aws-sdk-cognitoidentityprovider 1.118.0 → 1.119.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: ff1ce0bdf772defb37617a546eba136b79a96c242ae67387f21d7f128c6bb3d8
-  data.tar.gz: 0f58e28f3f8a0d7b96a403607ceceaa2c3d85ea58b0affb743bafa6c61f91bae
+  metadata.gz: 3d34ce7f8b54bbc48677f6a5e29d976517396e30cd4bf73fced415604e191720
+  data.tar.gz: ef168795dbfce26a4463d3e103335a6755ca982712c405fcff9680b65e8edd9e
 SHA512:
-  metadata.gz: 539e2ad805fe2c66b5cb4cf147da155396123d6d200c6918b89abf3de1bce20101dd8f46263eff65a4a388d319ba50b99c5150aeeb4ebfb6ad434ec534c041ce
-  data.tar.gz: d4a749e8187b2c46e0389b1e79205963357fdab8964666c0a06bb96ecd3ef808c08bc5b6080944234fef9b81914990b2dbe7e2fdd94ec3a9f87e69928eea5a16
+  metadata.gz: e95183eaaf26480336f926132badd48f89e285f31e4a1465d3baed196a23e65552c75a7fd4765ffd344b34a9e496806a401dc3cbe81c1bcdb7655d6e14e30cac
+  data.tar.gz: 3048a43ff691c2db8bc77862b7dc6195e6ab23e8b56d996481c5d2c9937f5b7506a1686bace56bc0e49ad279118971860264c841b5d1605b44744d2c47b11b8c

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.119.0 (2025-04-22)
+------------------
+
+* Feature - This release adds refresh token rotation.
+
 1.118.0 (2025-03-14)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.118.0
+1.119.0

