aws-cdk-lib 2.175.0__py3-none-any.whl → 2.176.0__py3-none-any.whl
- aws_cdk/__init__.py +15 -6
- aws_cdk/_jsii/__init__.py +1 -1
- aws_cdk/_jsii/{aws-cdk-lib@2.175.0.jsii.tgz → aws-cdk-lib@2.176.0.jsii.tgz} +0 -0
- aws_cdk/aws_apigatewayv2_integrations/__init__.py +159 -7
- aws_cdk/aws_appconfig/__init__.py +106 -24
- aws_cdk/aws_appsync/__init__.py +3 -3
- aws_cdk/aws_backup/__init__.py +18 -84
- aws_cdk/aws_cleanrooms/__init__.py +77 -34
- aws_cdk/aws_cloudformation/__init__.py +4 -2
- aws_cdk/aws_cloudfront/experimental/__init__.py +1 -1
- aws_cdk/aws_cloudwatch/__init__.py +53 -49
- aws_cdk/aws_codebuild/__init__.py +36 -0
- aws_cdk/aws_cognito/__init__.py +228 -219
- aws_cdk/aws_customerprofiles/__init__.py +1060 -0
- aws_cdk/aws_docdb/__init__.py +29 -9
- aws_cdk/aws_dynamodb/__init__.py +77 -58
- aws_cdk/aws_ec2/__init__.py +11 -8
- aws_cdk/aws_ecs/__init__.py +100 -35
- aws_cdk/aws_elasticloadbalancingv2/__init__.py +41 -5
- aws_cdk/aws_healthlake/__init__.py +36 -40
- aws_cdk/aws_lambda/__init__.py +8 -8
- aws_cdk/aws_lambda_event_sources/__init__.py +9 -9
- aws_cdk/aws_lex/__init__.py +105 -0
- aws_cdk/aws_mediaconvert/__init__.py +7 -3
- aws_cdk/aws_organizations/__init__.py +5 -9
- aws_cdk/aws_rds/__init__.py +83 -8
- aws_cdk/aws_resiliencehub/__init__.py +41 -0
- aws_cdk/aws_s3/__init__.py +5 -5
- aws_cdk/aws_ses/__init__.py +25 -4
- aws_cdk/aws_ssm/__init__.py +9 -2
- aws_cdk/aws_ssmquicksetup/__init__.py +84 -84
- aws_cdk/aws_sso/__init__.py +9 -5
- aws_cdk/cx_api/__init__.py +25 -4
- {aws_cdk_lib-2.175.0.dist-info → aws_cdk_lib-2.176.0.dist-info}/METADATA +1 -1
- {aws_cdk_lib-2.175.0.dist-info → aws_cdk_lib-2.176.0.dist-info}/RECORD +39 -40
- aws_cdk/aws_iot1click/__init__.py +0 -1193
- {aws_cdk_lib-2.175.0.dist-info → aws_cdk_lib-2.176.0.dist-info}/LICENSE +0 -0
- {aws_cdk_lib-2.175.0.dist-info → aws_cdk_lib-2.176.0.dist-info}/NOTICE +0 -0
- {aws_cdk_lib-2.175.0.dist-info → aws_cdk_lib-2.176.0.dist-info}/WHEEL +0 -0
- {aws_cdk_lib-2.175.0.dist-info → aws_cdk_lib-2.176.0.dist-info}/top_level.txt +0 -0
aws_cdk/aws_cognito/__init__.py
CHANGED
|
@@ -3494,7 +3494,7 @@ class CfnLogDeliveryConfiguration(
|
|
|
3494
3494
|
):
|
|
3495
3495
|
'''Sets up or modifies the logging configuration of a user pool.
|
|
3496
3496
|
|
|
3497
|
-
User pools can export user notification logs and
|
|
3497
|
+
User pools can export user notification logs and, when threat protection is active, user-activity logs. For more information, see `Exporting user pool logs <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ .
|
|
3498
3498
|
|
|
3499
3499
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-logdeliveryconfiguration.html
|
|
3500
3500
|
:cloudformationResource: AWS::Cognito::LogDeliveryConfiguration
|
|
@@ -3691,9 +3691,9 @@ class CfnLogDeliveryConfiguration(
|
|
|
3691
3691
|
)
|
|
3692
3692
|
class FirehoseConfigurationProperty:
|
|
3693
3693
|
def __init__(self, *, stream_arn: typing.Optional[builtins.str] = None) -> None:
|
|
3694
|
-
'''Configuration for the Amazon Data Firehose stream destination of user activity log export with
|
|
3694
|
+
'''Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
|
|
3695
3695
|
|
|
3696
|
-
:param stream_arn: The ARN of an Amazon Data Firehose stream that's the destination for
|
|
3696
|
+
:param stream_arn: The ARN of an Amazon Data Firehose stream that's the destination for threat protection log export.
|
|
3697
3697
|
|
|
3698
3698
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-firehoseconfiguration.html
|
|
3699
3699
|
:exampleMetadata: fixture=_generated
|
|
@@ -3717,7 +3717,7 @@ class CfnLogDeliveryConfiguration(
|
|
|
3717
3717
|
|
|
3718
3718
|
@builtins.property
|
|
3719
3719
|
def stream_arn(self) -> typing.Optional[builtins.str]:
|
|
3720
|
-
'''The ARN of an Amazon Data Firehose stream that's the destination for
|
|
3720
|
+
'''The ARN of an Amazon Data Firehose stream that's the destination for threat protection log export.
|
|
3721
3721
|
|
|
3722
3722
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-firehoseconfiguration.html#cfn-cognito-logdeliveryconfiguration-firehoseconfiguration-streamarn
|
|
3723
3723
|
'''
|
|
@@ -3758,13 +3758,13 @@ class CfnLogDeliveryConfiguration(
|
|
|
3758
3758
|
) -> None:
|
|
3759
3759
|
'''The configuration of user event logs to an external AWS service like Amazon Data Firehose, Amazon S3, or Amazon CloudWatch Logs.
|
|
3760
3760
|
|
|
3761
|
-
This data type is a request parameter of
|
|
3761
|
+
This data type is a request parameter of ``API_SetLogDeliveryConfiguration`` and a response parameter of ``API_GetLogDeliveryConfiguration`` .
|
|
3762
3762
|
|
|
3763
|
-
:param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with
|
|
3763
|
+
:param cloud_watch_logs_configuration: Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with threat protection. This data type is a request parameter of ``API_SetLogDeliveryConfiguration`` and a response parameter of ``API_GetLogDeliveryConfiguration`` .
|
|
3764
3764
|
:param event_source: The source of events that your user pool sends for logging. To send error-level logs about user notification activity, set to ``userNotification`` . To send info-level logs about threat-protection user activity in user pools with the Plus feature plan, set to ``userAuthEvents`` .
|
|
3765
|
-
:param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with
|
|
3765
|
+
:param firehose_configuration: Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
|
|
3766
3766
|
:param log_level: The ``errorlevel`` selection of logs that a user pool sends for detailed activity logging. To send ``userNotification`` activity with `information about message delivery <https://docs.aws.amazon.com/cognito/latest/developerguide/exporting-quotas-and-usage.html>`_ , choose ``ERROR`` with ``CloudWatchLogsConfiguration`` . To send ``userAuthEvents`` activity with user logs from threat protection with the Plus feature plan, choose ``INFO`` with one of ``CloudWatchLogsConfiguration`` , ``FirehoseConfiguration`` , or ``S3Configuration`` .
|
|
3767
|
-
:param s3_configuration: Configuration for the Amazon S3 bucket destination of user activity log export with
|
|
3767
|
+
:param s3_configuration: Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
|
|
3768
3768
|
|
|
3769
3769
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html
|
|
3770
3770
|
:exampleMetadata: fixture=_generated
|
|
@@ -3812,9 +3812,9 @@ class CfnLogDeliveryConfiguration(
|
|
|
3812
3812
|
def cloud_watch_logs_configuration(
|
|
3813
3813
|
self,
|
|
3814
3814
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.CloudWatchLogsConfigurationProperty"]]:
|
|
3815
|
-
'''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with
|
|
3815
|
+
'''Configuration for the CloudWatch log group destination of user pool detailed activity logging, or of user activity log export with threat protection.
|
|
3816
3816
|
|
|
3817
|
-
This data type is a request parameter of
|
|
3817
|
+
This data type is a request parameter of ``API_SetLogDeliveryConfiguration`` and a response parameter of ``API_GetLogDeliveryConfiguration`` .
|
|
3818
3818
|
|
|
3819
3819
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-cloudwatchlogsconfiguration
|
|
3820
3820
|
'''
|
|
@@ -3836,7 +3836,7 @@ class CfnLogDeliveryConfiguration(
|
|
|
3836
3836
|
def firehose_configuration(
|
|
3837
3837
|
self,
|
|
3838
3838
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.FirehoseConfigurationProperty"]]:
|
|
3839
|
-
'''Configuration for the Amazon Data Firehose stream destination of user activity log export with
|
|
3839
|
+
'''Configuration for the Amazon Data Firehose stream destination of user activity log export with threat protection.
|
|
3840
3840
|
|
|
3841
3841
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-firehoseconfiguration
|
|
3842
3842
|
'''
|
|
@@ -3858,7 +3858,7 @@ class CfnLogDeliveryConfiguration(
|
|
|
3858
3858
|
def s3_configuration(
|
|
3859
3859
|
self,
|
|
3860
3860
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnLogDeliveryConfiguration.S3ConfigurationProperty"]]:
|
|
3861
|
-
'''Configuration for the Amazon S3 bucket destination of user activity log export with
|
|
3861
|
+
'''Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
|
|
3862
3862
|
|
|
3863
3863
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-logconfiguration.html#cfn-cognito-logdeliveryconfiguration-logconfiguration-s3configuration
|
|
3864
3864
|
'''
|
|
@@ -3883,9 +3883,9 @@ class CfnLogDeliveryConfiguration(
|
|
|
3883
3883
|
)
|
|
3884
3884
|
class S3ConfigurationProperty:
|
|
3885
3885
|
def __init__(self, *, bucket_arn: typing.Optional[builtins.str] = None) -> None:
|
|
3886
|
-
'''Configuration for the Amazon S3 bucket destination of user activity log export with
|
|
3886
|
+
'''Configuration for the Amazon S3 bucket destination of user activity log export with threat protection.
|
|
3887
3887
|
|
|
3888
|
-
:param bucket_arn: The ARN of an Amazon S3 bucket that's the destination for
|
|
3888
|
+
:param bucket_arn: The ARN of an Amazon S3 bucket that's the destination for threat protection log export.
|
|
3889
3889
|
|
|
3890
3890
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-s3configuration.html
|
|
3891
3891
|
:exampleMetadata: fixture=_generated
|
|
@@ -3909,7 +3909,7 @@ class CfnLogDeliveryConfiguration(
|
|
|
3909
3909
|
|
|
3910
3910
|
@builtins.property
|
|
3911
3911
|
def bucket_arn(self) -> typing.Optional[builtins.str]:
|
|
3912
|
-
'''The ARN of an Amazon S3 bucket that's the destination for
|
|
3912
|
+
'''The ARN of an Amazon S3 bucket that's the destination for threat protection log export.
|
|
3913
3913
|
|
|
3914
3914
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-logdeliveryconfiguration-s3configuration.html#cfn-cognito-logdeliveryconfiguration-s3configuration-bucketarn
|
|
3915
3915
|
'''
|
|
@@ -4266,7 +4266,7 @@ class CfnManagedLoginBranding(
|
|
|
4266
4266
|
) -> None:
|
|
4267
4267
|
'''An image file from a managed login branding style in a user pool.
|
|
4268
4268
|
|
|
4269
|
-
This data type is a request parameter of
|
|
4269
|
+
This data type is a request parameter of ``API_CreateManagedLoginBranding`` and ``API_UpdateManagedLoginBranding`` , and a response parameter of ``API_DescribeManagedLoginBranding`` .
|
|
4270
4270
|
|
|
4271
4271
|
:param category: The category that the image corresponds to in your managed login configuration. Managed login has asset categories for different types of logos, backgrounds, and icons.
|
|
4272
4272
|
:param color_mode: The display-mode target of the asset: light, dark, or browser-adaptive. For example, Amazon Cognito displays a dark-mode image only when the browser or application is in dark mode, but displays a browser-adaptive file in all contexts.
|
|
@@ -4729,9 +4729,9 @@ class CfnUserPool(
|
|
|
4729
4729
|
:param scope: Scope in which this resource is defined.
|
|
4730
4730
|
:param id: Construct identifier for this resource (unique in its scope).
|
|
4731
4731
|
:param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
|
|
4732
|
-
:param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of
|
|
4733
|
-
:param alias_attributes: Attributes supported as an alias for this user pool.
|
|
4734
|
-
:param auto_verified_attributes: The attributes that you want your user pool to automatically verify.
|
|
4732
|
+
:param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
4733
|
+
:param alias_attributes: Attributes supported as an alias for this user pool. For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
|
|
4734
|
+
:param auto_verified_attributes: The attributes that you want your user pool to automatically verify. For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
|
|
4735
4735
|
:param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
|
|
4736
4736
|
:param device_configuration: The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
|
|
4737
4737
|
:param email_authentication_message:
|
|
@@ -4741,17 +4741,17 @@ class CfnUserPool(
|
|
|
4741
4741
|
:param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
|
|
4742
4742
|
:param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
|
|
4743
4743
|
:param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
|
|
4744
|
-
:param mfa_configuration:
|
|
4745
|
-
:param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of
|
|
4744
|
+
:param mfa_configuration: Displays the state of multi-factor authentication (MFA) as on, off, or optional. When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` . When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
|
|
4745
|
+
:param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
4746
4746
|
:param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
|
|
4747
4747
|
:param sms_authentication_message: The contents of the SMS authentication message.
|
|
4748
|
-
:param sms_configuration: The
|
|
4748
|
+
:param sms_configuration: The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
|
|
4749
4749
|
:param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
|
|
4750
4750
|
:param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
|
|
4751
4751
|
:param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
|
|
4752
4752
|
:param username_configuration: Sets the case sensitivity option for sign-in usernames. When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users. This configuration is immutable after you set it.
