aws-cdk-lib 2.142.0__py3-none-any.whl → 2.143.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -842,6 +842,23 @@ user_pool_client = cognito.UserPoolClient(self, "UserPoolClient",
 secret = user_pool_client.user_pool_client_secret
 ```
 
+If you set `enablePropagateAdditionalUserContextData: true`, you can collect and pass
+information about your user's session to Amazon Cognito advanced security
+when you use the API to sign them up, sign them in, and reset their password.
+
+```python
+# imported_pool: cognito.UserPool
+
+
+user_pool_client = cognito.UserPoolClient(self, "UserPoolClient",
+    user_pool=imported_pool,
+    generate_secret=True,
+    enable_propagate_additional_user_context_data=True
+)
+```
+
+See [Adding user device and session data to API requests](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint) for more information.
+
 ### Resource Servers
 
 A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an
@@ -12495,6 +12512,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
+        enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
         enable_token_revocation: typing.Optional[builtins.bool] = None,
         generate_secret: typing.Optional[builtins.bool] = None,
         id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -12513,6 +12531,7 @@ class IUserPool(_IResource_c80c4260, typing_extensions.Protocol):
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
+        :param enable_propagate_additional_user_context_data: Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients
         :param enable_token_revocation: Enable token revocation for this client. Default: true for new user pool clients
         :param generate_secret: Whether to generate a client secret. Default: false
         :param id_token_validity: Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
@@ -12628,6 +12647,7 @@ class _IUserPoolProxy(
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
+        enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
         enable_token_revocation: typing.Optional[builtins.bool] = None,
         generate_secret: typing.Optional[builtins.bool] = None,
         id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -12646,6 +12666,7 @@ class _IUserPoolProxy(
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
+        :param enable_propagate_additional_user_context_data: Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients
         :param enable_token_revocation: Enable token revocation for this client. Default: true for new user pool clients
         :param generate_secret: Whether to generate a client secret. Default: false
         :param id_token_validity: Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
@@ -12667,6 +12688,7 @@ class _IUserPoolProxy(
             auth_flows=auth_flows,
             auth_session_validity=auth_session_validity,
             disable_o_auth=disable_o_auth,
+            enable_propagate_additional_user_context_data=enable_propagate_additional_user_context_data,
             enable_token_revocation=enable_token_revocation,
             generate_secret=generate_secret,
             id_token_validity=id_token_validity,
@@ -15756,6 +15778,7 @@ class UserPool(
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
+        enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
         enable_token_revocation: typing.Optional[builtins.bool] = None,
         generate_secret: typing.Optional[builtins.bool] = None,
         id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -15774,6 +15797,7 @@ class UserPool(
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
+        :param enable_propagate_additional_user_context_data: Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients
         :param enable_token_revocation: Enable token revocation for this client. Default: true for new user pool clients
         :param generate_secret: Whether to generate a client secret. Default: false
         :param id_token_validity: Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
@@ -15793,6 +15817,7 @@ class UserPool(
             auth_flows=auth_flows,
             auth_session_validity=auth_session_validity,
             disable_o_auth=disable_o_auth,
+            enable_propagate_additional_user_context_data=enable_propagate_additional_user_context_data,
             enable_token_revocation=enable_token_revocation,
             generate_secret=generate_secret,
             id_token_validity=id_token_validity,
@@ -15982,6 +16007,7 @@ class UserPoolClient(
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
+        enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
         enable_token_revocation: typing.Optional[builtins.bool] = None,
         generate_secret: typing.Optional[builtins.bool] = None,
         id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -16001,6 +16027,7 @@ class UserPoolClient(
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
+        :param enable_propagate_additional_user_context_data: Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients
         :param enable_token_revocation: Enable token revocation for this client. Default: true for new user pool clients
         :param generate_secret: Whether to generate a client secret. Default: false
         :param id_token_validity: Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