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -5890,6 +5890,12 @@ module Aws::CognitoIdentityProvider
     #   minutes, of that session token. Your user pool native user must
     #   respond to each authentication challenge before the session expires.
     #
+    # @option params [Types::RefreshTokenRotationType] :refresh_token_rotation
+    #   The configuration of your app client for refresh token rotation. When
+    #   enabled, your app client issues new ID, access, and refresh tokens
+    #   when users renew their sessions with refresh tokens. When disabled,
+    #   token refresh issues only ID and access tokens.
+    #
     # @return [Types::CreateUserPoolClientResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateUserPoolClientResponse#user_pool_client #user_pool_client} => Types::UserPoolClientType
@@ -6057,6 +6063,10 @@ module Aws::CognitoIdentityProvider
     #     enable_token_revocation: false,
     #     enable_propagate_additional_user_context_data: false,
     #     auth_session_validity: 1,
+    #     refresh_token_rotation: {
+    #       feature: "ENABLED", # required, accepts ENABLED, DISABLED
+    #       retry_grace_period_seconds: 1,
+    #     },
     #   })
     #
     # @example Response structure
@@ -6100,6 +6110,8 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.enable_token_revocation #=> Boolean
     #   resp.user_pool_client.enable_propagate_additional_user_context_data #=> Boolean
     #   resp.user_pool_client.auth_session_validity #=> Integer
+    #   resp.user_pool_client.refresh_token_rotation.feature #=> String, one of "ENABLED", "DISABLED"
+    #   resp.user_pool_client.refresh_token_rotation.retry_grace_period_seconds #=> Integer
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClient AWS API Documentation
     #
@@ -7182,6 +7194,8 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.enable_token_revocation #=> Boolean
     #   resp.user_pool_client.enable_propagate_additional_user_context_data #=> Boolean
     #   resp.user_pool_client.auth_session_validity #=> Integer
+    #   resp.user_pool_client.refresh_token_rotation.feature #=> String, one of "ENABLED", "DISABLED"
+    #   resp.user_pool_client.refresh_token_rotation.retry_grace_period_seconds #=> Integer
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/DescribeUserPoolClient AWS API Documentation
     #
@@ -7801,6 +7815,109 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
+    # Given a refresh token, issues new ID, access, and optionally refresh
+    # tokens for the user who owns the submitted token. This operation
+    # issues a new refresh token and invalidates the original refresh token
+    # after an optional grace period when refresh token rotation is enabled.
+    # If refresh token rotation is disabled, issues new ID and access tokens
+    # only.
+    #
+    # @option params [required, String] :refresh_token
+    #   A valid refresh token that can authorize the request for new tokens.
+    #   When refresh token rotation is active in the requested app client,
+    #   this token is invalidated after the request is complete.
+    #
+    # @option params [required, String] :client_id
+    #   The app client that issued the refresh token to the user who wants to
+    #   request new tokens.
+    #
+    # @option params [String] :client_secret
+    #   The client secret of the requested app client, if the client has a
+    #   secret.
+    #
+    # @option params [String] :device_key
+    #   When you enable device remembering, Amazon Cognito issues a device key
+    #   that you can use for device authentication that bypasses multi-factor
+    #   authentication (MFA). To implement `GetTokensFromRefreshToken` in a
+    #   user pool with device remembering, you must capture the device key
+    #   from the initial authentication request. If your application doesn't
+    #   provide the key of a registered device, Amazon Cognito issues a new
+    #   one. You must provide the confirmed device key in this request if
+    #   device remembering is enabled in your user pool.
+    #
+    #   For more information about device remembering, see [Working with