|
|
4753
|
-
:param user_pool_add_ons:
|
|
4754
|
-
:param user_pool_name: A
|
|
4753
|
+
:param user_pool_add_ons: Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
|
|
4754
|
+
:param user_pool_name: A friendly name for your user pool.
|
|
4755
4755
|
:param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
|
|
4756
4756
|
:param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
|
|
4757
4757
|
:param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
|
|
@@ -5080,10 +5080,7 @@ class CfnUserPool(
|
|
|
5080
5080
|
@builtins.property
|
|
5081
5081
|
@jsii.member(jsii_name="mfaConfiguration")
|
|
5082
5082
|
def mfa_configuration(self) -> typing.Optional[builtins.str]:
|
|
5083
|
-
'''
|
|
5084
|
-
|
|
5085
|
-
Valid values include:.
|
|
5086
|
-
'''
|
|
5083
|
+
'''Displays the state of multi-factor authentication (MFA) as on, off, or optional.'''
|
|
5087
5084
|
return typing.cast(typing.Optional[builtins.str], jsii.get(self, "mfaConfiguration"))
|
|
5088
5085
|
|
|
5089
5086
|
@mfa_configuration.setter
|
|
@@ -5150,7 +5147,7 @@ class CfnUserPool(
|
|
|
5150
5147
|
def sms_configuration(
|
|
5151
5148
|
self,
|
|
5152
5149
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SmsConfigurationProperty"]]:
|
|
5153
|
-
'''The
|
|
5150
|
+
'''The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service.'''
|
|
5154
5151
|
return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.SmsConfigurationProperty"]], jsii.get(self, "smsConfiguration"))
|
|
5155
5152
|
|
|
5156
5153
|
@sms_configuration.setter
|
|
@@ -5233,7 +5230,7 @@ class CfnUserPool(
|
|
|
5233
5230
|
def user_pool_add_ons(
|
|
5234
5231
|
self,
|
|
5235
5232
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UserPoolAddOnsProperty"]]:
|
|
5236
|
-
'''
|
|
5233
|
+
'''Contains settings for activation of threat protection, including the operating mode and additional authentication types.'''
|
|
5237
5234
|
return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.UserPoolAddOnsProperty"]], jsii.get(self, "userPoolAddOns"))
|
|
5238
5235
|
|
|
5239
5236
|
@user_pool_add_ons.setter
|
|
@@ -5249,7 +5246,7 @@ class CfnUserPool(
|
|
|
5249
5246
|
@builtins.property
|
|
5250
5247
|
@jsii.member(jsii_name="userPoolName")
|
|
5251
5248
|
def user_pool_name(self) -> typing.Optional[builtins.str]:
|
|
5252
|
-
'''A
|
|
5249
|
+
'''A friendly name for your user pool.'''
|
|
5253
5250
|
return typing.cast(typing.Optional[builtins.str], jsii.get(self, "userPoolName"))
|
|
5254
5251
|
|
|
5255
5252
|
@user_pool_name.setter
|
|
@@ -5414,11 +5411,11 @@ class CfnUserPool(
|
|
|
5414
5411
|
|
|
5415
5412
|
Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
|
|
5416
5413
|
|
|
5417
|
-
This data type is a request and response parameter of
|
|
5414
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
5418
5415
|
|
|
5419
|
-
:param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the
|
|
5416
|
+
:param allow_admin_create_user_only: The setting for allowing self-service sign-up. When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the ``SignUp`` operation.
|
|
5420
5417
|
:param invite_message_template: The template for the welcome message to new users. This template must include the ``{####}`` temporary password placeholder if you are creating users with passwords. If your users don't have passwords, you can omit the placeholder. See also `Customizing User Invitation Messages <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization>`_ .
|
|
5421
|
-
:param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of
|
|
5418
|
+
:param unused_account_validity_days: This parameter is no longer in use. Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of ``API_PasswordPolicyType`` . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` . The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter. The default value for this parameter is 7.
|
|
5422
5419
|
|
|
5423
5420
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
|
|
5424
5421
|
:exampleMetadata: fixture=_generated
|
|
@@ -5458,7 +5455,7 @@ class CfnUserPool(
|
|
|
5458
5455
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
5459
5456
|
'''The setting for allowing self-service sign-up.
|
|
5460
5457
|
|
|
5461
|
-
When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the
|
|
5458
|
+
When ``true`` , only administrators can create new user profiles. When ``false`` , users can register themselves and create a new user profile with the ``SignUp`` operation.
|
|
5462
5459
|
|
|
5463
5460
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html#cfn-cognito-userpool-admincreateuserconfig-allowadmincreateuseronly
|
|
5464
5461
|
'''
|
|
@@ -5484,7 +5481,7 @@ class CfnUserPool(
|
|
|
5484
5481
|
def unused_account_validity_days(self) -> typing.Optional[jsii.Number]:
|
|
5485
5482
|
'''This parameter is no longer in use.
|
|
5486
5483
|
|
|
5487
|
-
Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of
|
|
5484
|
+
Configure the duration of temporary passwords with the ``TemporaryPasswordValidityDays`` parameter of ``API_PasswordPolicyType`` . For older user pools that have a ``UnusedAccountValidityDays`` configuration, that value is effective until you set a value for ``TemporaryPasswordValidityDays`` .
|
|
5488
5485
|
|
|
5489
5486
|
The password expiration limit in days for administrator-created users. When this time expires, the user can't sign in with their temporary password. To reset the account after that time limit, you must call ``AdminCreateUser`` again, specifying ``RESEND`` for the ``MessageAction`` parameter.
|
|
5490
5487
|
|
|
@@ -5517,9 +5514,9 @@ class CfnUserPool(
|
|
|
5517
5514
|
*,
|
|
5518
5515
|
custom_auth_mode: typing.Optional[builtins.str] = None,
|
|
5519
5516
|
) -> None:
|
|
5520
|
-
'''
|
|
5517
|
+
'''Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
|
|
5521
5518
|
|
|
5522
|
-
:param custom_auth_mode: The operating mode of
|
|
5519
|
+
:param custom_auth_mode: The operating mode of threat protection in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
|
|
5523
5520
|
|
|
5524
5521
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html
|
|
5525
5522
|
:exampleMetadata: fixture=_generated
|
|
@@ -5543,7 +5540,7 @@ class CfnUserPool(
|
|
|
5543
5540
|
|
|
5544
5541
|
@builtins.property
|
|
5545
5542
|
def custom_auth_mode(self) -> typing.Optional[builtins.str]:
|
|
5546
|
-
'''The operating mode of
|
|
5543
|
+
'''The operating mode of threat protection in custom authentication with `Custom authentication challenge Lambda triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
|
|
5547
5544
|
|
|
5548
5545
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-advancedsecurityadditionalflows.html#cfn-cognito-userpool-advancedsecurityadditionalflows-customauthmode
|
|
5549
5546
|
'''
|
|
@@ -5730,17 +5727,17 @@ class CfnUserPool(
|
|
|
5730
5727
|
) -> None:
|
|
5731
5728
|
'''The device-remembering configuration for a user pool.
|
|
5732
5729
|
|
|
5733
|
-
A
|
|
5730
|
+
A ``API_DescribeUserPool`` request returns a null value for this object when the user pool isn't configured to remember devices. When device remembering is active, you can remember a user's device with a ``API_ConfirmDevice`` API request. Additionally. when the property ``DeviceOnlyRememberedOnUserPrompt`` is ``true`` , you must follow ``ConfirmDevice`` with an ``API_UpdateDeviceStatus`` API request that sets the user's device to ``remembered`` or ``not_remembered`` .
|
|
5734
5731
|
|
|
5735
|
-
To sign in with a remembered device, include ``DEVICE_KEY`` in the authentication parameters in your user's
|
|
5732
|
+
To sign in with a remembered device, include ``DEVICE_KEY`` in the authentication parameters in your user's ``API_InitiateAuth`` request. If your app doesn't include a ``DEVICE_KEY`` parameter, the ``API_InitiateAuth`` from Amazon Cognito includes newly-generated ``DEVICE_KEY`` and ``DEVICE_GROUP_KEY`` values under ``NewDeviceMetadata`` . Store these values to use in future device-authentication requests.
|
|
5736
5733
|
.. epigraph::
|
|
5737
5734
|
|
|
5738
5735
|
When you provide a value for any property of ``DeviceConfiguration`` , you activate the device remembering for the user pool.
|
|
5739
5736
|
|
|
5740
|
-
This data type is a request and response parameter of
|
|
5737
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
5741
5738
|
|
|
5742
5739
|
:param challenge_required_on_new_device: When true, a remembered device can sign in with device authentication instead of SMS and time-based one-time password (TOTP) factors for multi-factor authentication (MFA). .. epigraph:: Whether or not ``ChallengeRequiredOnNewDevice`` is true, users who sign in with devices that have not been confirmed or remembered must still provide a second factor in a user pool that requires MFA.
|
|
5743
|
-
:param device_only_remembered_on_user_prompt: When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a
|
|
5740
|
+
:param device_only_remembered_on_user_prompt: When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a ``ConfirmDevice`` API request. In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an ``UpdateDeviceStatus`` API request. When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
|
|
5744
5741
|
|
|
5745
5742
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-deviceconfiguration.html
|
|
5746
5743
|
:exampleMetadata: fixture=_generated
|
|
@@ -5785,7 +5782,9 @@ class CfnUserPool(
|
|
|
5785
5782
|
def device_only_remembered_on_user_prompt(
|
|
5786
5783
|
self,
|
|
5787
5784
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
5788
|
-
'''When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a
|
|
5785
|
+
'''When true, Amazon Cognito doesn't automatically remember a user's device when your app sends a ``ConfirmDevice`` API request.
|
|
5786
|
+
|
|
5787
|
+
In your app, create a prompt for your user to choose whether they want to remember their device. Return the user's choice in an ``UpdateDeviceStatus`` API request.
|
|
5789
5788
|
|
|
5790
5789
|
When ``DeviceOnlyRememberedOnUserPrompt`` is ``false`` , Amazon Cognito immediately remembers devices that you register in a ``ConfirmDevice`` API request.
|
|
5791
5790
|
|
|
@@ -6096,7 +6095,7 @@ class CfnUserPool(
|
|
|
6096
6095
|
|
|
6097
6096
|
Amazon Cognito invokes triggers at several possible stages of user pool operations. Triggers can modify the outcome of the operations that invoked them.
|
|
6098
6097
|
|
|
6099
|
-
This data type is a request and response parameter of
|
|
6098
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6100
6099
|
|
|
6101
6100
|
:param create_auth_challenge: The configuration of a create auth challenge Lambda trigger, one of three triggers in the sequence of the `custom authentication challenge triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html>`_ .
|
|
6102
6101
|
:param custom_email_sender: The configuration of a custom email sender Lambda trigger. This trigger routes all email notifications from a user pool to a Lambda function that delivers the message using custom logic.
|
|
@@ -6359,7 +6358,7 @@ class CfnUserPool(
|
|
|
6359
6358
|
) -> None:
|
|
6360
6359
|
'''The minimum and maximum values of an attribute that is of the number type, for example ``custom:age`` .
|
|
6361
6360
|
|
|
6362
|
-
This data type is part of
|
|
6361
|
+
This data type is part of ``API_SchemaAttributeType`` . It defines the length constraints on number-type attributes that you configure in ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and displays the length constraints of all number-type attributes in the response to ``API_DescribeUserPool``
|
|
6363
6362
|
|
|
6364
6363
|
:param max_value: The maximum length of a number attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
|
|
6365
6364
|
:param min_value: The minimum value of an attribute that is of the number data type.
|
|
@@ -6446,10 +6445,10 @@ class CfnUserPool(
|
|
|
6446
6445
|
) -> None:
|
|
6447
6446
|
'''The password policy settings for a user pool, including complexity, history, and length requirements.
|
|
6448
6447
|
|
|
6449
|
-
This data type is a request and response parameter of
|
|
6448
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6450
6449
|
|
|
6451
6450
|
:param minimum_length: The minimum length of the password in the policy that you have set. This value can't be less than 6.
|
|
6452
|
-
:param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in
|
|
6451
|
+
:param password_history_size: The number of previous passwords that you want Amazon Cognito to restrict each user from reusing. Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` . Password history isn't enforced and isn't displayed in ``API_DescribeUserPool`` responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
|
|
6453
6452
|
:param require_lowercase: The requirement in a password policy that users must include at least one lowercase letter in their password.
|
|
6454
6453
|
:param require_numbers: The requirement in a password policy that users must include at least one number in their password.
|
|
6455
6454
|
:param require_symbols: The requirement in a password policy that users must include at least one symbol in their password.
|
|
@@ -6517,7 +6516,7 @@ class CfnUserPool(
|
|
|
6517
6516
|
|
|
6518
6517
|
Users can't set a password that matches any of ``n`` previous passwords, where ``n`` is the value of ``PasswordHistorySize`` .
|
|
6519
6518
|
|
|
6520
|
-
Password history isn't enforced and isn't displayed in
|
|
6519
|
+
Password history isn't enforced and isn't displayed in ``API_DescribeUserPool`` responses when you set this value to ``0`` or don't provide it. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
|
|
6521
6520
|
|
|
6522
6521
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-passwordpolicy.html#cfn-cognito-userpool-passwordpolicy-passwordhistorysize
|
|
6523
6522
|
'''
|
|
@@ -6610,10 +6609,10 @@ class CfnUserPool(
|
|
|
6610
6609
|
) -> None:
|
|
6611
6610
|
'''A list of user pool policies. Contains the policy that sets password-complexity requirements.
|
|
6612
6611
|
|
|
6613
|
-
This data type is a request and response parameter of
|
|
6612
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6614
6613
|
|
|
6615
6614
|
:param password_policy: The password policy settings for a user pool, including complexity, history, and length requirements.
|
|
6616
|
-
:param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. This data type is a request and response parameter of
|
|
6615
|
+
:param sign_in_policy: The policy for allowed types of authentication in a user pool. To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6617
6616
|
|
|
6618
6617
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html
|
|
6619
6618
|
:exampleMetadata: fixture=_generated
|
|
@@ -6668,7 +6667,7 @@ class CfnUserPool(
|
|
|
6668
6667
|
|
|
6669
6668
|
To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
|
|
6670
6669
|
|
|
6671
|
-
This data type is a request and response parameter of
|
|
6670
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6672
6671
|
|
|
6673
6672
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-policies.html#cfn-cognito-userpool-policies-signinpolicy
|
|
6674
6673
|
'''
|
|
@@ -6700,7 +6699,7 @@ class CfnUserPool(
|
|
|
6700
6699
|
) -> None:
|
|
6701
6700
|
'''The properties of a pre token generation Lambda trigger.
