aws-sdk-cognitoidentityprovider 1.84.0 → 1.85.0

@@ -459,7 +459,9 @@ module Aws::CognitoIdentityProvider
459
459
  req.send_request(options)
460
460
  end
461
461
 
462
- # Adds the specified user to the specified group.
462
+ # Adds a user to a group. A user who is in a group can present a
463
+ # preferred-role claim to an identity pool, and populates a
464
+ # `cognito:groups` claim to their access and identity tokens.
463
465
  #
464
466
  # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
465
467
  # in requests for this API operation. For this operation, you must use
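Review bot: In the new summary at new lines 462-464, the second clause has no sensible subject: "A user who is in a group can present a preferred-role claim to an identity pool, and populates a `cognito:groups` claim to their access and identity tokens" reads as if the user populates the claim. Suggest something like "Group membership adds a `cognito:groups` claim to the user's access and ID tokens and lets the user present a preferred-role claim to an identity pool." Because the sentence now ties membership to role selection in an identity pool, it is also worth stating that adding a user to a group can change the role they receive, so callers treat this as a privilege-granting operation.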
@@ -483,10 +485,13 @@ module Aws::CognitoIdentityProvider
483
485
  # The user pool ID for the user pool.
484
486
  #
485
487
  # @option params [required, String] :username
486
- # The username for the user.
488
+ # The username of the user that you want to query or modify. The value
489
+ # of this parameter is typically your user's username, but it can be
490
+ # any of their alias attributes. If `username` isn't an alias attribute
491
+ # in your user pool, you can also use their `sub` in this request.
487
492
  #
488
493
  # @option params [required, String] :group_name
489
- # The group name.
494
+ # The name of the group that you want to add your user to.
490
495
  #
491
496
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
492
497
  #
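Review bot: The last sentence of the new `:username` text (new lines 490-491) is ambiguous: "If `username` isn't an alias attribute in your user pool, you can also use their `sub`" can be read as referring either to the request parameter or to the user pool's alias configuration. Please state plainly when `sub` is accepted. The lead-in "query or modify" is also generic for an operation that only adds a user to a group; the `:group_name` line in the same hunk shows the operation-specific wording that would fit better here.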
@@ -507,8 +512,18 @@ module Aws::CognitoIdentityProvider
507
512
  req.send_request(options)
508
513
  end
509
514
 
510
- # Confirms user registration as an admin without using a confirmation
511
- # code. Works on any user.
515
+ # This IAM-authenticated API operation provides a code that Amazon
516
+ # Cognito sent to your user when they signed up in your user pool. After
517
+ # your user enters their code, they confirm ownership of the email
518
+ # address or phone number that they provided, and their user account
519
+ # becomes active. Depending on your user pool configuration, your users
520
+ # will receive their confirmation code in an email or SMS message.
521
+ #
522
+ # Local users who signed up in your user pool are the only type of user
523
+ # who can confirm sign-up with a code. Users who federate through an
524
+ # external identity provider (IdP) have already been confirmed by their
525
+ # IdP. Administrator-created users confirm their accounts when they
526
+ # respond to their invitation email message and choose a password.
512
527
  #
513
528
  # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
514
529
  # in requests for this API operation. For this operation, you must use
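Review bot: The replacement summary at new lines 515-520 contradicts the text it removes. The old lines said this call confirms registration "as an admin without using a confirmation code", while the new lines say the operation "provides a code that Amazon Cognito sent to your user". Nothing else in the hunk indicates that the behaviour changed, so this reads like the description of the code-based confirmation flow pasted onto the admin operation. Suggest keeping the statement that no code is required, and checking whether the dropped "Works on any user" still holds given the new paragraph that limits code confirmation to local users.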
@@ -532,7 +547,10 @@ module Aws::CognitoIdentityProvider
532
547
  # The user pool ID for which you want to confirm user registration.
533
548
  #
534
549
  # @option params [required, String] :username
535
- # The user name for which you want to confirm user registration.
550
+ # The username of the user that you want to query or modify. The value
551
+ # of this parameter is typically your user's username, but it can be
552
+ # any of their alias attributes. If `username` isn't an alias attribute
553
+ # in your user pool, you can also use their `sub` in this request.
536
554
  #
537
555
  # @option params [Hash<String,String>] :client_metadata
538
556
  # A map of custom key-value pairs that you can provide as input for any
@@ -707,18 +725,24 @@ module Aws::CognitoIdentityProvider
707
725
  # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
708
726
  #
709
727
  # @option params [Array<Types::AttributeType>] :validation_data
710
- # The user's validation data. This is an array of name-value pairs that
711
- # contain user attributes and attribute values that you can use for
712
- # custom validation, such as restricting the types of user accounts that
713
- # can be registered. For example, you might choose to allow or disallow
714
- # user sign-up based on the user's domain.
728
+ # Temporary user attributes that contribute to the outcomes of your pre
729
+ # sign-up Lambda trigger. This set of key-value pairs are for custom
730
+ # validation of information that you collect from your users but don't
731
+ # need to retain.
732
+ #
733
+ # Your Lambda function can analyze this additional data and act on it.
734
+ # Your function might perform external API operations like logging user
735
+ # attributes and validation data to Amazon CloudWatch Logs. Validation
736
+ # data might also affect the response that your function returns to
737
+ # Amazon Cognito, like automatically confirming the user if they sign up
738
+ # from within your network.
739
+ #
740
+ # For more information about the pre sign-up Lambda trigger, see [Pre
741
+ # sign-up Lambda trigger][1].
742
+ #
715
743
  #
716
- # To configure custom validation, you must create a Pre Sign-up Lambda
717
- # trigger for the user pool as described in the Amazon Cognito Developer
718
- # Guide. The Lambda trigger receives the validation data and uses it in
719
- # the validation process.
720
744
  #
721
- # The user's validation data isn't persisted.
745
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
722
746
  #
723
747
  # @option params [String] :temporary_password
724
748
  # The user's temporary password. This password must conform to the
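Review bot: The rewrite drops the sentence "The user's validation data isn't persisted" and, at new lines 734-735, suggests the trigger might log "user attributes and validation data to Amazon CloudWatch Logs", which persists exactly that data. Suggest restoring the non-persistence statement as a description of what Amazon Cognito itself does, and adding that a trigger which logs validation data becomes responsible for its retention. Minor: "This set of key-value pairs are" should be "is", and the added blank `#` at 742 leaves a run of empty comment lines before the link definition.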
@@ -933,7 +957,10 @@ module Aws::CognitoIdentityProvider
933
957
  # The user pool ID for the user pool where you want to delete the user.
934
958
  #
935
959
  # @option params [required, String] :username
936
- # The user name of the user you want to delete.
960
+ # The username of the user that you want to query or modify. The value
961
+ # of this parameter is typically your user's username, but it can be
962
+ # any of their alias attributes. If `username` isn't an alias attribute
963
+ # in your user pool, you can also use their `sub` in this request.
937
964
  #
938
965
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
939
966
  #
@@ -979,8 +1006,10 @@ module Aws::CognitoIdentityProvider
979
1006
  # attributes.
980
1007
  #
981
1008
  # @option params [required, String] :username
982
- # The user name of the user from which you would like to delete
983
- # attributes.
1009
+ # The username of the user that you want to query or modify. The value
1010
+ # of this parameter is typically your user's username, but it can be
1011
+ # any of their alias attributes. If `username` isn't an alias attribute
1012
+ # in your user pool, you can also use their `sub` in this request.
984
1013
  #
985
1014
  # @option params [required, Array<String>] :user_attribute_names
986
1015
  # An array of strings representing the user attribute names you want to
@@ -1114,7 +1143,10 @@ module Aws::CognitoIdentityProvider
1114
1143
  # The user pool ID for the user pool where you want to disable the user.
1115
1144
  #
1116
1145
  # @option params [required, String] :username
1117
- # The user name of the user you want to disable.
1146
+ # The username of the user that you want to query or modify. The value
1147
+ # of this parameter is typically your user's username, but it can be
1148
+ # any of their alias attributes. If `username` isn't an alias attribute
1149
+ # in your user pool, you can also use their `sub` in this request.
1118
1150
  #
1119
1151
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1120
1152
  #
@@ -1158,7 +1190,10 @@ module Aws::CognitoIdentityProvider
1158
1190
  # The user pool ID for the user pool where you want to enable the user.
1159
1191
  #
1160
1192
  # @option params [required, String] :username
1161
- # The user name of the user you want to enable.
1193
+ # The username of the user that you want to query or modify. The value
1194
+ # of this parameter is typically your user's username, but it can be
1195
+ # any of their alias attributes. If `username` isn't an alias attribute
1196
+ # in your user pool, you can also use their `sub` in this request.
1162
1197
  #
1163
1198
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
1164
1199
  #
@@ -1202,7 +1237,10 @@ module Aws::CognitoIdentityProvider
1202
1237
  # The user pool ID.
1203
1238
  #
1204
1239
  # @option params [required, String] :username
1205
- # The user name.
1240
+ # The username of the user that you want to query or modify. The value
1241
+ # of this parameter is typically your user's username, but it can be
1242
+ # any of their alias attributes. If `username` isn't an alias attribute
1243
+ # in your user pool, you can also use their `sub` in this request.
1206
1244
  #
1207
1245
  # @option params [required, String] :device_key
1208
1246
  # The device key.
@@ -1253,7 +1291,10 @@ module Aws::CognitoIdentityProvider
1253
1291
  # The user pool ID.
1254
1292
  #
1255
1293
  # @option params [required, String] :username
1256
- # The user name.
1294
+ # The username of the user that you want to query or modify. The value
1295
+ # of this parameter is typically your user's username, but it can be
1296
+ # any of their alias attributes. If `username` isn't an alias attribute
1297
+ # in your user pool, you can also use their `sub` in this request.
1257
1298
  #
1258
1299
  # @return [Types::AdminGetDeviceResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1259
1300
  #
@@ -1312,7 +1353,10 @@ module Aws::CognitoIdentityProvider
1312
1353
  # about the user.
1313
1354
  #
1314
1355
  # @option params [required, String] :username
1315
- # The user name of the user you want to retrieve.
1356
+ # The username of the user that you want to query or modify. The value
1357
+ # of this parameter is typically your user's username, but it can be
1358
+ # any of their alias attributes. If `username` isn't an alias attribute
1359
+ # in your user pool, you can also use their `sub` in this request.
1316
1360
  #
1317
1361
  # @return [Types::AdminGetUserResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1318
1362
  #
@@ -1511,8 +1555,6 @@ module Aws::CognitoIdentityProvider
1511
1555
  #
1512
1556
  # * Define auth challenge
1513
1557
  #
1514
- # * Verify auth challenge
1515
- #
1516
1558
  # For more information, see [ Customizing user pool Workflows with
1517
1559
  # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
1518
1560
  #
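Review bot: The removal of "* Verify auth challenge" (old line 1514) is not explained by anything in the hunk, and the list of triggers now ends at "Define auth challenge". If this operation really does not invoke that trigger, the changelog should say so; if the bullet was dropped by accident, restore it, since this list tells readers which Lambda triggers are involved.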
@@ -1751,13 +1793,21 @@ module Aws::CognitoIdentityProvider
1751
1793
  # The user pool ID.
1752
1794
  #
1753
1795
  # @option params [required, String] :username
1754
- # The user name.
1796
+ # The username of the user that you want to query or modify. The value
1797
+ # of this parameter is typically your user's username, but it can be
1798
+ # any of their alias attributes. If `username` isn't an alias attribute
1799
+ # in your user pool, you can also use their `sub` in this request.
1755
1800
  #
1756
1801
  # @option params [Integer] :limit
1757
1802
  # The limit of the devices request.
1758
1803
  #
1759
1804
  # @option params [String] :pagination_token
1760
- # The pagination token.
1805
+ # This API operation returns a limited number of results. The pagination
1806
+ # token is an identifier that you can present in an additional API
1807
+ # request with the same parameters. When you include the pagination
1808
+ # token, Amazon Cognito returns the next set of items after the current
1809
+ # list. Subsequent requests return a new pagination token. By use of
1810
+ # this token, you can paginate through the full list of items.
1761
1811
  #
1762
1812
  # @return [Types::AdminListDevicesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1763
1813
  #
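Review bot: The new `:pagination_token` text (new lines 1805-1810) does not say what signals the last page; add a sentence on what the response contains when no items remain. "By use of this token" would read better as "With this token". The neighbouring `:limit` line ("The limit of the devices request.") was left as is and could get the same treatment.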
@@ -1794,7 +1844,7 @@ module Aws::CognitoIdentityProvider
1794
1844
  req.send_request(options)
1795
1845
  end
1796
1846
 
1797
- # Lists the groups that the user belongs to.
1847
+ # Lists the groups that a user belongs to.
1798
1848
  #
1799
1849
  # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
1800
1850
  # in requests for this API operation. For this operation, you must use
@@ -1815,7 +1865,10 @@ module Aws::CognitoIdentityProvider
1815
1865
  # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
1816
1866
  #
1817
1867
  # @option params [required, String] :username
1818
- # The username for the user.
1868
+ # The username of the user that you want to query or modify. The value
1869
+ # of this parameter is typically your user's username, but it can be
1870
+ # any of their alias attributes. If `username` isn't an alias attribute
1871
+ # in your user pool, you can also use their `sub` in this request.
1819
1872
  #
1820
1873
  # @option params [required, String] :user_pool_id
1821
1874
  # The user pool ID for the user pool.
@@ -1890,7 +1943,10 @@ module Aws::CognitoIdentityProvider
1890
1943
  # The user pool ID.
1891
1944
  #
1892
1945
  # @option params [required, String] :username
1893
- # The user pool username or an alias.
1946
+ # The username of the user that you want to query or modify. The value
1947
+ # of this parameter is typically your user's username, but it can be
1948
+ # any of their alias attributes. If `username` isn't an alias attribute
1949
+ # in your user pool, you can also use their `sub` in this request.
1894
1950
  #
1895
1951
  # @option params [Integer] :max_results
1896
1952
  # The maximum number of authentication events to return. Returns 60
@@ -1972,7 +2028,10 @@ module Aws::CognitoIdentityProvider
1972
2028
  # The user pool ID for the user pool.
1973
2029
  #
1974
2030
  # @option params [required, String] :username
1975
- # The username for the user.
2031
+ # The username of the user that you want to query or modify. The value
2032
+ # of this parameter is typically your user's username, but it can be
2033
+ # any of their alias attributes. If `username` isn't an alias attribute
2034
+ # in your user pool, you can also use their `sub` in this request.
1976
2035
  #
1977
2036
  # @option params [required, String] :group_name
1978
2037
  # The group name.
@@ -2055,7 +2114,10 @@ module Aws::CognitoIdentityProvider
2055
2114
  # password.
2056
2115
  #
2057
2116
  # @option params [required, String] :username
2058
- # The user name of the user whose password you want to reset.
2117
+ # The username of the user that you want to query or modify. The value
2118
+ # of this parameter is typically your user's username, but it can be
2119
+ # any of their alias attributes. If `username` isn't an alias attribute
2120
+ # in your user pool, you can also use their `sub` in this request.
2059
2121
  #
2060
2122
  # @option params [Hash<String,String>] :client_metadata
2061
2123
  # A map of custom key-value pairs that you can provide as input for any
@@ -2115,13 +2177,21 @@ module Aws::CognitoIdentityProvider
2115
2177
  req.send_request(options)
2116
2178
  end
2117
2179
 
2118
- # Responds to an authentication challenge, as an administrator.
2180
+ # Some API operations in a user pool generate a challenge, like a prompt
2181
+ # for an MFA code, for device authentication that bypasses MFA, or for a
2182
+ # custom authentication challenge. An `AdminRespondToAuthChallenge` API
2183
+ # request provides the answer to that challenge, like a code or a secure
2184
+ # remote password (SRP). The parameters of a response to an
2185
+ # authentication challenge vary with the type of challenge.
2186
+ #
2187
+ # For more information about custom authentication challenges, see
2188
+ # [Custom authentication challenge Lambda triggers][1].
2119
2189
  #
2120
2190
  # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
2121
2191
  # US telecom carriers require you to register an origination phone
2122
2192
  # number before you can send SMS messages to US phone numbers. If you
2123
2193
  # use SMS text messages in Amazon Cognito, you must register a phone
2124
- # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
2194
+ # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
2125
2195
  # number automatically. Otherwise, Amazon Cognito users who must receive
2126
2196
  # SMS messages might not be able to sign up, activate their accounts, or
2127
2197
  # sign in.
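Review bot: Two phrases in the new summary at new lines 2180-2184 are imprecise for a security-sensitive operation. "for device authentication that bypasses MFA" should say what replaces the second factor rather than suggest that MFA is simply skipped, and "a secure remote password (SRP)" names a protocol, not a value the caller sends; the examples later in this file use `PASSWORD_CLAIM_SIGNATURE` for that. The renumbering of `[Amazon Pinpoint][1]` to `[2]` is only correct if the link definitions further down are shifted as well, so review those together.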
@@ -2133,7 +2203,7 @@ module Aws::CognitoIdentityProvider
2133
2203
  # mode</a> </i>, you can send messages only to verified phone numbers.
2134
2204
  # After you test your app while in the sandbox environment, you can move
2135
2205
  # out of the sandbox and into production. For more information, see [
2136
- # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
2206
+ # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
2137
2207
  # Cognito Developer Guide*.
2138
2208
  #
2139
2209
  # </note>
@@ -2145,18 +2215,19 @@ module Aws::CognitoIdentityProvider
2145
2215
  #
2146
2216
  # **Learn more**
2147
2217
  #
2148
- # * [Signing Amazon Web Services API Requests][3]
2218
+ # * [Signing Amazon Web Services API Requests][4]
2149
2219
  #
2150
- # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
2220
+ # * [Using the Amazon Cognito user pools API and user pool endpoints][5]
2151
2221
  #
2152
2222
  # </note>
2153
2223
  #
2154
2224
  #
2155
2225
  #
2156
- # [1]: https://console.aws.amazon.com/pinpoint/home/
2157
- # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
2158
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
2159
- # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
2226
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
2227
+ # [2]: https://console.aws.amazon.com/pinpoint/home/
2228
+ # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
2229
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
2230
+ # [5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
2160
2231
  #
2161
2232
  # @option params [required, String] :user_pool_id
2162
2233
  # The ID of the Amazon Cognito user pool.
@@ -2172,50 +2243,85 @@ module Aws::CognitoIdentityProvider
2172
2243
  # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html
2173
2244
  #
2174
2245
  # @option params [Hash<String,String>] :challenge_responses
2175
- # The challenge responses. These are inputs corresponding to the value
2176
- # of `ChallengeName`, for example:
2246
+ # The responses to the challenge that you received in the previous
2247
+ # request. Each challenge has its own required response parameters. The
2248
+ # following examples are partial JSON request bodies that highlight
2249
+ # challenge-response parameters.
2177
2250
  #
2178
- # * `SMS_MFA`: `SMS_MFA_CODE`, `USERNAME`, `SECRET_HASH` (if app client
2179
- # is configured with client secret).
2251
+ # You must provide a SECRET\_HASH parameter in all challenge responses
2252
+ # to an app client that has a client secret.
2180
2253
  #
2181
- # * `PASSWORD_VERIFIER`: `PASSWORD_CLAIM_SIGNATURE`,
2182
- # `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`,
2183
- # `SECRET_HASH` (if app client is configured with client secret).
2254
+ # SMS\_MFA
2184
2255
  #
2185
- # <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when signing in with a
2186
- # remembered device.
2256
+ # : `"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
2257
+ # "[SMS_code]", "USERNAME": "[username]"\}`
2187
2258
  #
2188
- # </note>
2259
+ # PASSWORD\_VERIFIER
2189
2260
  #
2190
- # * `ADMIN_NO_SRP_AUTH`: `PASSWORD`, `USERNAME`, `SECRET_HASH` (if app
2191
- # client is configured with client secret).
2261
+ # : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
2262
+ # \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
2263
+ # "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
2264
+ # [timestamp], "USERNAME": "[username]"\}`
2192
2265
  #
2193
- # * `NEW_PASSWORD_REQUIRED`: `NEW_PASSWORD`, `USERNAME`, `SECRET_HASH`
2194
- # (if app client is configured with client secret). To set any
2195
- # required attributes that Amazon Cognito returned as
2196
- # `requiredAttributes` in the `AdminInitiateAuth` response, add a
2197
- # `userAttributes.attributename ` parameter. This parameter can also
2198
- # set values for writable attributes that aren't required by your
2199
- # user pool.
2266
+ # Add `"DEVICE_KEY"` when you sign in with a remembered device.
2267
+ #
2268
+ # CUSTOM\_CHALLENGE
2269
+ #
2270
+ # : `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
2271
+ # \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}`
2272
+ #
2273
+ # Add `"DEVICE_KEY"` when you sign in with a remembered device.
2274
+ #
2275
+ # NEW\_PASSWORD\_REQUIRED
2276
+ #
2277
+ # : `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
2278
+ # \{"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"\}`
2279
+ #
2280
+ # To set any required attributes that `InitiateAuth` returned in an
2281
+ # `requiredAttributes` parameter, add
2282
+ # `"userAttributes.[attribute_name]": "[attribute_value]"`. This
2283
+ # parameter can also set values for writable attributes that aren't
2284
+ # required by your user pool.
2200
2285
  #
2201
2286
  # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a
2202
2287
  # required attribute that already has a value. In
2203
- # `AdminRespondToAuthChallenge`, set a value for any keys that Amazon
2288
+ # `RespondToAuthChallenge`, set a value for any keys that Amazon
2204
2289
  # Cognito returned in the `requiredAttributes` parameter, then use the
2205
- # `AdminUpdateUserAttributes` API operation to modify the value of any
2290
+ # `UpdateUserAttributes` API operation to modify the value of any
2206
2291
  # additional attributes.
2207
2292
  #
2208
2293
  # </note>
2209
2294
  #
2210
- # * `MFA_SETUP` requires `USERNAME`, plus you must use the session value
2211
- # returned by `VerifySoftwareToken` in the `Session` parameter.
2295
+ # SOFTWARE\_TOKEN\_MFA
2296
+ #
2297
+ # : `"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
2298
+ # \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
2299
+ # [authenticator_code]\}`
2300
+ #
2301
+ # DEVICE\_SRP\_AUTH
2302
+ #
2303
+ # : `"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses":
2304
+ # \{"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
2305
+ # "[srp_a]"\}`
2306
+ #
2307
+ # DEVICE\_PASSWORD\_VERIFIER
2308
+ #
2309
+ # : `"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses":
2310
+ # \{"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE":
2311
+ # "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK":
2312
+ # "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME":
2313
+ # "[username]"\}`
2212
2314
  #
2213
- # The value of the `USERNAME` attribute must be the user's actual
2214
- # username, not an alias (such as an email address or phone number). To
2215
- # make this simpler, the `AdminInitiateAuth` response includes the
2216
- # actual username value in the `USERNAMEUSER_ID_FOR_SRP` attribute. This
2217
- # happens even if you specified an alias in your call to
2218
- # `AdminInitiateAuth`.
2315
+ # MFA\_SETUP
2316
+ #
2317
+ # : `"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
2318
+ # "[username]"\}, "SESSION": "[Session ID from VerifySoftwareToken]"`
2319
+ #
2320
+ # SELECT\_MFA\_TYPE
2321
+ #
2322
+ # : `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses":
2323
+ # \{"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
2324
+ # SOFTWARE_TOKEN_MFA]"\}`
2219
2325
  #
2220
2326
  # For more information about `SECRET_HASH`, see [Computing secret hash
2221
2327
  # values][1]. For information about `DEVICE_KEY`, see [Working with user
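Review bot: At new lines 2288 and 2290 this hunk swaps `AdminRespondToAuthChallenge` and `AdminUpdateUserAttributes` for `RespondToAuthChallenge` and `UpdateUserAttributes`, and 2280 refers to `InitiateAuth`, yet the context line at 2243 still links to `API_AdminInitiateAuth`, so the text appears to have been copied from the non-admin operation; keep the `Admin*` names here. The hunk also deletes the `ADMIN_NO_SRP_AUTH` entry and the paragraph requiring `USERNAME` to be the user's actual username rather than an alias, without replacement. In the examples, `SECRET_HASH` is stated as mandatory for app clients with a secret but appears in none of them, `TIMESTAMP` and `SOFTWARE_TOKEN_MFA_CODE` are unquoted although the parameter is `Hash<String,String>`, and `MFA_SETUP` shows `"SESSION"` where the removed text named the `Session` parameter.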
@@ -2391,7 +2497,10 @@ module Aws::CognitoIdentityProvider
2391
2497
  # The time-based one-time password software token MFA settings.
2392
2498
  #
2393
2499
  # @option params [required, String] :username
2394
- # The user pool username or alias.
2500
+ # The username of the user that you want to query or modify. The value
2501
+ # of this parameter is typically your user's username, but it can be
2502
+ # any of their alias attributes. If `username` isn't an alias attribute
2503
+ # in your user pool, you can also use their `sub` in this request.
2395
2504
  #
2396
2505
  # @option params [required, String] :user_pool_id
2397
2506
  # The user pool ID.
@@ -2472,7 +2581,10 @@ module Aws::CognitoIdentityProvider
2472
2581
  # password.
2473
2582
  #
2474
2583
  # @option params [required, String] :username
2475
- # The user name of the user whose password you want to set.
2584
+ # The username of the user that you want to query or modify. The value
2585
+ # of this parameter is typically your user's username, but it can be
2586
+ # any of their alias attributes. If `username` isn't an alias attribute
2587
+ # in your user pool, you can also use their `sub` in this request.
2476
2588
  #
2477
2589
  # @option params [required, String] :password
2478
2590
  # The password for the user.
@@ -2529,7 +2641,10 @@ module Aws::CognitoIdentityProvider
2529
2641
  # setting.
2530
2642
  #
2531
2643
  # @option params [required, String] :username
2532
- # The user name of the user whose options you're setting.
2644
+ # The username of the user that you want to query or modify. The value
2645
+ # of this parameter is typically your user's username, but it can be
2646
+ # any of their alias attributes. If `username` isn't an alias attribute
2647
+ # in your user pool, you can also use their `sub` in this request.
2533
2648
  #
2534
2649
  # @option params [required, Array<Types::MFAOptionType>] :mfa_options
2535
2650
  # You can use this parameter only to set an SMS configuration that uses
@@ -2586,7 +2701,10 @@ module Aws::CognitoIdentityProvider
2586
2701
  # The user pool ID.
2587
2702
  #
2588
2703
  # @option params [required, String] :username
2589
- # The user pool username.
2704
+ # The username of the user that you want to query or modify. The value
2705
+ # of this parameter is typically your user's username, but it can be
2706
+ # any of their alias attributes. If `username` isn't an alias attribute
2707
+ # in your user pool, you can also use their `sub` in this request.
2590
2708
  #
2591
2709
  # @option params [required, String] :event_id
2592
2710
  # The authentication event ID.
@@ -2643,7 +2761,10 @@ module Aws::CognitoIdentityProvider
2643
2761
  # The user pool ID.
2644
2762
  #
2645
2763
  # @option params [required, String] :username
2646
- # The user name.
2764
+ # The username of the user that you want to query or modify. The value
2765
+ # of this parameter is typically your user's username, but it can be
2766
+ # any of their alias attributes. If `username` isn't an alias attribute
2767
+ # in your user pool, you can also use their `sub` in this request.
2647
2768
  #
2648
2769
  # @option params [required, String] :device_key
2649
2770
  # The device key.
@@ -2728,7 +2849,10 @@ module Aws::CognitoIdentityProvider
2728
2849
  # attributes.
2729
2850
  #
2730
2851
  # @option params [required, String] :username
2731
- # The user name of the user for whom you want to update user attributes.
2852
+ # The username of the user that you want to query or modify. The value
2853
+ # of this parameter is typically your user's username, but it can be
2854
+ # any of their alias attributes. If `username` isn't an alias attribute
2855
+ # in your user pool, you can also use their `sub` in this request.
2732
2856
  #
2733
2857
  # @option params [required, Array<Types::AttributeType>] :user_attributes
2734
2858
  # An array of name-value pairs representing user attributes.
@@ -2815,16 +2939,30 @@ module Aws::CognitoIdentityProvider
2815
2939
  req.send_request(options)
2816
2940
  end
2817
2941
 
2818
- # Signs out a user from all devices. `AdminUserGlobalSignOut`
2819
- # invalidates all identity, access and refresh tokens that Amazon
2820
- # Cognito has issued to a user. A user can still use a hosted UI cookie
2821
- # to retrieve new tokens for the duration of the 1-hour cookie validity
2822
- # period.
2942
+ # Invalidates the identity, access, and refresh tokens that Amazon
2943
+ # Cognito issued to a user. Call this operation with your administrative
2944
+ # credentials when your user signs out of your app. This results in the
2945
+ # following behavior.
2946
+ #
2947
+ # * Amazon Cognito no longer accepts *token-authorized* user operations
2948
+ # that you authorize with a signed-out user's access tokens. For more
2949
+ # information, see [Using the Amazon Cognito user pools API and user
2950
+ # pool endpoints][1].
2951
+ #
2952
+ # Amazon Cognito returns an `Access Token has been revoked` error when
2953
+ # your app attempts to authorize a user pools API request with a
2954
+ # revoked access token that contains the scope
2955
+ # `aws.cognito.signin.user.admin`.
2956
+ #
2957
+ # * Amazon Cognito no longer accepts a signed-out user's ID token in a
2958
+ # [GetId ][2] request to an identity pool with `ServerSideTokenCheck`
2959
+ # enabled for its user pool IdP configuration in
2960
+ # [CognitoIdentityProvider][3].
2961
+ #
2962
+ # * Amazon Cognito no longer accepts a signed-out user's refresh tokens
2963
+ # in refresh requests.
2823
2964
  #
2824
- # Your app isn't aware that a user's access token is revoked unless it
2825
- # attempts to authorize a user pools API request with an access token
2826
- # that contains the scope `aws.cognito.signin.user.admin`. Your app
2827
- # might otherwise accept access tokens until they expire.
2965
+ # Other requests might be valid until your user's token expires.
2828
2966
  #
2829
2967
  # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
2830
2968
  # in requests for this API operation. For this operation, you must use
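Review bot: The rewrite removes the caveat that "A user can still use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie validity period" and replaces the explanation of when an app notices revocation with "Other requests might be valid until your user's token expires" (new line 2965). Both removed statements describe ways a signed-out user keeps access, so dropping them weakens the security guidance; suggest keeping the cookie caveat and spelling out which requests still succeed after sign-out. Minor: `[GetId ][2]` at 2958 has a stray space inside the link text.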
@@ -2833,22 +2971,27 @@ module Aws::CognitoIdentityProvider
2833
2971
  #
2834
2972
  # **Learn more**
2835
2973
  #
2836
- # * [Signing Amazon Web Services API Requests][1]
2974
+ # * [Signing Amazon Web Services API Requests][4]
2837
2975
  #
2838
- # * [Using the Amazon Cognito user pools API and user pool endpoints][2]
2976
+ # * [Using the Amazon Cognito user pools API and user pool endpoints][1]
2839
2977
  #
2840
2978
  # </note>
2841
2979
  #
2842
2980
  #
2843
2981
  #
2844
- # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
2845
- # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
2982
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
2983
+ # [2]: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html
2984
+ # [3]: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html
2985
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
2846
2986
  #
2847
2987
  # @option params [required, String] :user_pool_id
2848
2988
  # The user pool ID.
2849
2989
  #
2850
2990
  # @option params [required, String] :username
2851
- # The user name.
2991
+ # The username of the user that you want to query or modify. The value
2992
+ # of this parameter is typically your user's username, but it can be
2993
+ # any of their alias attributes. If `username` isn't an alias attribute
2994
+ # in your user pool, you can also use their `sub` in this request.
2852
2995
  #
2853
2996
  # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
2854
2997
  #
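Review bot: In the new `:username` text, the sentence "If `username` isn't an alias attribute in your user pool, you can also use their `sub` in this request" is hard to parse, because its condition reads as a statement about pool configuration while the sentence before it is about the value the caller passes. Suggest stating directly when a `sub` value is accepted. The generic "query or modify" wording also no longer says what this operation does to the named user, so a short operation-specific clause would help here.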
@@ -3071,8 +3214,10 @@ module Aws::CognitoIdentityProvider
3071
3214
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
3072
3215
  #
3073
3216
  # @option params [required, String] :username
3074
- # The user name of the user for whom you want to enter a code to
3075
- # retrieve a forgotten password.
3217
+ # The username of the user that you want to query or modify. The value
3218
+ # of this parameter is typically your user's username, but it can be
3219
+ # any of their alias attributes. If `username` isn't an alias attribute
3220
+ # in your user pool, you can also use their `sub` in this request.
3076
3221
  #
3077
3222
  # @option params [required, String] :confirmation_code
3078
3223
  # The confirmation code from your user's request to reset their
@@ -3164,20 +3309,37 @@ module Aws::CognitoIdentityProvider
3164
3309
  req.send_request(options)
3165
3310
  end
3166
3311
 
3167
- # Confirms registration of a new user.
3312
+ # This public API operation provides a code that Amazon Cognito sent to
3313
+ # your user when they signed up in your user pool via the [SignUp][1]
3314
+ # API operation. After your user enters their code, they confirm
3315
+ # ownership of the email address or phone number that they provided, and
3316
+ # their user account becomes active. Depending on your user pool
3317
+ # configuration, your users will receive their confirmation code in an
3318
+ # email or SMS message.
3319
+ #
3320
+ # Local users who signed up in your user pool are the only type of user
3321
+ # who can confirm sign-up with a code. Users who federate through an
3322
+ # external identity provider (IdP) have already been confirmed by their
3323
+ # IdP. Administrator-created users, users created with the
3324
+ # [AdminCreateUser][2] API operation, confirm their accounts when they
3325
+ # respond to their invitation email message and choose a password. They
3326
+ # do not receive a confirmation code. Instead, they receive a temporary
3327
+ # password.
3168
3328
  #
3169
3329
  # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
3170
3330
  # policies in requests for this API operation. For this operation, you
3171
3331
  # can't use IAM credentials to authorize requests, and you can't grant
3172
3332
  # IAM permissions in policies. For more information about authorization
3173
3333
  # models in Amazon Cognito, see [Using the Amazon Cognito native and
3174
- # OIDC APIs][1].
3334
+ # OIDC APIs][3].
3175
3335
  #
3176
3336
  # </note>
3177
3337
  #
3178
3338
  #
3179
3339
  #
3180
- # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
3340
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html
3341
+ # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
3342
+ # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
3181
3343
  #
3182
3344
  # @option params [required, String] :client_id
3183
3345
  # The ID of the app client associated with the user pool.
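Review bot: The opening sentence "This public API operation provides a code that Amazon Cognito sent to your user" reads as if the operation returns a code, while the following sentences describe the user entering a code they already received. Suggest "submits" or "accepts" in place of "provides". The sentence "Administrator-created users, users created with the [AdminCreateUser][2] API operation, confirm their accounts when ..." would also read more clearly with the apposition in parentheses.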
@@ -3188,7 +3350,10 @@ module Aws::CognitoIdentityProvider
3188
3350
  # the message.
3189
3351
  #
3190
3352
  # @option params [required, String] :username
3191
- # The user name of the user whose registration you want to confirm.
3353
+ # The username of the user that you want to query or modify. The value
3354
+ # of this parameter is typically your user's username, but it can be
3355
+ # any of their alias attributes. If `username` isn't an alias attribute
3356
+ # in your user pool, you can also use their `sub` in this request.
3192
3357
  #
3193
3358
  # @option params [required, String] :confirmation_code
3194
3359
  # The confirmation code sent by a user's request to confirm
@@ -4360,6 +4525,10 @@ module Aws::CognitoIdentityProvider
4360
4525
  # create_auth_challenge: "ArnType",
4361
4526
  # verify_auth_challenge_response: "ArnType",
4362
4527
  # pre_token_generation: "ArnType",
4528
+ # pre_token_generation_config: {
4529
+ # lambda_version: "V1_0", # required, accepts V1_0, V2_0
4530
+ # lambda_arn: "ArnType", # required
4531
+ # },
4363
4532
  # user_migration: "ArnType",
4364
4533
  # custom_sms_sender: {
4365
4534
  # lambda_version: "V1_0", # required, accepts V1_0
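Review bot: The request example now shows both `pre_token_generation: "ArnType"` and `pre_token_generation_config.lambda_arn` with no comment on how the two relate. Suggest documenting next to the example whether both may be set, whether the ARNs must match, and which one takes effect, since a reader copying the example could point the two fields at different functions.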
@@ -4471,6 +4640,8 @@ module Aws::CognitoIdentityProvider
4471
4640
  # resp.user_pool.lambda_config.create_auth_challenge #=> String
4472
4641
  # resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
4473
4642
  # resp.user_pool.lambda_config.pre_token_generation #=> String
4643
+ # resp.user_pool.lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
4644
+ # resp.user_pool.lambda_config.pre_token_generation_config.lambda_arn #=> String
4474
4645
  # resp.user_pool.lambda_config.user_migration #=> String
4475
4646
  # resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
4476
4647
  # resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
@@ -4642,10 +4813,42 @@ module Aws::CognitoIdentityProvider
4642
4813
  # are hours.
4643
4814
  #
4644
4815
  # @option params [Array<String>] :read_attributes
4645
- # The read attributes.
4816
+ # The list of user attributes that you want your app client to have
4817
+ # read-only access to. After your user authenticates in your app, their
4818
+ # access token authorizes them to read their own attribute value for any
4819
+ # attribute in this list. An example of this kind of activity is when
4820
+ # your user selects a link to view their profile information. Your app
4821
+ # makes a [GetUser][1] API request to retrieve and display your user's
4822
+ # profile data.
4823
+ #
4824
+ # When you don't specify the `ReadAttributes` for your app client, your
4825
+ # app can read the values of `email_verified`, `phone_number_verified`,
4826
+ # and the Standard attributes of your user pool. When your user pool has
4827
+ # read access to these default attributes, `ReadAttributes` doesn't
4828
+ # return any information. Amazon Cognito only populates `ReadAttributes`
4829
+ # in the API response if you have specified your own custom set of read
4830
+ # attributes.
4831
+ #
4832
+ #
4833
+ #
4834
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
4646
4835
  #
4647
4836
  # @option params [Array<String>] :write_attributes
4648
- # The user pool attributes that the app client can write to.
4837
+ # The list of user attributes that you want your app client to have
4838
+ # write access to. After your user authenticates in your app, their
4839
+ # access token authorizes them to set or modify their own attribute
4840
+ # value for any attribute in this list. An example of this kind of
4841
+ # activity is when you present your user with a form to update their
4842
+ # profile information and they change their last name. Your app then
4843
+ # makes an [UpdateUserAttributes][1] API request and sets `family_name`
4844
+ # to the new value.
4845
+ #
4846
+ # When you don't specify the `WriteAttributes` for your app client,
4847
+ # your app can write the values of the Standard attributes of your user
4848
+ # pool. When your user pool has write access to these default
4849
+ # attributes, `WriteAttributes` doesn't return any information. Amazon
4850
+ # Cognito only populates `WriteAttributes` in the API response if you
4851
+ # have specified your own custom set of write attributes.
4649
4852
  #
4650
4853
  # If your app client allows users to sign in through an IdP, this array
4651
4854
  # must include all attributes that you have mapped to IdP attributes.
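Review bot: In both new paragraphs the subject changes from the app client to the user pool: "When your user pool has read access to these default attributes" and "When your user pool has write access to these default attributes" describe a setting that the surrounding text assigns to the app client. Suggest "app client" in both places. The `:write_attributes` text also says that an unset `WriteAttributes` lets the app write the Standard attributes of the pool; it would help to say that an explicit list is the way to narrow that default.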
@@ -4653,11 +4856,12 @@ module Aws::CognitoIdentityProvider
4653
4856
  # application through an IdP. If your app client does not have write
4654
4857
  # access to a mapped attribute, Amazon Cognito throws an error when it
4655
4858
  # tries to update the attribute. For more information, see [Specifying
4656
- # IdP Attribute Mappings for Your user pool][1].
4859
+ # IdP Attribute Mappings for Your user pool][2].
4657
4860
  #
4658
4861
  #
4659
4862
  #
4660
- # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
4863
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
4864
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
4661
4865
  #
4662
4866
  # @option params [Array<String>] :explicit_auth_flows
4663
4867
  # The authentication flows that you want your user pool client to
@@ -5624,6 +5828,8 @@ module Aws::CognitoIdentityProvider
5624
5828
  # resp.user_pool.lambda_config.create_auth_challenge #=> String
5625
5829
  # resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
5626
5830
  # resp.user_pool.lambda_config.pre_token_generation #=> String
5831
+ # resp.user_pool.lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
5832
+ # resp.user_pool.lambda_config.pre_token_generation_config.lambda_arn #=> String
5627
5833
  # resp.user_pool.lambda_config.user_migration #=> String
5628
5834
  # resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
5629
5835
  # resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
@@ -5934,8 +6140,10 @@ module Aws::CognitoIdentityProvider
5934
6140
  # requests.
5935
6141
  #
5936
6142
  # @option params [required, String] :username
5937
- # The user name of the user for whom you want to enter a code to reset a
5938
- # forgotten password.
6143
+ # The username of the user that you want to query or modify. The value
6144
+ # of this parameter is typically your user's username, but it can be
6145
+ # any of their alias attributes. If `username` isn't an alias attribute
6146
+ # in your user pool, you can also use their `sub` in this request.
5939
6147
  #
5940
6148
  # @option params [Types::AnalyticsMetadataType] :analytics_metadata
5941
6149
  # The Amazon Pinpoint analytics metadata that contributes to your
@@ -6496,15 +6704,29 @@ module Aws::CognitoIdentityProvider
6496
6704
  req.send_request(options)
6497
6705
  end
6498
6706
 
6499
- # Signs out a user from all devices. `GlobalSignOut` invalidates all
6500
- # identity, access and refresh tokens that Amazon Cognito has issued to
6501
- # a user. A user can still use a hosted UI cookie to retrieve new tokens
6502
- # for the duration of the 1-hour cookie validity period.
6707
+ # Invalidates the identity, access, and refresh tokens that Amazon
6708
+ # Cognito issued to a user. Call this operation when your user signs out
6709
+ # of your app. This results in the following behavior.
6710
+ #
6711
+ # * Amazon Cognito no longer accepts *token-authorized* user operations
6712
+ # that you authorize with a signed-out user's access tokens. For more
6713
+ # information, see [Using the Amazon Cognito user pools API and user
6714
+ # pool endpoints][1].
6503
6715
  #
6504
- # Your app isn't aware that a user's access token is revoked unless it
6505
- # attempts to authorize a user pools API request with an access token
6506
- # that contains the scope `aws.cognito.signin.user.admin`. Your app
6507
- # might otherwise accept access tokens until they expire.
6716
+ # Amazon Cognito returns an `Access Token has been revoked` error when
6717
+ # your app attempts to authorize a user pools API request with a
6718
+ # revoked access token that contains the scope
6719
+ # `aws.cognito.signin.user.admin`.
6720
+ #
6721
+ # * Amazon Cognito no longer accepts a signed-out user's ID token in a
6722
+ # [GetId ][2] request to an identity pool with `ServerSideTokenCheck`
6723
+ # enabled for its user pool IdP configuration in
6724
+ # [CognitoIdentityProvider][3].
6725
+ #
6726
+ # * Amazon Cognito no longer accepts a signed-out user's refresh tokens
6727
+ # in refresh requests.
6728
+ #
6729
+ # Other requests might be valid until your user's token expires.
6508
6730
  #
6509
6731
  # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
6510
6732
  # policies in requests for this API operation. For this operation, you
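Review bot: The rewrite drops the sentence "A user can still use a hosted UI cookie to retrieve new tokens for the duration of the 1-hour cookie validity period", and none of the three new bullets covers that case. If the behavior still applies, keep the caveat, because "Other requests might be valid until your user's token expires" does not tell the reader that new tokens can still be obtained. The phrase "Signs out a user from all devices" is also gone, so the scope of the invalidation is no longer stated. Minor: `[GetId ][2]` has a stray space inside the link text.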
@@ -6518,6 +6740,8 @@ module Aws::CognitoIdentityProvider
6518
6740
  #
6519
6741
  #
6520
6742
  # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
6743
+ # [2]: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html
6744
+ # [3]: https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_CognitoIdentityProvider.html
6521
6745
  #
6522
6746
  # @option params [required, String] :access_token
6523
6747
  # A valid access token that Amazon Cognito issued to the user who you
@@ -6682,8 +6906,6 @@ module Aws::CognitoIdentityProvider
6682
6906
  #
6683
6907
  # * Define auth challenge
6684
6908
  #
6685
- # * Verify auth challenge
6686
- #
6687
6909
  # For more information, see [ Customizing user pool Workflows with
6688
6910
  # Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
6689
6911
  #
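Review bot: The list item "* Verify auth challenge" is removed with no replacement text, so the list now ends at "Define auth challenge". Please confirm that this trigger is intentionally excluded here and not dropped by the documentation generator, since the `verify_auth_challenge_response` field still appears in the Lambda configuration elsewhere in this file.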
@@ -6830,7 +7052,12 @@ module Aws::CognitoIdentityProvider
6830
7052
  # The limit of the device request.
6831
7053
  #
6832
7054
  # @option params [String] :pagination_token
6833
- # The pagination token for the list request.
7055
+ # This API operation returns a limited number of results. The pagination
7056
+ # token is an identifier that you can present in an additional API
7057
+ # request with the same parameters. When you include the pagination
7058
+ # token, Amazon Cognito returns the next set of items after the current
7059
+ # list. Subsequent requests return a new pagination token. By use of
7060
+ # this token, you can paginate through the full list of items.
6834
7061
  #
6835
7062
  # @return [Types::ListDevicesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
6836
7063
  #
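Review bot: The new `:pagination_token` text never says where the token comes from or how the end of the list is signalled. "Subsequent requests return a new pagination token" suggests a token is always returned; suggest stating that the token is taken from the previous response and what the caller sees on the last page. "By use of this token" could be "With this token". The same paragraph is repeated for the other list operations in this diff, so one fix at the source covers them all.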
@@ -7123,9 +7350,12 @@ module Aws::CognitoIdentityProvider
7123
7350
  # The maximum number of import jobs you want the request to return.
7124
7351
  #
7125
7352
  # @option params [String] :pagination_token
7126
- # An identifier that was returned from the previous call to
7127
- # `ListUserImportJobs`, which can be used to return the next set of
7128
- # import jobs in the list.
7353
+ # This API operation returns a limited number of results. The pagination
7354
+ # token is an identifier that you can present in an additional API
7355
+ # request with the same parameters. When you include the pagination
7356
+ # token, Amazon Cognito returns the next set of items after the current
7357
+ # list. Subsequent requests return a new pagination token. By use of
7358
+ # this token, you can paginate through the full list of items.
7129
7359
  #
7130
7360
  # @return [Types::ListUserImportJobsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
7131
7361
  #
@@ -7289,6 +7519,8 @@ module Aws::CognitoIdentityProvider
7289
7519
  # resp.user_pools[0].lambda_config.create_auth_challenge #=> String
7290
7520
  # resp.user_pools[0].lambda_config.verify_auth_challenge_response #=> String
7291
7521
  # resp.user_pools[0].lambda_config.pre_token_generation #=> String
7522
+ # resp.user_pools[0].lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
7523
+ # resp.user_pools[0].lambda_config.pre_token_generation_config.lambda_arn #=> String
7292
7524
  # resp.user_pools[0].lambda_config.user_migration #=> String
7293
7525
  # resp.user_pools[0].lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
7294
7526
  # resp.user_pools[0].lambda_config.custom_sms_sender.lambda_arn #=> String
@@ -7339,13 +7571,23 @@ module Aws::CognitoIdentityProvider
7339
7571
  # you don't provide an `AttributesToGet` parameter, Amazon Cognito
7340
7572
  # returns all attributes for each user.
7341
7573
  #
7574
+ # Use `AttributesToGet` with required attributes in your user pool, or
7575
+ # in conjunction with `Filter`. Amazon Cognito returns an error if not
7576
+ # all users in the results have set a value for the attribute you
7577
+ # request. Attributes that you can't filter on, including custom
7578
+ # attributes, must have a value set in every user profile before an
7579
+ # `AttributesToGet` parameter returns results.
7580
+ #
7342
7581
  # @option params [Integer] :limit
7343
7582
  # Maximum number of users to be returned.
7344
7583
  #
7345
7584
  # @option params [String] :pagination_token
7346
- # An identifier that was returned from the previous call to this
7347
- # operation, which can be used to return the next set of items in the
7348
- # list.
7585
+ # This API operation returns a limited number of results. The pagination
7586
+ # token is an identifier that you can present in an additional API
7587
+ # request with the same parameters. When you include the pagination
7588
+ # token, Amazon Cognito returns the next set of items after the current
7589
+ # list. Subsequent requests return a new pagination token. By use of
7590
+ # this token, you can paginate through the full list of items.
7349
7591
  #
7350
7592
  # @option params [String] :filter
7351
7593
  # A filter string of the form "*AttributeName* *Filter-Type*
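Review bot: The added `AttributesToGet` paragraph states a failure mode, "Amazon Cognito returns an error if not all users in the results have set a value for the attribute you request", without naming the error, so callers cannot tell what to catch. Suggest naming the exception. The first sentence, "Use `AttributesToGet` with required attributes in your user pool, or in conjunction with `Filter`", reads as advice but the rest of the paragraph describes a hard constraint; stating it as a constraint would be clearer.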
@@ -7560,7 +7802,8 @@ module Aws::CognitoIdentityProvider
7560
7802
  # The name of the group.
7561
7803
  #
7562
7804
  # @option params [Integer] :limit
7563
- # The limit of the request to list users.
7805
+ # The maximum number of users that you want to retrieve before
7806
+ # pagination.
7564
7807
  #
7565
7808
  # @option params [String] :next_token
7566
7809
  # An identifier that was returned from the previous call to this
@@ -7663,8 +7906,10 @@ module Aws::CognitoIdentityProvider
7663
7906
  # requests.
7664
7907
  #
7665
7908
  # @option params [required, String] :username
7666
- # The `username` attribute of the user to whom you want to resend a
7667
- # confirmation code.
7909
+ # The username of the user that you want to query or modify. The value
7910
+ # of this parameter is typically your user's username, but it can be
7911
+ # any of their alias attributes. If `username` isn't an alias attribute
7912
+ # in your user pool, you can also use their `sub` in this request.
7668
7913
  #
7669
7914
  # @option params [Types::AnalyticsMetadataType] :analytics_metadata
7670
7915
  # The Amazon Pinpoint analytics metadata that contributes to your
@@ -7744,14 +7989,22 @@ module Aws::CognitoIdentityProvider
7744
7989
  req.send_request(options)
7745
7990
  end
7746
7991
 
7747
- # Responds to the authentication challenge.
7992
+ # Some API operations in a user pool generate a challenge, like a prompt
7993
+ # for an MFA code, for device authentication that bypasses MFA, or for a
7994
+ # custom authentication challenge. A `RespondToAuthChallenge` API
7995
+ # request provides the answer to that challenge, like a code or a secure
7996
+ # remote password (SRP). The parameters of a response to an
7997
+ # authentication challenge vary with the type of challenge.
7998
+ #
7999
+ # For more information about custom authentication challenges, see
8000
+ # [Custom authentication challenge Lambda triggers][1].
7748
8001
  #
7749
8002
  # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
7750
8003
  # policies in requests for this API operation. For this operation, you
7751
8004
  # can't use IAM credentials to authorize requests, and you can't grant
7752
8005
  # IAM permissions in policies. For more information about authorization
7753
8006
  # models in Amazon Cognito, see [Using the Amazon Cognito native and
7754
- # OIDC APIs][1].
8007
+ # OIDC APIs][2].
7755
8008
  #
7756
8009
  # </note>
7757
8010
  #
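Review bot: In the new description, "provides the answer to that challenge, like a code or a secure remote password (SRP)" presents SRP as a kind of answer, but SRP is a protocol; the response carries values computed with it. Suggest "a code or values from a Secure Remote Password (SRP) calculation". The phrase "for device authentication that bypasses MFA" also states a security-relevant behavior in passing, with no qualification or link; suggest pointing to the device-tracking documentation so readers know when that applies.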
@@ -7759,7 +8012,7 @@ module Aws::CognitoIdentityProvider
7759
8012
  # US telecom carriers require you to register an origination phone
7760
8013
  # number before you can send SMS messages to US phone numbers. If you
7761
8014
  # use SMS text messages in Amazon Cognito, you must register a phone
7762
- # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
8015
+ # number with [Amazon Pinpoint][3]. Amazon Cognito uses the registered
7763
8016
  # number automatically. Otherwise, Amazon Cognito users who must receive
7764
8017
  # SMS messages might not be able to sign up, activate their accounts, or
7765
8018
  # sign in.
@@ -7771,16 +8024,17 @@ module Aws::CognitoIdentityProvider
7771
8024
  # mode</a> </i>, you can send messages only to verified phone numbers.
7772
8025
  # After you test your app while in the sandbox environment, you can move
7773
8026
  # out of the sandbox and into production. For more information, see [
7774
- # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
8027
+ # SMS message settings for Amazon Cognito user pools][4] in the *Amazon
7775
8028
  # Cognito Developer Guide*.
7776
8029
  #
7777
8030
  # </note>
7778
8031
  #
7779
8032
  #
7780
8033
  #
7781
- # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
7782
- # [2]: https://console.aws.amazon.com/pinpoint/home/
7783
- # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
8034
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html
8035
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
8036
+ # [3]: https://console.aws.amazon.com/pinpoint/home/
8037
+ # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
7784
8038
  #
7785
8039
  # @option params [required, String] :client_id
7786
8040
  # The app client ID.
@@ -7802,31 +8056,45 @@ module Aws::CognitoIdentityProvider
7802
8056
  # be passed as it is to the next `RespondToAuthChallenge` API call.
7803
8057
  #
7804
8058
  # @option params [Hash<String,String>] :challenge_responses
7805
- # The challenge responses. These are inputs corresponding to the value
7806
- # of `ChallengeName`, for example:
8059
+ # The responses to the challenge that you received in the previous
8060
+ # request. Each challenge has its own required response parameters. The
8061
+ # following examples are partial JSON request bodies that highlight
8062
+ # challenge-response parameters.
7807
8063
  #
7808
- # <note markdown="1"> `SECRET_HASH` (if app client is configured with client secret) applies
7809
- # to all of the inputs that follow (including `SOFTWARE_TOKEN_MFA`).
8064
+ # You must provide a SECRET\_HASH parameter in all challenge responses
8065
+ # to an app client that has a client secret.
7810
8066
  #
7811
- # </note>
8067
+ # SMS\_MFA
7812
8068
  #
7813
- # * `SMS_MFA`: `SMS_MFA_CODE`, `USERNAME`.
8069
+ # : `"ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE":
8070
+ # "[SMS_code]", "USERNAME": "[username]"\}`
7814
8071
  #
7815
- # * `PASSWORD_VERIFIER`: `PASSWORD_CLAIM_SIGNATURE`,
7816
- # `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
8072
+ # PASSWORD\_VERIFIER
7817
8073
  #
7818
- # <note markdown="1"> `PASSWORD_VERIFIER` requires `DEVICE_KEY` when you sign in with a
7819
- # remembered device.
8074
+ # : `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
8075
+ # \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
8076
+ # "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
8077
+ # [timestamp], "USERNAME": "[username]"\}`
7820
8078
  #
7821
- # </note>
8079
+ # Add `"DEVICE_KEY"` when you sign in with a remembered device.
7822
8080
  #
7823
- # * `NEW_PASSWORD_REQUIRED`: `NEW_PASSWORD`, `USERNAME`, `SECRET_HASH`
7824
- # (if app client is configured with client secret). To set any
7825
- # required attributes that Amazon Cognito returned as
7826
- # `requiredAttributes` in the `InitiateAuth` response, add a
7827
- # `userAttributes.attributename ` parameter. This parameter can also
7828
- # set values for writable attributes that aren't required by your
7829
- # user pool.
8081
+ # CUSTOM\_CHALLENGE
8082
+ #
8083
+ # : `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses":
8084
+ # \{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"\}`
8085
+ #
8086
+ # Add `"DEVICE_KEY"` when you sign in with a remembered device.
8087
+ #
8088
+ # NEW\_PASSWORD\_REQUIRED
8089
+ #
8090
+ # : `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses":
8091
+ # \{"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"\}`
8092
+ #
8093
+ # To set any required attributes that `InitiateAuth` returned in an
8094
+ # `requiredAttributes` parameter, add
8095
+ # `"userAttributes.[attribute_name]": "[attribute_value]"`. This
8096
+ # parameter can also set values for writable attributes that aren't
8097
+ # required by your user pool.
7830
8098
  #
7831
8099
  # <note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a
7832
8100
  # required attribute that already has a value. In
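Review bot: The parameter is typed `Hash<String,String>`, but the `PASSWORD_VERIFIER` example shows `"TIMESTAMP": [timestamp]` without quotes while every other placeholder is quoted, which suggests a non-string value. Suggest quoting it for consistency with the declared type. Also, the sentence "You must provide a SECRET\_HASH parameter in all challenge responses to an app client that has a client secret" is followed by examples that never include `SECRET_HASH`, and it is no longer inside a note; one example that shows the key would make the requirement harder to miss.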
@@ -7837,17 +8105,36 @@ module Aws::CognitoIdentityProvider
7837
8105
  #
7838
8106
  # </note>
7839
8107
  #
7840
- # * `SOFTWARE_TOKEN_MFA`: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE` are
7841
- # required attributes.
8108
+ # SOFTWARE\_TOKEN\_MFA
8109
+ #
8110
+ # : `"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses":
8111
+ # \{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
8112
+ # [authenticator_code]\}`
8113
+ #
8114
+ # DEVICE\_SRP\_AUTH
8115
+ #
8116
+ # : `"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses":
8117
+ # \{"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
8118
+ # "[srp_a]"\}`
8119
+ #
8120
+ # DEVICE\_PASSWORD\_VERIFIER
8121
+ #
8122
+ # : `"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses":
8123
+ # \{"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE":
8124
+ # "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK":
8125
+ # "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME":
8126
+ # "[username]"\}`
7842
8127
  #
7843
- # * `DEVICE_SRP_AUTH` requires `USERNAME`, `DEVICE_KEY`, `SRP_A` (and
7844
- # `SECRET_HASH`).
8128
+ # MFA\_SETUP
7845
8129
  #
7846
- # * `DEVICE_PASSWORD_VERIFIER` requires everything that
7847
- # `PASSWORD_VERIFIER` requires, plus `DEVICE_KEY`.
8130
+ # : `"ChallengeName": "MFA_SETUP", "ChallengeResponses": \{"USERNAME":
8131
+ # "[username]"\}, "SESSION": "[Session ID from VerifySoftwareToken]"`
7848
8132
  #
7849
- # * `MFA_SETUP` requires `USERNAME`, plus you must use the session value
7850
- # returned by `VerifySoftwareToken` in the `Session` parameter.
8133
+ # SELECT\_MFA\_TYPE
8134
+ #
8135
+ # : `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses":
8136
+ # \{"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
8137
+ # SOFTWARE_TOKEN_MFA]"\}`
7851
8138
  #
7852
8139
  # For more information about `SECRET_HASH`, see [Computing secret hash
7853
8140
  # values][1]. For information about `DEVICE_KEY`, see [Working with user
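Review bot: The `MFA_SETUP` example writes the session as `"SESSION": "[Session ID from VerifySoftwareToken]"`, while the removed text called it the `Session` parameter. Suggest using the parameter's real casing so the example can be copied as is. The `SOFTWARE_TOKEN_MFA` example also leaves `[authenticator_code]` unquoted, and the `DEVICE_SRP_AUTH` example no longer mentions `SECRET_HASH`, which the removed line listed for that challenge.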
@@ -8492,7 +8779,9 @@ module Aws::CognitoIdentityProvider
8492
8779
  # the message.
8493
8780
  #
8494
8781
  # @option params [required, String] :username
8495
- # The user name of the user you want to register.
8782
+ # The username of the user that you want to sign up. The value of this
8783
+ # parameter is typically a username, but can be any alias attribute in
8784
+ # your user pool.
8496
8785
  #
8497
8786
  # @option params [required, String] :password
8498
8787
  # The password of the user you want to register.
@@ -8504,7 +8793,24 @@ module Aws::CognitoIdentityProvider
8504
8793
  # attribute name.
8505
8794
  #
8506
8795
  # @option params [Array<Types::AttributeType>] :validation_data
8507
- # The validation data in the request to register a user.
8796
+ # Temporary user attributes that contribute to the outcomes of your pre
8797
+ # sign-up Lambda trigger. This set of key-value pairs are for custom
8798
+ # validation of information that you collect from your users but don't
8799
+ # need to retain.
8800
+ #
8801
+ # Your Lambda function can analyze this additional data and act on it.
8802
+ # Your function might perform external API operations like logging user
8803
+ # attributes and validation data to Amazon CloudWatch Logs. Validation
8804
+ # data might also affect the response that your function returns to
8805
+ # Amazon Cognito, like automatically confirming the user if they sign up
8806
+ # from within your network.
8807
+ #
8808
+ # For more information about the pre sign-up Lambda trigger, see [Pre
8809
+ # sign-up Lambda trigger][1].
8810
+ #
8811
+ #
8812
+ #
8813
+ # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html
8508
8814
  #
8509
8815
  # @option params [Types::AnalyticsMetadataType] :analytics_metadata
8510
8816
  # The Amazon Pinpoint analytics metadata that contributes to your
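Review bot: The first paragraph describes `validation_data` as information "that you collect from your users but don't need to retain", and the second then gives logging it to Amazon CloudWatch Logs as an example, which is a form of retention. Suggest a different example or a note about what gets logged. Because these values are passed in the sign-up request, the auto-confirm example ("if they sign up from within your network") would also benefit from a sentence on how the function should establish that fact. Minor: "This set of key-value pairs are" should be "is".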
@@ -8794,7 +9100,10 @@ module Aws::CognitoIdentityProvider
8794
9100
  # The user pool ID.
8795
9101
  #
8796
9102
  # @option params [required, String] :username
8797
- # The user pool username.
9103
+ # The username of the user that you want to query or modify. The value
9104
+ # of this parameter is typically your user's username, but it can be
9105
+ # any of their alias attributes. If `username` isn't an alias attribute
9106
+ # in your user pool, you can also use their `sub` in this request.
8798
9107
  #
8799
9108
  # @option params [required, String] :event_id
8800
9109
  # The event ID.
@@ -9099,7 +9408,11 @@ module Aws::CognitoIdentityProvider
9099
9408
  req.send_request(options)
9100
9409
  end
9101
9410
 
9102
- # Allows a user to update a specific attribute (one at a time).
9411
+ # With this operation, your users can update one or more of their
9412
+ # attributes with their own credentials. You authorize this API request
9413
+ # with the user's access token. To delete an attribute from your user,
9414
+ # submit the attribute in your API request with a blank value. Custom
9415
+ # attribute values in this request must include the `custom:` prefix.
9103
9416
  #
9104
9417
  # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
9105
9418
  # policies in requests for this API operation. For this operation, you
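Review bot: The sentence "Custom attribute values in this request must include the `custom:` prefix" puts the prefix on the value, but the prefix belongs to the attribute name. Suggest "Custom attribute names in this request must include the `custom:` prefix". The preceding sentence about deleting an attribute "with a blank value" could also say whether that means an empty string.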
@@ -9441,6 +9754,10 @@ module Aws::CognitoIdentityProvider
9441
9754
  # create_auth_challenge: "ArnType",
9442
9755
  # verify_auth_challenge_response: "ArnType",
9443
9756
  # pre_token_generation: "ArnType",
9757
+ # pre_token_generation_config: {
9758
+ # lambda_version: "V1_0", # required, accepts V1_0, V2_0
9759
+ # lambda_arn: "ArnType", # required
9760
+ # },
9444
9761
  # user_migration: "ArnType",
9445
9762
  # custom_sms_sender: {
9446
9763
  # lambda_version: "V1_0", # required, accepts V1_0
@@ -9616,10 +9933,55 @@ module Aws::CognitoIdentityProvider
9616
9933
  # default for ID and access tokens is hours.
9617
9934
  #
9618
9935
  # @option params [Array<String>] :read_attributes
9619
- # The read-only attributes of the user pool.
9936
+ # The list of user attributes that you want your app client to have
9937
+ # read-only access to. After your user authenticates in your app, their
9938
+ # access token authorizes them to read their own attribute value for any
9939
+ # attribute in this list. An example of this kind of activity is when
9940
+ # your user selects a link to view their profile information. Your app
9941
+ # makes a [GetUser][1] API request to retrieve and display your user's
9942
+ # profile data.
9943
+ #
9944
+ # When you don't specify the `ReadAttributes` for your app client, your
9945
+ # app can read the values of `email_verified`, `phone_number_verified`,
9946
+ # and the Standard attributes of your user pool. When your user pool has
9947
+ # read access to these default attributes, `ReadAttributes` doesn't
9948
+ # return any information. Amazon Cognito only populates `ReadAttributes`
9949
+ # in the API response if you have specified your own custom set of read
9950
+ # attributes.
9951
+ #
9952
+ #
9953
+ #
9954
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html
9620
9955
  #
9621
9956
  # @option params [Array<String>] :write_attributes
9622
- # The writeable attributes of the user pool.
9957
+ # The list of user attributes that you want your app client to have
9958
+ # write access to. After your user authenticates in your app, their
9959
+ # access token authorizes them to set or modify their own attribute
9960
+ # value for any attribute in this list. An example of this kind of
9961
+ # activity is when you present your user with a form to update their
9962
+ # profile information and they change their last name. Your app then
9963
+ # makes an [UpdateUserAttributes][1] API request and sets `family_name`
9964
+ # to the new value.
9965
+ #
9966
+ # When you don't specify the `WriteAttributes` for your app client,
9967
+ # your app can write the values of the Standard attributes of your user
9968
+ # pool. When your user pool has write access to these default
9969
+ # attributes, `WriteAttributes` doesn't return any information. Amazon
9970
+ # Cognito only populates `WriteAttributes` in the API response if you
9971
+ # have specified your own custom set of write attributes.
9972
+ #
9973
+ # If your app client allows users to sign in through an IdP, this array
9974
+ # must include all attributes that you have mapped to IdP attributes.
9975
+ # Amazon Cognito updates mapped attributes when users sign in to your
9976
+ # application through an IdP. If your app client does not have write
9977
+ # access to a mapped attribute, Amazon Cognito throws an error when it
9978
+ # tries to update the attribute. For more information, see [Specifying
9979
+ # IdP Attribute Mappings for Your user pool][2].
9980
+ #
9981
+ #
9982
+ #
9983
+ # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html
9984
+ # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html
9623
9985
  #
9624
9986
  # @option params [Array<String>] :explicit_auth_flows
9625
9987
  # The authentication flows that you want your user pool client to
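Review bot: In both new descriptions the sentence "When your user pool has read access to these default attributes" (new lines 9946-9947, and the write equivalent at 9967-9968) names the user pool where the rest of the text is about the app client; it should read "When your app client has ...". The `:write_attributes` text also leaves the behaviour of an omitted list (all Standard attributes writable with the user's own access token) to its second paragraph. State that default first, and note that any attribute left writable is a user-controlled value, so callers should pass an explicit, minimal list when an attribute feeds authorization decisions.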
@@ -10133,7 +10495,7 @@ module Aws::CognitoIdentityProvider
10133
10495
  params: params,
10134
10496
  config: config)
10135
10497
  context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
10136
- context[:gem_version] = '1.84.0'
10498
+ context[:gem_version] = '1.85.0'
10137
10499
  Seahorse::Client::Request.new(handlers, context)
10138
10500
  end
10139
10501