+    #   devices][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   certain custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning Lambda functions to user pool
+    #   triggers. When you use the `GetTokensFromRefreshToken` API action,
+    #   Amazon Cognito invokes the Lambda function the pre token generation
+    #   trigger.
+    #
+    #   For more information, see [ Using Lambda triggers][1] in the *Amazon
+    #   Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> When you use the `ClientMetadata` parameter, note that Amazon Cognito
+    #   won't do the following:
+    #
+    #    * Store the `ClientMetadata` value. This data is available only to
+    #     Lambda triggers that are assigned to a user pool to support custom
+    #     workflows. If your user pool configuration doesn't include
+    #     triggers, the `ClientMetadata` parameter serves no purpose.
+    #
+    #   * Validate the `ClientMetadata` value.
+    #
+    #   * Encrypt the `ClientMetadata` value. Don't send sensitive
+    #     information in this parameter.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
+    # @return [Types::GetTokensFromRefreshTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::GetTokensFromRefreshTokenResponse#authentication_result #authentication_result} => Types::AuthenticationResultType
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.get_tokens_from_refresh_token({
+    #     refresh_token: "TokenModelType", # required
+    #     client_id: "ClientIdType", # required
+    #     client_secret: "ClientSecretType",
+    #     device_key: "DeviceKeyType",
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.authentication_result.access_token #=> String
+    #   resp.authentication_result.expires_in #=> Integer
+    #   resp.authentication_result.token_type #=> String
+    #   resp.authentication_result.refresh_token #=> String
+    #   resp.authentication_result.id_token #=> String
+    #   resp.authentication_result.new_device_metadata.device_key #=> String
+    #   resp.authentication_result.new_device_metadata.device_group_key #=> String
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetTokensFromRefreshToken AWS API Documentation
+    #
+    # @overload get_tokens_from_refresh_token(params = {})
+    # @param [Hash] params ({})
+    def get_tokens_from_refresh_token(params = {}, options = {})
+      req = build_request(:get_tokens_from_refresh_token, params)
+      req.send_request(options)
+    end
+
     # Given a user pool ID or app client, returns information about classic
     # hosted UI branding that you applied, if any. Returns user-pool level
     # branding information if no app client branding is applied, or if you
@@ -12555,6 +12672,12 @@ module Aws::CognitoIdentityProvider
     #   minutes, of that session token. Your user pool native user must
     #   respond to each authentication challenge before the session expires.
     #
+    # @option params [Types::RefreshTokenRotationType] :refresh_token_rotation
+    #   The configuration of your app client for refresh token rotation. When
+    #   enabled, your app client issues new ID, access, and refresh tokens
+    #   when users renew their sessions with refresh tokens. When disabled,
+    #   token refresh issues only ID and access tokens.
+    #
     # @return [Types::UpdateUserPoolClientResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateUserPoolClientResponse#user_pool_client #user_pool_client} => Types::UserPoolClientType
@@ -12594,6 +12717,10 @@ module Aws::CognitoIdentityProvider
     #     enable_token_revocation: false,
     #     enable_propagate_additional_user_context_data: false,
     #     auth_session_validity: 1,
+    #     refresh_token_rotation: {
+    #       feature: "ENABLED", # required, accepts ENABLED, DISABLED
+    #       retry_grace_period_seconds: 1,
+    #     },
     #   })
     #
     # @example Response structure
@@ -12637,6 +12764,8 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool_client.enable_token_revocation #=> Boolean
     #   resp.user_pool_client.enable_propagate_additional_user_context_data #=> Boolean
     #   resp.user_pool_client.auth_session_validity #=> Integer
+    #   resp.user_pool_client.refresh_token_rotation.feature #=> String, one of "ENABLED", "DISABLED"