|
|
6702
6701
|
|
|
6703
|
-
This data type is a request and response parameter of
|
|
6702
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6704
6703
|
|
|
6705
6704
|
:param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. This parameter and the ``PreTokenGeneration`` property of ``LambdaConfig`` have the same value. For new instances of pre token generation triggers, set ``LambdaArn`` .
|
|
6706
6705
|
:param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
|
|
@@ -6780,7 +6779,7 @@ class CfnUserPool(
|
|
|
6780
6779
|
|
|
6781
6780
|
For example, if ``verified_email`` has a priority of ``1`` and ``verified_phone_number`` has a priority of ``2`` , your user pool sends account-recovery messages to a verified email address but falls back to an SMS message if the user has a verified phone number. The ``admin_only`` option prevents self-service account recovery.
|
|
6782
6781
|
|
|
6783
|
-
This data type is a request and response parameter of
|
|
6782
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6784
6783
|
|
|
6785
6784
|
:param name: The recovery method that this object sets a recovery option for.
|
|
6786
6785
|
:param priority: Your priority preference for using the specified attribute in account recovery. The highest priority is ``1`` .
|
|
@@ -6871,7 +6870,7 @@ class CfnUserPool(
|
|
|
6871
6870
|
|
|
6872
6871
|
Developer-only ``dev:`` attributes are a legacy feature of user pools, and are read-only to all app clients. You can create and update developer-only attributes only with IAM-authenticated API operations. Use app client read/write permissions instead.
|
|
6873
6872
|
|
|
6874
|
-
This data type is a request and response parameter of
|
|
6873
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
6875
6874
|
|
|
6876
6875
|
:param attribute_data_type: The data format of the values for your attribute. When you choose an ``AttributeDataType`` , Amazon Cognito validates the input against the data type. A custom attribute value in your user's ID token is always a string, for example ``"custom:isMember" : "true"`` or ``"custom:YearsAsMember" : "12"`` .
|
|
6877
6876
|
:param developer_only_attribute: .. epigraph:: You should use `WriteAttributes <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UserPoolClientType.html#CognitoUserPools-Type-UserPoolClientType-WriteAttributes>`_ in the user pool client to control how attributes can be mutated for new use cases instead of using ``DeveloperOnlyAttribute`` . Specifies whether the attribute type is developer only. This attribute can only be modified by an administrator. Users won't be able to modify this attribute using their access token. For example, ``DeveloperOnlyAttribute`` can be modified using AdminUpdateUserAttributes but can't be updated using UpdateUserAttributes.
|
|
@@ -7042,7 +7041,7 @@ class CfnUserPool(
|
|
|
7042
7041
|
|
|
7043
7042
|
To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher.
|
|
7044
7043
|
|
|
7045
|
-
This data type is a request and response parameter of
|
|
7044
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
7046
7045
|
|
|
7047
7046
|
:param allowed_first_auth_factors: The sign-in methods that a user pool supports as the first factor. You can permit users to start authentication with a standard username and password, or with other one-time password and hardware factors. Supports values of ``EMAIL_OTP`` , ``SMS_OTP`` , ``WEB_AUTHN`` and ``PASSWORD`` ,
|
|
7048
7047
|
|
|
@@ -7113,7 +7112,7 @@ class CfnUserPool(
|
|
|
7113
7112
|
|
|
7114
7113
|
To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account .
|
|
7115
7114
|
|
|
7116
|
-
This data type is a request parameter of
|
|
7115
|
+
This data type is a request parameter of ``API_CreateUserPool`` , ``API_UpdateUserPool`` , and ``API_SetUserPoolMfaConfig`` , and a response parameter of ``API_CreateUserPool`` , ``API_UpdateUserPool`` , and ``API_GetUserPoolMfaConfig`` .
|
|
7117
7116
|
|
|
7118
7117
|
:param external_id: The external ID provides additional security for your IAM role. You can use an ``ExternalId`` with the IAM role that you use with Amazon SNS to send SMS messages for your user pool. If you provide an ``ExternalId`` , your Amazon Cognito user pool includes it in the request to assume your IAM role. You can configure the role trust policy to require that Amazon Cognito, and any principal, provide the ``ExternalID`` . If you use the Amazon Cognito Management Console to create a role for SMS multi-factor authentication (MFA), Amazon Cognito creates a role with the required permissions and a trust policy that demonstrates use of the ``ExternalId`` . For more information about the ``ExternalId`` of a role, see `How to use an external ID when granting access to your AWS resources to a third party <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ .
|
|
7119
7118
|
:param sns_caller_arn: The Amazon Resource Name (ARN) of the Amazon SNS caller. This is the ARN of the IAM role in your AWS account that Amazon Cognito will use to send SMS messages. SMS messages are subject to a `spending limit <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html>`_ .
|
|
@@ -7209,7 +7208,7 @@ class CfnUserPool(
|
|
|
7209
7208
|
) -> None:
|
|
7210
7209
|
'''The minimum and maximum length values of an attribute that is of the string type, for example ``custom:department`` .
|
|
7211
7210
|
|
|
7212
|
-
This data type is part of
|
|
7211
|
+
This data type is part of ``API_SchemaAttributeType`` . It defines the length constraints on string-type attributes that you configure in ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and displays the length constraints of all string-type attributes in the response to ``API_DescribeUserPool``
|
|
7213
7212
|
|
|
7214
7213
|
:param max_length: The maximum length of a string attribute value. Must be a number less than or equal to ``2^1023`` , represented as a string with a length of 131072 characters or fewer.
|
|
7215
7214
|
:param min_length: The minimum length of a string attribute value.
|
|
@@ -7288,7 +7287,7 @@ class CfnUserPool(
|
|
|
7288
7287
|
a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For
|
|
7289
7288
|
more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
|
|
7290
7289
|
|
|
7291
|
-
:param attributes_require_verification_before_update: Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. You can verify an updated email address or phone number with a
|
|
7290
|
+
:param attributes_require_verification_before_update: Requires that your user verifies their email address, phone number, or both before Amazon Cognito updates the value of that attribute. When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value. You can verify an updated email address or phone number with a ``API_VerifyUserAttribute`` API request. You can also call the ``API_AdminUpdateUserAttributes`` API and set ``email_verified`` or ``phone_number_verified`` to true. When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
|
|
7292
7291
|
|
|
7293
7292
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userattributeupdatesettings.html
|
|
7294
7293
|
:exampleMetadata: fixture=_generated
|
|
@@ -7318,7 +7317,7 @@ class CfnUserPool(
|
|
|
7318
7317
|
|
|
7319
7318
|
When you update a user attribute that has this option activated, Amazon Cognito sends a verification message to the new phone number or email address. Amazon Cognito doesn’t change the value of the attribute until your user responds to the verification message and confirms the new value.
|
|
7320
7319
|
|
|
7321
|
-
You can verify an updated email address or phone number with a
|
|
7320
|
+
You can verify an updated email address or phone number with a ``API_VerifyUserAttribute`` API request. You can also call the ``API_AdminUpdateUserAttributes`` API and set ``email_verified`` or ``phone_number_verified`` to true.
|
|
7322
7321
|
|
|
7323
7322
|
When ``AttributesRequireVerificationBeforeUpdate`` is false, your user pool doesn't require that your users verify attribute changes before Amazon Cognito updates them. In a user pool where ``AttributesRequireVerificationBeforeUpdate`` is false, API operations that change attribute values can immediately update a user’s ``email`` or ``phone_number`` attribute.
|
|
7324
7323
|
|
|
@@ -7354,16 +7353,16 @@ class CfnUserPool(
|
|
|
7354
7353
|
advanced_security_additional_flows: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPool.AdvancedSecurityAdditionalFlowsProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
|
|
7355
7354
|
advanced_security_mode: typing.Optional[builtins.str] = None,
|
|
7356
7355
|
) -> None:
|
|
7357
|
-
'''
|
|
7356
|
+
'''Contains settings for activation of threat protection, including the operating mode and additional authentication types.
|
|
7358
7357
|
|
|
7359
|
-
|
|
7358
|
+
To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` .
|
|
7360
7359
|
|
|
7361
7360
|
For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
|
|
7362
7361
|
|
|
7363
|
-
This data type is a request and response parameter of
|
|
7362
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
7364
7363
|
|
|
7365
|
-
:param advanced_security_additional_flows:
|
|
7366
|
-
:param advanced_security_mode: The operating mode of
|
|
7364
|
+
:param advanced_security_additional_flows: Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
|
|
7365
|
+
:param advanced_security_mode: The operating mode of threat protection for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
|
|
7367
7366
|
|
|
7368
7367
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html
|
|
7369
7368
|
:exampleMetadata: fixture=_generated
|
|
@@ -7395,7 +7394,7 @@ class CfnUserPool(
|
|
|
7395
7394
|
def advanced_security_additional_flows(
|
|
7396
7395
|
self,
|
|
7397
7396
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.AdvancedSecurityAdditionalFlowsProperty"]]:
|
|
7398
|
-
'''
|
|
7397
|
+
'''Threat protection configuration options for additional authentication types in your user pool, including custom authentication.
|
|
7399
7398
|
|
|
7400
7399
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecurityadditionalflows
|
|
7401
7400
|
'''
|
|
@@ -7404,7 +7403,7 @@ class CfnUserPool(
|
|
|
7404
7403
|
|
|
7405
7404
|
@builtins.property
|
|
7406
7405
|
def advanced_security_mode(self) -> typing.Optional[builtins.str]:
|
|
7407
|
-
'''The operating mode of
|
|
7406
|
+
'''The operating mode of threat protection for standard authentication types in your user pool, including username-password and secure remote password (SRP) authentication.
|
|
7408
7407
|
|
|
7409
7408
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-userpooladdons.html#cfn-cognito-userpool-userpooladdons-advancedsecuritymode
|
|
7410
7409
|
'''
|
|
@@ -7437,7 +7436,7 @@ class CfnUserPool(
|
|
|
7437
7436
|
|
|
7438
7437
|
When case sensitivity is set to ``False`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user.
|
|
7439
7438
|
|
|
7440
|
-
This configuration is immutable after you set it. For more information, see
|
|
7439
|
+
This configuration is immutable after you set it. For more information, see ``API_UsernameConfigurationType`` .
|
|
7441
7440
|
|
|
7442
7441
|
:param case_sensitive: Specifies whether user name case sensitivity will be applied for all users in the user pool through Amazon Cognito APIs. For most use cases, set case sensitivity to ``False`` (case insensitive) as a best practice. When usernames and email addresses are case insensitive, users can sign in as the same user when they enter a different capitalization of their user name. Valid values include: - **true** - Enables case sensitivity for all username input. When this option is set to ``true`` , users must sign in using the exact capitalization of their given username, such as “UserName”. This is the default value. - **false** - Enables case insensitivity for all username input. For example, when this option is set to ``false`` , users can sign in using ``username`` , ``USERNAME`` , or ``UserName`` . This option also enables both ``preferred_username`` and ``email`` alias to be case insensitive, in addition to the ``username`` attribute.
|
|
7443
7442
|
|
|
@@ -7515,7 +7514,7 @@ class CfnUserPool(
|
|
|
7515
7514
|
) -> None:
|
|
7516
7515
|
'''The template for the verification message that your user pool delivers to users who set an email address or phone number attribute.
|
|
7517
7516
|
|
|
7518
|
-
This data type is a request and response parameter of
|
|
7517
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
7519
7518
|
|
|
7520
7519
|
:param default_email_option: The configuration of verification emails to contain a clickable link or a verification code. For link, your template body must contain link text in the format ``{##Click here##}`` . "Click here" in the example is a customizable string. For code, your template body must contain a code placeholder in the format ``{####}`` .
|
|
7521
7520
|
:param email_message: The template for email messages that Amazon Cognito sends to your users. You can set an ``EmailMessage`` template only if the value of `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` . When your `EmailSendingAccount <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_EmailConfigurationType.html#CognitoUserPools-Type-EmailConfigurationType-EmailSendingAccount>`_ is ``DEVELOPER`` , your user pool sends email messages with your own Amazon SES configuration.
|
|
@@ -7750,26 +7749,26 @@ class CfnUserPoolClient(
|
|
|
7750
7749
|
:param id: Construct identifier for this resource (unique in its scope).
|
|
7751
7750
|
:param user_pool_id: The ID of the user pool where you want to create an app client.
|
|
7752
7751
|
:param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
|
|
7753
|
-
:param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token
|
|
7754
|
-
:param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your
|
|
7755
|
-
:param allowed_o_auth_scopes: The OAuth
|
|
7752
|
+
:param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate for clients in managed login authentication. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token, and the ID token when scopes like ``openid`` and ``profile`` are requested, directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
|
|
7753
|
+
:param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 authorization server features in your app client. This parameter must have a value of ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use authorization server features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` . When ``false`` , only SDK-based API sign-in is permitted.
|
|
7754
|
+
:param allowed_o_auth_scopes: The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
|
|
7756
7755
|
:param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
|
|
7757
7756
|
:param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
|
|
7758
|
-
:param callback_ur_ls: A list of allowed redirect
|
|
7757
|
+
:param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
|
|
7759
7758
|
:param client_name: A friendly name for the app client that you want to create.
|
|
7760
7759
|
:param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
|
|
7761
|
-
:param enable_propagate_additional_user_context_data:
|
|
7762
|
-
:param enable_token_revocation: Activates or deactivates token revocation
|
|
7763
|
-
:param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your
|
|
7764
|
-
:param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
|
|
7760
|
+
:param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
|
|
7761
|
+
:param enable_token_revocation: Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client. Revoke tokens with ``API_RevokeToken`` . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
|
|
7762
|
+
:param explicit_auth_flows: The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . The values for authentication flow options include the following. - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. 
