
1991
  # @!attribute [rw] event_response
@@ -2076,6 +2116,24 @@ module Aws::CognitoIdentityProvider
2076
2116
  #
2077
2117
  class ChangePasswordResponse < Aws::EmptyStructure; end
2078
2118
 
2119
+ # The CloudWatch logging destination of a user pool detailed activity
2120
+ # logging configuration.
2121
+ #
2122
+ # @!attribute [rw] log_group_arn
2123
+ # The Amazon Resource Name (arn) of a CloudWatch Logs log group where
2124
+ # your user pool sends logs. The log group must not be encrypted with
2125
+ # Key Management Service and must be in the same Amazon Web Services
2126
+ # account as your user pool.
2127
+ # @return [String]
2128
+ #
2129
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CloudWatchLogsConfigurationType AWS API Documentation
2130
+ #
2131
+ class CloudWatchLogsConfigurationType < Struct.new(
2132
+ :log_group_arn)
2133
+ SENSITIVE = []
2134
+ include Aws::Structure
2135
+ end
2136
+
2079
2137
  # The delivery details for an email or SMS message that Amazon Cognito
2080
2138
  # sent for authentication or verification.
2081
2139
  #
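Review bot: The `log_group_arn` comment (new lines 2123-2126) requires a log group that is not encrypted with Key Management Service, but it does not say what the detailed activity logs contain or who should be able to read them. A short caveat next to the constraint would help, for example `# Restrict read access to this log group; it receives user pool activity logs.` What the logs actually hold is not visible in this diff, so the wording should be checked against the service documentation before it is added.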
@@ -2237,7 +2295,12 @@ module Aws::CognitoIdentityProvider
2237
2295
  # @!attribute [rw] secret_hash
2238
2296
  # A keyed-hash message authentication code (HMAC) calculated using the
2239
2297
  # secret key of a user pool client and username plus the client ID in
2240
- # the message.
2298
+ # the message. For more information about `SecretHash`, see [Computing
2299
+ # secret hash values][1].
2300
+ #
2301
+ #
2302
+ #
2303
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
2241
2304
  # @return [String]
2242
2305
  #
2243
2306
  # @!attribute [rw] username
@@ -2320,7 +2383,7 @@ module Aws::CognitoIdentityProvider
2320
2383
  :analytics_metadata,
2321
2384
  :user_context_data,
2322
2385
  :client_metadata)
2323
- SENSITIVE = [:client_id, :secret_hash, :username, :password, :user_context_data]
2386
+ SENSITIVE = [:client_id, :secret_hash, :username, :password]
2324
2387
  include Aws::Structure
2325
2388
  end
2326
2389
 
@@ -2424,7 +2487,7 @@ module Aws::CognitoIdentityProvider
2424
2487
  :analytics_metadata,
2425
2488
  :user_context_data,
2426
2489
  :client_metadata)
2427
- SENSITIVE = [:client_id, :secret_hash, :username, :user_context_data]
2490
+ SENSITIVE = [:client_id, :secret_hash, :username]
2428
2491
  include Aws::Structure
2429
2492
  end
2430
2493
 
@@ -2800,7 +2863,7 @@ module Aws::CognitoIdentityProvider
2800
2863
  # `TokenValidityUnits` as `hours`, your user can authenticate their
2801
2864
  # session with their ID token for 10 hours.
2802
2865
  #
2803
- # The default time unit for `AccessTokenValidity` in an API request is
2866
+ # The default time unit for `IdTokenValidity` in an API request is
2804
2867
  # hours. *Valid range* is displayed below in seconds.
2805
2868
  #
2806
2869
  # If you don't specify otherwise in the configuration of your app
@@ -2961,8 +3024,27 @@ module Aws::CognitoIdentityProvider
2961
3024
  # @return [Array<String>]
2962
3025
  #
2963
3026
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
2964
- # Set to true if the client is allowed to follow the OAuth protocol
2965
- # when interacting with Amazon Cognito user pools.
3027
+ # Set to `true` to use OAuth 2.0 features in your user pool app
3028
+ # client.
3029
+ #
3030
+ # `AllowedOAuthFlowsUserPoolClient` must be `true` before you can
3031
+ # configure the following features in your app client.
3032
+ #
3033
+ # * `CallBackURLs`: Callback URLs.
3034
+ #
3035
+ # * `LogoutURLs`: Sign-out redirect URLs.
3036
+ #
3037
+ # * `AllowedOAuthScopes`: OAuth 2.0 scopes.
3038
+ #
3039
+ # * `AllowedOAuthFlows`: Support for authorization code, implicit, and
3040
+ # client credentials OAuth 2.0 grants.
3041
+ #
3042
+ # To use OAuth 2.0 features, configure one of these features in the
3043
+ # Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to
3044
+ # `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API
3045
+ # request. If you don't set a value for
3046
+ # `AllowedOAuthFlowsUserPoolClient` in a request with the CLI or SDKs,
3047
+ # it defaults to `false`.
2966
3048
  # @return [Boolean]
2967
3049
  #
2968
3050
  # @!attribute [rw] analytics_configuration
@@ -3277,15 +3359,32 @@ module Aws::CognitoIdentityProvider
3277
3359
  # @return [Array<Types::SchemaAttributeType>]
3278
3360
  #
3279
3361
  # @!attribute [rw] user_pool_add_ons
3280
- # Enables advanced security risk detection. Set the key
3281
- # `AdvancedSecurityMode` to the value "AUDIT".
3362
+ # User pool add-ons. Contains settings for activation of advanced
3363
+ # security features. To log user security information but take no
3364
+ # action, set to `AUDIT`. To configure automatic security responses to
3365
+ # risky traffic to your user pool, set to `ENFORCED`.
3366
+ #
3367
+ # For more information, see [Adding advanced security to a user
3368
+ # pool][1].
3369
+ #
3370
+ #
3371
+ #
3372
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
3282
3373
  # @return [Types::UserPoolAddOnsType]
3283
3374
  #
3284
3375
  # @!attribute [rw] username_configuration
3285
3376
  # Case sensitivity on the username input for the selected sign-in
3286
- # option. For example, when case sensitivity is set to `False`, users
3287
- # can sign in using either "username" or "Username". This
3288
- # configuration is immutable once it has been set. For more
3377
+ # option. When case sensitivity is set to `False` (case insensitive),
3378
+ # users can sign in with any combination of capital and lowercase
3379
+ # letters. For example, `username`, `USERNAME`, or `UserName`, or for
3380
+ # email, `email@example.com` or `EMaiL@eXamplE.Com`. For most use
3381
+ # cases, set case sensitivity to `False` (case insensitive) as a best
3382
+ # practice. When usernames and email addresses are case insensitive,
3383
+ # Amazon Cognito treats any variation in case as the same user, and
3384
+ # prevents a case variation from being assigned to the same attribute
3385
+ # for a different user.
3386
+ #
3387
+ # This configuration is immutable after you set it. For more
3289
3388
  # information, see [UsernameConfigurationType][1].
3290
3389
  #
3291
3390
  #
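Review bot: The rewritten `user_pool_add_ons` text (new lines 3362-3365) says "set to `AUDIT`" and "set to `ENFORCED`" without naming the field that takes the value, whereas the removed text named the `AdvancedSecurityMode` key. This setting decides whether risky sign-ins are only logged or also acted on, so the key should be named again, e.g. `# action, set AdvancedSecurityMode to AUDIT. To configure automatic security responses to`. The attribute list continues outside the hunk.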
@@ -3880,7 +3979,12 @@ module Aws::CognitoIdentityProvider
3880
3979
  # @return [Time]
3881
3980
  #
3882
3981
  # @!attribute [rw] device_last_modified_date
3883
- # The last modified date of the device.
3982
+ # The date and time, in [ISO 8601][1] format, when the item was
3983
+ # modified.
3984
+ #
3985
+ #
3986
+ #
3987
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
3884
3988
  # @return [Time]
3885
3989
  #
3886
3990
  # @!attribute [rw] device_last_authenticated_date
@@ -3921,8 +4025,8 @@ module Aws::CognitoIdentityProvider
3921
4025
  # @return [String]
3922
4026
  #
3923
4027
  # @!attribute [rw] cloud_front_distribution
3924
- # The Amazon Resource Name (ARN) of the Amazon CloudFront
3925
- # distribution.
4028
+ # The Amazon CloudFront endpoint that you use as the target of the
4029
+ # alias that you set up with your Domain Name Service (DNS) provider.
3926
4030
  # @return [String]
3927
4031
  #
3928
4032
  # @!attribute [rw] version
@@ -3984,9 +4088,13 @@ module Aws::CognitoIdentityProvider
3984
4088
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-email.html
3985
4089
  #
3986
4090
  # @!attribute [rw] source_arn
3987
- # The ARN of a verified email address in Amazon SES. Amazon Cognito
3988
- # uses this email address in one of the following ways, depending on
3989
- # the value that you specify for the `EmailSendingAccount` parameter:
4091
+ # The ARN of a verified email address or an address from a verified
4092
+ # domain in Amazon SES. You can set a `SourceArn` email from a
4093
+ # verified domain only with an API request. You can set a verified
4094
+ # email address, but not an address in a verified domain, in the
4095
+ # Amazon Cognito console. Amazon Cognito uses the email address that
4096
+ # you provide in one of the following ways, depending on the value
4097
+ # that you specify for the `EmailSendingAccount` parameter:
3990
4098
  #
3991
4099
  # * If you specify `COGNITO_DEFAULT`, Amazon Cognito uses this address
3992
4100
  # as the custom FROM address when it emails your users using its
@@ -4158,7 +4266,13 @@ module Aws::CognitoIdentityProvider
4158
4266
  # Specifies the event feedback type.
4159
4267
  #
4160
4268
  # @!attribute [rw] feedback_value
4161
- # The event feedback value.
4269
+ # The authentication event feedback value. When you provide a
4270
+ # `FeedbackValue` value of `valid`, you tell Amazon Cognito that you
4271
+ # trust a user session where Amazon Cognito has evaluated some level
4272
+ # of risk. When you provide a `FeedbackValue` value of `invalid`, you
4273
+ # tell Amazon Cognito that you don't trust a user session, or you
4274
+ # don't believe that Amazon Cognito evaluated a high-enough risk
4275
+ # level.
4162
4276
  # @return [String]
4163
4277
  #
4164
4278
  # @!attribute [rw] provider
@@ -4332,7 +4446,7 @@ module Aws::CognitoIdentityProvider
4332
4446
  :username,
4333
4447
  :analytics_metadata,
4334
4448
  :client_metadata)
4335
- SENSITIVE = [:client_id, :secret_hash, :user_context_data, :username]
4449
+ SENSITIVE = [:client_id, :secret_hash, :username]
4336
4450
  include Aws::Structure
4337
4451
  end
4338
4452
 
@@ -4480,6 +4594,32 @@ module Aws::CognitoIdentityProvider
4480
4594
  include Aws::Structure
4481
4595
  end
4482
4596
 
4597
+ # @!attribute [rw] user_pool_id
4598
+ # The ID of the user pool where you want to view detailed activity
4599
+ # logging configuration.
4600
+ # @return [String]
4601
+ #
4602
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationRequest AWS API Documentation
4603
+ #
4604
+ class GetLogDeliveryConfigurationRequest < Struct.new(
4605
+ :user_pool_id)
4606
+ SENSITIVE = []
4607
+ include Aws::Structure
4608
+ end
4609
+
4610
+ # @!attribute [rw] log_delivery_configuration
4611
+ # The detailed activity logging configuration of the requested user
4612
+ # pool.
4613
+ # @return [Types::LogDeliveryConfigurationType]
4614
+ #
4615
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetLogDeliveryConfigurationResponse AWS API Documentation
4616
+ #
4617
+ class GetLogDeliveryConfigurationResponse < Struct.new(
4618
+ :log_delivery_configuration)
4619
+ SENSITIVE = []
4620
+ include Aws::Structure
4621
+ end
4622
+
4483
4623
  # Request to get a signing certificate from Amazon Cognito.
4484
4624
  #
4485
4625
  # @!attribute [rw] user_pool_id
@@ -4675,8 +4815,7 @@ module Aws::CognitoIdentityProvider
4675
4815
  # information about the user.
4676
4816
  #
4677
4817
  # @!attribute [rw] username
4678
- # The user name of the user you want to retrieve from the get user
4679
- # request.
4818
+ # The username of the user that you requested.
4680
4819
  # @return [String]
4681
4820
  #
4682
4821
  # @!attribute [rw] user_attributes
@@ -4789,11 +4928,21 @@ module Aws::CognitoIdentityProvider
4789
4928
  # @return [Integer]
4790
4929
  #
4791
4930
  # @!attribute [rw] last_modified_date
4792
- # The date the group was last modified.
4931
+ # The date and time, in [ISO 8601][1] format, when the item was
4932
+ # modified.
4933
+ #
4934
+ #
4935
+ #
4936
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
4793
4937
  # @return [Time]
4794
4938
  #
4795
4939
  # @!attribute [rw] creation_date
4796
- # The date the group was created.
4940
+ # The date and time, in [ISO 8601][1] format, when the item was
4941
+ # created.
4942
+ #
4943
+ #
4944
+ #
4945
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
4797
4946
  # @return [Time]
4798
4947
  #
4799
4948
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GroupType AWS API Documentation
@@ -4927,11 +5076,21 @@ module Aws::CognitoIdentityProvider
4927
5076
  # @return [Array<String>]
4928
5077
  #
4929
5078
  # @!attribute [rw] last_modified_date
4930
- # The date the IdP was last modified.
5079
+ # The date and time, in [ISO 8601][1] format, when the item was
5080
+ # modified.
5081
+ #
5082
+ #
5083
+ #
5084
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
4931
5085
  # @return [Time]
4932
5086
  #
4933
5087
  # @!attribute [rw] creation_date
4934
- # The date the IdP was created.
5088
+ # The date and time, in [ISO 8601][1] format, when the item was
5089
+ # created.
5090
+ #
5091
+ #
5092
+ #
5093
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
4935
5094
  # @return [Time]
4936
5095
  #
4937
5096
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/IdentityProviderType AWS API Documentation
@@ -4992,6 +5151,10 @@ module Aws::CognitoIdentityProvider
4992
5151
  # `SECRET_HASH` (required if the app client is configured with a
4993
5152
  # client secret), `DEVICE_KEY`.
4994
5153
  #
5154
+ # * For `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD`
5155
+ # (required), `SECRET_HASH` (required if the app client is
5156
+ # configured with a client secret), `DEVICE_KEY`.
5157
+ #
4995
5158
  # * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN`
4996
5159
  # (required), `SECRET_HASH` (required if the app client is
4997
5160
  # configured with a client secret), `DEVICE_KEY`.
@@ -5000,6 +5163,15 @@ module Aws::CognitoIdentityProvider
5000
5163
  # client is configured with client secret), `DEVICE_KEY`. To start
5001
5164
  # the authentication flow with password verification, include
5002
5165
  # `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
5166
+ #
5167
+ # For more information about `SECRET_HASH`, see [Computing secret hash
5168
+ # values][1]. For information about `DEVICE_KEY`, see [Working with
5169
+ # user devices in your user pool][2].
5170
+ #
5171
+ #
5172
+ #
5173
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
5174
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
5003
5175
  # @return [Hash<String,String>]
5004
5176
  #
5005
5177
  # @!attribute [rw] client_metadata
@@ -5091,7 +5263,7 @@ module Aws::CognitoIdentityProvider
5091
5263
  :client_id,
5092
5264
  :analytics_metadata,
5093
5265
  :user_context_data)
5094
- SENSITIVE = [:auth_parameters, :client_id, :user_context_data]
5266
+ SENSITIVE = [:auth_parameters, :client_id]
5095
5267
  include Aws::Structure
5096
5268
  end
5097
5269
 
@@ -5195,7 +5367,7 @@ module Aws::CognitoIdentityProvider
5195
5367
  :session,
5196
5368
  :challenge_parameters,
5197
5369
  :authentication_result)
5198
- SENSITIVE = [:session]
5370
+ SENSITIVE = []
5199
5371
  include Aws::Structure
5200
5372
  end
5201
5373
 
@@ -5821,9 +5993,10 @@ module Aws::CognitoIdentityProvider
5821
5993
  # @return [String]
5822
5994
  #
5823
5995
  # @!attribute [rw] attributes_to_get
5824
- # An array of strings, where each string is the name of a user
5825
- # attribute to be returned for each user in the search results. If the
5826
- # array is null, all attributes are returned.
5996
+ # A JSON array of user attribute names, for example `given_name`, that
5997
+ # you want Amazon Cognito to include in the response for each user.
5998
+ # When you don't provide an `AttributesToGet` parameter, Amazon
5999
+ # Cognito returns all attributes for each user.
5827
6000
  # @return [Array<String>]
5828
6001
  #
5829
6002
  # @!attribute [rw] limit
@@ -5921,7 +6094,23 @@ module Aws::CognitoIdentityProvider
5921
6094
  # The response from the request to list users.
5922
6095
  #
5923
6096
  # @!attribute [rw] users
5924
- # The users returned in the request to list users.
6097
+ # A list of the user pool users, and their attributes, that match your
6098
+ # query.
6099
+ #
6100
+ # <note markdown="1"> Amazon Cognito creates a profile in your user pool for each native
6101
+ # user in your user pool, and each unique user ID from your
6102
+ # third-party identity providers (IdPs). When you link users with the
6103
+ # [AdminLinkProviderForUser][1] API operation, the output of
6104
+ # `ListUsers` displays both the IdP user and the native user that you
6105
+ # linked. You can identify IdP users in the `Users` object of this API
6106
+ # response by the IdP prefix that Amazon Cognito appends to
6107
+ # `Username`.
6108
+ #
6109
+ # </note>
6110
+ #
6111
+ #
6112
+ #
6113
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html
5925
6114
  # @return [Array<Types::UserType>]
5926
6115
  #
5927
6116
  # @!attribute [rw] pagination_token
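Review bot: The new note under `users` (new lines 6100-6105) says "native user" twice, while this same release renames "native" to "local" in the `destination_user` text at new line 1019. One term should be used throughout so readers do not take them for two kinds of account; for example `# <note markdown="1"> Amazon Cognito creates a profile in your user pool for each local`. The note also says the IdP prefix is "appended" to `Username`; if the prefix comes first, "prepends" would be the accurate word, which is worth confirming against the service documentation.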
@@ -5939,6 +6128,52 @@ module Aws::CognitoIdentityProvider
5939
6128
  include Aws::Structure
5940
6129
  end
5941
6130
 
6131
+ # The logging parameters of a user pool.
6132
+ #
6133
+ # @!attribute [rw] log_level
6134
+ # The `errorlevel` selection of logs that a user pool sends for
6135
+ # detailed activity logging.
6136
+ # @return [String]
6137
+ #
6138
+ # @!attribute [rw] event_source
6139
+ # The source of events that your user pool sends for detailed activity
6140
+ # logging.
6141
+ # @return [String]
6142
+ #
6143
+ # @!attribute [rw] cloud_watch_logs_configuration
6144
+ # The CloudWatch logging destination of a user pool.
6145
+ # @return [Types::CloudWatchLogsConfigurationType]
6146
+ #
6147
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogConfigurationType AWS API Documentation
6148
+ #
6149
+ class LogConfigurationType < Struct.new(
6150
+ :log_level,
6151
+ :event_source,
6152
+ :cloud_watch_logs_configuration)
6153
+ SENSITIVE = []
6154
+ include Aws::Structure
6155
+ end
6156
+
6157
+ # The logging parameters of a user pool.
6158
+ #
6159
+ # @!attribute [rw] user_pool_id
6160
+ # The ID of the user pool where you configured detailed activity
6161
+ # logging.
6162
+ # @return [String]
6163
+ #
6164
+ # @!attribute [rw] log_configurations
6165
+ # The detailed activity logging destination of a user pool.
6166
+ # @return [Array<Types::LogConfigurationType>]
6167
+ #
6168
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/LogDeliveryConfigurationType AWS API Documentation
6169
+ #
6170
+ class LogDeliveryConfigurationType < Struct.new(
6171
+ :user_pool_id,
6172
+ :log_configurations)
6173
+ SENSITIVE = []
6174
+ include Aws::Structure
6175
+ end
6176
+
5942
6177
  # This exception is thrown when Amazon Cognito can't find a
5943
6178
  # multi-factor authentication (MFA) method.
5944
6179
  #
@@ -6232,7 +6467,12 @@ module Aws::CognitoIdentityProvider
6232
6467
  # @return [Time]
6233
6468
  #
6234
6469
  # @!attribute [rw] creation_date
6235
- # The date the provider was added to the user pool.
6470
+ # The date and time, in [ISO 8601][1] format, when the item was
6471
+ # created.
6472
+ #
6473
+ #
6474
+ #
6475
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
6236
6476
  # @return [Time]
6237
6477
  #
6238
6478
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ProviderDescription AWS API Documentation
@@ -6370,7 +6610,7 @@ module Aws::CognitoIdentityProvider
6370
6610
  :username,
6371
6611
  :analytics_metadata,
6372
6612
  :client_metadata)
6373
- SENSITIVE = [:client_id, :secret_hash, :user_context_data, :username]
6613
+ SENSITIVE = [:client_id, :secret_hash, :username]
6374
6614
  include Aws::Structure
6375
6615
  end
6376
6616
 
@@ -6528,6 +6768,15 @@ module Aws::CognitoIdentityProvider
6528
6768
  # * `MFA_SETUP` requires `USERNAME`, plus you must use the session
6529
6769
  # value returned by `VerifySoftwareToken` in the `Session`
6530
6770
  # parameter.
6771
+ #
6772
+ # For more information about `SECRET_HASH`, see [Computing secret hash
6773
+ # values][1]. For information about `DEVICE_KEY`, see [Working with
6774
+ # user devices in your user pool][2].
6775
+ #
6776
+ #
6777
+ #
6778
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
6779
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
6531
6780
  # @return [Hash<String,String>]
6532
6781
  #
6533
6782
  # @!attribute [rw] analytics_metadata
@@ -6593,7 +6842,7 @@ module Aws::CognitoIdentityProvider
6593
6842
  :analytics_metadata,
6594
6843
  :user_context_data,
6595
6844
  :client_metadata)
6596
- SENSITIVE = [:client_id, :session, :challenge_responses, :user_context_data]
6845
+ SENSITIVE = [:client_id]
6597
6846
  include Aws::Structure
6598
6847
  end
6599
6848
 
@@ -6636,7 +6885,7 @@ module Aws::CognitoIdentityProvider
6636
6885
  :session,
6637
6886
  :challenge_parameters,
6638
6887
  :authentication_result)
6639
- SENSITIVE = [:session]
6888
+ SENSITIVE = []
6640
6889
  include Aws::Structure
6641
6890
  end
6642
6891
 
@@ -6693,7 +6942,12 @@ module Aws::CognitoIdentityProvider
6693
6942
  # @return [Types::RiskExceptionConfigurationType]
6694
6943
  #
6695
6944
  # @!attribute [rw] last_modified_date
6696
- # The last modified date.
6945
+ # The date and time, in [ISO 8601][1] format, when the item was
6946
+ # modified.
6947
+ #
6948
+ #
6949
+ #
6950
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
6697
6951
  # @return [Time]
6698
6952
  #
6699
6953
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RiskConfigurationType AWS API Documentation
@@ -6760,14 +7014,27 @@ module Aws::CognitoIdentityProvider
6760
7014
  include Aws::Structure
6761
7015
  end
6762
7016
 
6763
- # Contains information about the schema attribute.
7017
+ # A list of the user attributes and their properties in your user pool.
7018
+ # The attribute schema contains standard attributes, custom attributes
7019
+ # with a `custom:` prefix, and developer attributes with a `dev:`
7020
+ # prefix. For more information, see [User pool attributes][1].
7021
+ #
7022
+ # Developer-only attributes are a legacy feature of user pools, are
7023
+ # read-only to all app clients. You can create and update developer-only
7024
+ # attributes only with IAM-authenticated API operations. Use app client
7025
+ # read/write permissions instead.
7026
+ #
7027
+ #
7028
+ #
7029
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
6764
7030
  #
6765
7031
  # @!attribute [rw] name
6766
- # A schema attribute of the name type.
7032
+ # The name of your user pool attribute, for example `username` or
7033
+ # `custom:costcenter`.
6767
7034
  # @return [String]
6768
7035
  #
6769
7036
  # @!attribute [rw] attribute_data_type
6770
- # The attribute data type.
7037
+ # The data format of the values for your attribute.
6771
7038
  # @return [String]
6772
7039
  #
6773
7040
  # @!attribute [rw] developer_only_attribute
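Review bot: The added class comment has a broken sentence at new lines 7022-7023, "Developer-only attributes are a legacy feature of user pools, are read-only to all app clients", and the closing "Use app client read/write permissions instead" does not say instead of what. Suggested wording: `# Developer-only attributes are a legacy feature of user pools and are read-only to all app clients.` followed by `# Use app client read/write permissions instead of developer-only attributes.` The same text is repeated in the `schema_attributes` description at new lines 9646-9649. The class body continues outside the hunk.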
@@ -6792,13 +7059,13 @@ module Aws::CognitoIdentityProvider
6792
7059
  # @!attribute [rw] mutable
6793
7060
  # Specifies whether the value of the attribute can be changed.
6794
7061
  #
6795
- # For any user pool attribute that is mapped to an IdP attribute, you
6796
- # must set this parameter to `true`. Amazon Cognito updates mapped
6797
- # attributes when users sign in to your application through an IdP. If
6798
- # an attribute is immutable, Amazon Cognito throws an error when it
6799
- # attempts to update the attribute. For more information, see
6800
- # [Specifying Identity Provider Attribute Mappings for Your User
6801
- # Pool][1].
7062
+ # Any user pool attribute whose value you map from an IdP attribute
7063
+ # must be mutable, with a parameter value of `true`. Amazon Cognito
7064
+ # updates mapped attributes when users sign in to your application
7065
+ # through an IdP. If an attribute is immutable, Amazon Cognito throws
7066
+ # an error when it attempts to update the attribute. For more
7067
+ # information, see [Specifying Identity Provider Attribute Mappings
7068
+ # for Your User Pool][1].
6802
7069
  #
6803
7070
  #
6804
7071
  #
@@ -6846,6 +7113,38 @@ module Aws::CognitoIdentityProvider
6846
7113
  include Aws::Structure
6847
7114
  end
6848
7115
 
7116
+ # @!attribute [rw] user_pool_id
7117
+ # The ID of the user pool where you want to configure detailed
7118
+ # activity logging .
7119
+ # @return [String]
7120
+ #
7121
+ # @!attribute [rw] log_configurations
7122
+ # A collection of all of the detailed activity logging configurations
7123
+ # for a user pool.
7124
+ # @return [Array<Types::LogConfigurationType>]
7125
+ #
7126
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfigurationRequest AWS API Documentation
7127
+ #
7128
+ class SetLogDeliveryConfigurationRequest < Struct.new(
7129
+ :user_pool_id,
7130
+ :log_configurations)
7131
+ SENSITIVE = []
7132
+ include Aws::Structure
7133
+ end
7134
+
7135
+ # @!attribute [rw] log_delivery_configuration
7136
+ # The detailed activity logging configuration that you applied to the
7137
+ # requested user pool.
7138
+ # @return [Types::LogDeliveryConfigurationType]
7139
+ #
7140
+ # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetLogDeliveryConfigurationResponse AWS API Documentation
7141
+ #
7142
+ class SetLogDeliveryConfigurationResponse < Struct.new(
7143
+ :log_delivery_configuration)
7144
+ SENSITIVE = []
7145
+ include Aws::Structure
7146
+ end
7147
+
6849
7148
  # @!attribute [rw] user_pool_id
6850
7149
  # The user pool ID.
6851
7150
  # @return [String]
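Review bot: The two new structs, `SetLogDeliveryConfigurationRequest` and `SetLogDeliveryConfigurationResponse`, have attribute docs but no class-level summary line, unlike the other types documented on this page, and the `user_pool_id` text ends with a stray space in `activity logging .`. I would add a one-line description above each `@!attribute` block, for example `# Request to set the detailed activity logging configuration of a user pool.`, and fix the punctuation to `# activity logging.`. Both `SENSITIVE = []` lists look reasonable for the fields shown, since neither struct has a credential-like member.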
@@ -7154,7 +7453,7 @@ module Aws::CognitoIdentityProvider
7154
7453
  :analytics_metadata,
7155
7454
  :user_context_data,
7156
7455
  :client_metadata)
7157
- SENSITIVE = [:client_id, :secret_hash, :username, :password, :user_context_data]
7456
+ SENSITIVE = [:client_id, :secret_hash, :username, :password]
7158
7457
  include Aws::Structure
7159
7458
  end
7160
7459
 
@@ -7451,18 +7750,23 @@ module Aws::CognitoIdentityProvider
7451
7750
  # A time unit of `seconds`, `minutes`, `hours`, or `days` for the
7452
7751
  # value that you set in the `AccessTokenValidity` parameter. The
7453
7752
  # default `AccessTokenValidity` time unit is hours.
7753
+ # `AccessTokenValidity` duration can range from five minutes to one
7754
+ # day.
7454
7755
  # @return [String]
7455
7756
  #
7456
7757
  # @!attribute [rw] id_token
7457
7758
  # A time unit of `seconds`, `minutes`, `hours`, or `days` for the
7458
7759
  # value that you set in the `IdTokenValidity` parameter. The default
7459
- # `IdTokenValidity` time unit is hours.
7760
+ # `IdTokenValidity` time unit is hours. `IdTokenValidity` duration can
7761
+ # range from five minutes to one day.
7460
7762
  # @return [String]
7461
7763
  #
7462
7764
  # @!attribute [rw] refresh_token
7463
7765
  # A time unit of `seconds`, `minutes`, `hours`, or `days` for the
7464
7766
  # value that you set in the `RefreshTokenValidity` parameter. The
7465
7767
  # default `RefreshTokenValidity` time unit is days.
7768
+ # `RefreshTokenValidity` duration can range from 60 minutes to 10
7769
+ # years.
7466
7770
  # @return [String]
7467
7771
  #
7468
7772
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/TokenValidityUnitsType AWS API Documentation
@@ -7531,11 +7835,21 @@ module Aws::CognitoIdentityProvider
7531
7835
  # @return [String]
7532
7836
  #
7533
7837
  # @!attribute [rw] last_modified_date
7534
- # The last-modified date for the UI customization.
7838
+ # The date and time, in [ISO 8601][1] format, when the item was
7839
+ # modified.
7840
+ #
7841
+ #
7842
+ #
7843
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
7535
7844
  # @return [Time]
7536
7845
  #
7537
7846
  # @!attribute [rw] creation_date
7538
- # The creation date for the UI customization.
7847
+ # The date and time, in [ISO 8601][1] format, when the item was
7848
+ # created.
7849
+ #
7850
+ #
7851
+ #
7852
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
7539
7853
  # @return [Time]
7540
7854
  #
7541
7855
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UICustomizationType AWS API Documentation
@@ -7677,7 +7991,13 @@ module Aws::CognitoIdentityProvider
7677
7991
  # @return [String]
7678
7992
  #
7679
7993
  # @!attribute [rw] feedback_value
7680
- # The authentication event feedback value.
7994
+ # The authentication event feedback value. When you provide a
7995
+ # `FeedbackValue` value of `valid`, you tell Amazon Cognito that you
7996
+ # trust a user session where Amazon Cognito has evaluated some level
7997
+ # of risk. When you provide a `FeedbackValue` value of `invalid`, you
7998
+ # tell Amazon Cognito that you don't trust a user session, or you
7999
+ # don't believe that Amazon Cognito evaluated a high-enough risk
8000
+ # level.
7681
8001
  # @return [String]
7682
8002
  #
7683
8003
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateAuthEventFeedbackRequest AWS API Documentation
@@ -8009,7 +8329,7 @@ module Aws::CognitoIdentityProvider
8009
8329
  # `TokenValidityUnits` as `hours`, your user can authenticate their
8010
8330
  # session with their ID token for 10 hours.
8011
8331
  #
8012
- # The default time unit for `AccessTokenValidity` in an API request is
8332
+ # The default time unit for `IdTokenValidity` in an API request is
8013
8333
  # hours. *Valid range* is displayed below in seconds.
8014
8334
  #
8015
8335
  # If you don't specify otherwise in the configuration of your app
@@ -8017,9 +8337,9 @@ module Aws::CognitoIdentityProvider
8017
8337
  # @return [Integer]
8018
8338
  #
8019
8339
  # @!attribute [rw] token_validity_units
8020
- # The units in which the validity times are represented. The default
8021
- # unit for RefreshToken is days, and the default for ID and access
8022
- # tokens is hours.
8340
+ # The time units you use when you set the duration of ID, access, and
8341
+ # refresh tokens. The default unit for RefreshToken is days, and the
8342
+ # default for ID and access tokens is hours.
8023
8343
  # @return [Types::TokenValidityUnitsType]
8024
8344
  #
8025
8345
  # @!attribute [rw] read_attributes
@@ -8157,8 +8477,27 @@ module Aws::CognitoIdentityProvider
8157
8477
  # @return [Array<String>]
8158
8478
  #
8159
8479
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
8160
- # Set to true if the client is allowed to follow the OAuth protocol
8161
- # when interacting with Amazon Cognito user pools.
8480
+ # Set to `true` to use OAuth 2.0 features in your user pool app
8481
+ # client.
8482
+ #
8483
+ # `AllowedOAuthFlowsUserPoolClient` must be `true` before you can
8484
+ # configure the following features in your app client.
8485
+ #
8486
+ # * `CallBackURLs`: Callback URLs.
8487
+ #
8488
+ # * `LogoutURLs`: Sign-out redirect URLs.
8489
+ #
8490
+ # * `AllowedOAuthScopes`: OAuth 2.0 scopes.
8491
+ #
8492
+ # * `AllowedOAuthFlows`: Support for authorization code, implicit, and
8493
+ # client credentials OAuth 2.0 grants.
8494
+ #
8495
+ # To use OAuth 2.0 features, configure one of these features in the
8496
+ # Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to
8497
+ # `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API
8498
+ # request. If you don't set a value for
8499
+ # `AllowedOAuthFlowsUserPoolClient` in a request with the CLI or SDKs,
8500
+ # it defaults to `false`.
8162
8501
  # @return [Boolean]
8163
8502
  #
8164
8503
  # @!attribute [rw] analytics_configuration
@@ -8453,8 +8792,17 @@ module Aws::CognitoIdentityProvider
8453
8792
  # @return [Types::AdminCreateUserConfigType]
8454
8793
  #
8455
8794
  # @!attribute [rw] user_pool_add_ons
8456
- # Enables advanced security risk detection. Set the key
8457
- # `AdvancedSecurityMode` to the value "AUDIT".
8795
+ # User pool add-ons. Contains settings for activation of advanced
8796
+ # security features. To log user security information but take no
8797
+ # action, set to `AUDIT`. To configure automatic security responses to
8798
+ # risky traffic to your user pool, set to `ENFORCED`.
8799
+ #
8800
+ # For more information, see [Adding advanced security to a user
8801
+ # pool][1].
8802
+ #
8803
+ #
8804
+ #
8805
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
8458
8806
  # @return [Types::UserPoolAddOnsType]
8459
8807
  #
8460
8808
  # @!attribute [rw] account_recovery_setting
@@ -8523,8 +8871,8 @@ module Aws::CognitoIdentityProvider
8523
8871
  #
8524
8872
  # You can verify an updated email address or phone number with a
8525
8873
  # [VerifyUserAttribute][1] API request. You can also call the
8526
- # [UpdateUserAttributes][2] or [AdminUpdateUserAttributes][3] API and
8527
- # set `email_verified` or `phone_number_verified` to true.
8874
+ # [AdminUpdateUserAttributes][2] API and set `email_verified` or
8875
+ # `phone_number_verified` to true.
8528
8876
  #
8529
8877
  # When `AttributesRequireVerificationBeforeUpdate` is false, your user
8530
8878
  # pool doesn't require that your users verify attribute changes
@@ -8536,8 +8884,7 @@ module Aws::CognitoIdentityProvider
8536
8884
  #
8537
8885
  #
8538
8886
  # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifyUserAttribute.html
8539
- # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
8540
- # [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
8887
+ # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
8541
8888
  # @return [Array<String>]
8542
8889
  #
8543
8890
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserAttributeUpdateSettingsType AWS API Documentation
@@ -8611,7 +8958,12 @@ module Aws::CognitoIdentityProvider
8611
8958
  # @return [String]
8612
8959
  #
8613
8960
  # @!attribute [rw] creation_date
8614
- # The date the user import job was created.
8961
+ # The date and time, in [ISO 8601][1] format, when the item was
8962
+ # created.
8963
+ #
8964
+ #
8965
+ #
8966
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
8615
8967
  # @return [Time]
8616
8968
  #
8617
8969
  # @!attribute [rw] start_date
@@ -8747,10 +9099,20 @@ module Aws::CognitoIdentityProvider
8747
9099
  include Aws::Structure
8748
9100
  end
8749
9101
 
8750
- # The user pool add-ons type.
9102
+ # User pool add-ons. Contains settings for activation of advanced
9103
+ # security features. To log user security information but take no
9104
+ # action, set to `AUDIT`. To configure automatic security responses to
9105
+ # risky traffic to your user pool, set to `ENFORCED`.
9106
+ #
9107
+ # For more information, see [Adding advanced security to a user
9108
+ # pool][1].
9109
+ #
9110
+ #
9111
+ #
9112
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
8751
9113
  #
8752
9114
  # @!attribute [rw] advanced_security_mode
8753
- # The advanced security mode.
9115
+ # The operating mode of advanced security features in your user pool.
8754
9116
  # @return [String]
8755
9117
  #
8756
9118
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolAddOnsType AWS API Documentation
@@ -8805,11 +9167,21 @@ module Aws::CognitoIdentityProvider
8805
9167
  # @return [String]
8806
9168
  #
8807
9169
  # @!attribute [rw] last_modified_date
8808
- # The date the user pool client was last modified.
9170
+ # The date and time, in [ISO 8601][1] format, when the item was
9171
+ # modified.
9172
+ #
9173
+ #
9174
+ #
9175
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
8809
9176
  # @return [Time]
8810
9177
  #
8811
9178
  # @!attribute [rw] creation_date
8812
- # The date the user pool client was created.
9179
+ # The date and time, in [ISO 8601][1] format, when the item was
9180
+ # created.
9181
+ #
9182
+ #
9183
+ #
9184
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
8813
9185
  # @return [Time]
8814
9186
  #
8815
9187
  # @!attribute [rw] refresh_token_validity
@@ -8858,7 +9230,7 @@ module Aws::CognitoIdentityProvider
8858
9230
  # `TokenValidityUnits` as `hours`, your user can authenticate their
8859
9231
  # session with their ID token for 10 hours.
8860
9232
  #
8861
- # The default time unit for `AccessTokenValidity` in an API request is
9233
+ # The default time unit for `IdTokenValidity` in an API request is
8862
9234
  # hours. *Valid range* is displayed below in seconds.
8863
9235
  #
8864
9236
  # If you don't specify otherwise in the configuration of your app
@@ -9006,8 +9378,27 @@ module Aws::CognitoIdentityProvider
9006
9378
  # @return [Array<String>]
9007
9379
  #
9008
9380
  # @!attribute [rw] allowed_o_auth_flows_user_pool_client
9009
- # Set to true if the client is allowed to follow the OAuth protocol
9010
- # when interacting with Amazon Cognito user pools.
9381
+ # Set to `true` to use OAuth 2.0 features in your user pool app
9382
+ # client.
9383
+ #
9384
+ # `AllowedOAuthFlowsUserPoolClient` must be `true` before you can
9385
+ # configure the following features in your app client.
9386
+ #
9387
+ # * `CallBackURLs`: Callback URLs.
9388
+ #
9389
+ # * `LogoutURLs`: Sign-out redirect URLs.
9390
+ #
9391
+ # * `AllowedOAuthScopes`: OAuth 2.0 scopes.
9392
+ #
9393
+ # * `AllowedOAuthFlows`: Support for authorization code, implicit, and
9394
+ # client credentials OAuth 2.0 grants.
9395
+ #
9396
+ # To use OAuth 2.0 features, configure one of these features in the
9397
+ # Amazon Cognito console or set `AllowedOAuthFlowsUserPoolClient` to
9398
+ # `true` in a `CreateUserPoolClient` or `UpdateUserPoolClient` API
9399
+ # request. If you don't set a value for
9400
+ # `AllowedOAuthFlowsUserPoolClient` in a request with the CLI or SDKs,
9401
+ # it defaults to `false`.
9011
9402
  # @return [Boolean]
9012
9403
  #
9013
9404
  # @!attribute [rw] analytics_configuration
@@ -9136,11 +9527,21 @@ module Aws::CognitoIdentityProvider
9136
9527
  # @return [String]
9137
9528
  #
9138
9529
  # @!attribute [rw] last_modified_date
9139
- # The date the user pool description was last modified.
9530
+ # The date and time, in [ISO 8601][1] format, when the item was
9531
+ # modified.
9532
+ #
9533
+ #
9534
+ #
9535
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
9140
9536
  # @return [Time]
9141
9537
  #
9142
9538
  # @!attribute [rw] creation_date
9143
- # The date the user pool description was created.
9539
+ # The date and time, in [ISO 8601][1] format, when the item was
9540
+ # created.
9541
+ #
9542
+ #
9543
+ #
9544
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
9144
9545
  # @return [Time]
9145
9546
  #
9146
9547
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolDescriptionType AWS API Documentation
@@ -9219,15 +9620,37 @@ module Aws::CognitoIdentityProvider
9219
9620
  # @return [String]
9220
9621
  #
9221
9622
  # @!attribute [rw] last_modified_date
9222
- # The date the user pool was last modified.
9623
+ # The date and time, in [ISO 8601][1] format, when the item was
9624
+ # modified.
9625
+ #
9626
+ #
9627
+ #
9628
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
9223
9629
  # @return [Time]
9224
9630
  #
9225
9631
  # @!attribute [rw] creation_date
9226
- # The date the user pool was created.
9632
+ # The date and time, in [ISO 8601][1] format, when the item was
9633
+ # created.
9634
+ #
9635
+ #
9636
+ #
9637
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
9227
9638
  # @return [Time]
9228
9639
  #
9229
9640
  # @!attribute [rw] schema_attributes
9230
- # A container with the schema attributes of a user pool.
9641
+ # A list of the user attributes and their properties in your user
9642
+ # pool. The attribute schema contains standard attributes, custom
9643
+ # attributes with a `custom:` prefix, and developer attributes with a
9644
+ # `dev:` prefix. For more information, see [User pool attributes][1].
9645
+ #
9646
+ # Developer-only attributes are a legacy feature of user pools, are
9647
+ # read-only to all app clients. You can create and update
9648
+ # developer-only attributes only with IAM-authenticated API
9649
+ # operations. Use app client read/write permissions instead.
9650
+ #
9651
+ #
9652
+ #
9653
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
9231
9654
  # @return [Array<Types::SchemaAttributeType>]
9232
9655
  #
9233
9656
  # @!attribute [rw] auto_verified_attributes
@@ -9322,7 +9745,7 @@ module Aws::CognitoIdentityProvider
9322
9745
  # @!attribute [rw] email_configuration
9323
9746
  # The email configuration of your user pool. The email configuration
9324
9747
  # type sets your preferred sending method, Amazon Web Services Region,
9325
- # and sender for messages tfrom your user pool.
9748
+ # and sender for messages from your user pool.
9326
9749
  # @return [Types::EmailConfigurationType]
9327
9750
  #
9328
9751
  # @!attribute [rw] sms_configuration
@@ -9358,10 +9781,10 @@ module Aws::CognitoIdentityProvider
9358
9781
  #
9359
9782
  # : The Amazon Web Services account is in the SNS SMS Sandbox and
9360
9783
  # messages will only reach verified end users. This parameter won’t
9361
- # get populated with SNSSandbox if the IAM user creating the user
9362
- # pool doesn’t have SNS permissions. To learn how to move your
9363
- # Amazon Web Services account out of the sandbox, see [Moving out of
9364
- # the SMS sandbox][2].
9784
+ # get populated with SNSSandbox if the user creating the user pool
9785
+ # doesn’t have SNS permissions. To learn how to move your Amazon Web
9786
+ # Services account out of the sandbox, see [Moving out of the SMS
9787
+ # sandbox][2].
9365
9788
  #
9366
9789
  #
9367
9790
  #
@@ -9398,7 +9821,17 @@ module Aws::CognitoIdentityProvider
9398
9821
  # @return [Types::AdminCreateUserConfigType]
9399
9822
  #
9400
9823
  # @!attribute [rw] user_pool_add_ons
9401
- # The user pool add-ons.
9824
+ # User pool add-ons. Contains settings for activation of advanced
9825
+ # security features. To log user security information but take no
9826
+ # action, set to `AUDIT`. To configure automatic security responses to
9827
+ # risky traffic to your user pool, set to `ENFORCED`.
9828
+ #
9829
+ # For more information, see [Adding advanced security to a user
9830
+ # pool][1].
9831
+ #
9832
+ #
9833
+ #
9834
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html
9402
9835
  # @return [Types::UserPoolAddOnsType]
9403
9836
  #
9404
9837
  # @!attribute [rw] username_configuration
@@ -9483,7 +9916,12 @@ module Aws::CognitoIdentityProvider
9483
9916
  # @return [Time]
9484
9917
  #
9485
9918
  # @!attribute [rw] user_last_modified_date
9486
- # The last modified date of the user.
9919
+ # The date and time, in [ISO 8601][1] format, when the item was
9920
+ # modified.
9921
+ #
9922
+ #
9923
+ #
9924
+ # [1]: https://www.iso.org/iso-8601-date-and-time-format.html
9487
9925
  # @return [Time]
9488
9926
  #
9489
9927
  # @!attribute [rw] enabled
@@ -9499,8 +9937,6 @@ module Aws::CognitoIdentityProvider
9499
9937
  #
9500
9938
  # * EXTERNAL\_PROVIDER - User signed in with a third-party IdP.
9501
9939
  #
9502
- # * ARCHIVED - User is no longer active.
9503
- #
9504
9940
  # * UNKNOWN - User status isn't known.
9505
9941
  #
9506
9942
  # * RESET\_REQUIRED - User is confirmed, but the user must request a
@@ -9534,7 +9970,11 @@ module Aws::CognitoIdentityProvider
9534
9970
  #
9535
9971
  # @!attribute [rw] case_sensitive
9536
9972
  # Specifies whether user name case sensitivity will be applied for all
9537
- # users in the user pool through Amazon Cognito APIs.
9973
+ # users in the user pool through Amazon Cognito APIs. For most use
9974
+ # cases, set case sensitivity to `False` (case insensitive) as a best
9975
+ # practice. When usernames and email addresses are case insensitive,
9976
+ # users can sign in as the same user when they enter a different
9977
+ # capitalization of their user name.
9538
9978
  #
9539
9979
  # Valid values include:
9540
9980
  #
@@ -9548,10 +9988,10 @@ module Aws::CognitoIdentityProvider
9548
9988
  # False
9549
9989
  #
9550
9990
  # : Enables case insensitivity for all username input. For example,
9551
- # when this option is set to `False`, users can sign in using either
9552
- # "username" or "Username". This option also enables both
9553
- # `preferred_username` and `email` alias to be case insensitive, in
9554
- # addition to the `username` attribute.
9991
+ # when this option is set to `False`, users can sign in using
9992
+ # `username`, `USERNAME`, or `UserName`. This option also enables
9993
+ # both `preferred_username` and `email` alias to be case
9994
+ # insensitive, in addition to the `username` attribute.
9555
9995
  # @return [Boolean]
9556
9996
  #
9557
9997
  # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UsernameConfigurationType AWS API Documentation
@@ -9681,7 +10121,7 @@ module Aws::CognitoIdentityProvider
9681
10121
  :session,
9682
10122
  :user_code,
9683
10123
  :friendly_device_name)
9684
- SENSITIVE = [:access_token, :session, :user_code]
10124
+ SENSITIVE = [:access_token]
9685
10125
  include Aws::Structure
9686
10126
  end
9687
10127
 
@@ -9699,7 +10139,7 @@ module Aws::CognitoIdentityProvider
9699
10139
  class VerifySoftwareTokenResponse < Struct.new(
9700
10140
  :status,
9701
10141
  :session)
9702
- SENSITIVE = [:session]
10142
+ SENSITIVE = []
9703
10143
  include Aws::Structure
9704
10144
  end
9705
10145