+    #   resp.user_pool_client.refresh_token_rotation.retry_grace_period_seconds #=> Integer
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClient AWS API Documentation
     #
@@ -12890,7 +13019,7 @@ module Aws::CognitoIdentityProvider
         tracer: tracer
       )
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.118.0'
+      context[:gem_version] = '1.119.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -251,6 +251,7 @@ module Aws::CognitoIdentityProvider
     ExpiredCodeException = Shapes::StructureShape.new(name: 'ExpiredCodeException')
     ExplicitAuthFlowsListType = Shapes::ListShape.new(name: 'ExplicitAuthFlowsListType')
     ExplicitAuthFlowsType = Shapes::StringShape.new(name: 'ExplicitAuthFlowsType')
+    FeatureType = Shapes::StringShape.new(name: 'FeatureType')
     FeatureUnavailableInTierException = Shapes::StructureShape.new(name: 'FeatureUnavailableInTierException')
     FeedbackValueType = Shapes::StringShape.new(name: 'FeedbackValueType')
     FirehoseConfigurationType = Shapes::StructureShape.new(name: 'FirehoseConfigurationType')
@@ -272,6 +273,8 @@ module Aws::CognitoIdentityProvider
     GetLogDeliveryConfigurationResponse = Shapes::StructureShape.new(name: 'GetLogDeliveryConfigurationResponse')
     GetSigningCertificateRequest = Shapes::StructureShape.new(name: 'GetSigningCertificateRequest')
     GetSigningCertificateResponse = Shapes::StructureShape.new(name: 'GetSigningCertificateResponse')
+    GetTokensFromRefreshTokenRequest = Shapes::StructureShape.new(name: 'GetTokensFromRefreshTokenRequest')
+    GetTokensFromRefreshTokenResponse = Shapes::StructureShape.new(name: 'GetTokensFromRefreshTokenResponse')
     GetUICustomizationRequest = Shapes::StructureShape.new(name: 'GetUICustomizationRequest')
     GetUICustomizationResponse = Shapes::StructureShape.new(name: 'GetUICustomizationResponse')
     GetUserAttributeVerificationCodeRequest = Shapes::StructureShape.new(name: 'GetUserAttributeVerificationCodeRequest')
@@ -388,6 +391,8 @@ module Aws::CognitoIdentityProvider
     RecoveryOptionNameType = Shapes::StringShape.new(name: 'RecoveryOptionNameType')
     RecoveryOptionType = Shapes::StructureShape.new(name: 'RecoveryOptionType')
     RedirectUrlType = Shapes::StringShape.new(name: 'RedirectUrlType')
+    RefreshTokenReuseException = Shapes::StructureShape.new(name: 'RefreshTokenReuseException')
+    RefreshTokenRotationType = Shapes::StructureShape.new(name: 'RefreshTokenRotationType')
     RefreshTokenValidityType = Shapes::IntegerShape.new(name: 'RefreshTokenValidityType')
     RegionCodeType = Shapes::StringShape.new(name: 'RegionCodeType')
     RelyingPartyIdType = Shapes::StringShape.new(name: 'RelyingPartyIdType')
@@ -405,6 +410,7 @@ module Aws::CognitoIdentityProvider
     ResourceServersListType = Shapes::ListShape.new(name: 'ResourceServersListType')
     RespondToAuthChallengeRequest = Shapes::StructureShape.new(name: 'RespondToAuthChallengeRequest')
     RespondToAuthChallengeResponse = Shapes::StructureShape.new(name: 'RespondToAuthChallengeResponse')
+    RetryGracePeriodSecondsType = Shapes::IntegerShape.new(name: 'RetryGracePeriodSecondsType')
     RevokeTokenRequest = Shapes::StructureShape.new(name: 'RevokeTokenRequest')
     RevokeTokenResponse = Shapes::StructureShape.new(name: 'RevokeTokenResponse')
     RiskConfigurationType = Shapes::StructureShape.new(name: 'RiskConfigurationType')
@@ -1058,6 +1064,7 @@ module Aws::CognitoIdentityProvider
     CreateUserPoolClientRequest.add_member(:enable_token_revocation, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnableTokenRevocation"))
     CreateUserPoolClientRequest.add_member(:enable_propagate_additional_user_context_data, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnablePropagateAdditionalUserContextData"))
     CreateUserPoolClientRequest.add_member(:auth_session_validity, Shapes::ShapeRef.new(shape: AuthSessionValidityType, location_name: "AuthSessionValidity"))
+    CreateUserPoolClientRequest.add_member(:refresh_token_rotation, Shapes::ShapeRef.new(shape: RefreshTokenRotationType, location_name: "RefreshTokenRotation"))
     CreateUserPoolClientRequest.struct_class = Types::CreateUserPoolClientRequest
 