In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
|
|
7763
|
+
:param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
|
|
7765
7764
|
:param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
|
|
7766
|
-
:param logout_ur_ls: A list of allowed logout URLs for managed login authentication. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
|
|
7765
|
+
:param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
|
|
7767
7766
|
:param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
|
|
7768
|
-
:param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a
|
|
7767
|
+
:param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a ``API_GetUser`` API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
|
|
7769
7768
|
:param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
|
|
7770
|
-
:param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This
|
|
7769
|
+
:param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
|
|
7771
7770
|
:param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
|
|
7772
|
-
:param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an
|
|
7771
|
+
:param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an ``API_UpdateUserAttributes`` API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
|
|
7773
7772
|
'''
|
|
7774
7773
|
if __debug__:
|
|
7775
7774
|
type_hints = typing.get_type_hints(_typecheckingstub__87712ca9ae8faf9f73a6c5d11987fcf280543ea093bcc4253c800c0151725828)
|
|
@@ -7891,7 +7890,7 @@ class CfnUserPoolClient(
|
|
|
7891
7890
|
@builtins.property
|
|
7892
7891
|
@jsii.member(jsii_name="allowedOAuthFlows")
|
|
7893
7892
|
def allowed_o_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
7894
|
-
'''The OAuth grant types that you want your app client to generate.'''
|
|
7893
|
+
'''The OAuth grant types that you want your app client to generate for clients in managed login authentication.'''
|
|
7895
7894
|
return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "allowedOAuthFlows"))
|
|
7896
7895
|
|
|
7897
7896
|
@allowed_o_auth_flows.setter
|
|
@@ -7909,7 +7908,7 @@ class CfnUserPoolClient(
|
|
|
7909
7908
|
def allowed_o_auth_flows_user_pool_client(
|
|
7910
7909
|
self,
|
|
7911
7910
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
7912
|
-
'''Set to ``true`` to use OAuth 2.0 features in your
|
|
7911
|
+
'''Set to ``true`` to use OAuth 2.0 authorization server features in your app client.'''
|
|
7913
7912
|
return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "allowedOAuthFlowsUserPoolClient"))
|
|
7914
7913
|
|
|
7915
7914
|
@allowed_o_auth_flows_user_pool_client.setter
|
|
@@ -7925,7 +7924,7 @@ class CfnUserPoolClient(
|
|
|
7925
7924
|
@builtins.property
|
|
7926
7925
|
@jsii.member(jsii_name="allowedOAuthScopes")
|
|
7927
7926
|
def allowed_o_auth_scopes(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
7928
|
-
'''The OAuth
|
|
7927
|
+
'''The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with.'''
|
|
7929
7928
|
return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "allowedOAuthScopes"))
|
|
7930
7929
|
|
|
7931
7930
|
@allowed_o_auth_scopes.setter
|
|
@@ -7972,7 +7971,7 @@ class CfnUserPoolClient(
|
|
|
7972
7971
|
@builtins.property
|
|
7973
7972
|
@jsii.member(jsii_name="callbackUrLs")
|
|
7974
7973
|
def callback_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
7975
|
-
'''A list of allowed redirect
|
|
7974
|
+
'''A list of allowed redirect, or callback, URLs for managed login authentication.'''
|
|
7976
7975
|
return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "callbackUrLs"))
|
|
7977
7976
|
|
|
7978
7977
|
@callback_ur_ls.setter
|
|
@@ -8013,7 +8012,7 @@ class CfnUserPoolClient(
|
|
|
8013
8012
|
def enable_propagate_additional_user_context_data(
|
|
8014
8013
|
self,
|
|
8015
8014
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
8016
|
-
'''
|
|
8015
|
+
'''When ``true`` , your application can include additional ``UserContextData`` in authentication requests.'''
|
|
8017
8016
|
return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enablePropagateAdditionalUserContextData"))
|
|
8018
8017
|
|
|
8019
8018
|
@enable_propagate_additional_user_context_data.setter
|
|
@@ -8031,10 +8030,7 @@ class CfnUserPoolClient(
|
|
|
8031
8030
|
def enable_token_revocation(
|
|
8032
8031
|
self,
|
|
8033
8032
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
8034
|
-
'''Activates or deactivates token revocation.
|
|
8035
|
-
|
|
8036
|
-
For more information about revoking tokens, see `RevokeToken <https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html>`_ .
|
|
8037
|
-
'''
|
|
8033
|
+
'''Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client.'''
|
|
8038
8034
|
return typing.cast(typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]], jsii.get(self, "enableTokenRevocation"))
|
|
8039
8035
|
|
|
8040
8036
|
@enable_token_revocation.setter
|
|
@@ -8050,7 +8046,7 @@ class CfnUserPoolClient(
|
|
|
8050
8046
|
@builtins.property
|
|
8051
8047
|
@jsii.member(jsii_name="explicitAuthFlows")
|
|
8052
8048
|
def explicit_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8053
|
-
'''The authentication flows that you want your user pool client to support.'''
|
|
8049
|
+
'''The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.'''
|
|
8054
8050
|
return typing.cast(typing.Optional[typing.List[builtins.str]], jsii.get(self, "explicitAuthFlows"))
|
|
8055
8051
|
|
|
8056
8052
|
@explicit_auth_flows.setter
|
|
@@ -8231,7 +8227,7 @@ class CfnUserPoolClient(
|
|
|
8231
8227
|
|
|
8232
8228
|
Amazon Pinpoint isn't available in all AWS Regions. For a list of available Regions, see `Amazon Cognito and Amazon Pinpoint Region availability <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html#cognito-user-pools-find-region-mappings>`_ .
|
|
8233
8229
|
|
|
8234
|
-
This data type is a request parameter of
|
|
8230
|
+
This data type is a request parameter of ``API_CreateUserPoolClient`` and ``API_UpdateUserPoolClient`` , and a response parameter of ``API_DescribeUserPoolClient`` .
|
|
8235
8231
|
|
|
8236
8232
|
:param application_arn: The Amazon Resource Name (ARN) of an Amazon Pinpoint project that you want to connect to your user pool app client. Amazon Cognito publishes events to the Amazon Pinpoint project that ``ApplicationArn`` declares. You can also configure your application to pass an endpoint ID in the ``AnalyticsMetadata`` parameter of sign-in operations. The endpoint ID is information about the destination for push notifications
|
|
8237
8233
|
:param application_id: Your Amazon Pinpoint project ID.
|
|
@@ -8352,9 +8348,9 @@ class CfnUserPoolClient(
|
|
|
8352
8348
|
id_token: typing.Optional[builtins.str] = None,
|
|
8353
8349
|
refresh_token: typing.Optional[builtins.str] = None,
|
|
8354
8350
|
) -> None:
|
|
8355
|
-
'''The
|
|
8351
|
+
'''The units that validity times are represented in.
|
|
8356
8352
|
|
|
8357
|
-
The default unit for
|
|
8353
|
+
The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
|
|
8358
8354
|
|
|
8359
8355
|
:param access_token: A time unit for the value that you set in the ``AccessTokenValidity`` parameter. The default ``AccessTokenValidity`` time unit is ``hours`` . ``AccessTokenValidity`` duration can range from five minutes to one day.
|
|
8360
8356
|
:param id_token: A time unit for the value that you set in the ``IdTokenValidity`` parameter. The default ``IdTokenValidity`` time unit is ``hours`` . ``IdTokenValidity`` duration can range from five minutes to one day.
|
|
@@ -8492,26 +8488,26 @@ class CfnUserPoolClientProps:
|
|
|
8492
8488
|
|
|
8493
8489
|
:param user_pool_id: The ID of the user pool where you want to create an app client.
|
|
8494
8490
|
:param access_token_validity: The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for ``AccessTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``AccessTokenValidity`` to ``10`` and ``TokenValidityUnits`` to ``hours`` , your user can authorize access with their access token for 10 hours. The default time unit for ``AccessTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
|
|
8495
|
-
:param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token
|
|
8496
|
-
:param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 features in your
|
|
8497
|
-
:param allowed_o_auth_scopes: The OAuth
|
|
8491
|
+
:param allowed_o_auth_flows: The OAuth grant types that you want your app client to generate for clients in managed login authentication. To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow. - **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint. - **implicit** - Issue the access token, and the ID token when scopes like ``openid`` and ``profile`` are requested, directly to your user. - **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
|
|
8492
|
+
:param allowed_o_auth_flows_user_pool_client: Set to ``true`` to use OAuth 2.0 authorization server features in your app client. This parameter must have a value of ``true`` before you can configure the following features in your app client. - ``CallBackURLs`` : Callback URLs. - ``LogoutURLs`` : Sign-out redirect URLs. - ``AllowedOAuthScopes`` : OAuth 2.0 scopes. - ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants. To use authorization server features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` . When ``false`` , only SDK-based API sign-in is permitted.
|
|
8493
|
+
:param allowed_o_auth_scopes: The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with. Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
|
|
8498
8494
|
:param analytics_configuration: The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign. In AWS Regions where Amazon Pinpoint isn't available, user pools might not have access to analytics or might be configurable with campaigns in the US East (N. Virginia) Region. For more information, see `Using Amazon Pinpoint analytics <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html>`_ .
|
|
8499
8495
|
:param auth_session_validity: Amazon Cognito creates a session token for each API request in an authentication flow. ``AuthSessionValidity`` is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
|
|
8500
|
-
:param callback_ur_ls: A list of allowed redirect
|
|
8496
|
+
:param callback_ur_ls: A list of allowed redirect, or callback, URLs for managed login authentication. These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes. A redirect URI must meet the following requirements: - Be an absolute URI. - Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter. - Not include a fragment component. See `OAuth 2.0 - Redirection Endpoint <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6749#section-3.1.2>`_ . Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only. App callback URLs such as myapp://example are also supported.
|
|
8501
8497
|
:param client_name: A friendly name for the app client that you want to create.
|
|
8502
8498
|
:param default_redirect_uri: The default redirect URI. In app clients with one assigned IdP, replaces ``redirect_uri`` in authentication requests. Must be in the ``CallbackURLs`` list.
|
|
8503
|
-
:param enable_propagate_additional_user_context_data:
|
|
8504
|
-
:param enable_token_revocation: Activates or deactivates token revocation
|
|
8505
|
-
:param explicit_auth_flows: The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your
|
|
8506
|
-
:param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
|
|
8499
|
+
:param enable_propagate_additional_user_context_data: When ``true`` , your application can include additional ``UserContextData`` in authentication requests. This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
|
|
8500
|
+
:param enable_token_revocation: Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client. Revoke tokens with ``API_RevokeToken`` . If you don't include this parameter, token revocation is automatically activated for the new user pool client.
|
|
8501
|
+
:param explicit_auth_flows: The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions. .. epigraph:: If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` . The values for authentication flow options include the following. - ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` . To activate this setting, your user pool must be in the `Essentials tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html>`_ or higher. - ``ALLOW_ADMIN_USER_PASSWORD_AUTH`` : Enable admin based user password authentication flow ``ADMIN_USER_PASSWORD_AUTH`` . This setting replaces the ``ADMIN_NO_SRP_AUTH`` setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. - ``ALLOW_CUSTOM_AUTH`` : Enable Lambda trigger based authentication. - ``ALLOW_USER_PASSWORD_AUTH`` : Enable user password-based authentication. 
In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. - ``ALLOW_USER_SRP_AUTH`` : Enable SRP-based authentication. - ``ALLOW_REFRESH_TOKEN_AUTH`` : Enable authflow to refresh tokens. In some environments, you will see the values ``ADMIN_NO_SRP_AUTH`` , ``CUSTOM_AUTH_FLOW_ONLY`` , or ``USER_PASSWORD_AUTH`` . You can't assign these legacy ``ExplicitAuthFlows`` values to user pool clients at the same time as values that begin with ``ALLOW_`` , like ``ALLOW_USER_SRP_AUTH`` .
|
|
8502
|
+
:param generate_secret: When ``true`` , generates a client secret for the app client. Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
|
|
8507
8503
|
:param id_token_validity: The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for ``IdTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``IdTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``hours`` , your user can authenticate their session with their ID token for 10 hours. The default time unit for ``IdTokenValidity`` in an API request is hours. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
|
|
8508
|
-
:param logout_ur_ls: A list of allowed logout URLs for managed login authentication. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
|
|
8504
|
+
:param logout_ur_ls: A list of allowed logout URLs for managed login authentication. When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
|
|
8509
8505
|
:param prevent_user_existence_errors: Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to ``ENABLED`` and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to ``LEGACY`` , those APIs return a ``UserNotFoundException`` exception if the user doesn't exist in the user pool. Valid values include: - ``ENABLED`` - This prevents user existence-related errors. - ``LEGACY`` - This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented. Defaults to ``LEGACY`` when you don't provide a value.
|
|
8510
|
-
:param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a
|
|
8506
|
+
:param read_attributes: The list of user attributes that you want your app client to have read access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a ``API_GetUser`` API request to retrieve and display your user's profile data. When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
|
|
8511
8507
|
:param refresh_token_validity: The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for ``RefreshTokenValidity`` as ``seconds`` , ``minutes`` , ``hours`` , or ``days`` , set a ``TokenValidityUnits`` value in your API request. For example, when you set ``RefreshTokenValidity`` as ``10`` and ``TokenValidityUnits`` as ``days`` , your user can refresh their session and retrieve new access and ID tokens for 10 days. The default time unit for ``RefreshTokenValidity`` in an API request is days. You can't set ``RefreshTokenValidity`` to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. *Valid range* is displayed below in seconds. If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
|
|
8512
|
-
:param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This
|
|
8508
|
+
:param supported_identity_providers: A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` . This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
|
|
8513
8509
|
:param token_validity_units: The units that validity times are represented in. The default unit for refresh tokens is days, and the default for ID and access tokens are hours.
|
|
8514
|
-
:param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an
|
|
8510
|
+
:param write_attributes: The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an ``API_UpdateUserAttributes`` API request and sets ``family_name`` to the new value. When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes. If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see `Specifying IdP Attribute Mappings for Your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-specifying-attribute-mapping.html>`_ .
|
|
8515
8511
|
|
|
8516
8512
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html
|
|
8517
8513
|
:exampleMetadata: fixture=_generated
|
|
@@ -8660,13 +8656,13 @@ class CfnUserPoolClientProps:
|
|
|
8660
8656
|
|
|
8661
8657
|
@builtins.property
|
|
8662
8658
|
def allowed_o_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8663
|
-
'''The OAuth grant types that you want your app client to generate.
|
|
8659
|
+
'''The OAuth grant types that you want your app client to generate for clients in managed login authentication.