@@ -16022,6 +16049,7 @@ class UserPoolClient(
             auth_flows=auth_flows,
             auth_session_validity=auth_session_validity,
             disable_o_auth=disable_o_auth,
+            enable_propagate_additional_user_context_data=enable_propagate_additional_user_context_data,
             enable_token_revocation=enable_token_revocation,
             generate_secret=generate_secret,
             id_token_validity=id_token_validity,
@@ -16172,6 +16200,7 @@ class UserPoolClientIdentityProvider(
         "auth_flows": "authFlows",
         "auth_session_validity": "authSessionValidity",
         "disable_o_auth": "disableOAuth",
+        "enable_propagate_additional_user_context_data": "enablePropagateAdditionalUserContextData",
         "enable_token_revocation": "enableTokenRevocation",
         "generate_secret": "generateSecret",
         "id_token_validity": "idTokenValidity",
@@ -16192,6 +16221,7 @@ class UserPoolClientOptions:
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
+        enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
         enable_token_revocation: typing.Optional[builtins.bool] = None,
         generate_secret: typing.Optional[builtins.bool] = None,
         id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -16209,6 +16239,7 @@ class UserPoolClientOptions:
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
+        :param enable_propagate_additional_user_context_data: Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients
         :param enable_token_revocation: Enable token revocation for this client. Default: true for new user pool clients
         :param generate_secret: Whether to generate a client secret. Default: false
         :param id_token_validity: Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
@@ -16246,6 +16277,7 @@ class UserPoolClientOptions:
             check_type(argname="argument auth_flows", value=auth_flows, expected_type=type_hints["auth_flows"])
             check_type(argname="argument auth_session_validity", value=auth_session_validity, expected_type=type_hints["auth_session_validity"])
             check_type(argname="argument disable_o_auth", value=disable_o_auth, expected_type=type_hints["disable_o_auth"])
+            check_type(argname="argument enable_propagate_additional_user_context_data", value=enable_propagate_additional_user_context_data, expected_type=type_hints["enable_propagate_additional_user_context_data"])
             check_type(argname="argument enable_token_revocation", value=enable_token_revocation, expected_type=type_hints["enable_token_revocation"])
             check_type(argname="argument generate_secret", value=generate_secret, expected_type=type_hints["generate_secret"])
             check_type(argname="argument id_token_validity", value=id_token_validity, expected_type=type_hints["id_token_validity"])
@@ -16265,6 +16297,8 @@ class UserPoolClientOptions:
             self._values["auth_session_validity"] = auth_session_validity
         if disable_o_auth is not None:
             self._values["disable_o_auth"] = disable_o_auth
+        if enable_propagate_additional_user_context_data is not None:
+            self._values["enable_propagate_additional_user_context_data"] = enable_propagate_additional_user_context_data
         if enable_token_revocation is not None:
             self._values["enable_token_revocation"] = enable_token_revocation
         if generate_secret is not None:
@@ -16333,6 +16367,21 @@ class UserPoolClientOptions:
         result = self._values.get("disable_o_auth")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def enable_propagate_additional_user_context_data(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Enable the propagation of additional user context data.
+
+        You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.
+
+        :default: false for new user pool clients
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
+        '''
+        result = self._values.get("enable_propagate_additional_user_context_data")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def enable_token_revocation(self) -> typing.Optional[builtins.bool]:
         '''Enable token revocation for this client.
@@ -16467,6 +16516,7 @@ class UserPoolClientOptions:
         "auth_flows": "authFlows",
         "auth_session_validity": "authSessionValidity",
         "disable_o_auth": "disableOAuth",
+        "enable_propagate_additional_user_context_data": "enablePropagateAdditionalUserContextData",
         "enable_token_revocation": "enableTokenRevocation",
         "generate_secret": "generateSecret",
         "id_token_validity": "idTokenValidity",
@@ -16488,6 +16538,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
         auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
         disable_o_auth: typing.Optional[builtins.bool] = None,
+        enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
         enable_token_revocation: typing.Optional[builtins.bool] = None,
         generate_secret: typing.Optional[builtins.bool] = None,
         id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -16506,6 +16557,7 @@ class UserPoolClientProps(UserPoolClientOptions):
         :param auth_flows: The set of OAuth authentication flows to enable on the client. Default: - If you don't specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.