     CreateUserPoolClientResponse.add_member(:user_pool_client, Shapes::ShapeRef.new(shape: UserPoolClientType, location_name: "UserPoolClient"))
@@ -1364,6 +1371,16 @@ module Aws::CognitoIdentityProvider
     GetSigningCertificateResponse.add_member(:certificate, Shapes::ShapeRef.new(shape: StringType, location_name: "Certificate"))
     GetSigningCertificateResponse.struct_class = Types::GetSigningCertificateResponse
 
+    GetTokensFromRefreshTokenRequest.add_member(:refresh_token, Shapes::ShapeRef.new(shape: TokenModelType, required: true, location_name: "RefreshToken"))
+    GetTokensFromRefreshTokenRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, required: true, location_name: "ClientId"))
+    GetTokensFromRefreshTokenRequest.add_member(:client_secret, Shapes::ShapeRef.new(shape: ClientSecretType, location_name: "ClientSecret"))
+    GetTokensFromRefreshTokenRequest.add_member(:device_key, Shapes::ShapeRef.new(shape: DeviceKeyType, location_name: "DeviceKey"))
+    GetTokensFromRefreshTokenRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
+    GetTokensFromRefreshTokenRequest.struct_class = Types::GetTokensFromRefreshTokenRequest
+
+    GetTokensFromRefreshTokenResponse.add_member(:authentication_result, Shapes::ShapeRef.new(shape: AuthenticationResultType, location_name: "AuthenticationResult"))
+    GetTokensFromRefreshTokenResponse.struct_class = Types::GetTokensFromRefreshTokenResponse
+
     GetUICustomizationRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
     GetUICustomizationRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, location_name: "ClientId"))
     GetUICustomizationRequest.struct_class = Types::GetUICustomizationRequest
@@ -1719,6 +1736,13 @@ module Aws::CognitoIdentityProvider
     RecoveryOptionType.add_member(:name, Shapes::ShapeRef.new(shape: RecoveryOptionNameType, required: true, location_name: "Name"))
     RecoveryOptionType.struct_class = Types::RecoveryOptionType
 
+    RefreshTokenReuseException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
+    RefreshTokenReuseException.struct_class = Types::RefreshTokenReuseException
+
+    RefreshTokenRotationType.add_member(:feature, Shapes::ShapeRef.new(shape: FeatureType, required: true, location_name: "Feature"))
+    RefreshTokenRotationType.add_member(:retry_grace_period_seconds, Shapes::ShapeRef.new(shape: RetryGracePeriodSecondsType, location_name: "RetryGracePeriodSeconds"))
+    RefreshTokenRotationType.struct_class = Types::RefreshTokenRotationType
+
     ResendConfirmationCodeRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, required: true, location_name: "ClientId"))
     ResendConfirmationCodeRequest.add_member(:secret_hash, Shapes::ShapeRef.new(shape: SecretHashType, location_name: "SecretHash"))
     ResendConfirmationCodeRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
@@ -2066,6 +2090,7 @@ module Aws::CognitoIdentityProvider
     UpdateUserPoolClientRequest.add_member(:enable_token_revocation, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnableTokenRevocation"))
     UpdateUserPoolClientRequest.add_member(:enable_propagate_additional_user_context_data, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnablePropagateAdditionalUserContextData"))
     UpdateUserPoolClientRequest.add_member(:auth_session_validity, Shapes::ShapeRef.new(shape: AuthSessionValidityType, location_name: "AuthSessionValidity"))
+    UpdateUserPoolClientRequest.add_member(:refresh_token_rotation, Shapes::ShapeRef.new(shape: RefreshTokenRotationType, location_name: "RefreshTokenRotation"))
     UpdateUserPoolClientRequest.struct_class = Types::UpdateUserPoolClientRequest
 