|
|
8664
8660
|
|
|
8665
8661
|
To create an app client that generates client credentials grants, you must add ``client_credentials`` as the only allowed OAuth flow.
|
|
8666
8662
|
|
|
8667
8663
|
- **code** - Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the ``/oauth2/token`` endpoint.
|
|
8668
|
-
- **implicit** - Issue the access token
|
|
8669
|
-
- **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user
|
|
8664
|
+
- **implicit** - Issue the access token, and the ID token when scopes like ``openid`` and ``profile`` are requested, directly to your user.
|
|
8665
|
+
- **client_credentials** - Issue the access token from the ``/oauth2/token`` endpoint directly to a non-person user, authorized by a combination of the client ID and client secret.
|
|
8670
8666
|
|
|
8671
8667
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflows
|
|
8672
8668
|
'''
|
|
@@ -8677,16 +8673,16 @@ class CfnUserPoolClientProps:
|
|
|
8677
8673
|
def allowed_o_auth_flows_user_pool_client(
|
|
8678
8674
|
self,
|
|
8679
8675
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
8680
|
-
'''Set to ``true`` to use OAuth 2.0 features in your
|
|
8676
|
+
'''Set to ``true`` to use OAuth 2.0 authorization server features in your app client.
|
|
8681
8677
|
|
|
8682
|
-
|
|
8678
|
+
This parameter must have a value of ``true`` before you can configure the following features in your app client.
|
|
8683
8679
|
|
|
8684
8680
|
- ``CallBackURLs`` : Callback URLs.
|
|
8685
8681
|
- ``LogoutURLs`` : Sign-out redirect URLs.
|
|
8686
8682
|
- ``AllowedOAuthScopes`` : OAuth 2.0 scopes.
|
|
8687
8683
|
- ``AllowedOAuthFlows`` : Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
|
|
8688
8684
|
|
|
8689
|
-
To use
|
|
8685
|
+
To use authorization server features, configure one of these features in the Amazon Cognito console or set ``AllowedOAuthFlowsUserPoolClient`` to ``true`` in a ``CreateUserPoolClient`` or ``UpdateUserPoolClient`` API request. If you don't set a value for ``AllowedOAuthFlowsUserPoolClient`` in a request with the AWS CLI or SDKs, it defaults to ``false`` . When ``false`` , only SDK-based API sign-in is permitted.
|
|
8690
8686
|
|
|
8691
8687
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflowsuserpoolclient
|
|
8692
8688
|
'''
|
|
@@ -8695,7 +8691,9 @@ class CfnUserPoolClientProps:
|
|
|
8695
8691
|
|
|
8696
8692
|
@builtins.property
|
|
8697
8693
|
def allowed_o_auth_scopes(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8698
|
-
'''The OAuth
|
|
8694
|
+
'''The OAuth, OpenID Connect (OIDC), and custom scopes that you want to permit your app client to authorize access with.
|
|
8695
|
+
|
|
8696
|
+
Scopes govern access control to user pool self-service API operations, user data from the ``userInfo`` endpoint, and third-party APIs. Scope values include ``phone`` , ``email`` , ``openid`` , and ``profile`` . The ``aws.cognito.signin.user.admin`` scope authorizes user self-service operations. Custom scopes with resource servers authorize access to external APIs.
|
|
8699
8697
|
|
|
8700
8698
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes
|
|
8701
8699
|
'''
|
|
@@ -8728,9 +8726,11 @@ class CfnUserPoolClientProps:
|
|
|
8728
8726
|
|
|
8729
8727
|
@builtins.property
|
|
8730
8728
|
def callback_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8731
|
-
'''A list of allowed redirect
|
|
8729
|
+
'''A list of allowed redirect, or callback, URLs for managed login authentication.
|
|
8732
8730
|
|
|
8733
|
-
|
|
8731
|
+
These URLs are the paths where you want to send your users' browsers after they complete authentication with managed login or a third-party IdP. Typically, callback URLs are the home of an application that uses OAuth or OIDC libraries to process authentication outcomes.
|
|
8732
|
+
|
|
8733
|
+
A redirect URI must meet the following requirements:
|
|
8734
8734
|
|
|
8735
8735
|
- Be an absolute URI.
|
|
8736
8736
|
- Be registered with the authorization server. Amazon Cognito doesn't accept authorization requests with ``redirect_uri`` values that aren't in the list of ``CallbackURLs`` that you provide in this parameter.
|
|
@@ -8771,9 +8771,9 @@ class CfnUserPoolClientProps:
|
|
|
8771
8771
|
def enable_propagate_additional_user_context_data(
|
|
8772
8772
|
self,
|
|
8773
8773
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
8774
|
-
'''
|
|
8774
|
+
'''When ``true`` , your application can include additional ``UserContextData`` in authentication requests.
|
|
8775
8775
|
|
|
8776
|
-
For more information about propagation of user context data, see `Adding
|
|
8776
|
+
This data includes the IP address, and contributes to analysis by threat protection features. For more information about propagation of user context data, see `Adding session data to API requests <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint>`_ . If you don’t include this parameter, you can't send the source IP address to Amazon Cognito threat protection features. You can only activate ``EnablePropagateAdditionalUserContextData`` in an app client that has a client secret.
|
|
8777
8777
|
|
|
8778
8778
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-enablepropagateadditionalusercontextdata
|
|
8779
8779
|
'''
|
|
@@ -8784,7 +8784,9 @@ class CfnUserPoolClientProps:
|
|
|
8784
8784
|
def enable_token_revocation(
|
|
8785
8785
|
self,
|
|
8786
8786
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
8787
|
-
'''Activates or deactivates token revocation
|
|
8787
|
+
'''Activates or deactivates `token revocation <https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html>`_ in the target app client.
|
|
8788
|
+
|
|
8789
|
+
Revoke tokens with ``API_RevokeToken`` .
|
|
8788
8790
|
|
|
8789
8791
|
If you don't include this parameter, token revocation is automatically activated for the new user pool client.
|
|
8790
8792
|
|
|
@@ -8795,14 +8797,13 @@ class CfnUserPoolClientProps:
|
|
|
8795
8797
|
|
|
8796
8798
|
@builtins.property
|
|
8797
8799
|
def explicit_auth_flows(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8798
|
-
'''The authentication flows that you want your user pool client to support.
|
|
8800
|
+
'''The `authentication flows <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow-methods.html>`_ that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
|
|
8799
8801
|
|
|
8800
|
-
For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
|
|
8801
8802
|
.. epigraph::
|
|
8802
8803
|
|
|
8803
|
-
If you don't specify a value for ``ExplicitAuthFlows`` , your
|
|
8804
|
+
If you don't specify a value for ``ExplicitAuthFlows`` , your app client supports ``ALLOW_REFRESH_TOKEN_AUTH`` , ``ALLOW_USER_SRP_AUTH`` , and ``ALLOW_CUSTOM_AUTH`` .
|
|
8804
8805
|
|
|
8805
|
-
|
|
8806
|
+
The values for authentication flow options include the following.
|
|
8806
8807
|
|
|
8807
8808
|
- ``ALLOW_USER_AUTH`` : Enable selection-based sign-in with ``USER_AUTH`` . This setting covers username-password, secure remote password (SRP), passwordless, and passkey authentication. This authentiation flow can do username-password and SRP authentication without other ``ExplicitAuthFlows`` permitting them. For example users can complete an SRP challenge through ``USER_AUTH`` without the flow ``USER_SRP_AUTH`` being active for the app client. This flow doesn't include ``CUSTOM_AUTH`` .
|
|
8808
8809
|
|
|
@@ -8828,7 +8829,7 @@ class CfnUserPoolClientProps:
|
|
|
8828
8829
|
) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
|
|
8829
8830
|
'''When ``true`` , generates a client secret for the app client.
|
|
8830
8831
|
|
|
8831
|
-
Client secrets are used with server-side and machine-to-machine applications. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
|
|
8832
|
+
Client secrets are used with server-side and machine-to-machine applications. Client secrets are automatically generated; you can't specify a secret value. For more information, see `App client types <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html#user-pool-settings-client-app-client-types>`_ .
|
|
8832
8833
|
|
|
8833
8834
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-generatesecret
|
|
8834
8835
|
'''
|
|
@@ -8857,7 +8858,7 @@ class CfnUserPoolClientProps:
|
|
|
8857
8858
|
def logout_ur_ls(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8858
8859
|
'''A list of allowed logout URLs for managed login authentication.
|
|
8859
8860
|
|
|
8860
|
-
For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
|
|
8861
|
+
When you pass ``logout_uri`` and ``client_id`` parameters to ``/logout`` , Amazon Cognito signs out your user and redirects them to the logout URL. This parameter describes the URLs that you want to be the permitted targets of ``logout_uri`` . A typical use of these URLs is when a user selects "Sign out" and you redirect them to your public homepage. For more information, see `Logout endpoint <https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html>`_ .
|
|
8861
8862
|
|
|
8862
8863
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-logouturls
|
|
8863
8864
|
'''
|
|
@@ -8886,9 +8887,11 @@ class CfnUserPoolClientProps:
|
|
|
8886
8887
|
def read_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8887
8888
|
'''The list of user attributes that you want your app client to have read access to.
|
|
8888
8889
|
|
|
8889
|
-
After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list.
|
|
8890
|
+
After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list.
|
|
8891
|
+
|
|
8892
|
+
An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a ``API_GetUser`` API request to retrieve and display your user's profile data.
|
|
8890
8893
|
|
|
8891
|
-
When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the
|
|
8894
|
+
When you don't specify the ``ReadAttributes`` for your app client, your app can read the values of ``email_verified`` , ``phone_number_verified`` , and the standard attributes of your user pool. When your user pool app client has read access to these default attributes, ``ReadAttributes`` doesn't return any information. Amazon Cognito only populates ``ReadAttributes`` in the API response if you have specified your own custom set of read attributes.
|
|
8892
8895
|
|
|
8893
8896
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-readattributes
|
|
8894
8897
|
'''
|
|
@@ -8922,7 +8925,7 @@ class CfnUserPoolClientProps:
|
|
|
8922
8925
|
|
|
8923
8926
|
The following are supported: ``COGNITO`` , ``Facebook`` , ``Google`` , ``SignInWithApple`` , and ``LoginWithAmazon`` . You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example ``MySAMLIdP`` or ``MyOIDCIdP`` .
|
|
8924
8927
|
|
|
8925
|
-
This
|
|
8928
|
+
This parameter sets the IdPs that `managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ will display on the login page for your app client. The removal of ``COGNITO`` from this list doesn't prevent authentication operations for local users with the user pools API in an AWS SDK. The only way to prevent SDK-based authentication is to block access with a `AWS WAF rule <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-waf.html>`_ .
|
|
8926
8929
|
|
|
8927
8930
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-supportedidentityproviders
|
|
8928
8931
|
'''
|
|
@@ -8946,7 +8949,9 @@ class CfnUserPoolClientProps:
|
|
|
8946
8949
|
def write_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
8947
8950
|
'''The list of user attributes that you want your app client to have write access to.
|
|
8948
8951
|
|
|
8949
|
-
After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.
|
|
8952
|
+
After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list.
|
|
8953
|
+
|
|
8954
|
+
An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an ``API_UpdateUserAttributes`` API request and sets ``family_name`` to the new value.
|
|
8950
8955
|
|
|
8951
8956
|
When you don't specify the ``WriteAttributes`` for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, ``WriteAttributes`` doesn't return any information. Amazon Cognito only populates ``WriteAttributes`` in the API response if you have specified your own custom set of write attributes.
|
|
8952
8957
|
|
|
@@ -9012,9 +9017,9 @@ class CfnUserPoolDomain(
|
|
|
9012
9017
|
'''
|
|
9013
9018
|
:param scope: Scope in which this resource is defined.
|
|
9014
9019
|
:param id: Construct identifier for this resource (unique in its scope).
|
|
9015
|
-
:param domain: The
|
|
9016
|
-
:param user_pool_id: The ID of the user pool that is associated with the
|
|
9017
|
-
:param custom_domain_config: The configuration for a custom domain that hosts
|
|
9020
|
+
:param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
|
|
9021
|
+
:param user_pool_id: The ID of the user pool that is associated with the domain you're updating.
|
|
9022
|
+
:param custom_domain_config: The configuration for a custom domain that hosts managed login for your application. In an ``UpdateUserPoolDomain`` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in ``us-east-1`` . When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a ``API_SetUserPoolMfaConfig`` request.
|
|
9018
9023
|
:param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
|
|
9019
9024
|
'''
|
|
9020
9025
|
if __debug__:
|
|
@@ -9086,7 +9091,7 @@ class CfnUserPoolDomain(
|
|
|
9086
9091
|
@builtins.property
|
|
9087
9092
|
@jsii.member(jsii_name="domain")
|
|
9088
9093
|
def domain(self) -> builtins.str:
|
|
9089
|
-
'''The
|
|
9094
|
+
'''The name of the domain that you want to update.'''
|
|
9090
9095
|
return typing.cast(builtins.str, jsii.get(self, "domain"))
|
|
9091
9096
|
|
|
9092
9097
|
@domain.setter
|
|
@@ -9099,7 +9104,7 @@ class CfnUserPoolDomain(
|
|
|
9099
9104
|
@builtins.property
|
|
9100
9105
|
@jsii.member(jsii_name="userPoolId")
|
|
9101
9106
|
def user_pool_id(self) -> builtins.str:
|
|
9102
|
-
'''The ID of the user pool that is associated with the
|
|
9107
|
+
'''The ID of the user pool that is associated with the domain you're updating.'''
|
|
9103
9108
|
return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
|
|
9104
9109
|
|
|
9105
9110
|
@user_pool_id.setter
|
|
@@ -9114,7 +9119,7 @@ class CfnUserPoolDomain(
|
|
|
9114
9119
|
def custom_domain_config(
|
|
9115
9120
|
self,
|
|
9116
9121
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolDomain.CustomDomainConfigTypeProperty"]]:
|
|
9117
|
-
'''The configuration for a custom domain that hosts
|
|
9122
|
+
'''The configuration for a custom domain that hosts managed login for your application.'''