         :param auth_session_validity: Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in ``AuthSessionValidity``. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)
         :param disable_o_auth: Turns off all OAuth interactions for this client. Default: false
+        :param enable_propagate_additional_user_context_data: Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients
         :param enable_token_revocation: Enable token revocation for this client. Default: true for new user pool clients
         :param generate_secret: Whether to generate a client secret. Default: false
         :param id_token_validity: Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)
@@ -16543,6 +16595,7 @@ class UserPoolClientProps(UserPoolClientOptions):
             check_type(argname="argument auth_flows", value=auth_flows, expected_type=type_hints["auth_flows"])
             check_type(argname="argument auth_session_validity", value=auth_session_validity, expected_type=type_hints["auth_session_validity"])
             check_type(argname="argument disable_o_auth", value=disable_o_auth, expected_type=type_hints["disable_o_auth"])
+            check_type(argname="argument enable_propagate_additional_user_context_data", value=enable_propagate_additional_user_context_data, expected_type=type_hints["enable_propagate_additional_user_context_data"])
             check_type(argname="argument enable_token_revocation", value=enable_token_revocation, expected_type=type_hints["enable_token_revocation"])
             check_type(argname="argument generate_secret", value=generate_secret, expected_type=type_hints["generate_secret"])
             check_type(argname="argument id_token_validity", value=id_token_validity, expected_type=type_hints["id_token_validity"])
@@ -16565,6 +16618,8 @@ class UserPoolClientProps(UserPoolClientOptions):
             self._values["auth_session_validity"] = auth_session_validity
         if disable_o_auth is not None:
             self._values["disable_o_auth"] = disable_o_auth
+        if enable_propagate_additional_user_context_data is not None:
+            self._values["enable_propagate_additional_user_context_data"] = enable_propagate_additional_user_context_data
         if enable_token_revocation is not None:
             self._values["enable_token_revocation"] = enable_token_revocation
         if generate_secret is not None:
@@ -16633,6 +16688,21 @@ class UserPoolClientProps(UserPoolClientOptions):
         result = self._values.get("disable_o_auth")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def enable_propagate_additional_user_context_data(
+        self,
+    ) -> typing.Optional[builtins.bool]:
+        '''Enable the propagation of additional user context data.
+
+        You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret.
+
+        :default: false for new user pool clients
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint
+        '''
+        result = self._values.get("enable_propagate_additional_user_context_data")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def enable_token_revocation(self) -> typing.Optional[builtins.bool]:
         '''Enable token revocation for this client.
@@ -22395,6 +22465,7 @@ def _typecheckingstub__6eaa0ebaf797c6ac4bac11bd73d9ad61c50892a9450e0ff5880903434
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
+    enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
     enable_token_revocation: typing.Optional[builtins.bool] = None,
     generate_secret: typing.Optional[builtins.bool] = None,
     id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -22700,6 +22771,7 @@ def _typecheckingstub__b4ce1f762a6eeaca3920ca827a1685cfa2b670f96aa13d8cfdded4055
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
+    enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
     enable_token_revocation: typing.Optional[builtins.bool] = None,
     generate_secret: typing.Optional[builtins.bool] = None,
     id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -22763,6 +22835,7 @@ def _typecheckingstub__e654de9921a676ab8214720f2ab2c7f212d67a62531595c721560e88c
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
+    enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
     enable_token_revocation: typing.Optional[builtins.bool] = None,
     generate_secret: typing.Optional[builtins.bool] = None,
     id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -22797,6 +22870,7 @@ def _typecheckingstub__80185296586b917ea24ebc48255c627ce95ec5c85ae2ab4e52736240b
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
+    enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
     enable_token_revocation: typing.Optional[builtins.bool] = None,
     generate_secret: typing.Optional[builtins.bool] = None,
     id_token_validity: typing.Optional[_Duration_4839e8c3] = None,
@@ -22817,6 +22891,7 @@ def _typecheckingstub__95c8cad8419f2fd5def82ad39281b322b9ec6b2f7d891de939bf1e903
     auth_flows: typing.Optional[typing.Union[AuthFlow, typing.Dict[builtins.str, typing.Any]]] = None,
     auth_session_validity: typing.Optional[_Duration_4839e8c3] = None,
     disable_o_auth: typing.Optional[builtins.bool] = None,
+    enable_propagate_additional_user_context_data: typing.Optional[builtins.bool] = None,
     enable_token_revocation: typing.Optional[builtins.bool] = None,
     generate_secret: typing.Optional[builtins.bool] = None,
     id_token_validity: typing.Optional[_Duration_4839e8c3] = None,