     UpdateUserPoolClientResponse.add_member(:user_pool_client, Shapes::ShapeRef.new(shape: UserPoolClientType, location_name: "UserPoolClient"))
@@ -2183,6 +2208,7 @@ module Aws::CognitoIdentityProvider
     UserPoolClientType.add_member(:enable_token_revocation, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnableTokenRevocation"))
     UserPoolClientType.add_member(:enable_propagate_additional_user_context_data, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnablePropagateAdditionalUserContextData"))
     UserPoolClientType.add_member(:auth_session_validity, Shapes::ShapeRef.new(shape: AuthSessionValidityType, location_name: "AuthSessionValidity"))
+    UserPoolClientType.add_member(:refresh_token_rotation, Shapes::ShapeRef.new(shape: RefreshTokenRotationType, location_name: "RefreshTokenRotation"))
     UserPoolClientType.struct_class = Types::UserPoolClientType
 
     UserPoolDescriptionType.add_member(:id, Shapes::ShapeRef.new(shape: UserPoolIdType, location_name: "Id"))
@@ -2538,6 +2564,7 @@ module Aws::CognitoIdentityProvider
         o.input = Shapes::ShapeRef.new(shape: AdminInitiateAuthRequest)
         o.output = Shapes::ShapeRef.new(shape: AdminInitiateAuthResponse)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
@@ -3045,6 +3072,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: ScopeDoesNotExistException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidOAuthFlowException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: FeatureUnavailableInTierException)
       end)
 
       api.add_operation(:create_user_pool_domain, Seahorse::Model::Operation.new.tap do |o|
@@ -3055,6 +3083,7 @@ module Aws::CognitoIdentityProvider
         o.output = Shapes::ShapeRef.new(shape: CreateUserPoolDomainResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
@@ -3190,6 +3219,7 @@ module Aws::CognitoIdentityProvider
         o.output = Shapes::ShapeRef.new(shape: DeleteUserPoolDomainResponse)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
       end)
@@ -3455,6 +3485,25 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
       end)
 
+      api.add_operation(:get_tokens_from_refresh_token, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "GetTokensFromRefreshToken"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: GetTokensFromRefreshTokenRequest)
+        o.output = Shapes::ShapeRef.new(shape: GetTokensFromRefreshTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
+        o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
+        o.errors << Shapes::ShapeRef.new(shape: UserNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: UnexpectedLambdaException)
+        o.errors << Shapes::ShapeRef.new(shape: UserLambdaValidationException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidLambdaResponseException)
+        o.errors << Shapes::ShapeRef.new(shape: ForbiddenException)
+        o.errors << Shapes::ShapeRef.new(shape: RefreshTokenReuseException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+      end)
+
       api.add_operation(:get_ui_customization, Seahorse::Model::Operation.new.tap do |o|
         o.name = "GetUICustomization"
         o.http_method = "POST"
@@ -3572,6 +3621,7 @@ module Aws::CognitoIdentityProvider
         o['auth'] = ["smithy.api#noAuth"]
         o.input = Shapes::ShapeRef.new(shape: InitiateAuthRequest)
         o.output = Shapes::ShapeRef.new(shape: InitiateAuthResponse)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
@@ -4207,6 +4257,7 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: ScopeDoesNotExistException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidOAuthFlowException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: FeatureUnavailableInTierException)
       end)
 
       api.add_operation(:update_user_pool_domain, Seahorse::Model::Operation.new.tap do |o|
@@ -4217,6 +4268,7 @@ module Aws::CognitoIdentityProvider
         o.output = Shapes::ShapeRef.new(shape: UpdateUserPoolDomainResponse)
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
+        o.errors << Shapes::ShapeRef.new(shape: ConcurrentModificationException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)

data/lib/aws-sdk-cognitoidentityprovider/errors.rb

@@ -54,6 +54,7 @@ module Aws::CognitoIdentityProvider
   # * {PasswordHistoryPolicyViolationException}
   # * {PasswordResetRequiredException}
   # * {PreconditionNotMetException}
+  # * {RefreshTokenReuseException}
   # * {ResourceNotFoundException}
   # * {ScopeDoesNotExistException}
   # * {SoftwareTokenMFANotFoundException}
@@ -497,6 +498,21 @@ module Aws::CognitoIdentityProvider
       end
     end
 