|
|
9118
9123
|
return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolDomain.CustomDomainConfigTypeProperty"]], jsii.get(self, "customDomainConfig"))
|
|
9119
9124
|
|
|
9120
9125
|
@custom_domain_config.setter
|
|
@@ -9153,7 +9158,7 @@ class CfnUserPoolDomain(
|
|
|
9153
9158
|
) -> None:
|
|
9154
9159
|
'''The configuration for a hosted UI custom domain.
|
|
9155
9160
|
|
|
9156
|
-
This data type is a request parameter of
|
|
9161
|
+
This data type is a request parameter of ``API_CreateUserPoolDomain`` and ``API_UpdateUserPoolDomain`` .
|
|
9157
9162
|
|
|
9158
9163
|
:param certificate_arn: The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL certificate. You use this certificate for the subdomain of your custom domain.
|
|
9159
9164
|
|
|
@@ -9221,9 +9226,9 @@ class CfnUserPoolDomainProps:
|
|
|
9221
9226
|
) -> None:
|
|
9222
9227
|
'''Properties for defining a ``CfnUserPoolDomain``.
|
|
9223
9228
|
|
|
9224
|
-
:param domain: The
|
|
9225
|
-
:param user_pool_id: The ID of the user pool that is associated with the
|
|
9226
|
-
:param custom_domain_config: The configuration for a custom domain that hosts
|
|
9229
|
+
:param domain: The name of the domain that you want to update. For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
|
|
9230
|
+
:param user_pool_id: The ID of the user pool that is associated with the domain you're updating.
|
|
9231
|
+
:param custom_domain_config: The configuration for a custom domain that hosts managed login for your application. In an ``UpdateUserPoolDomain`` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in ``us-east-1`` . When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain. Update the RP ID in a ``API_SetUserPoolMfaConfig`` request.
|
|
9227
9232
|
:param managed_login_version: A version number that indicates the state of managed login for your domain. Version ``1`` is hosted UI (classic). Version ``2`` is the newer managed login with the branding designer. For more information, see `Managed login <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managed-login.html>`_ .
|
|
9228
9233
|
|
|
9229
9234
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html
|
|
@@ -9263,11 +9268,9 @@ class CfnUserPoolDomainProps:
|
|
|
9263
9268
|
|
|
9264
9269
|
@builtins.property
|
|
9265
9270
|
def domain(self) -> builtins.str:
|
|
9266
|
-
'''The
|
|
9271
|
+
'''The name of the domain that you want to update.
|
|
9267
9272
|
|
|
9268
|
-
|
|
9269
|
-
|
|
9270
|
-
This string can include only lowercase letters, numbers, and hyphens. Don't use a hyphen for the first or last character. Use periods to separate subdomain names.
|
|
9273
|
+
For custom domains, this is the fully-qualified domain name, for example ``auth.example.com`` . For prefix domains, this is the prefix alone, such as ``myprefix`` .
|
|
9271
9274
|
|
|
9272
9275
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-domain
|
|
9273
9276
|
'''
|
|
@@ -9277,7 +9280,7 @@ class CfnUserPoolDomainProps:
|
|
|
9277
9280
|
|
|
9278
9281
|
@builtins.property
|
|
9279
9282
|
def user_pool_id(self) -> builtins.str:
|
|
9280
|
-
'''The ID of the user pool that is associated with the
|
|
9283
|
+
'''The ID of the user pool that is associated with the domain you're updating.
|
|
9281
9284
|
|
|
9282
9285
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-userpoolid
|
|
9283
9286
|
'''
|
|
@@ -9289,11 +9292,13 @@ class CfnUserPoolDomainProps:
|
|
|
9289
9292
|
def custom_domain_config(
|
|
9290
9293
|
self,
|
|
9291
9294
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolDomain.CustomDomainConfigTypeProperty]]:
|
|
9292
|
-
'''The configuration for a custom domain that hosts
|
|
9295
|
+
'''The configuration for a custom domain that hosts managed login for your application.
|
|
9296
|
+
|
|
9297
|
+
In an ``UpdateUserPoolDomain`` request, this parameter specifies an SSL certificate for the managed login hosted webserver. The certificate must be an ACM ARN in ``us-east-1`` .
|
|
9293
9298
|
|
|
9294
|
-
|
|
9299
|
+
When you create a custom domain, the passkey RP ID defaults to the custom domain. If you had a prefix domain active, this will cause passkey integration for your prefix domain to stop working due to a mismatch in RP ID. To keep the prefix domain passkey integration working, you can explicitly set RP ID to the prefix domain.
|
|
9295
9300
|
|
|
9296
|
-
|
|
9301
|
+
Update the RP ID in a ``API_SetUserPoolMfaConfig`` request.
|
|
9297
9302
|
|
|
9298
9303
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooldomain.html#cfn-cognito-userpooldomain-customdomainconfig
|
|
9299
9304
|
'''
|
|
@@ -9333,7 +9338,7 @@ class CfnUserPoolGroup(
|
|
|
9333
9338
|
|
|
9334
9339
|
Contains details about the group and the way that it contributes to IAM role decisions with identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials for the role associated with their highest-priority group.
|
|
9335
9340
|
|
|
9336
|
-
This data type is a response parameter of
|
|
9341
|
+
This data type is a response parameter of ``API_AdminListGroupsForUser`` , ``API_CreateGroup`` , ``API_GetGroup`` , ``API_ListGroups`` , and ``API_UpdateGroup`` .
|
|
9337
9342
|
|
|
9338
9343
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolgroup.html
|
|
9339
9344
|
:cloudformationResource: AWS::Cognito::UserPoolGroup
|
|
@@ -10072,9 +10077,9 @@ class CfnUserPoolProps:
|
|
|
10072
10077
|
'''Properties for defining a ``CfnUserPool``.
|
|
10073
10078
|
|
|
10074
10079
|
:param account_recovery_setting: The available verified method a user can use to recover their password when they call ``ForgotPassword`` . You can use this setting to define a preferred method when a user has more than one method available. With this setting, SMS doesn't qualify for a valid password recovery mechanism if the user also has SMS multi-factor authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy behavior to determine the recovery method where SMS is preferred through email.
|
|
10075
|
-
:param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of
|
|
10076
|
-
:param alias_attributes: Attributes supported as an alias for this user pool.
|
|
10077
|
-
:param auto_verified_attributes: The attributes that you want your user pool to automatically verify.
|
|
10080
|
+
:param admin_create_user_config: The settings for administrator creation of users in a user pool. Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
10081
|
+
:param alias_attributes: Attributes supported as an alias for this user pool. For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
|
|
10082
|
+
:param auto_verified_attributes: The attributes that you want your user pool to automatically verify. For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
|
|
10078
10083
|
:param deletion_protection: When active, ``DeletionProtection`` prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
|
|
10079
10084
|
:param device_configuration: The device-remembering configuration for a user pool. Device remembering or device tracking is a "Remember me on this device" option for user pools that perform authentication with the device key of a trusted device in the back end, instead of a user-provided MFA code. For more information about device authentication, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`_ . A null value indicates that you have deactivated device remembering in your user pool. .. epigraph:: When you provide a value for any ``DeviceConfiguration`` field, you activate the Amazon Cognito device-remembering feature. For more infor
|
|
10080
10085
|
:param email_authentication_message:
|
|
@@ -10084,17 +10089,17 @@ class CfnUserPoolProps:
|
|
|
10084
10089
|
:param email_verification_subject: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
|
|
10085
10090
|
:param enabled_mfas: Set enabled MFA options on a specified user pool. To disable all MFAs after it has been enabled, set ``MfaConfiguration`` to ``OFF`` and remove EnabledMfas. MFAs can only be all disabled if ``MfaConfiguration`` is ``OFF`` . After you enable ``SMS_MFA`` , you can only disable it by setting ``MfaConfiguration`` to ``OFF`` . Can be one of the following values: - ``SMS_MFA`` - Enables MFA with SMS for the user pool. To select this option, you must also provide values for ``SmsConfiguration`` . - ``SOFTWARE_TOKEN_MFA`` - Enables software token MFA for the user pool. - ``EMAIL_OTP`` - Enables MFA with email for the user pool. To select this option, you must provide values for ``EmailConfiguration`` and within those, set ``EmailSendingAccount`` to ``DEVELOPER`` . Allowed values: ``SMS_MFA`` | ``SOFTWARE_TOKEN_MFA`` | ``EMAIL_OTP``
|
|
10086
10091
|
:param lambda_config: A collection of user pool Lambda triggers. Amazon Cognito invokes triggers at several possible stages of authentication operations. Triggers can modify the outcome of the operations that invoked them.
|
|
10087
|
-
:param mfa_configuration:
|
|
10088
|
-
:param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of
|
|
10092
|
+
:param mfa_configuration: Displays the state of multi-factor authentication (MFA) as on, off, or optional. When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` . When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
|
|
10093
|
+
:param policies: A list of user pool policies. Contains the policy that sets password-complexity requirements. This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
10089
10094
|
:param schema: An array of attributes for the new user pool. You can add custom attributes and modify the properties of default attributes. The specifications in this parameter set the required attributes in your user pool. For more information, see `Working with user attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html>`_ .
|
|
10090
10095
|
:param sms_authentication_message: The contents of the SMS authentication message.
|
|
10091
|
-
:param sms_configuration: The
|
|
10096
|
+
:param sms_configuration: The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service. To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
|
|
10092
10097
|
:param sms_verification_message: This parameter is no longer used. See `VerificationMessageTemplateType <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-verificationmessagetemplate.html>`_ .
|
|
10093
10098
|
:param user_attribute_update_settings: The settings for updates to user attributes. These settings include the property ``AttributesRequireVerificationBeforeUpdate`` , a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For more information, see `Verifying updates to email addresses and phone numbers <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates>`_ .
|
|
10094
10099
|
:param username_attributes: Specifies whether a user can use an email address or phone number as a username when they sign up.
|
|
10095
10100
|
:param username_configuration: Sets the case sensitivity option for sign-in usernames. When ``CaseSensitive`` is ``false`` (case insensitive), users can sign in with any combination of capital and lowercase letters. For example, ``username`` , ``USERNAME`` , or ``UserName`` , or for email, ``email@example.com`` or ``EMaiL@eXamplE.Com`` . For most use cases, set case sensitivity to ``false`` as a best practice. When usernames and email addresses are case insensitive, Amazon Cognito treats any variation in case as the same user, and prevents a case variation from being assigned to the same attribute for a different user. When ``CaseSensitive`` is ``true`` (case sensitive), Amazon Cognito interprets ``USERNAME`` and ``UserName`` as distinct users. This configuration is immutable after you set it.
|
|
10096
|
-
:param user_pool_add_ons:
|
|
10097
|
-
:param user_pool_name: A
|
|
10101
|
+
:param user_pool_add_ons: Contains settings for activation of threat protection, including the operating mode and additional authentication types. To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` . For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
|
|
10102
|
+
:param user_pool_name: A friendly name for your user pool.
|
|
10098
10103
|
:param user_pool_tags: The tag keys and values to assign to the user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
|
|
10099
10104
|
:param user_pool_tier: The user pool `feature plan <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-sign-in-feature-plans.html>`_ , or tier. This parameter determines the eligibility of the user pool for features like managed login, access-token customization, and threat protection. Defaults to ``ESSENTIALS`` .
|
|
10100
10105
|
:param verification_message_template: The template for the verification message that your user pool delivers to users who set an email address or phone number attribute. Set the email message type that corresponds to your ``DefaultEmailOption`` selection. For ``CONFIRM_WITH_LINK`` , specify an ``EmailMessageByLink`` and leave ``EmailMessage`` blank. For ``CONFIRM_WITH_CODE`` , specify an ``EmailMessage`` and leave ``EmailMessageByLink`` blank. When you supply both parameters with either choice, Amazon Cognito returns an error.
|
|
@@ -10349,7 +10354,7 @@ class CfnUserPoolProps:
|
|
|
10349
10354
|
|
|
10350
10355
|
Contains settings for allowing user sign-up, customizing invitation messages to new users, and the amount of time before temporary passwords expire.
|
|
10351
10356
|
|
|
10352
|
-
This data type is a request and response parameter of
|
|
10357
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
10353
10358
|
|
|
10354
10359
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-admincreateuserconfig
|
|
10355
10360
|
'''
|
|
@@ -10360,7 +10365,7 @@ class CfnUserPoolProps:
|
|
|
10360
10365
|
def alias_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
10361
10366
|
'''Attributes supported as an alias for this user pool.
|
|
10362
10367
|
|
|
10363
|
-
|
|
10368
|
+
For more information about alias attributes, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
|
|
10364
10369
|
|
|
10365
10370
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-aliasattributes
|
|
10366
10371
|
'''
|
|
@@ -10371,7 +10376,7 @@ class CfnUserPoolProps:
|
|
|
10371
10376
|
def auto_verified_attributes(self) -> typing.Optional[typing.List[builtins.str]]:
|
|
10372
10377
|
'''The attributes that you want your user pool to automatically verify.
|
|
10373
10378
|
|
|
10374
|
-
|
|
10379
|
+
For more information, see `Verifying contact information at sign-up <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#allowing-users-to-sign-up-and-confirm-themselves>`_ .
|
|
10375
10380
|
|
|
10376
10381
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-autoverifiedattributes
|
|
10377
10382
|
'''
|
|
@@ -10491,11 +10496,11 @@ class CfnUserPoolProps:
|
|
|
10491
10496
|
|
|
10492
10497
|
@builtins.property
|
|
10493
10498
|
def mfa_configuration(self) -> typing.Optional[builtins.str]:
|
|
10494
|
-
'''
|
|
10499
|
+
'''Displays the state of multi-factor authentication (MFA) as on, off, or optional.
|
|
10495
10500
|
|
|
10496
|
-
|
|
10497
|
-
|
|
10498
|
-
|
|
10501
|
+
When ``ON`` , all users must set up MFA before they can sign in. When ``OPTIONAL`` , your application must make a client-side determination of whether a user wants to register an MFA device. For user pools with adaptive authentication with threat protection, choose ``OPTIONAL`` .
|
|
10502
|
+
|
|
10503
|
+
When ``MfaConfiguration`` is ``OPTIONAL`` , managed login doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in API responses and in managed login for users who have chosen and configured a preferred MFA factor.