+    class RefreshTokenReuseException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::CognitoIdentityProvider::Types::RefreshTokenReuseException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class ResourceNotFoundException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -4251,6 +4251,13 @@ module Aws::CognitoIdentityProvider
     #   respond to each authentication challenge before the session expires.
     #   @return [Integer]
     #
+    # @!attribute [rw] refresh_token_rotation
+    #   The configuration of your app client for refresh token rotation.
+    #   When enabled, your app client issues new ID, access, and refresh
+    #   tokens when users renew their sessions with refresh tokens. When
+    #   disabled, token refresh issues only ID and access tokens.
+    #   @return [Types::RefreshTokenRotationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClientRequest AWS API Documentation
     #
     class CreateUserPoolClientRequest < Struct.new(
@@ -4275,7 +4282,8 @@ module Aws::CognitoIdentityProvider
       :prevent_user_existence_errors,
       :enable_token_revocation,
       :enable_propagate_additional_user_context_data,
-      :auth_session_validity)
+      :auth_session_validity,
+      :refresh_token_rotation)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -6158,6 +6166,98 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # @!attribute [rw] refresh_token
+    #   A valid refresh token that can authorize the request for new tokens.
+    #   When refresh token rotation is active in the requested app client,
+    #   this token is invalidated after the request is complete.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_id
+    #   The app client that issued the refresh token to the user who wants
+    #   to request new tokens.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_secret
+    #   The client secret of the requested app client, if the client has a
+    #   secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] device_key
+    #   When you enable device remembering, Amazon Cognito issues a device
+    #   key that you can use for device authentication that bypasses
+    #   multi-factor authentication (MFA). To implement
+    #   `GetTokensFromRefreshToken` in a user pool with device remembering,
+    #   you must capture the device key from the initial authentication
+    #   request. If your application doesn't provide the key of a
+    #   registered device, Amazon Cognito issues a new one. You must provide
+    #   the confirmed device key in this request if device remembering is
+    #   enabled in your user pool.
+    #
+    #   For more information about device remembering, see [Working with
+    #   devices][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    #   @return [String]
+    #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   certain custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the `GetTokensFromRefreshToken` API
+    #   action, Amazon Cognito invokes the Lambda function the pre token
+    #   generation trigger.
+    #
+    #   For more information, see [ Using Lambda triggers][1] in the *Amazon
+    #   Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> When you use the `ClientMetadata` parameter, note that Amazon
+    #   Cognito won't do the following:
+    #
+    #    * Store the `ClientMetadata` value. This data is available only to
+    #     Lambda triggers that are assigned to a user pool to support custom
+    #     workflows. If your user pool configuration doesn't include
+    #     triggers, the `ClientMetadata` parameter serves no purpose.
+    #
+    #   * Validate the `ClientMetadata` value.
+    #
+    #   * Encrypt the `ClientMetadata` value. Don't send sensitive
+    #     information in this parameter.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetTokensFromRefreshTokenRequest AWS API Documentation
+    #
+    class GetTokensFromRefreshTokenRequest < Struct.new(
+      :refresh_token,
+      :client_id,
+      :client_secret,
+      :device_key,
+      :client_metadata)
+      SENSITIVE = [:refresh_token, :client_id, :client_secret]
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] authentication_result
+    #   The object that your application receives after authentication.
+    #   Contains tokens and information for device authentication.
+    #   @return [Types::AuthenticationResultType]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetTokensFromRefreshTokenResponse AWS API Documentation
+    #
+    class GetTokensFromRefreshTokenResponse < Struct.new(
+      :authentication_result)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] user_pool_id
     #   The ID of the user pool that you want to query for branding
     #   settings.
@@ -8693,6 +8793,48 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # This exception is throw when your application requests token refresh
+    # with a refresh token that has been invalidated by refresh-token
+    # rotation.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RefreshTokenReuseException AWS API Documentation
+    #
+    class RefreshTokenReuseException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The configuration of your app client for refresh token rotation. When
+    # enabled, your app client issues new ID, access, and refresh tokens
+    # when users renew their sessions with refresh tokens. When disabled,
+    # token refresh issues only ID and access tokens.
+    #
+    # @!attribute [rw] feature
+    #   The state of refresh token rotation for the current app client.
+    #   @return [String]
+    #
+    # @!attribute [rw] retry_grace_period_seconds
+    #   When you request a token refresh with `GetTokensFromRefreshToken`,
+    #   the original refresh token that you're rotating out can remain
+    #   valid for a period of time of up to 60 seconds. This allows for
+    #   client-side retries. When `RetryGracePeriodSeconds` is `0`, the
+    #   grace period is disabled and a successful request immediately
+    #   invalidates the submitted refresh token.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RefreshTokenRotationType AWS API Documentation
+    #
+    class RefreshTokenRotationType < Struct.new(
+      :feature,
+      :retry_grace_period_seconds)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Represents the request to resend the confirmation code.
     #
     # @!attribute [rw] client_id
@@ -11570,6 +11712,13 @@ module Aws::CognitoIdentityProvider
     #   respond to each authentication challenge before the session expires.
     #   @return [Integer]
     #
+    # @!attribute [rw] refresh_token_rotation
+    #   The configuration of your app client for refresh token rotation.
+    #   When enabled, your app client issues new ID, access, and refresh
+    #   tokens when users renew their sessions with refresh tokens. When
+    #   disabled, token refresh issues only ID and access tokens.
+    #   @return [Types::RefreshTokenRotationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClientRequest AWS API Documentation
     #
     class UpdateUserPoolClientRequest < Struct.new(
@@ -11594,7 +11743,8 @@ module Aws::CognitoIdentityProvider
       :prevent_user_existence_errors,
       :enable_token_revocation,
       :enable_propagate_additional_user_context_data,
-      :auth_session_validity)
+      :auth_session_validity,
+      :refresh_token_rotation)
       SENSITIVE = [:client_id]
       include Aws::Structure
     end
@@ -12618,6 +12768,13 @@ module Aws::CognitoIdentityProvider
     #   respond to each authentication challenge before the session expires.
     #   @return [Integer]
     #
+    # @!attribute [rw] refresh_token_rotation
+    #   The configuration of your app client for refresh token rotation.
+    #   When enabled, your app client issues new ID, access, and refresh
+    #   tokens when users renew their sessions with refresh tokens. When
+    #   disabled, token refresh issues only ID and access tokens.
+    #   @return [Types::RefreshTokenRotationType]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolClientType AWS API Documentation
     #
     class UserPoolClientType < Struct.new(
@@ -12645,7 +12802,8 @@ module Aws::CognitoIdentityProvider
       :prevent_user_existence_errors,
       :enable_token_revocation,
       :enable_propagate_additional_user_context_data,
-      :auth_session_validity)
+      :auth_session_validity,
+      :refresh_token_rotation)
       SENSITIVE = [:client_id, :client_secret]
       include Aws::Structure
     end

data/lib/aws-sdk-cognitoidentityprovider.rb

@@ -54,7 +54,7 @@ module Aws::CognitoIdentityProvider
   autoload :EndpointProvider, 'aws-sdk-cognitoidentityprovider/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-cognitoidentityprovider/endpoints'
 
-  GEM_VERSION = '1.118.0'
+  GEM_VERSION = '1.119.0'
 
 end
 

data/sig/client.rbs

@@ -833,7 +833,11 @@ module Aws
                                      ?prevent_user_existence_errors: ("LEGACY" | "ENABLED"),
                                      ?enable_token_revocation: bool,
                                      ?enable_propagate_additional_user_context_data: bool,
-                                     ?auth_session_validity: ::Integer
+                                     ?auth_session_validity: ::Integer,
+                                     ?refresh_token_rotation: {
+                                       feature: ("ENABLED" | "DISABLED"),
+                                       retry_grace_period_seconds: ::Integer?
+                                     }
                                    ) -> _CreateUserPoolClientResponseSuccess
                                  | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _CreateUserPoolClientResponseSuccess
 
@@ -1120,6 +1124,20 @@ module Aws
                                    ) -> _GetSigningCertificateResponseSuccess
                                  | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GetSigningCertificateResponseSuccess
 
+      interface _GetTokensFromRefreshTokenResponseSuccess
+        include ::Seahorse::Client::_ResponseSuccess[Types::GetTokensFromRefreshTokenResponse]
+        def authentication_result: () -> Types::AuthenticationResultType
+      end
+      # https://docs.aws.amazon.com/sdk-for-ruby/v3/api/Aws/CognitoIdentityProvider/Client.html#get_tokens_from_refresh_token-instance_method
+      def get_tokens_from_refresh_token: (
+                                           refresh_token: ::String,
+                                           client_id: ::String,
+                                           ?client_secret: ::String,
+                                           ?device_key: ::String,
+                                           ?client_metadata: Hash[::String, ::String]
+                                         ) -> _GetTokensFromRefreshTokenResponseSuccess
+                                       | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _GetTokensFromRefreshTokenResponseSuccess
+
       interface _GetUICustomizationResponseSuccess
         include ::Seahorse::Client::_ResponseSuccess[Types::GetUICustomizationResponse]
         def ui_customization: () -> Types::UICustomizationType
@@ -1923,7 +1941,11 @@ module Aws
                                      ?prevent_user_existence_errors: ("LEGACY" | "ENABLED"),
                                      ?enable_token_revocation: bool,
                                      ?enable_propagate_additional_user_context_data: bool,
-                                     ?auth_session_validity: ::Integer
+                                     ?auth_session_validity: ::Integer,
+                                     ?refresh_token_rotation: {
+                                       feature: ("ENABLED" | "DISABLED"),
+                                       retry_grace_period_seconds: ::Integer?
+                                     }
                                    ) -> _UpdateUserPoolClientResponseSuccess
                                  | (Hash[Symbol, untyped] params, ?Hash[Symbol, untyped] options) -> _UpdateUserPoolClientResponseSuccess
 

data/sig/errors.rbs

@@ -93,6 +93,9 @@ module Aws
       class PreconditionNotMetException < ::Aws::Errors::ServiceError
         def message: () -> ::String
       end
+      class RefreshTokenReuseException < ::Aws::Errors::ServiceError
+        def message: () -> ::String
+      end
       class ResourceNotFoundException < ::Aws::Errors::ServiceError
         def message: () -> ::String
       end

data/sig/types.rbs

@@ -631,6 +631,7 @@ module Aws::CognitoIdentityProvider
       attr_accessor enable_token_revocation: bool
       attr_accessor enable_propagate_additional_user_context_data: bool
       attr_accessor auth_session_validity: ::Integer
+      attr_accessor refresh_token_rotation: Types::RefreshTokenRotationType
       SENSITIVE: []
     end
 
@@ -1067,6 +1068,20 @@ module Aws::CognitoIdentityProvider
       SENSITIVE: []
     end
 
+    class GetTokensFromRefreshTokenRequest
+      attr_accessor refresh_token: ::String
+      attr_accessor client_id: ::String
+      attr_accessor client_secret: ::String
+      attr_accessor device_key: ::String
+      attr_accessor client_metadata: ::Hash[::String, ::String]
+      SENSITIVE: [:refresh_token, :client_id, :client_secret]
+    end
+
+    class GetTokensFromRefreshTokenResponse
+      attr_accessor authentication_result: Types::AuthenticationResultType
+      SENSITIVE: []
+    end
+
     class GetUICustomizationRequest
       attr_accessor user_pool_id: ::String
       attr_accessor client_id: ::String
@@ -1540,6 +1555,17 @@ module Aws::CognitoIdentityProvider
       SENSITIVE: []
     end
 
+    class RefreshTokenReuseException
+      attr_accessor message: ::String
+      SENSITIVE: []
+    end
+
+    class RefreshTokenRotationType
+      attr_accessor feature: ("ENABLED" | "DISABLED")
+      attr_accessor retry_grace_period_seconds: ::Integer
+      SENSITIVE: []
+    end
+
     class ResendConfirmationCodeRequest
       attr_accessor client_id: ::String
       attr_accessor secret_hash: ::String
@@ -2009,6 +2035,7 @@ module Aws::CognitoIdentityProvider
       attr_accessor enable_token_revocation: bool
       attr_accessor enable_propagate_additional_user_context_data: bool
       attr_accessor auth_session_validity: ::Integer
+      attr_accessor refresh_token_rotation: Types::RefreshTokenRotationType
       SENSITIVE: [:client_id]
     end
 
@@ -2151,6 +2178,7 @@ module Aws::CognitoIdentityProvider
       attr_accessor enable_token_revocation: bool
       attr_accessor enable_propagate_additional_user_context_data: bool
       attr_accessor auth_session_validity: ::Integer
+      attr_accessor refresh_token_rotation: Types::RefreshTokenRotationType
       SENSITIVE: [:client_id, :client_secret]
     end
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-cognitoidentityprovider
 version: !ruby/object:Gem::Version
-  version: 1.118.0
+  version: 1.119.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-03-14 00:00:00.000000000 Z
+date: 2025-04-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core