|
|
10499
10504
|
|
|
10500
10505
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-mfaconfiguration
|
|
10501
10506
|
'''
|
|
@@ -10508,7 +10513,7 @@ class CfnUserPoolProps:
|
|
|
10508
10513
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.PoliciesProperty]]:
|
|
10509
10514
|
'''A list of user pool policies. Contains the policy that sets password-complexity requirements.
|
|
10510
10515
|
|
|
10511
|
-
This data type is a request and response parameter of
|
|
10516
|
+
This data type is a request and response parameter of ``API_CreateUserPool`` and ``API_UpdateUserPool`` , and a response parameter of ``API_DescribeUserPool`` .
|
|
10512
10517
|
|
|
10513
10518
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-policies
|
|
10514
10519
|
'''
|
|
@@ -10541,7 +10546,7 @@ class CfnUserPoolProps:
|
|
|
10541
10546
|
def sms_configuration(
|
|
10542
10547
|
self,
|
|
10543
10548
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.SmsConfigurationProperty]]:
|
|
10544
|
-
'''The
|
|
10549
|
+
'''The settings for your Amazon Cognito user pool to send SMS messages with Amazon Simple Notification Service.
|
|
10545
10550
|
|
|
10546
10551
|
To send SMS messages with Amazon SNS in the AWS Region that you want, the Amazon Cognito user pool uses an AWS Identity and Access Management (IAM) role in your AWS account . For more information see `SMS message settings <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html>`_ .
|
|
10547
10552
|
|
|
@@ -10606,9 +10611,9 @@ class CfnUserPoolProps:
|
|
|
10606
10611
|
def user_pool_add_ons(
|
|
10607
10612
|
self,
|
|
10608
10613
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPool.UserPoolAddOnsProperty]]:
|
|
10609
|
-
'''
|
|
10614
|
+
'''Contains settings for activation of threat protection, including the operating mode and additional authentication types.
|
|
10610
10615
|
|
|
10611
|
-
|
|
10616
|
+
To log user security information but take no action, set to ``AUDIT`` . To configure automatic security responses to potentially unwanted traffic to your user pool, set to ``ENFORCED`` .
|
|
10612
10617
|
|
|
10613
10618
|
For more information, see `Adding advanced security to a user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html>`_ . To activate this setting, your user pool must be on the `Plus tier <https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-plus.html>`_ .
|
|
10614
10619
|
|
|
@@ -10619,7 +10624,7 @@ class CfnUserPoolProps:
|
|
|
10619
10624
|
|
|
10620
10625
|
@builtins.property
|
|
10621
10626
|
def user_pool_name(self) -> typing.Optional[builtins.str]:
|
|
10622
|
-
'''A
|
|
10627
|
+
'''A friendly name for your user pool.
|
|
10623
10628
|
|
|
10624
10629
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpool.html#cfn-cognito-userpool-userpoolname
|
|
10625
10630
|
'''
|
|
@@ -10869,7 +10874,7 @@ class CfnUserPoolResourceServer(
|
|
|
10869
10874
|
|
|
10870
10875
|
This data type is a member of ``ResourceServerScopeType`` . For more information, see `Scopes, M2M, and API authorization with resource servers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html>`_ .
|
|
10871
10876
|
|
|
10872
|
-
This data type is a request parameter of
|
|
10877
|
+
This data type is a request parameter of ``API_CreateResourceServer`` and a response parameter of ``API_DescribeResourceServer`` .
|
|
10873
10878
|
|
|
10874
10879
|
:param scope_description: A friendly description of a custom scope.
|
|
10875
10880
|
:param scope_name: The name of the scope. Amazon Cognito renders custom scopes in the format ``resourceServerIdentifier/ScopeName`` . For example, if this parameter is ``exampleScope`` in the resource server with the identifier ``exampleResourceServer`` , you request and receive the scope ``exampleResourceServer/exampleScope`` .
|
|
@@ -11153,8 +11158,8 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11153
11158
|
:param id: Construct identifier for this resource (unique in its scope).
|
|
11154
11159
|
:param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
|
|
11155
11160
|
:param user_pool_id: The ID of the user pool that has the risk configuration applied.
|
|
11156
|
-
:param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with
|
|
11157
|
-
:param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with
|
|
11161
|
+
:param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with threat protection.
|
|
11162
|
+
:param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.
|
|
11158
11163
|
:param risk_exception_configuration: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
|
|
11159
11164
|
'''
|
|
11160
11165
|
if __debug__:
|
|
@@ -11237,7 +11242,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11237
11242
|
def account_takeover_risk_configuration(
|
|
11238
11243
|
self,
|
|
11239
11244
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty"]]:
|
|
11240
|
-
'''The settings for automated responses and notification templates for adaptive authentication with
|
|
11245
|
+
'''The settings for automated responses and notification templates for adaptive authentication with threat protection.'''
|
|
11241
11246
|
return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty"]], jsii.get(self, "accountTakeoverRiskConfiguration"))
|
|
11242
11247
|
|
|
11243
11248
|
@account_takeover_risk_configuration.setter
|
|
@@ -11255,7 +11260,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11255
11260
|
def compromised_credentials_risk_configuration(
|
|
11256
11261
|
self,
|
|
11257
11262
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty"]]:
|
|
11258
|
-
'''Settings for compromised-credentials actions and authentication types with
|
|
11263
|
+
'''Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.'''
|
|
11259
11264
|
return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty"]], jsii.get(self, "compromisedCredentialsRiskConfiguration"))
|
|
11260
11265
|
|
|
11261
11266
|
@compromised_credentials_risk_configuration.setter
|
|
@@ -11300,9 +11305,9 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11300
11305
|
) -> None:
|
|
11301
11306
|
'''The automated response to a risk level for adaptive authentication in full-function, or ``ENFORCED`` , mode.
|
|
11302
11307
|
|
|
11303
|
-
You can assign an action to each risk level that
|
|
11308
|
+
You can assign an action to each risk level that threat protection evaluates.
|
|
11304
11309
|
|
|
11305
|
-
This data type is a request parameter of
|
|
11310
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11306
11311
|
|
|
11307
11312
|
:param event_action: The action to take for the attempted account takeover action for the associated risk level. Valid values are as follows: - ``BLOCK`` : Block the request. - ``MFA_IF_CONFIGURED`` : Present an MFA challenge if possible. MFA is possible if the user pool has active MFA methods that the user can set up. For example, if the user pool only supports SMS message MFA but the user doesn't have a phone number attribute, MFA setup isn't possible. If MFA setup isn't possible, allow the request. - ``MFA_REQUIRED`` : Present an MFA challenge if possible. Block the request if a user hasn't set up MFA. To sign in with required MFA, users must have an email address or phone number attribute, or a registered TOTP factor. - ``NO_ACTION`` : Take no action. Permit sign-in.
|
|
11308
11313
|
:param notify: Determines whether Amazon Cognito sends a user a notification message when your user pools assesses a user's session at the associated risk level.
|
|
@@ -11385,13 +11390,13 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11385
11390
|
low_action: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
|
|
11386
11391
|
medium_action: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
|
|
11387
11392
|
) -> None:
|
|
11388
|
-
'''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with
|
|
11393
|
+
'''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection features.
|
|
11389
11394
|
|
|
11390
|
-
This data type is a request parameter of
|
|
11395
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11391
11396
|
|
|
11392
|
-
:param high_action: The action that you assign to a high-risk assessment by
|
|
11393
|
-
:param low_action: The action that you assign to a low-risk assessment by
|
|
11394
|
-
:param medium_action: The action that you assign to a medium-risk assessment by
|
|
11397
|
+
:param high_action: The action that you assign to a high-risk assessment by threat protection.
|
|
11398
|
+
:param low_action: The action that you assign to a low-risk assessment by threat protection.
|
|
11399
|
+
:param medium_action: The action that you assign to a medium-risk assessment by threat protection.
|
|
11395
11400
|
|
|
11396
11401
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html
|
|
11397
11402
|
:exampleMetadata: fixture=_generated
|
|
@@ -11434,7 +11439,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11434
11439
|
def high_action(
|
|
11435
11440
|
self,
|
|
11436
11441
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
|
|
11437
|
-
'''The action that you assign to a high-risk assessment by
|
|
11442
|
+
'''The action that you assign to a high-risk assessment by threat protection.
|
|
11438
11443
|
|
|
11439
11444
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-highaction
|
|
11440
11445
|
'''
|
|
@@ -11445,7 +11450,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11445
11450
|
def low_action(
|
|
11446
11451
|
self,
|
|
11447
11452
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
|
|
11448
|
-
'''The action that you assign to a low-risk assessment by
|
|
11453
|
+
'''The action that you assign to a low-risk assessment by threat protection.
|
|
11449
11454
|
|
|
11450
11455
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-lowaction
|
|
11451
11456
|
'''
|
|
@@ -11456,7 +11461,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11456
11461
|
def medium_action(
|
|
11457
11462
|
self,
|
|
11458
11463
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionTypeProperty"]]:
|
|
11459
|
-
'''The action that you assign to a medium-risk assessment by
|
|
11464
|
+
'''The action that you assign to a medium-risk assessment by threat protection.
|
|
11460
11465
|
|
|
11461
11466
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoveractionstype-mediumaction
|
|
11462
11467
|
'''
|
|
@@ -11489,12 +11494,12 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11489
11494
|
actions: typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty", typing.Dict[builtins.str, typing.Any]]],
|
|
11490
11495
|
notify_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
|
|
11491
11496
|
) -> None:
|
|
11492
|
-
'''The settings for automated responses and notification templates for adaptive authentication with
|
|
11497
|
+
'''The settings for automated responses and notification templates for adaptive authentication with threat protection features.
|
|
11493
11498
|
|
|
11494
|
-
This data type is a request parameter of
|
|
11499
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11495
11500
|
|
|
11496
|
-
:param actions: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with
|
|
11497
|
-
:param notify_configuration: The settings for composing and sending an email message when
|
|
11501
|
+
:param actions: A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection.
|
|
11502
|
+
:param notify_configuration: The settings for composing and sending an email message when threat protection assesses a risk level with adaptive authentication. When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
|
|
11498
11503
|
|
|
11499
11504
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html
|
|
11500
11505
|
:exampleMetadata: fixture=_generated
|
|
@@ -11566,7 +11571,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11566
11571
|
def actions(
|
|
11567
11572
|
self,
|
|
11568
11573
|
) -> typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.AccountTakeoverActionsTypeProperty"]:
|
|
11569
|
-
'''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with
|
|
11574
|
+
'''A list of account-takeover actions for each level of risk that Amazon Cognito might assess with threat protection.
|
|
11570
11575
|
|
|
11571
11576
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfigurationtype-actions
|
|
11572
11577
|
'''
|
|
@@ -11578,7 +11583,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11578
11583
|
def notify_configuration(
|
|
11579
11584
|
self,
|
|
11580
11585
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPoolRiskConfigurationAttachment.NotifyConfigurationTypeProperty"]]:
|
|
11581
|
-
'''The settings for composing and sending an email message when
|
|
11586
|
+
'''The settings for composing and sending an email message when threat protection assesses a risk level with adaptive authentication.
|
|
11582
11587
|
|
|
11583
11588
|
When you choose to notify users in ``AccountTakeoverRiskConfiguration`` , Amazon Cognito sends an email message using the method and template that you set with this data type.
|
|
11584
11589
|
|
|
@@ -11605,9 +11610,9 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11605
11610
|
)
|
|
11606
11611
|
class CompromisedCredentialsActionsTypeProperty:
|
|
11607
11612
|
def __init__(self, *, event_action: builtins.str) -> None:
|
|
11608
|
-
'''Settings for user pool actions when Amazon Cognito detects compromised credentials with
|
|
11613
|
+
'''Settings for user pool actions when Amazon Cognito detects compromised credentials with threat protection in full-function ``ENFORCED`` mode.
|
|
11609
11614
|
|
|
11610
|
-
This data type is a request parameter of
|
|
11615
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11611
11616
|
|
|
11612
11617
|
:param event_action: The action that Amazon Cognito takes when it detects compromised credentials.
|
|
11613
11618
|
|
|
@@ -11664,9 +11669,9 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11664
11669
|
actions: typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsActionsTypeProperty", typing.Dict[builtins.str, typing.Any]]],
|
|
11665
11670
|
event_filter: typing.Optional[typing.Sequence[builtins.str]] = None,
|
|
11666
11671
|
) -> None:
|
|
11667
|
-
'''Settings for compromised-credentials actions and authentication-event sources with
|
|
11672
|
+
'''Settings for compromised-credentials actions and authentication-event sources with threat protection in full-function ``ENFORCED`` mode.
|
|
11668
11673
|
|
|
11669
|
-
This data type is a request parameter of
|
|
11674
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11670
11675
|
|
|
11671
11676
|
:param actions: Settings for the actions that you want your user pool to take when Amazon Cognito detects compromised credentials.
|
|
11672
11677
|
:param event_filter: Settings for the sign-in activity where you want to configure compromised-credentials actions. Defaults to all events.
|
|
@@ -11756,9 +11761,9 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11756
11761
|
no_action_email: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnUserPoolRiskConfigurationAttachment.NotifyEmailTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
|
|
11757
11762
|
reply_to: typing.Optional[builtins.str] = None,
|
|
11758
11763
|
) -> None:
|
|
11759
|
-
'''The configuration for Amazon SES email messages that
|
|
11764
|
+
'''The configuration for Amazon SES email messages that threat protection sends to a user when your adaptive authentication automated response has a *Notify* action.
|
|
11760
11765
|
|
|
11761
|
-
This data type is a request parameter of
|
|
11766
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11762
11767
|
|
|
11763
11768
|
:param source_arn: The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the ``From`` parameter.
|
|
11764
11769
|
:param block_email: The template for the email message that your user pool sends when a detected risk event is blocked.
|
|
@@ -11920,9 +11925,9 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
11920
11925
|
html_body: typing.Optional[builtins.str] = None,
|
|
11921
11926
|
text_body: typing.Optional[builtins.str] = None,
|
|
11922
11927
|
) -> None:
|
|
11923
|
-
'''The template for email messages that
|
|
11928
|
+
'''The template for email messages that threat protection sends to a user when your threat protection automated response has a *Notify* action.
|
|
11924
11929
|
|
|
11925
|
-
This data type is a request parameter of
|
|
11930
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
11926
11931
|
|
|
11927
11932
|
:param subject: The subject of the threat protection email notification.
|
|
11928
11933
|
:param html_body: The body of an email notification formatted in HTML. Choose an ``HtmlBody`` or a ``TextBody`` to send an HTML-formatted or plaintext message, respectively.
|
|
@@ -12018,7 +12023,7 @@ class CfnUserPoolRiskConfigurationAttachment(
|
|
|
12018
12023
|
) -> None:
|
|
12019
12024
|
'''Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
|
|
12020
12025
|
|
|
12021
|
-
This data type is a request parameter of
|
|
12026
|
+
This data type is a request parameter of ``API_SetRiskConfiguration`` and a response parameter of ``API_DescribeRiskConfiguration`` .
|
|
12022
12027
|
|
|
12023
12028
|
:param blocked_ip_range_list: An always-block IP address list. Overrides the risk decision and always blocks authentication requests. This parameter is displayed and set in CIDR notation.
|
|
12024
12029
|
:param skipped_ip_range_list: An always-allow IP address list. Risk detection isn't performed on the IP addresses in this range list. This parameter is displayed and set in CIDR notation.
|
|
@@ -12106,8 +12111,8 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
|
|
|
12106
12111
|
|
|
12107
12112
|
:param client_id: The app client where this configuration is applied. When this parameter isn't present, the risk configuration applies to all user pool app clients that don't have client-level settings.
|
|
12108
12113
|
:param user_pool_id: The ID of the user pool that has the risk configuration applied.
|
|
12109
|
-
:param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with
|
|
12110
|
-
:param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with
|
|
12114
|
+
:param account_takeover_risk_configuration: The settings for automated responses and notification templates for adaptive authentication with threat protection.
|
|
12115
|
+
:param compromised_credentials_risk_configuration: Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.
|
|
12111
12116
|
:param risk_exception_configuration: Exceptions to the risk evaluation configuration, including always-allow and always-block IP address ranges.
|
|
12112
12117
|
|
|
12113
12118
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html
|
|
@@ -12228,7 +12233,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
|
|
|
12228
12233
|
def account_takeover_risk_configuration(
|
|
12229
12234
|
self,
|
|
12230
12235
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.AccountTakeoverRiskConfigurationTypeProperty]]:
|
|
12231
|
-
'''The settings for automated responses and notification templates for adaptive authentication with
|
|
12236
|
+
'''The settings for automated responses and notification templates for adaptive authentication with threat protection.
|
|
12232
12237
|
|
|
12233
12238
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-accounttakeoverriskconfiguration
|
|
12234
12239
|
'''
|
|
@@ -12239,7 +12244,7 @@ class CfnUserPoolRiskConfigurationAttachmentProps:
|
|
|
12239
12244
|
def compromised_credentials_risk_configuration(
|
|
12240
12245
|
self,
|
|
12241
12246
|
) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnUserPoolRiskConfigurationAttachment.CompromisedCredentialsRiskConfigurationTypeProperty]]:
|
|
12242
|
-
'''Settings for compromised-credentials actions and authentication types with
|
|
12247
|
+
'''Settings for compromised-credentials actions and authentication types with threat protection in full-function ``ENFORCED`` mode.
|
|
12243
12248
|
|
|
12244
12249
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolriskconfigurationattachment.html#cfn-cognito-userpoolriskconfigurationattachment-compromisedcredentialsriskconfiguration
|
|
12245
12250
|
'''
|
|
@@ -12277,7 +12282,7 @@ class CfnUserPoolUICustomizationAttachment(
|
|
|
12277
12282
|
):
|
|
12278
12283
|
'''A container for the UI customization information for the hosted UI in a user pool.
|
|
12279
12284
|
|
|
12280
|
-
This data type is a response parameter of
|
|
12285
|
+
This data type is a response parameter of ``API_DescribeUserPoolClient`` .
|
|
12281
12286
|
|
|
12282
12287
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
|
|
12283
12288
|
:cloudformationResource: AWS::Cognito::UserPoolUICustomizationAttachment
|
|
@@ -12311,8 +12316,8 @@ class CfnUserPoolUICustomizationAttachment(
|
|
|
12311
12316
|
:param scope: Scope in which this resource is defined.
|
|
12312
12317
|
:param id: Construct identifier for this resource (unique in its scope).
|
|
12313
12318
|
:param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
|
|
12314
|
-
:param user_pool_id: The ID of the user pool.
|
|
12315
|
-
:param css:
|
|
12319
|
+
:param user_pool_id: The ID of the user pool where you want to apply branding to the classic hosted UI.
|
|
12320
|
+
:param css: A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client. To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages* , edit *Hosted UI (classic) style* , and select the link to ``CSS template.css`` .
|
|
12316
12321
|
'''
|
|
12317
12322
|
if __debug__:
|
|
12318
12323
|
type_hints = typing.get_type_hints(_typecheckingstub__bf3306ea8a9b6f4ebe73eb42059e52138281652a9e2e36e507fd8658eb5da33a)
|
|
@@ -12375,7 +12380,7 @@ class CfnUserPoolUICustomizationAttachment(
|
|
|
12375
12380
|
@builtins.property
|
|
12376
12381
|
@jsii.member(jsii_name="userPoolId")
|
|
12377
12382
|
def user_pool_id(self) -> builtins.str:
|
|
12378
|
-
'''The ID of the user pool.'''
|
|
12383
|
+
'''The ID of the user pool where you want to apply branding to the classic hosted UI.'''
|
|
12379
12384
|
return typing.cast(builtins.str, jsii.get(self, "userPoolId"))
|
|
12380
12385
|
|
|
12381
12386
|
@user_pool_id.setter
|
|
@@ -12388,7 +12393,7 @@ class CfnUserPoolUICustomizationAttachment(
|
|
|
12388
12393
|
@builtins.property
|
|
12389
12394
|
@jsii.member(jsii_name="css")
|
|
12390
12395
|
def css(self) -> typing.Optional[builtins.str]:
|
|
12391
|
-
'''
|
|
12396
|
+
'''A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client.'''
|
|
12392
12397
|
return typing.cast(typing.Optional[builtins.str], jsii.get(self, "css"))
|
|
12393
12398
|
|
|
12394
12399
|
@css.setter
|
|
@@ -12415,8 +12420,8 @@ class CfnUserPoolUICustomizationAttachmentProps:
|
|
|
12415
12420
|
'''Properties for defining a ``CfnUserPoolUICustomizationAttachment``.
|
|
12416
12421
|
|
|
12417
12422
|
:param client_id: The app client ID for your UI customization. When this value isn't present, the customization applies to all user pool app clients that don't have client-level settings..
|
|
12418
|
-
:param user_pool_id: The ID of the user pool.
|
|
12419
|
-
:param css:
|
|
12423
|
+
:param user_pool_id: The ID of the user pool where you want to apply branding to the classic hosted UI.
|
|
12424
|
+
:param css: A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client. To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages* , edit *Hosted UI (classic) style* , and select the link to ``CSS template.css`` .
|
|
12420
12425
|
|
|
12421
12426
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html
|
|
12422
12427
|
:exampleMetadata: fixture=_generated
|
|
@@ -12461,7 +12466,7 @@ class CfnUserPoolUICustomizationAttachmentProps:
|
|
|
12461
12466
|
|
|
12462
12467
|
@builtins.property
|
|
12463
12468
|
def user_pool_id(self) -> builtins.str:
|
|
12464
|
-
'''The ID of the user pool.
|
|
12469
|
+
'''The ID of the user pool where you want to apply branding to the classic hosted UI.
|
|
12465
12470
|
|
|
12466
12471
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-userpoolid
|
|
12467
12472
|
'''
|
|
@@ -12471,7 +12476,9 @@ class CfnUserPoolUICustomizationAttachmentProps:
|
|
|
12471
12476
|
|
|
12472
12477
|
@builtins.property
|
|
12473
12478
|
def css(self) -> typing.Optional[builtins.str]:
|
|
12474
|
-
'''
|
|
12479
|
+
'''A plaintext CSS file that contains the custom fields that you want to apply to your user pool or app client.
|
|
12480
|
+
|
|
12481
|
+
To download a template, go to the Amazon Cognito console. Navigate to your user pool *App clients* tab, select *Login pages* , edit *Hosted UI (classic) style* , and select the link to ``CSS template.css`` .
|
|
12475
12482
|
|
|
12476
12483
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluicustomizationattachment.html#cfn-cognito-userpooluicustomizationattachment-css
|
|
12477
12484
|
'''
|
|
@@ -12552,9 +12559,9 @@ class CfnUserPoolUser(
|
|
|
12552
12559
|
:param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
|
|
12553
12560
|
:param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
|
|
12554
12561
|
:param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
|
|
12555
|
-
:param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your
|
|
12562
|
+
:param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your ``AdminCreateUser`` request, you can set the ``email_verified`` and ``phone_number_verified`` attributes to ``true`` . The following conditions apply: - **email** - The email address where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``email_verified`` to ``true`` , or if you set ``EMAIL`` in the ``DesiredDeliveryMediums`` parameter. - **phone_number** - The phone number where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``phone_number`` to ``true`` , or if you set ``SMS`` in the ``DesiredDeliveryMediums`` parameter. You can also set attributes verified with ``API_AdminUpdateUserAttributes`` .
|
|
12556
12563
|
:param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
|
|
12557
|
-
:param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function
|
|
12564
|
+
:param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
|
|
12558
12565
|
'''
|
|
12559
12566
|
if __debug__:
|
|
12560
12567
|
type_hints = typing.get_type_hints(_typecheckingstub__392de74de1133635a0d4d21dbd0cb3290007171e021625ff9a125983463dd374)
|
|
@@ -12749,7 +12756,7 @@ class CfnUserPoolUser(
|
|
|
12749
12756
|
) -> None:
|
|
12750
12757
|
'''The name and value of a user attribute.
|
|
12751
12758
|
|
|
12752
|
-
This data type is a request parameter of
|
|
12759
|
+
This data type is a request parameter of ``API_AdminUpdateUserAttributes`` and ``API_UpdateUserAttributes`` .
|
|
12753
12760
|
|
|
12754
12761
|
:param name: The name of the attribute.
|
|
12755
12762
|
:param value: The value of the attribute.
|
|
@@ -12842,9 +12849,9 @@ class CfnUserPoolUserProps:
|
|
|
12842
12849
|
:param desired_delivery_mediums: Specify ``EMAIL`` if email will be used to send the welcome message. Specify ``SMS`` if the phone number will be used. The default value is ``SMS`` . You can specify more than one value.
|
|
12843
12850
|
:param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the ``UserAttributes`` parameter already exists as an alias with a different user, this request migrates the alias from the previous user to the newly-created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
|
|
12844
12851
|
:param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists, and to reset the temporary-password duration with a new temporary password. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
|
|
12845
|
-
:param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your
|
|
12852
|
+
:param user_attributes: An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than ``Username`` . However, any attributes that you specify as required (when creating a user pool or in the *Attributes* tab of the console) either you should supply (in your call to ``AdminCreateUser`` ) or the user should supply (when they sign up in response to your welcome message). For custom attributes, you must prepend the ``custom:`` prefix to the attribute name. To send a message inviting the user to sign up, you must specify the user's email address or phone number. You can do this in your call to AdminCreateUser or in the *Users* tab of the Amazon Cognito console for managing your user pools. You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` . In your ``AdminCreateUser`` request, you can set the ``email_verified`` and ``phone_number_verified`` attributes to ``true`` . The following conditions apply: - **email** - The email address where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``email_verified`` to ``true`` , or if you set ``EMAIL`` in the ``DesiredDeliveryMediums`` parameter. - **phone_number** - The phone number where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``phone_number`` to ``true`` , or if you set ``SMS`` in the ``DesiredDeliveryMediums`` parameter. You can also set attributes verified with ``API_AdminUpdateUserAttributes`` .
|
|
12846
12853
|
:param username: The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter. - The username can't be a duplicate of another username in the same user pool. - You can't change the value of a username after you create it. - You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see `Customizing sign-in attributes <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-aliases>`_ .
|
|
12847
|
-
:param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function
|
|
12854
|
+
:param validation_data: Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain. Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
|
|
12848
12855
|
|
|
12849
12856
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html
|
|
12850
12857
|
:exampleMetadata: fixture=_generated
|
|
@@ -12989,10 +12996,12 @@ class CfnUserPoolUserProps:
|
|
|
12989
12996
|
|
|
12990
12997
|
You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you don't submit a ``TemporaryPassword`` .
|
|
12991
12998
|
|
|
12992
|
-
In your
|
|
12999
|
+
In your ``AdminCreateUser`` request, you can set the ``email_verified`` and ``phone_number_verified`` attributes to ``true`` . The following conditions apply:
|
|
13000
|
+
|
|
13001
|
+
- **email** - The email address where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``email_verified`` to ``true`` , or if you set ``EMAIL`` in the ``DesiredDeliveryMediums`` parameter.
|
|
13002
|
+
- **phone_number** - The phone number where you want the user to receive their confirmation code and username. You must provide a value for the ``email`` when you want to set ``phone_number`` to ``true`` , or if you set ``SMS`` in the ``DesiredDeliveryMediums`` parameter.
|
|
12993
13003
|
|
|
12994
|
-
|
|
12995
|
-
- *phone_number* : The phone number of the user to whom the message that contains the code and username will be sent. Required if the ``phone_number_verified`` attribute is set to ``True`` , or if ``"SMS"`` is specified in the ``DesiredDeliveryMediums`` parameter.
|
|
13004
|
+
You can also set attributes verified with ``API_AdminUpdateUserAttributes`` .
|
|
12996
13005
|
|
|
12997
13006
|
:see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-userattributes
|
|
12998
13007
|
'''
|
|
@@ -13022,7 +13031,7 @@ class CfnUserPoolUserProps:
|
|
|
13022
13031
|
|
|
13023
13032
|
This set of key-value pairs are for custom validation of information that you collect from your users but don't need to retain.
|
|
13024
13033
|
|
|
13025
|
-
Your Lambda function can analyze this additional data and act on it. Your function
|
|
13034
|
+
Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and verify select users or perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs.
|
|
13026
13035
|
|
|
13027
13036
|
For more information about the pre sign-up Lambda trigger, see `Pre sign-up Lambda trigger <https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html>`_ .
|
|
13028
13037
|
|