From b2fefb3d5497e8cae3d137684c562e8dc6d0cd5e Mon Sep 17 00:00:00 2001
From: awstools
Date: Thu, 12 Sep 2024 18:16:38 +0000
Subject: [PATCH] feat(client-cognito-identity-provider): Added email MFA option to user pools with advanced security features.
---
.../src/commands/AdminCreateUserCommand.ts | 2 +-
.../src/commands/AdminInitiateAuthCommand.ts | 8 +-
.../commands/AdminResetUserPasswordCommand.ts | 2 +-
.../AdminRespondToAuthChallengeCommand.ts | 10 +-
.../AdminSetUserMFAPreferenceCommand.ts | 14 +-
.../AdminUpdateUserAttributesCommand.ts | 2 +-
.../src/commands/CreateUserPoolCommand.ts | 2 +-
.../src/commands/ForgotPasswordCommand.ts | 2 +-
...GetUserAttributeVerificationCodeCommand.ts | 2 +-
.../commands/GetUserPoolMfaConfigCommand.ts | 4 +
.../src/commands/InitiateAuthCommand.ts | 8 +-
.../commands/ResendConfirmationCodeCommand.ts | 2 +-
.../commands/RespondToAuthChallengeCommand.ts | 18 +-
.../src/commands/RevokeTokenCommand.ts | 3 +-
.../commands/SetUserMFAPreferenceCommand.ts | 4 +
.../commands/SetUserPoolMfaConfigCommand.ts | 10 +-
.../src/commands/SignUpCommand.ts | 2 +-
.../commands/UpdateUserAttributesCommand.ts | 2 +-
.../src/commands/UpdateUserPoolCommand.ts | 2 +-
.../src/models/models_0.ts | 276 ++++++++++--------
.../src/models/models_1.ts | 131 ++++++++-
.../src/protocols/Aws_json1_1.ts | 16 +-
.../aws-models/cognito-identity-provider.json | 186 +++++++++---
23 files changed, 499 insertions(+), 209 deletions(-)
diff --git a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts
index 78a429115a6d..27815cee94df 100644
--- a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts
@@ -48,7 +48,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _ * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts index 3b7c5845f3f5..dbe99a0fd1c7 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts @@ -46,7 +46,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.
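Review bot: The added doc line in this hunk reads `Amazon Web Servicesservice`, where the line it replaces had `Amazon Web Services service`; the space was lost and the change is otherwise a no-op. The same regression is in the matching SMS-sandbox hunk of AdminInitiateAuthCommand.ts, AdminResetUserPasswordCommand.ts, AdminRespondToAuthChallengeCommand.ts, AdminUpdateUserAttributesCommand.ts, CreateUserPoolCommand.ts, ForgotPasswordCommand.ts, GetUserAttributeVerificationCodeCommand.ts, InitiateAuthCommand.ts, ResendConfirmationCodeCommand.ts and RespondToAuthChallengeCommand.ts. These command files appear to be generated, and the diffstat lists `aws-models/cognito-identity-provider.json`, so the wording is probably best corrected there so that the next regeneration keeps it. The doc comment this line belongs to starts and ends outside the hunk.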

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode @@ -110,7 +110,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons * const command = new AdminInitiateAuthCommand(input); * const response = await client.send(command); * // { // AdminInitiateAuthResponse - * // ChallengeName: "SMS_MFA" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", + * // ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", * // Session: "STRING_VALUE", * // ChallengeParameters: { // ChallengeParametersType * // "": "STRING_VALUE", @@ -139,6 +139,10 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

* + * @throws {@link InvalidEmailRoleAccessPolicyException} (client fault) + *

This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP + * status code: 400.

+ * * @throws {@link InvalidLambdaResponseException} (client fault) *

This exception is thrown when Amazon Cognito encounters an invalid Lambda response.

* diff --git a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts index 570712f11de9..d024bea40d04 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts @@ -48,7 +48,7 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts index db146324b3d5..abdef5eee632 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts @@ -54,7 +54,7 @@ export interface AdminRespondToAuthChallengeCommandOutput * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode @@ -92,7 +92,7 @@ export interface AdminRespondToAuthChallengeCommandOutput * const input = { // AdminRespondToAuthChallengeRequest * UserPoolId: "STRING_VALUE", // required * ClientId: "STRING_VALUE", // required - * ChallengeName: "SMS_MFA" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", // required + * ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", // required * ChallengeResponses: { // ChallengeResponsesType * "": "STRING_VALUE", * }, @@ -119,7 +119,7 @@ export interface AdminRespondToAuthChallengeCommandOutput * const command = new AdminRespondToAuthChallengeCommand(input); * const response = await client.send(command); * // { // AdminRespondToAuthChallengeResponse - * // ChallengeName: "SMS_MFA" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", + * // ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", * // Session: "STRING_VALUE", * // ChallengeParameters: { // ChallengeParametersType * // "": "STRING_VALUE", @@ -162,6 +162,10 @@ export interface AdminRespondToAuthChallengeCommandOutput * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

* + * @throws {@link InvalidEmailRoleAccessPolicyException} (client fault) + *

This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP + * status code: 400.

+ * * @throws {@link InvalidLambdaResponseException} (client fault) *

This exception is thrown when Amazon Cognito encounters an invalid Lambda response.

* diff --git a/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts index e1fb1794bc03..9d54f555fdb3 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminSetUserMFAPreferenceCommand.ts @@ -36,11 +36,11 @@ export interface AdminSetUserMFAPreferenceCommandInput extends AdminSetUserMFAPr export interface AdminSetUserMFAPreferenceCommandOutput extends AdminSetUserMFAPreferenceResponse, __MetadataBearer {} /** - *

The user's multi-factor authentication (MFA) preference, including which MFA options - * are activated, and if any are preferred. Only one factor can be set as preferred. The - * preferred MFA factor will be used to authenticate a user if multiple factors are - * activated. If multiple options are activated and no preference is set, a challenge to - * choose an MFA option will be returned during sign-in.

+ *

Sets the user's multi-factor authentication (MFA) preference, including which MFA + * options are activated, and if any are preferred. Only one factor can be set as + * preferred. The preferred MFA factor will be used to authenticate a user if multiple + * factors are activated. If multiple options are activated and no preference is set, a + * challenge to choose an MFA option will be returned during sign-in.

* *

Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For * this operation, you must use IAM credentials to authorize requests, and you must @@ -76,6 +76,10 @@ export interface AdminSetUserMFAPreferenceCommandOutput extends AdminSetUserMFAP * Enabled: true || false, * PreferredMfa: true || false, * }, + * EmailMfaSettings: { // EmailMfaSettingsType + * Enabled: true || false, + * PreferredMfa: true || false, + * }, * Username: "STRING_VALUE", // required * UserPoolId: "STRING_VALUE", // required * }; diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts index 63b216fd9bfd..c3b2d66380ca 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts @@ -44,7 +44,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts index 3526b557b703..101197b80459 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts @@ -40,7 +40,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts index adf629487684..4a963b6bfbe4 100644 --- a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts @@ -62,7 +62,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts index 64bd0800998d..16a52e84be86 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts @@ -59,7 +59,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts index 35dafff14444..2dcba20e352d 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetUserPoolMfaConfigCommand.ts @@ -56,6 +56,10 @@ export interface GetUserPoolMfaConfigCommandOutput extends GetUserPoolMfaConfigR * // SoftwareTokenMfaConfiguration: { // SoftwareTokenMfaConfigType * // Enabled: true || false, * // }, + * // EmailMfaConfiguration: { // EmailMfaConfigType + * // Message: "STRING_VALUE", + * // Subject: "STRING_VALUE", + * // }, * // MfaConfiguration: "OFF" || "ON" || "OPTIONAL", * // }; * diff --git a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts index acf08a60a103..b41bcbb5e1b6 100644 --- a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts @@ -53,7 +53,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode @@ -88,7 +88,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * const command = new InitiateAuthCommand(input); * const response = await client.send(command); * // { // InitiateAuthResponse - * // ChallengeName: "SMS_MFA" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", + * // ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", * // Session: "STRING_VALUE", * // ChallengeParameters: { // ChallengeParametersType * // "": "STRING_VALUE", @@ -121,6 +121,10 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

* + * @throws {@link InvalidEmailRoleAccessPolicyException} (client fault) + *

This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP + * status code: 400.

+ * * @throws {@link InvalidLambdaResponseException} (client fault) *

This exception is thrown when Amazon Cognito encounters an invalid Lambda response.

* diff --git a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts index dc1c1e59c5de..d0ff9774ecc3 100644 --- a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts @@ -52,7 +52,7 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts index 1a44f3dc5797..80ae6171dac9 100644 --- a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts @@ -10,12 +10,8 @@ import { ServiceOutputTypes, } from "../CognitoIdentityProviderClient"; import { commonParams } from "../endpoint/EndpointParameters"; -import { - RespondToAuthChallengeRequest, - RespondToAuthChallengeRequestFilterSensitiveLog, - RespondToAuthChallengeResponse, - RespondToAuthChallengeResponseFilterSensitiveLog, -} from "../models/models_0"; +import { RespondToAuthChallengeRequest, RespondToAuthChallengeRequestFilterSensitiveLog } from "../models/models_0"; +import { RespondToAuthChallengeResponse, RespondToAuthChallengeResponseFilterSensitiveLog } from "../models/models_1"; import { de_RespondToAuthChallengeCommand, se_RespondToAuthChallengeCommand } from "../protocols/Aws_json1_1"; /** @@ -58,7 +54,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode @@ -75,7 +71,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * const client = new CognitoIdentityProviderClient(config); * const input = { // RespondToAuthChallengeRequest * ClientId: "STRING_VALUE", // required - * ChallengeName: "SMS_MFA" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", // required + * ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", // required * Session: "STRING_VALUE", * ChallengeResponses: { // ChallengeResponsesType * "": "STRING_VALUE", @@ -94,7 +90,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * const command = new RespondToAuthChallengeCommand(input); * const response = await client.send(command); * // { // RespondToAuthChallengeResponse - * // ChallengeName: "SMS_MFA" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", + * // ChallengeName: "SMS_MFA" || "EMAIL_OTP" || "SOFTWARE_TOKEN_MFA" || "SELECT_MFA_TYPE" || "MFA_SETUP" || "PASSWORD_VERIFIER" || "CUSTOM_CHALLENGE" || "DEVICE_SRP_AUTH" || "DEVICE_PASSWORD_VERIFIER" || "ADMIN_NO_SRP_AUTH" || "NEW_PASSWORD_REQUIRED", * // Session: "STRING_VALUE", * // ChallengeParameters: { // ChallengeParametersType * // "": "STRING_VALUE", 
@@ -141,6 +137,10 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * @throws {@link InternalErrorException} (server fault) *

This exception is thrown when Amazon Cognito encounters an internal error.

* + * @throws {@link InvalidEmailRoleAccessPolicyException} (client fault) + *

This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP + * status code: 400.

+ * * @throws {@link InvalidLambdaResponseException} (client fault) *

This exception is thrown when Amazon Cognito encounters an invalid Lambda response.

* diff --git a/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts b/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts index a342838cbda7..b8c83b3aa4e3 100644 --- a/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/RevokeTokenCommand.ts @@ -10,8 +10,7 @@ import { ServiceOutputTypes, } from "../CognitoIdentityProviderClient"; import { commonParams } from "../endpoint/EndpointParameters"; -import { RevokeTokenRequest, RevokeTokenRequestFilterSensitiveLog } from "../models/models_0"; -import { RevokeTokenResponse } from "../models/models_1"; +import { RevokeTokenRequest, RevokeTokenRequestFilterSensitiveLog, RevokeTokenResponse } from "../models/models_1"; import { de_RevokeTokenCommand, se_RevokeTokenCommand } from "../protocols/Aws_json1_1"; /** diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts index e65be70c153c..8cc29173418d 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUserMFAPreferenceCommand.ts @@ -67,6 +67,10 @@ export interface SetUserMFAPreferenceCommandOutput extends SetUserMFAPreferenceR * Enabled: true || false, * PreferredMfa: true || false, * }, + * EmailMfaSettings: { // EmailMfaSettingsType + * Enabled: true || false, + * PreferredMfa: true || false, + * }, * AccessToken: "STRING_VALUE", // required * }; * const command = new SetUserMFAPreferenceCommand(input); diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts index 322d0aca6e4c..f09da6f9a4a3 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts 
+++ b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts @@ -41,7 +41,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode @@ -69,6 +69,10 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR * SoftwareTokenMfaConfiguration: { // SoftwareTokenMfaConfigType * Enabled: true || false, * }, + * EmailMfaConfiguration: { // EmailMfaConfigType + * Message: "STRING_VALUE", + * Subject: "STRING_VALUE", + * }, * MfaConfiguration: "OFF" || "ON" || "OPTIONAL", * }; * const command = new SetUserPoolMfaConfigCommand(input); @@ -85,6 +89,10 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR * // SoftwareTokenMfaConfiguration: { // SoftwareTokenMfaConfigType * // Enabled: true || false, * // }, + * // EmailMfaConfiguration: { // EmailMfaConfigType + * // Message: "STRING_VALUE", + * // Subject: "STRING_VALUE", + * // }, * // MfaConfiguration: "OFF" || "ON" || "OPTIONAL", * // }; * diff --git a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts index 9fb777205cbb..a58f4e90c3a9 100644 --- a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts @@ -48,7 +48,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {} * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts index adeaea145413..644566e30500 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts @@ -56,7 +56,7 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts index c2d2edc33bcb..2bfc29d3e0a8 100644 --- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts @@ -40,7 +40,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M * Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must * receive SMS messages might not be able to sign up, activate their accounts, or sign * in.

- *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, + *

If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, * Amazon Simple Notification Service might place your account in the SMS sandbox. In * sandbox * mode diff --git a/clients/client-cognito-identity-provider/src/models/models_0.ts b/clients/client-cognito-identity-provider/src/models/models_0.ts index c30d54363f14..db6f4049d205 100644 --- a/clients/client-cognito-identity-provider/src/models/models_0.ts +++ b/clients/client-cognito-identity-provider/src/models/models_0.ts @@ -1687,7 +1687,7 @@ export interface AdminGetUserResponse { /** *

The MFA options that are activated for the user. The possible values in this list are - * SMS_MFA and SOFTWARE_TOKEN_MFA.

+ * SMS_MFA, EMAIL_OTP, and SOFTWARE_TOKEN_MFA.

* @public */ UserMFASettingList?: string[]; @@ -2044,6 +2044,7 @@ export const ChallengeNameType = { CUSTOM_CHALLENGE: "CUSTOM_CHALLENGE", DEVICE_PASSWORD_VERIFIER: "DEVICE_PASSWORD_VERIFIER", DEVICE_SRP_AUTH: "DEVICE_SRP_AUTH", + EMAIL_OTP: "EMAIL_OTP", MFA_SETUP: "MFA_SETUP", NEW_PASSWORD_REQUIRED: "NEW_PASSWORD_REQUIRED", PASSWORD_VERIFIER: "PASSWORD_VERIFIER", @@ -2077,13 +2078,21 @@ export interface AdminInitiateAuthResponse { *
  • *

    * SELECT_MFA_TYPE: Selects the MFA type. Valid MFA options are - * SMS_MFA for text SMS MFA, and SOFTWARE_TOKEN_MFA - * for time-based one-time password (TOTP) software token MFA.

    + * SMS_MFA for SMS message MFA, EMAIL_OTP for email + * message MFA, and SOFTWARE_TOKEN_MFA for time-based one-time + * password (TOTP) software token MFA.

    *
  • *
  • *

    * SMS_MFA: Next challenge is to supply an - * SMS_MFA_CODE, delivered via SMS.

    + * SMS_MFA_CODEthat your user pool delivered + * in an SMS message.

    + *
  • + *
  • + *

    + * EMAIL_OTP: Next challenge is to supply an + * EMAIL_OTP_CODE that your user pool delivered + * in an email message.

    *
  • *
  • *

    @@ -2184,6 +2193,27 @@ export interface AdminInitiateAuthResponse { AuthenticationResult?: AuthenticationResultType; } +/** + *

    This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP + * status code: 400.

    + * @public + */ +export class InvalidEmailRoleAccessPolicyException extends __BaseException { + readonly name: "InvalidEmailRoleAccessPolicyException" = "InvalidEmailRoleAccessPolicyException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "InvalidEmailRoleAccessPolicyException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, InvalidEmailRoleAccessPolicyException.prototype); + } +} + /** *

    This exception is thrown when Amazon Cognito can't find a multi-factor authentication * (MFA) method.

    @@ -2921,27 +2951,6 @@ export interface AdminResetUserPasswordRequest { */ export interface AdminResetUserPasswordResponse {} -/** - *

    This exception is thrown when Amazon Cognito isn't allowed to use your email identity. HTTP - * status code: 400.

    - * @public - */ -export class InvalidEmailRoleAccessPolicyException extends __BaseException { - readonly name: "InvalidEmailRoleAccessPolicyException" = "InvalidEmailRoleAccessPolicyException"; - readonly $fault: "client" = "client"; - /** - * @internal - */ - constructor(opts: __ExceptionOptionType) { - super({ - name: "InvalidEmailRoleAccessPolicyException", - $fault: "client", - ...opts, - }); - Object.setPrototypeOf(this, InvalidEmailRoleAccessPolicyException.prototype); - } -} - /** *

    The request to respond to the authentication challenge, as an administrator.

    * @public @@ -2978,11 +2987,22 @@ export interface AdminRespondToAuthChallengeRequest { *
    *

    * "ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE": - * "[SMS_code]", "USERNAME": "[username]"\} + * "[code]", "USERNAME": "[username]"\} + *

    + *
    + *
    EMAIL_OTP
    + *
    + *

    + * "ChallengeName": "EMAIL_OTP", "ChallengeResponses": \{"EMAIL_OTP_CODE": + * "[code]", "USERNAME": "[username]"\} *

    *
    *
    PASSWORD_VERIFIER
    *
    + *

    This challenge response is part of the SRP flow. Amazon Cognito requires + * that your application respond to this challenge within a few seconds. When + * the response time exceeds this period, your user pool returns a + * NotAuthorizedException error.

    *

    * "ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": * \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", @@ -3271,6 +3291,29 @@ export class SoftwareTokenMFANotFoundException extends __BaseException { } } +/** + *

    User preferences for multi-factor authentication with email messages. Activates or + * deactivates email MFA and sets it as the preferred MFA method when multiple methods are + * available. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ +export interface EmailMfaSettingsType { + /** + *

    Specifies whether email message MFA is active for a user. When the value of this + * parameter is Enabled, the user will be prompted for MFA during all sign-in + * attempts, unless device tracking is turned on and the device has been trusted.

    + * @public + */ + Enabled?: boolean; + + /** + *

    Specifies whether email message MFA is the user's preferred method.

    + * @public + */ + PreferredMfa?: boolean; +} + /** *

    The type used for enabling SMS multi-factor authentication (MFA) at the user level. * Phone numbers don't need to be verified to be used for SMS MFA. If an MFA type is @@ -3282,7 +3325,7 @@ export class SoftwareTokenMFANotFoundException extends __BaseException { */ export interface SMSMfaSettingsType { /** - *

    Specifies whether SMS text message MFA is activated. If an MFA type is activated for a + *

    Specifies whether SMS message MFA is activated. If an MFA type is activated for a * user, the user will be prompted for MFA during all sign-in attempts, unless device * tracking is turned on and the device has been trusted.

    * @public @@ -3325,17 +3368,28 @@ export interface SoftwareTokenMfaSettingsType { */ export interface AdminSetUserMFAPreferenceRequest { /** - *

    The SMS text message MFA settings.

    + *

    User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as + * the preferred MFA method when multiple methods are available.

    * @public */ SMSMfaSettings?: SMSMfaSettingsType; /** - *

    The time-based one-time password software token MFA settings.

    + *

    User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates + * TOTP MFA and sets it as the preferred MFA method when multiple methods are + * available.

    * @public */ SoftwareTokenMfaSettings?: SoftwareTokenMfaSettingsType; + /** + *

    User preferences for email message MFA. Activates or deactivates email MFA and sets it + * as the preferred MFA method when multiple methods are available. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ + EmailMfaSettings?: EmailMfaSettingsType; + /** *

    The username of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If @@ -3347,7 +3401,7 @@ export interface AdminSetUserMFAPreferenceRequest { Username: string | undefined; /** - *

    The user pool ID.

    + *

    The ID of the user pool where you want to set a user's MFA preferences.

    * @public */ UserPoolId: string | undefined; @@ -6333,7 +6387,7 @@ export interface CreateUserPoolClientRequest { TokenValidityUnits?: TokenValidityUnitsType; /** - *

    The list of user attributes that you want your app client to have read-only access to. + *

    The list of user attributes that you want your app client to have read access to. * After your user authenticates in your app, their access token authorizes them to read * their own attribute value for any attribute in this list. An example of this kind of * activity is when your user selects a link to view their profile information. Your app @@ -6342,7 +6396,7 @@ export interface CreateUserPoolClientRequest { *

    When you don't specify the ReadAttributes for your app client, your * app can read the values of email_verified, * phone_number_verified, and the Standard attributes of your user pool. - * When your user pool has read access to these default attributes, + * When your user pool app client has read access to these default attributes, * ReadAttributes doesn't return any information. Amazon Cognito only * populates ReadAttributes in the API response if you have specified your own * custom set of read attributes.

    @@ -6717,7 +6771,7 @@ export interface UserPoolClientType { TokenValidityUnits?: TokenValidityUnitsType; /** - *

    The list of user attributes that you want your app client to have read-only access to. + *

    The list of user attributes that you want your app client to have read access to. * After your user authenticates in your app, their access token authorizes them to read * their own attribute value for any attribute in this list. An example of this kind of * activity is when your user selects a link to view their profile information. Your app @@ -6726,7 +6780,7 @@ export interface UserPoolClientType { *

    When you don't specify the ReadAttributes for your app client, your * app can read the values of email_verified, * phone_number_verified, and the Standard attributes of your user pool. - * When your user pool has read access to these default attributes, + * When your user pool app client has read access to these default attributes, * ReadAttributes doesn't return any information. Amazon Cognito only * populates ReadAttributes in the API response if you have specified your own * custom set of read attributes.

    @@ -8259,7 +8313,7 @@ export interface GetUserResponse { /** *

    The MFA options that are activated for the user. The possible values in this list are - * SMS_MFA and SOFTWARE_TOKEN_MFA.

    + * SMS_MFA, EMAIL_OTP, and SOFTWARE_TOKEN_MFA.

    * @public */ UserMFASettingList?: string[]; @@ -8347,14 +8401,40 @@ export interface GetUserPoolMfaConfigRequest { } /** - *

    The SMS text message multi-factor authentication (MFA) configuration type.

    + *

    Sets or shows user pool email message configuration for MFA. Includes the subject and + * body of the email message template for MFA messages. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ +export interface EmailMfaConfigType { + /** + *

    The template for the email message that your user pool sends to users with an MFA + * code. The message must contain the \{####\} placeholder. In the message, + * Amazon Cognito replaces this placeholder with the code. If you don't provide this parameter, + * Amazon Cognito sends messages in the default format.

    + * @public + */ + Message?: string; + + /** + *

    The subject of the email message that your user pool sends to users with an MFA + * code.

    + * @public + */ + Subject?: string; +} + +/** + *

    Configures user pool SMS messages for multi-factor authentication (MFA). Sets the + * message template and the SMS message sending configuration for Amazon SNS.

    * @public */ export interface SmsMfaConfigType { /** - *

    The SMS authentication message that will be sent to users with the code they must sign - * in. The message must contain the ‘\{####\}’ placeholder, which is replaced with the code. - * If the message isn't included, and default message will be used.

    + *

    The SMS message that your user pool sends to users with an MFA code. The message must + * contain the \{####\} placeholder. In the message, Amazon Cognito replaces this + * placeholder with the code. If you don't provide this parameter, Amazon Cognito sends + * messages in the default format.

    * @public */ SmsAuthenticationMessage?: string; @@ -8370,7 +8450,8 @@ export interface SmsMfaConfigType { } /** - *

    The type used for enabling software token MFA at the user pool level.

    + *

    Configures a user pool for time-based one-time password (TOTP) multi-factor + * authentication (MFA). Enables or disables TOTP.

    * @public */ export interface SoftwareTokenMfaConfigType { @@ -8386,17 +8467,27 @@ export interface SoftwareTokenMfaConfigType { */ export interface GetUserPoolMfaConfigResponse { /** - *

    The SMS text message multi-factor authentication (MFA) configuration.

    + *

    Shows user pool SMS message configuration for MFA. Includes the message template and + * the SMS message sending configuration for Amazon SNS.

    * @public */ SmsMfaConfiguration?: SmsMfaConfigType; /** - *

    The software token multi-factor authentication (MFA) configuration.

    + *

    Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes + * TOTP enabled or disabled state.

    * @public */ SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; + /** + *

    Shows user pool email message configuration for MFA. Includes the subject and body of + * the email message template for MFA messages. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ + EmailMfaConfiguration?: EmailMfaConfigType; + /** *

    The multi-factor authentication (MFA) configuration. Valid values include:

    *
      @@ -8636,7 +8727,14 @@ export interface InitiateAuthResponse { *
    • *

      * SMS_MFA: Next challenge is to supply an - * SMS_MFA_CODE, delivered via SMS.

      + * SMS_MFA_CODEthat your user pool delivered + * in an SMS message.

      + *
    • + *
    • + *

      + * EMAIL_OTP: Next challenge is to supply an + * EMAIL_OTP_CODE that your user pool delivered + * in an email message.

      *
    • *
    • *

      @@ -9503,11 +9601,22 @@ export interface RespondToAuthChallengeRequest { *

      *

      * "ChallengeName": "SMS_MFA", "ChallengeResponses": \{"SMS_MFA_CODE": - * "[SMS_code]", "USERNAME": "[username]"\} + * "[code]", "USERNAME": "[username]"\} + *

      + *
      + *
      EMAIL_OTP
      + *
      + *

      + * "ChallengeName": "EMAIL_OTP", "ChallengeResponses": \{"EMAIL_OTP_CODE": + * "[code]", "USERNAME": "[username]"\} *

      *
      *
      PASSWORD_VERIFIER
      *
      + *

      This challenge response is part of the SRP flow. Amazon Cognito requires + * that your application respond to this challenge within a few seconds. When + * the response time exceeds this period, your user pool returns a + * NotAuthorizedException error.

      *

      * "ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": * \{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", @@ -9647,64 +9756,6 @@ export interface RespondToAuthChallengeRequest { ClientMetadata?: Record; } -/** - *

      The response to respond to the authentication challenge.

      - * @public - */ -export interface RespondToAuthChallengeResponse { - /** - *

      The challenge name. For more information, see InitiateAuth.

      - * @public - */ - ChallengeName?: ChallengeNameType; - - /** - *

      The session that should be passed both ways in challenge-response calls to the - * service. If the caller must pass another challenge, they return a session with other - * challenge parameters. This session should be passed as it is to the next - * RespondToAuthChallenge API call.

      - * @public - */ - Session?: string; - - /** - *

      The challenge parameters. For more information, see InitiateAuth.

      - * @public - */ - ChallengeParameters?: Record; - - /** - *

      The result returned by the server in response to the request to respond to the - * authentication challenge.

      - * @public - */ - AuthenticationResult?: AuthenticationResultType; -} - -/** - * @public - */ -export interface RevokeTokenRequest { - /** - *

      The refresh token that you want to revoke.

      - * @public - */ - Token: string | undefined; - - /** - *

      The client ID for the token that you want to revoke.

      - * @public - */ - ClientId: string | undefined; - - /** - *

      The secret for the client ID. This is required only if the client ID has a - * secret.

      - * @public - */ - ClientSecret?: string; -} - /** * @internal */ @@ -10342,24 +10393,3 @@ export const RespondToAuthChallengeRequestFilterSensitiveLog = (obj: RespondToAu ...(obj.ChallengeResponses && { ChallengeResponses: SENSITIVE_STRING }), ...(obj.UserContextData && { UserContextData: SENSITIVE_STRING }), }); - -/** - * @internal - */ -export const RespondToAuthChallengeResponseFilterSensitiveLog = (obj: RespondToAuthChallengeResponse): any => ({ - ...obj, - ...(obj.Session && { Session: SENSITIVE_STRING }), - ...(obj.AuthenticationResult && { - AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult), - }), -}); - -/** - * @internal - */ -export const RevokeTokenRequestFilterSensitiveLog = (obj: RevokeTokenRequest): any => ({ - ...obj, - ...(obj.Token && { Token: SENSITIVE_STRING }), - ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), - ...(obj.ClientSecret && { ClientSecret: SENSITIVE_STRING }), -}); diff --git a/clients/client-cognito-identity-provider/src/models/models_1.ts b/clients/client-cognito-identity-provider/src/models/models_1.ts index 642c4696b01c..b9dfd90fd3ab 100644 --- a/clients/client-cognito-identity-provider/src/models/models_1.ts +++ b/clients/client-cognito-identity-provider/src/models/models_1.ts @@ -11,6 +11,9 @@ import { AnalyticsMetadataType, AttributeType, AttributeTypeFilterSensitiveLog, + AuthenticationResultType, + AuthenticationResultTypeFilterSensitiveLog, + ChallengeNameType, CodeDeliveryDetailsType, CompromisedCredentialsRiskConfigurationType, CustomDomainConfigType, @@ -18,6 +21,8 @@ import { DeviceConfigurationType, DeviceRememberedStatusType, EmailConfigurationType, + EmailMfaConfigType, + EmailMfaSettingsType, ExplicitAuthFlowsType, FeedbackValueType, GroupType, @@ -53,6 +58,64 @@ import { VerifiedAttributeType, } from "./models_0"; +/** + *

      The response to respond to the authentication challenge.

      + * @public + */ +export interface RespondToAuthChallengeResponse { + /** + *

      The challenge name. For more information, see InitiateAuth.

      + * @public + */ + ChallengeName?: ChallengeNameType; + + /** + *

      The session that should be passed both ways in challenge-response calls to the + * service. If the caller must pass another challenge, they return a session with other + * challenge parameters. This session should be passed as it is to the next + * RespondToAuthChallenge API call.

      + * @public + */ + Session?: string; + + /** + *

      The challenge parameters. For more information, see InitiateAuth.

      + * @public + */ + ChallengeParameters?: Record; + + /** + *

      The result returned by the server in response to the request to respond to the + * authentication challenge.

      + * @public + */ + AuthenticationResult?: AuthenticationResultType; +} + +/** + * @public + */ +export interface RevokeTokenRequest { + /** + *

      The refresh token that you want to revoke.

      + * @public + */ + Token: string | undefined; + + /** + *

      The client ID for the token that you want to revoke.

      + * @public + */ + ClientId: string | undefined; + + /** + *

      The secret for the client ID. This is required only if the client ID has a + * secret.

      + * @public + */ + ClientSecret?: string; +} + /** * @public */ @@ -245,17 +308,28 @@ export interface SetUICustomizationResponse { */ export interface SetUserMFAPreferenceRequest { /** - *

      The SMS text message multi-factor authentication (MFA) settings.

      + *

      User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as + * the preferred MFA method when multiple methods are available.

      * @public */ SMSMfaSettings?: SMSMfaSettingsType; /** - *

      The time-based one-time password (TOTP) software token MFA settings.

      + *

      User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates + * TOTP MFA and sets it as the preferred MFA method when multiple methods are + * available.

      * @public */ SoftwareTokenMfaSettings?: SoftwareTokenMfaSettingsType; + /** + *

      User preferences for email message MFA. Activates or deactivates email MFA and sets it + * as the preferred MFA method when multiple methods are available. To activate this setting, + * advanced security features must be active in your user pool.

      + * @public + */ + EmailMfaSettings?: EmailMfaSettingsType; + /** *

      A valid access token that Amazon Cognito issued to the user whose MFA preference you want to * set.

      @@ -280,17 +354,27 @@ export interface SetUserPoolMfaConfigRequest { UserPoolId: string | undefined; /** - *

      The SMS text message MFA configuration.

      + *

      Configures user pool SMS messages for MFA. Sets the message template and the SMS + * message sending configuration for Amazon SNS.

      * @public */ SmsMfaConfiguration?: SmsMfaConfigType; /** - *

      The software token MFA configuration.

      + *

      Configures a user pool for time-based one-time password (TOTP) MFA. Enables or + * disables TOTP.

      * @public */ SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; + /** + *

      Configures user pool email messages for MFA. Sets the subject and body of the email + * message template for MFA messages. To activate this setting, + * advanced security features must be active in your user pool.

      + * @public + */ + EmailMfaConfiguration?: EmailMfaConfigType; + /** *

      The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who * have set up an MFA factor can sign in. To learn more, see Adding Multi-Factor @@ -320,17 +404,27 @@ export interface SetUserPoolMfaConfigRequest { */ export interface SetUserPoolMfaConfigResponse { /** - *

      The SMS text message MFA configuration.

      + *

      Shows user pool SMS message configuration for MFA. Includes the message template and + * the SMS message sending configuration for Amazon SNS.

      * @public */ SmsMfaConfiguration?: SmsMfaConfigType; /** - *

      The software token MFA configuration.

      + *

      Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes + * TOTP enabled or disabled state.

      * @public */ SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; + /** + *

      Shows user pool email message configuration for MFA. Includes the subject and body of + * the email message template for MFA messages. To activate this setting, + * advanced security features must be active in your user pool.

      + * @public + */ + EmailMfaConfiguration?: EmailMfaConfigType; + /** *

      The MFA configuration. Valid values include:

      *
        @@ -1291,7 +1385,7 @@ export interface UpdateUserPoolClientRequest { TokenValidityUnits?: TokenValidityUnitsType; /** - *

        The list of user attributes that you want your app client to have read-only access to. + *

        The list of user attributes that you want your app client to have read access to. * After your user authenticates in your app, their access token authorizes them to read * their own attribute value for any attribute in this list. An example of this kind of * activity is when your user selects a link to view their profile information. Your app @@ -1300,7 +1394,7 @@ export interface UpdateUserPoolClientRequest { *

        When you don't specify the ReadAttributes for your app client, your * app can read the values of email_verified, * phone_number_verified, and the Standard attributes of your user pool. - * When your user pool has read access to these default attributes, + * When your user pool app client has read access to these default attributes, * ReadAttributes doesn't return any information. Amazon Cognito only * populates ReadAttributes in the API response if you have specified your own * custom set of read attributes.

        @@ -1741,6 +1835,27 @@ export interface VerifyUserAttributeRequest { */ export interface VerifyUserAttributeResponse {} +/** + * @internal + */ +export const RespondToAuthChallengeResponseFilterSensitiveLog = (obj: RespondToAuthChallengeResponse): any => ({ + ...obj, + ...(obj.Session && { Session: SENSITIVE_STRING }), + ...(obj.AuthenticationResult && { + AuthenticationResult: AuthenticationResultTypeFilterSensitiveLog(obj.AuthenticationResult), + }), +}); + +/** + * @internal + */ +export const RevokeTokenRequestFilterSensitiveLog = (obj: RevokeTokenRequest): any => ({ + ...obj, + ...(obj.Token && { Token: SENSITIVE_STRING }), + ...(obj.ClientId && { ClientId: SENSITIVE_STRING }), + ...(obj.ClientSecret && { ClientSecret: SENSITIVE_STRING }), +}); + /** * @internal */ diff --git a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts index fa2ec0f7e12d..e21e011a7ebe 100644 --- a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts +++ b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts @@ -399,6 +399,8 @@ import { DeviceType, DuplicateProviderException, EmailConfigurationType, + EmailMfaConfigType, + EmailMfaSettingsType, EventFeedbackType, EventFilterType, ExpiredCodeException, @@ -476,7 +478,6 @@ import { ResourceNotFoundException, ResourceServerScopeType, RespondToAuthChallengeRequest, - RevokeTokenRequest, RiskConfigurationType, RiskExceptionConfigurationType, S3ConfigurationType, @@ -519,6 +520,7 @@ import { } from "../models/models_0"; import { EnableSoftwareTokenMFAException, + RevokeTokenRequest, SetLogDeliveryConfigurationRequest, SetRiskConfigurationRequest, SetRiskConfigurationResponse, 
@@ -3989,6 +3991,9 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext): case "InvalidUserPoolConfigurationException": case "com.amazonaws.cognitoidentityprovider#InvalidUserPoolConfigurationException": throw await de_InvalidUserPoolConfigurationExceptionRes(parsedOutput, context); + case "InvalidEmailRoleAccessPolicyException": + case "com.amazonaws.cognitoidentityprovider#InvalidEmailRoleAccessPolicyException": + throw await de_InvalidEmailRoleAccessPolicyExceptionRes(parsedOutput, context); case "MFAMethodNotFoundException": case "com.amazonaws.cognitoidentityprovider#MFAMethodNotFoundException": throw await de_MFAMethodNotFoundExceptionRes(parsedOutput, context); @@ -4001,9 +4006,6 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext): case "UserPoolAddOnNotEnabledException": case "com.amazonaws.cognitoidentityprovider#UserPoolAddOnNotEnabledException": throw await de_UserPoolAddOnNotEnabledExceptionRes(parsedOutput, context); - case "InvalidEmailRoleAccessPolicyException": - case "com.amazonaws.cognitoidentityprovider#InvalidEmailRoleAccessPolicyException": - throw await de_InvalidEmailRoleAccessPolicyExceptionRes(parsedOutput, context); case "CodeMismatchException": case "com.amazonaws.cognitoidentityprovider#CodeMismatchException": throw await de_CodeMismatchExceptionRes(parsedOutput, context); @@ -4903,6 +4905,10 @@ const de_UserPoolTaggingExceptionRes = async ( // se_EmailConfigurationType omitted. +// se_EmailMfaConfigType omitted. + +// se_EmailMfaSettingsType omitted. + // se_EventFiltersType omitted. // se_ExplicitAuthFlowsListType omitted. @@ -5451,6 +5457,8 @@ const de_DeviceType = (output: any, context: __SerdeContext): DeviceType => { // de_EmailConfigurationType omitted. +// de_EmailMfaConfigType omitted. + // de_EnableSoftwareTokenMFAException omitted. // de_EventContextDataType omitted. 
diff --git a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json index 22d6a7ee5da7..a7802bf3f966 100644 --- a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json +++ b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json @@ -1669,7 +1669,7 @@ } ], "traits": { - "smithy.api#documentation": "

        Creates a new user in the specified user pool.

        \n

        If MessageAction isn't set, the default is to send a welcome message via\n email or phone (SMS).

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        This message is based on a template that you configured in your call to create or\n update a user pool. This template includes your custom sign-up instructions and\n placeholders for user name and temporary password.

        \n

        Alternatively, you can call AdminCreateUser with SUPPRESS\n for the MessageAction parameter, and Amazon Cognito won't send any email.

        \n

        In either case, the user will be in the FORCE_CHANGE_PASSWORD state until\n they sign in and change their password.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        ", + "smithy.api#documentation": "

        Creates a new user in the specified user pool.

        \n

        If MessageAction isn't set, the default is to send a welcome message via\n email or phone (SMS).

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        This message is based on a template that you configured in your call to create or\n update a user pool. This template includes your custom sign-up instructions and\n placeholders for user name and temporary password.

        \n

        Alternatively, you can call AdminCreateUser with SUPPRESS\n for the MessageAction parameter, and Amazon Cognito won't send any email.

        \n

        In either case, the user will be in the FORCE_CHANGE_PASSWORD state until\n they sign in and change their password.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        ", "smithy.api#examples": [ { "title": "An AdminCreateUser request for for a test user named John.", @@ -2414,7 +2414,7 @@ "UserMFASettingList": { "target": "com.amazonaws.cognitoidentityprovider#UserMFASettingListType", "traits": { - "smithy.api#documentation": "

        The MFA options that are activated for the user. The possible values in this list are\n SMS_MFA and SOFTWARE_TOKEN_MFA.

        " + "smithy.api#documentation": "

        The MFA options that are activated for the user. The possible values in this list are\n SMS_MFA, EMAIL_OTP, and SOFTWARE_TOKEN_MFA.

        " } } }, @@ -2435,6 +2435,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#InvalidEmailRoleAccessPolicyException" + }, { "target": "com.amazonaws.cognitoidentityprovider#InvalidLambdaResponseException" }, @@ -2479,7 +2482,7 @@ } ], "traits": { - "smithy.api#documentation": "

        Initiates the authentication flow, as an administrator.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " + "smithy.api#documentation": "

        Initiates the authentication flow, as an administrator.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " } }, "com.amazonaws.cognitoidentityprovider#AdminInitiateAuthRequest": { @@ -2542,7 +2545,7 @@ "ChallengeName": { "target": "com.amazonaws.cognitoidentityprovider#ChallengeNameType", "traits": { - "smithy.api#documentation": "

        The name of the challenge that you're responding to with this call. This is returned\n in the AdminInitiateAuth response if you must pass another\n challenge.

        \n
          \n
        • \n

          \n MFA_SETUP: If MFA is required, users who don't have at least one\n of the MFA methods set up are presented with an MFA_SETUP\n challenge. The user must set up at least one MFA type to continue to\n authenticate.

          \n
        • \n
        • \n

          \n SELECT_MFA_TYPE: Selects the MFA type. Valid MFA options are\n SMS_MFA for text SMS MFA, and SOFTWARE_TOKEN_MFA\n for time-based one-time password (TOTP) software token MFA.

          \n
        • \n
        • \n

          \n SMS_MFA: Next challenge is to supply an\n SMS_MFA_CODE, delivered via SMS.

          \n
        • \n
        • \n

          \n PASSWORD_VERIFIER: Next challenge is to supply\n PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after\n the client-side SRP calculations.

          \n
        • \n
        • \n

          \n CUSTOM_CHALLENGE: This is returned if your custom authentication\n flow determines that the user should pass another challenge before tokens are\n issued.

          \n
        • \n
        • \n

          \n DEVICE_SRP_AUTH: If device tracking was activated in your user\n pool and the previous challenges were passed, this challenge is returned so that\n Amazon Cognito can start tracking this device.

          \n
        • \n
        • \n

          \n DEVICE_PASSWORD_VERIFIER: Similar to\n PASSWORD_VERIFIER, but for devices only.

          \n
        • \n
        • \n

          \n ADMIN_NO_SRP_AUTH: This is returned if you must authenticate with\n USERNAME and PASSWORD directly. An app client must\n be enabled to use this flow.

          \n
        • \n
        • \n

          \n NEW_PASSWORD_REQUIRED: For users who are required to change their\n passwords after successful first login. Respond to this challenge with\n NEW_PASSWORD and any required attributes that Amazon Cognito returned in\n the requiredAttributes parameter. You can also set values for\n attributes that aren't required by your user pool and that your app client can\n write. For more information, see AdminRespondToAuthChallenge.

          \n \n

          In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.

          \n
          \n
        • \n
        • \n

          \n MFA_SETUP: For users who are required to set up an MFA factor\n before they can sign in. The MFA types activated for the user pool will be\n listed in the challenge parameters MFAS_CAN_SETUP value.

          \n

          To set up software token MFA, use the session returned here from\n InitiateAuth as an input to\n AssociateSoftwareToken, and use the session returned by\n VerifySoftwareToken as an input to\n RespondToAuthChallenge with challenge name\n MFA_SETUP to complete sign-in. To set up SMS MFA, users will\n need help from an administrator to add a phone number to their account and then\n call InitiateAuth again to restart sign-in.

          \n
        • \n
        " + "smithy.api#documentation": "

        The name of the challenge that you're responding to with this call. This is returned\n in the AdminInitiateAuth response if you must pass another\n challenge.

        \n
          \n
        • \n

          \n MFA_SETUP: If MFA is required, users who don't have at least one\n of the MFA methods set up are presented with an MFA_SETUP\n challenge. The user must set up at least one MFA type to continue to\n authenticate.

          \n
        • \n
        • \n

          \n SELECT_MFA_TYPE: Selects the MFA type. Valid MFA options are\n SMS_MFA for SMS message MFA, EMAIL_OTP for email \n message MFA, and SOFTWARE_TOKEN_MFA for time-based one-time \n password (TOTP) software token MFA.

          \n
        • \n
        • \n

          \n SMS_MFA: Next challenge is to supply an\n SMS_MFA_CODEthat your user pool delivered\n in an SMS message.

          \n
        • \n
        • \n

          \n EMAIL_OTP: Next challenge is to supply an\n EMAIL_OTP_CODE that your user pool delivered \n in an email message.

          \n
        • \n
        • \n

          \n PASSWORD_VERIFIER: Next challenge is to supply\n PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after\n the client-side SRP calculations.

          \n
        • \n
        • \n

          \n CUSTOM_CHALLENGE: This is returned if your custom authentication\n flow determines that the user should pass another challenge before tokens are\n issued.

          \n
        • \n
        • \n

          \n DEVICE_SRP_AUTH: If device tracking was activated in your user\n pool and the previous challenges were passed, this challenge is returned so that\n Amazon Cognito can start tracking this device.

          \n
        • \n
        • \n

          \n DEVICE_PASSWORD_VERIFIER: Similar to\n PASSWORD_VERIFIER, but for devices only.

          \n
        • \n
        • \n

          \n ADMIN_NO_SRP_AUTH: This is returned if you must authenticate with\n USERNAME and PASSWORD directly. An app client must\n be enabled to use this flow.

          \n
        • \n
        • \n

          \n NEW_PASSWORD_REQUIRED: For users who are required to change their\n passwords after successful first login. Respond to this challenge with\n NEW_PASSWORD and any required attributes that Amazon Cognito returned in\n the requiredAttributes parameter. You can also set values for\n attributes that aren't required by your user pool and that your app client can\n write. For more information, see AdminRespondToAuthChallenge.

          \n \n

          In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.

          \n
          \n
        • \n
        • \n

          \n MFA_SETUP: For users who are required to set up an MFA factor\n before they can sign in. The MFA types activated for the user pool will be\n listed in the challenge parameters MFAS_CAN_SETUP value.

          \n

          To set up software token MFA, use the session returned here from\n InitiateAuth as an input to\n AssociateSoftwareToken, and use the session returned by\n VerifySoftwareToken as an input to\n RespondToAuthChallenge with challenge name\n MFA_SETUP to complete sign-in. To set up SMS MFA, users will\n need help from an administrator to add a phone number to their account and then\n call InitiateAuth again to restart sign-in.

          \n
        • \n
        " } }, "Session": { @@ -3029,7 +3032,7 @@ } ], "traits": { - "smithy.api#documentation": "

        Resets the specified user's password in a user pool as an administrator. Works on any\n user.

        \n

        To use this API operation, your user pool must have self-service account recovery\n configured. Use AdminSetUserPassword if you manage passwords as an administrator.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Deactivates a user's password, requiring them to change it. If a user tries to sign in\n after the API is called, Amazon Cognito responds with a\n PasswordResetRequiredException error. Your app must then perform the\n actions that reset your user's password: the forgot-password flow. In addition, if the\n user pool has phone verification selected and a verified phone number exists for the\n user, or if email verification is selected and a verified email exists for the user,\n calling this API will also result in sending a message to the end user with the code to\n change their password.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " + "smithy.api#documentation": "

        Resets the specified user's password in a user pool as an administrator. Works on any\n user.

        \n

        To use this API operation, your user pool must have self-service account recovery\n configured. Use AdminSetUserPassword if you manage passwords as an administrator.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Deactivates a user's password, requiring them to change it. If a user tries to sign in\n after the API is called, Amazon Cognito responds with a\n PasswordResetRequiredException error. Your app must then perform the\n actions that reset your user's password: the forgot-password flow. In addition, if the\n user pool has phone verification selected and a verified phone number exists for the\n user, or if email verification is selected and a verified email exists for the user,\n calling this API will also result in sending a message to the end user with the code to\n change their password.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " } }, "com.amazonaws.cognitoidentityprovider#AdminResetUserPasswordRequest": { @@ -3090,6 +3093,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#InvalidEmailRoleAccessPolicyException" + }, { "target": "com.amazonaws.cognitoidentityprovider#InvalidLambdaResponseException" }, @@ -3143,7 +3149,7 @@ } ], "traits": { - "smithy.api#documentation": "

        Some API operations in a user pool generate a challenge, like a prompt for an MFA\n code, for device authentication that bypasses MFA, or for a custom authentication\n challenge. An AdminRespondToAuthChallenge API request provides the answer\n to that challenge, like a code or a secure remote password (SRP). The parameters of a\n response to an authentication challenge vary with the type of challenge.

        \n

        For more information about custom authentication challenges, see Custom\n authentication challenge Lambda triggers.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " + "smithy.api#documentation": "

        Some API operations in a user pool generate a challenge, like a prompt for an MFA\n code, for device authentication that bypasses MFA, or for a custom authentication\n challenge. An AdminRespondToAuthChallenge API request provides the answer\n to that challenge, like a code or a secure remote password (SRP). The parameters of a\n response to an authentication challenge vary with the type of challenge.

        \n

        For more information about custom authentication challenges, see Custom\n authentication challenge Lambda triggers.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " } }, "com.amazonaws.cognitoidentityprovider#AdminRespondToAuthChallengeRequest": { @@ -3173,7 +3179,7 @@ "ChallengeResponses": { "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType", "traits": { - "smithy.api#documentation": "

        The responses to the challenge that you received in the previous request. Each\n challenge has its own required response parameters. The following examples are partial\n JSON request bodies that highlight challenge-response parameters.

        \n \n

        You must provide a SECRET_HASH parameter in all challenge responses to an app\n client that has a client secret.

        \n
        \n
        \n
        SMS_MFA
        \n
        \n

        \n \"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n \"[SMS_code]\", \"USERNAME\": \"[username]\"}\n

        \n
        \n
        PASSWORD_VERIFIER
        \n
        \n

        \n \"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n [timestamp], \"USERNAME\": \"[username]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        CUSTOM_CHALLENGE
        \n
        \n

        \n \"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        NEW_PASSWORD_REQUIRED
        \n
        \n

        \n \"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n \"[username]\"}\n

        \n

        To set any required attributes that InitiateAuth returned in\n an requiredAttributes parameter, add\n \"userAttributes.[attribute_name]\": \"[attribute_value]\".\n This parameter can also set values for writable attributes that aren't\n required by your user pool.

        \n \n

        In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

        \n
        \n
        \n
        SOFTWARE_TOKEN_MFA
        \n
        \n

        \n \"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n [authenticator_code]}\n

        \n
        \n
        DEVICE_SRP_AUTH
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n \"[srp_a]\"}\n

        \n
        \n
        DEVICE_PASSWORD_VERIFIER
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}\n

        \n
        \n
        MFA_SETUP
        \n
        \n

        \n \"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\"}, \"SESSION\": \"[Session ID from\n VerifySoftwareToken]\"\n

        \n
        \n
        SELECT_MFA_TYPE
        \n
        \n

        \n \"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}\n

        \n
        \n
        \n

        For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

        " + "smithy.api#documentation": "

        The responses to the challenge that you received in the previous request. Each\n challenge has its own required response parameters. The following examples are partial\n JSON request bodies that highlight challenge-response parameters.

        \n \n

        You must provide a SECRET_HASH parameter in all challenge responses to an app\n client that has a client secret.

        \n
        \n
        \n
        SMS_MFA
        \n
        \n

        \n \"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n \"[code]\", \"USERNAME\": \"[username]\"}\n

        \n
        \n
        EMAIL_OTP
        \n
        \n

        \n \"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n \"[code]\", \"USERNAME\": \"[username]\"}\n

        \n
        \n
        PASSWORD_VERIFIER
        \n
        \n

        This challenge response is part of the SRP flow. Amazon Cognito requires \n that your application respond to this challenge within a few seconds. When\n the response time exceeds this period, your user pool returns a\n NotAuthorizedException error.

        \n

        \n \"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n [timestamp], \"USERNAME\": \"[username]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        CUSTOM_CHALLENGE
        \n
        \n

        \n \"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        NEW_PASSWORD_REQUIRED
        \n
        \n

        \n \"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n \"[username]\"}\n

        \n

        To set any required attributes that InitiateAuth returned in\n an requiredAttributes parameter, add\n \"userAttributes.[attribute_name]\": \"[attribute_value]\".\n This parameter can also set values for writable attributes that aren't\n required by your user pool.

        \n \n

        In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

        \n
        \n
        \n
        SOFTWARE_TOKEN_MFA
        \n
        \n

        \n \"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n [authenticator_code]}\n

        \n
        \n
        DEVICE_SRP_AUTH
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n \"[srp_a]\"}\n

        \n
        \n
        DEVICE_PASSWORD_VERIFIER
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}\n

        \n
        \n
        MFA_SETUP
        \n
        \n

        \n \"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\"}, \"SESSION\": \"[Session ID from\n VerifySoftwareToken]\"\n

        \n
        \n
        SELECT_MFA_TYPE
        \n
        \n

        \n \"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}\n

        \n
        \n
        \n

        For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

        " } }, "Session": { @@ -3271,7 +3277,7 @@ } ], "traits": { - "smithy.api#documentation": "

        The user's multi-factor authentication (MFA) preference, including which MFA options\n are activated, and if any are preferred. Only one factor can be set as preferred. The\n preferred MFA factor will be used to authenticate a user if multiple factors are\n activated. If multiple options are activated and no preference is set, a challenge to\n choose an MFA option will be returned during sign-in.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " + "smithy.api#documentation": "

        Sets the user's multi-factor authentication (MFA) preference, including which MFA\n options are activated, and if any are preferred. Only one factor can be set as\n preferred. The preferred MFA factor will be used to authenticate a user if multiple\n factors are activated. If multiple options are activated and no preference is set, a\n challenge to choose an MFA option will be returned during sign-in.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " } }, "com.amazonaws.cognitoidentityprovider#AdminSetUserMFAPreferenceRequest": { @@ -3280,13 +3286,19 @@ "SMSMfaSettings": { "target": "com.amazonaws.cognitoidentityprovider#SMSMfaSettingsType", "traits": { - "smithy.api#documentation": "

        The SMS text message MFA settings.

        " + "smithy.api#documentation": "

        User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as\n the preferred MFA method when multiple methods are available.

        " } }, "SoftwareTokenMfaSettings": { "target": "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaSettingsType", "traits": { - "smithy.api#documentation": "

        The time-based one-time password software token MFA settings.

        " + "smithy.api#documentation": "

        User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates\n TOTP MFA and sets it as the preferred MFA method when multiple methods are\n available.

        " + } + }, + "EmailMfaSettings": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaSettingsType", + "traits": { + "smithy.api#documentation": "

        User preferences for email message MFA. Activates or deactivates email MFA and sets it\n as the preferred MFA method when multiple methods are available. To activate this setting, \n advanced security features must be active in your user pool.

        " } }, "Username": { @@ -3299,7 +3311,7 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "

        The user pool ID.

        ", + "smithy.api#documentation": "

        The ID of the user pool where you want to set a user's MFA preferences.

        ", "smithy.api#required": {} } } @@ -3670,7 +3682,7 @@ } ], "traits": { - "smithy.api#documentation": "\n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Updates the specified user's attributes, including developer attributes, as an\n administrator. Works on any user. To delete an attribute from your user, submit the\n attribute in your API request with a blank value.

        \n

        For custom attributes, you must prepend the custom: prefix to the\n attribute name.

        \n

        In addition to updating user attributes, this API can also be used to mark phone and\n email as verified.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " + "smithy.api#documentation": "\n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Updates the specified user's attributes, including developer attributes, as an\n administrator. Works on any user. To delete an attribute from your user, submit the\n attribute in your API request with a blank value.

        \n

        For custom attributes, you must prepend the custom: prefix to the\n attribute name.

        \n

        In addition to updating user attributes, this API can also be used to mark phone and\n email as verified.

        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " } }, "com.amazonaws.cognitoidentityprovider#AdminUpdateUserAttributesRequest": { @@ -4368,6 +4380,12 @@ "smithy.api#enumValue": "SMS_MFA" } }, + "EMAIL_OTP": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "EMAIL_OTP" + } + }, "SOFTWARE_TOKEN_MFA": { "target": "smithy.api#Unit", "traits": { @@ -5602,7 +5620,7 @@ } ], "traits": { - "smithy.api#documentation": "\n
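Review bot: The rewritten SMS-sandbox paragraph on the new side of this hunk reads "Amazon Web Servicesservice", where the removed line had "Amazon Web Services service", so a space was lost in the documentation string. The same regression is visible in the `+` documentation lines of the hunks at -5602, -8472, -9108 and -9655. This model text presumably feeds the generated command doc comments, so the correction belongs in the model string itself: `Amazon Web Services service`.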

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Creates a new Amazon Cognito user pool and sets the password policy for the\n pool.

        \n \n

        If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        ", + "smithy.api#documentation": "\n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Creates a new Amazon Cognito user pool and sets the password policy for the\n pool.

        \n \n

        If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        ", "smithy.api#examples": [ { "title": "Example user pool with email and username sign-in", @@ -6217,7 +6235,7 @@ "ReadAttributes": { "target": "com.amazonaws.cognitoidentityprovider#ClientPermissionListType", "traits": { - "smithy.api#documentation": "

        The list of user attributes that you want your app client to have read-only access to.\n After your user authenticates in your app, their access token authorizes them to read\n their own attribute value for any attribute in this list. An example of this kind of\n activity is when your user selects a link to view their profile information. Your app\n makes a GetUser API request to retrieve and display your user's profile\n data.

        \n

        When you don't specify the ReadAttributes for your app client, your\n app can read the values of email_verified,\n phone_number_verified, and the Standard attributes of your user pool.\n When your user pool has read access to these default attributes,\n ReadAttributes doesn't return any information. Amazon Cognito only\n populates ReadAttributes in the API response if you have specified your own\n custom set of read attributes.

        " + "smithy.api#documentation": "

        The list of user attributes that you want your app client to have read access to.\n After your user authenticates in your app, their access token authorizes them to read\n their own attribute value for any attribute in this list. An example of this kind of\n activity is when your user selects a link to view their profile information. Your app\n makes a GetUser API request to retrieve and display your user's profile\n data.

        \n

        When you don't specify the ReadAttributes for your app client, your\n app can read the values of email_verified,\n phone_number_verified, and the Standard attributes of your user pool.\n When your user pool app client has read access to these default attributes,\n ReadAttributes doesn't return any information. Amazon Cognito only\n populates ReadAttributes in the API response if you have specified your own\n custom set of read attributes.

        " } }, "WriteAttributes": { @@ -7923,6 +7941,64 @@ "smithy.api#documentation": "

        The email configuration of your user pool. The email configuration type sets your\n preferred sending method, Amazon Web Services Region, and sender for messages from your user\n pool.

        \n \n

        Amazon Cognito can send email messages with Amazon Simple Email Service resources in the Amazon Web Services Region where\n you created your user pool, and in alternate Regions in some cases. For more\n information on the supported Regions, see Email settings for Amazon Cognito user pools.

        \n
        " } }, + "com.amazonaws.cognitoidentityprovider#EmailMfaConfigType": { + "type": "structure", + "members": { + "Message": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaMessageType", + "traits": { + "smithy.api#documentation": "

        The template for the email message that your user pool sends to users with an MFA\n code. The message must contain the {####} placeholder. In the message,\n Amazon Cognito replaces this placeholder with the code. If you don't provide this parameter,\n Amazon Cognito sends messages in the default format.

        " + } + }, + "Subject": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaSubjectType", + "traits": { + "smithy.api#documentation": "

        The subject of the email message that your user pool sends to users with an MFA\n code.

        " + } + } + }, + "traits": { + "smithy.api#documentation": "

        Sets or shows user pool email message configuration for MFA. Includes the subject and\n body of the email message template for MFA messages. To activate this setting, \n advanced security features must be active in your user pool.

        " + } + }, + "com.amazonaws.cognitoidentityprovider#EmailMfaMessageType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 6, + "max": 20000 + }, + "smithy.api#pattern": "^[\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\s*]*\\{####\\}[\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\s*]*$" + } + }, + "com.amazonaws.cognitoidentityprovider#EmailMfaSettingsType": { + "type": "structure", + "members": { + "Enabled": { + "target": "com.amazonaws.cognitoidentityprovider#BooleanType", + "traits": { + "smithy.api#default": false, + "smithy.api#documentation": "

        Specifies whether email message MFA is active for a user. When the value of this\n parameter is Enabled, the user will be prompted for MFA during all sign-in\n attempts, unless device tracking is turned on and the device has been trusted.

        " + } + }, + "PreferredMfa": { + "target": "com.amazonaws.cognitoidentityprovider#BooleanType", + "traits": { + "smithy.api#default": false, + "smithy.api#documentation": "

        Specifies whether email message MFA is the user's preferred method.

        " + } + } + }, + "traits": { + "smithy.api#documentation": "

        User preferences for multi-factor authentication with email messages. Activates or\n deactivates email MFA and sets it as the preferred MFA method when multiple methods are\n available. To activate this setting, \n advanced security features must be active in your user pool.

        " + } + }, + "com.amazonaws.cognitoidentityprovider#EmailMfaSubjectType": { + "type": "string", + "traits": { + "smithy.api#pattern": "^[\\p{L}\\p{M}\\p{S}\\p{N}\\p{P}\\s]+$" + } + }, "com.amazonaws.cognitoidentityprovider#EmailNotificationBodyType": { "type": "string", "traits": { @@ -8472,7 +8548,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "
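Review bot: `EmailMfaSubjectType` is constrained only by `smithy.api#pattern`, whereas `EmailMfaMessageType`, added in the same hunk, also declares `smithy.api#length` (min 6, max 20000). If the service bounds the subject length, the model should state it, e.g. `"smithy.api#length": { "min": <MIN>, "max": <MAX> }` with the service's actual limits in place of the placeholders. Separately, the `Enabled` member of `EmailMfaSettingsType` is a `BooleanType` with default `false`, but its documentation says "When the value of this parameter is Enabled"; `When the value of this parameter is true` would match the type. Both `Enabled` and `PreferredMfa` default to `false`, so the documentation could also note that email MFA stays off for a user until a caller sets `Enabled` explicitly.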

        Calling this API causes a message to be sent to the end user with a confirmation code\n that is required to change the user's password. For the Username parameter,\n you can use the username or user alias. The method used to send the confirmation code is\n sent according to the specified AccountRecoverySetting. For more information, see Recovering\n User Accounts in the Amazon Cognito Developer Guide. To\n use the confirmation code for resetting the password, call ConfirmForgotPassword.

        \n

        If neither a verified phone number nor a verified email exists, this API returns\n InvalidParameterException. If your app client has a client secret and\n you don't provide a SECRET_HASH parameter, this API returns\n NotAuthorizedException.

        \n

        To use this API operation, your user pool must have self-service account recovery\n configured. Use AdminSetUserPassword if you manage passwords as an administrator.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        Calling this API causes a message to be sent to the end user with a confirmation code\n that is required to change the user's password. For the Username parameter,\n you can use the username or user alias. The method used to send the confirmation code is\n sent according to the specified AccountRecoverySetting. For more information, see Recovering\n User Accounts in the Amazon Cognito Developer Guide. To\n use the confirmation code for resetting the password, call ConfirmForgotPassword.

        \n

        If neither a verified phone number nor a verified email exists, this API returns\n InvalidParameterException. If your app client has a client secret and\n you don't provide a SECRET_HASH parameter, this API returns\n NotAuthorizedException.

        \n

        To use this API operation, your user pool must have self-service account recovery\n configured. Use AdminSetUserPassword if you manage passwords as an administrator.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#optionalAuth": {} } }, @@ -9108,7 +9184,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

        Generates a user attribute verification code for the specified attribute name. Sends a\n message to a user with a code that they must return in a VerifyUserAttribute\n request.

        \n

        Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        Generates a user attribute verification code for the specified attribute name. Sends a\n message to a user with a code that they must return in a VerifyUserAttribute\n request.

        \n

        Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#optionalAuth": {} } }, @@ -9206,13 +9282,19 @@ "SmsMfaConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#SmsMfaConfigType", "traits": { - "smithy.api#documentation": "

        The SMS text message multi-factor authentication (MFA) configuration.

        " + "smithy.api#documentation": "

        Shows user pool SMS message configuration for MFA. Includes the message template and\n the SMS message sending configuration for Amazon SNS.

        " } }, "SoftwareTokenMfaConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaConfigType", "traits": { - "smithy.api#documentation": "

        The software token multi-factor authentication (MFA) configuration.

        " + "smithy.api#documentation": "

        Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes\n TOTP enabled or disabled state.

        " + } + }, + "EmailMfaConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaConfigType", + "traits": { + "smithy.api#documentation": "

        Shows user pool email message configuration for MFA. Includes the subject and body of\n the email message template for MFA messages. To activate this setting, \n advanced security features must be active in your user pool.

        " } }, "MfaConfiguration": { @@ -9274,7 +9356,7 @@ "UserMFASettingList": { "target": "com.amazonaws.cognitoidentityprovider#UserMFASettingListType", "traits": { - "smithy.api#documentation": "

        The MFA options that are activated for the user. The possible values in this list are\n SMS_MFA and SOFTWARE_TOKEN_MFA.

        " + "smithy.api#documentation": "

        The MFA options that are activated for the user. The possible values in this list are\n SMS_MFA, EMAIL_OTP, and SOFTWARE_TOKEN_MFA.

        " } } }, @@ -9613,6 +9695,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#InvalidEmailRoleAccessPolicyException" + }, { "target": "com.amazonaws.cognitoidentityprovider#InvalidLambdaResponseException" }, @@ -9655,7 +9740,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

        Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user\n with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user\n with a federated IdP with InitiateAuth. For more information, see Adding user pool sign-in through a third party.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#examples": [ { "title": "Example username and password sign-in for a user who has TOTP MFA", @@ -9745,7 +9830,7 @@ "ChallengeName": { "target": "com.amazonaws.cognitoidentityprovider#ChallengeNameType", "traits": { - "smithy.api#documentation": "

        The name of the challenge that you're responding to with this call. This name is\n returned in the InitiateAuth response if you must pass another\n challenge.

        \n

        Valid values include the following:

        \n \n

        All of the following challenges require USERNAME and\n SECRET_HASH (if applicable) in the parameters.

        \n
        \n
          \n
        • \n

          \n SMS_MFA: Next challenge is to supply an\n SMS_MFA_CODE, delivered via SMS.

          \n
        • \n
        • \n

          \n PASSWORD_VERIFIER: Next challenge is to supply\n PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after\n the client-side SRP calculations.

          \n
        • \n
        • \n

          \n CUSTOM_CHALLENGE: This is returned if your custom authentication\n flow determines that the user should pass another challenge before tokens are\n issued.

          \n
        • \n
        • \n

          \n DEVICE_SRP_AUTH: If device tracking was activated on your user\n pool and the previous challenges were passed, this challenge is returned so that\n Amazon Cognito can start tracking this device.

          \n
        • \n
        • \n

          \n DEVICE_PASSWORD_VERIFIER: Similar to\n PASSWORD_VERIFIER, but for devices only.

          \n
        • \n
        • \n

          \n NEW_PASSWORD_REQUIRED: For users who are required to change their\n passwords after successful first login.

          \n

          Respond to this challenge with NEW_PASSWORD and any required\n attributes that Amazon Cognito returned in the requiredAttributes parameter.\n You can also set values for attributes that aren't required by your user pool\n and that your app client can write. For more information, see RespondToAuthChallenge.

          \n \n

          In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

          \n
          \n
        • \n
        • \n

          \n MFA_SETUP: For users who are required to setup an MFA factor\n before they can sign in. The MFA types activated for the user pool will be\n listed in the challenge parameters MFAS_CAN_SETUP value.

          \n

          To set up software token MFA, use the session returned here from\n InitiateAuth as an input to\n AssociateSoftwareToken. Use the session returned by\n VerifySoftwareToken as an input to\n RespondToAuthChallenge with challenge name\n MFA_SETUP to complete sign-in. To set up SMS MFA, an\n administrator should help the user to add a phone number to their account, and\n then the user should call InitiateAuth again to restart\n sign-in.

          \n
        • \n
        " + "smithy.api#documentation": "

        The name of the challenge that you're responding to with this call. This name is\n returned in the InitiateAuth response if you must pass another\n challenge.

        \n

        Valid values include the following:

        \n \n

        All of the following challenges require USERNAME and\n SECRET_HASH (if applicable) in the parameters.

        \n
        \n
          \n
        • \n

          \n SMS_MFA: Next challenge is to supply an\n SMS_MFA_CODEthat your user pool delivered\n in an SMS message.

          \n
        • \n
        • \n

          \n EMAIL_OTP: Next challenge is to supply an\n EMAIL_OTP_CODE that your user pool delivered \n in an email message.

          \n
        • \n
        • \n

          \n PASSWORD_VERIFIER: Next challenge is to supply\n PASSWORD_CLAIM_SIGNATURE,\n PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after\n the client-side SRP calculations.

          \n
        • \n
        • \n

          \n CUSTOM_CHALLENGE: This is returned if your custom authentication\n flow determines that the user should pass another challenge before tokens are\n issued.

          \n
        • \n
        • \n

          \n DEVICE_SRP_AUTH: If device tracking was activated on your user\n pool and the previous challenges were passed, this challenge is returned so that\n Amazon Cognito can start tracking this device.

          \n
        • \n
        • \n

          \n DEVICE_PASSWORD_VERIFIER: Similar to\n PASSWORD_VERIFIER, but for devices only.

          \n
        • \n
        • \n

          \n NEW_PASSWORD_REQUIRED: For users who are required to change their\n passwords after successful first login.

          \n

          Respond to this challenge with NEW_PASSWORD and any required\n attributes that Amazon Cognito returned in the requiredAttributes parameter.\n You can also set values for attributes that aren't required by your user pool\n and that your app client can write. For more information, see RespondToAuthChallenge.

          \n \n

          In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

          \n
          \n
        • \n
        • \n

          \n MFA_SETUP: For users who are required to setup an MFA factor\n before they can sign in. The MFA types activated for the user pool will be\n listed in the challenge parameters MFAS_CAN_SETUP value.

          \n

          To set up software token MFA, use the session returned here from\n InitiateAuth as an input to\n AssociateSoftwareToken. Use the session returned by\n VerifySoftwareToken as an input to\n RespondToAuthChallenge with challenge name\n MFA_SETUP to complete sign-in. To set up SMS MFA, an\n administrator should help the user to add a phone number to their account, and\n then the user should call InitiateAuth again to restart\n sign-in.

          \n
        • \n
        " } }, "Session": { @@ -11817,7 +11902,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

        Resends the confirmation (for confirmation of registration) to a specific user in the\n user pool.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        Resends the confirmation (for confirmation of registration) to a specific user in the\n user pool.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#optionalAuth": {} } }, @@ -12034,6 +12119,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#InternalErrorException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#InvalidEmailRoleAccessPolicyException" + }, { "target": "com.amazonaws.cognitoidentityprovider#InvalidLambdaResponseException" }, @@ -12088,7 +12176,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

        Some API operations in a user pool generate a challenge, like a prompt for an MFA\n code, for device authentication that bypasses MFA, or for a custom authentication\n challenge. A RespondToAuthChallenge API request provides the answer to that\n challenge, like a code or a secure remote password (SRP). The parameters of a response\n to an authentication challenge vary with the type of challenge.

        \n

        For more information about custom authentication challenges, see Custom\n authentication challenge Lambda triggers.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        Some API operations in a user pool generate a challenge, like a prompt for an MFA\n code, for device authentication that bypasses MFA, or for a custom authentication\n challenge. A RespondToAuthChallenge API request provides the answer to that\n challenge, like a code or a secure remote password (SRP). The parameters of a response\n to an authentication challenge vary with the type of challenge.

        \n

        For more information about custom authentication challenges, see Custom\n authentication challenge Lambda triggers.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#optionalAuth": {} } }, @@ -12118,7 +12206,7 @@ "ChallengeResponses": { "target": "com.amazonaws.cognitoidentityprovider#ChallengeResponsesType", "traits": { - "smithy.api#documentation": "

        The responses to the challenge that you received in the previous request. Each\n challenge has its own required response parameters. The following examples are partial\n JSON request bodies that highlight challenge-response parameters.

        \n \n

        You must provide a SECRET_HASH parameter in all challenge responses to an app\n client that has a client secret.

        \n
        \n
        \n
        SMS_MFA
        \n
        \n

        \n \"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n \"[SMS_code]\", \"USERNAME\": \"[username]\"}\n

        \n
        \n
        PASSWORD_VERIFIER
        \n
        \n

        \n \"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n [timestamp], \"USERNAME\": \"[username]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        CUSTOM_CHALLENGE
        \n
        \n

        \n \"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        NEW_PASSWORD_REQUIRED
        \n
        \n

        \n \"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n \"[username]\"}\n

        \n

        To set any required attributes that InitiateAuth returned in\n an requiredAttributes parameter, add\n \"userAttributes.[attribute_name]\": \"[attribute_value]\".\n This parameter can also set values for writable attributes that aren't\n required by your user pool.

        \n \n

        In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

        \n
        \n
        \n
        SOFTWARE_TOKEN_MFA
        \n
        \n

        \n \"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n [authenticator_code]}\n

        \n
        \n
        DEVICE_SRP_AUTH
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n \"[srp_a]\"}\n

        \n
        \n
        DEVICE_PASSWORD_VERIFIER
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}\n

        \n
        \n
        MFA_SETUP
        \n
        \n

        \n \"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\"}, \"SESSION\": \"[Session ID from\n VerifySoftwareToken]\"\n

        \n
        \n
        SELECT_MFA_TYPE
        \n
        \n

        \n \"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}\n

        \n
        \n
        \n

        For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

        " + "smithy.api#documentation": "

        The responses to the challenge that you received in the previous request. Each\n challenge has its own required response parameters. The following examples are partial\n JSON request bodies that highlight challenge-response parameters.

        \n \n

        You must provide a SECRET_HASH parameter in all challenge responses to an app\n client that has a client secret.

        \n
        \n
        \n
        SMS_MFA
        \n
        \n

        \n \"ChallengeName\": \"SMS_MFA\", \"ChallengeResponses\": {\"SMS_MFA_CODE\":\n \"[code]\", \"USERNAME\": \"[username]\"}\n

        \n
        \n
        EMAIL_OTP
        \n
        \n

        \n \"ChallengeName\": \"EMAIL_OTP\", \"ChallengeResponses\": {\"EMAIL_OTP_CODE\":\n \"[code]\", \"USERNAME\": \"[username]\"}\n

        \n
        \n
        PASSWORD_VERIFIER
        \n
        \n

        This challenge response is part of the SRP flow. Amazon Cognito requires \n that your application respond to this challenge within a few seconds. When\n the response time exceeds this period, your user pool returns a\n NotAuthorizedException error.

        \n

        \n \"ChallengeName\": \"PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"PASSWORD_CLAIM_SIGNATURE\": \"[claim_signature]\",\n \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\", \"TIMESTAMP\":\n [timestamp], \"USERNAME\": \"[username]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        CUSTOM_CHALLENGE
        \n
        \n

        \n \"ChallengeName\": \"CUSTOM_CHALLENGE\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"ANSWER\": \"[challenge_answer]\"}\n

        \n

        Add \"DEVICE_KEY\" when you sign in with a remembered\n device.

        \n
        \n
        NEW_PASSWORD_REQUIRED
        \n
        \n

        \n \"ChallengeName\": \"NEW_PASSWORD_REQUIRED\", \"ChallengeResponses\":\n {\"NEW_PASSWORD\": \"[new_password]\", \"USERNAME\":\n \"[username]\"}\n

        \n

        To set any required attributes that InitiateAuth returned in\n an requiredAttributes parameter, add\n \"userAttributes.[attribute_name]\": \"[attribute_value]\".\n This parameter can also set values for writable attributes that aren't\n required by your user pool.

        \n \n

        In a NEW_PASSWORD_REQUIRED challenge response, you can't modify a required attribute that already has a value. \nIn RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, \nthen use the UpdateUserAttributes API operation to modify the value of any additional attributes.

        \n
        \n
        \n
        SOFTWARE_TOKEN_MFA
        \n
        \n

        \n \"ChallengeName\": \"SOFTWARE_TOKEN_MFA\", \"ChallengeResponses\":\n {\"USERNAME\": \"[username]\", \"SOFTWARE_TOKEN_MFA_CODE\":\n [authenticator_code]}\n

        \n
        \n
        DEVICE_SRP_AUTH
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_SRP_AUTH\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"DEVICE_KEY\": \"[device_key]\", \"SRP_A\":\n \"[srp_a]\"}\n

        \n
        \n
        DEVICE_PASSWORD_VERIFIER
        \n
        \n

        \n \"ChallengeName\": \"DEVICE_PASSWORD_VERIFIER\", \"ChallengeResponses\":\n {\"DEVICE_KEY\": \"[device_key]\", \"PASSWORD_CLAIM_SIGNATURE\":\n \"[claim_signature]\", \"PASSWORD_CLAIM_SECRET_BLOCK\": \"[secret_block]\",\n \"TIMESTAMP\": [timestamp], \"USERNAME\": \"[username]\"}\n

        \n
        \n
        MFA_SETUP
        \n
        \n

        \n \"ChallengeName\": \"MFA_SETUP\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\"}, \"SESSION\": \"[Session ID from\n VerifySoftwareToken]\"\n

        \n
        \n
        SELECT_MFA_TYPE
        \n
        \n

        \n \"ChallengeName\": \"SELECT_MFA_TYPE\", \"ChallengeResponses\": {\"USERNAME\":\n \"[username]\", \"ANSWER\": \"[SMS_MFA or SOFTWARE_TOKEN_MFA]\"}\n

        \n
        \n
        \n

        For more information about SECRET_HASH, see Computing secret hash values. For information about\n DEVICE_KEY, see Working with user devices in your user pool.

        " } }, "AnalyticsMetadata": { @@ -12411,7 +12499,7 @@ "target": "com.amazonaws.cognitoidentityprovider#BooleanType", "traits": { "smithy.api#default": false, - "smithy.api#documentation": "

        Specifies whether SMS text message MFA is activated. If an MFA type is activated for a\n user, the user will be prompted for MFA during all sign-in attempts, unless device\n tracking is turned on and the device has been trusted.

        " + "smithy.api#documentation": "

        Specifies whether SMS message MFA is activated. If an MFA type is activated for a\n user, the user will be prompted for MFA during all sign-in attempts, unless device\n tracking is turned on and the device has been trusted.

        " } }, "PreferredMfa": { @@ -12852,13 +12940,19 @@ "SMSMfaSettings": { "target": "com.amazonaws.cognitoidentityprovider#SMSMfaSettingsType", "traits": { - "smithy.api#documentation": "

        The SMS text message multi-factor authentication (MFA) settings.

        " + "smithy.api#documentation": "

        User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as\n the preferred MFA method when multiple methods are available.

        " } }, "SoftwareTokenMfaSettings": { "target": "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaSettingsType", "traits": { - "smithy.api#documentation": "

        The time-based one-time password (TOTP) software token MFA settings.

        " + "smithy.api#documentation": "

        User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates\n TOTP MFA and sets it as the preferred MFA method when multiple methods are\n available.

        " + } + }, + "EmailMfaSettings": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaSettingsType", + "traits": { + "smithy.api#documentation": "

        User preferences for email message MFA. Activates or deactivates email MFA and sets it\n as the preferred MFA method when multiple methods are available. To activate this setting, \n advanced security features must be active in your user pool.

        " } }, "AccessToken": { @@ -12915,7 +13009,7 @@ } ], "traits": { - "smithy.api#documentation": "

        Sets the user pool multi-factor authentication (MFA) configuration.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        " + "smithy.api#documentation": "

        Sets the user pool multi-factor authentication (MFA) configuration.

        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        " } }, "com.amazonaws.cognitoidentityprovider#SetUserPoolMfaConfigRequest": { @@ -12931,13 +13025,19 @@ "SmsMfaConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#SmsMfaConfigType", "traits": { - "smithy.api#documentation": "

        The SMS text message MFA configuration.

        " + "smithy.api#documentation": "

        Configures user pool SMS messages for MFA. Sets the message template and the SMS\n message sending configuration for Amazon SNS.

        " } }, "SoftwareTokenMfaConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaConfigType", "traits": { - "smithy.api#documentation": "

        The software token MFA configuration.

        " + "smithy.api#documentation": "

        Configures a user pool for time-based one-time password (TOTP) MFA. Enables or\n disables TOTP.

        " + } + }, + "EmailMfaConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaConfigType", + "traits": { + "smithy.api#documentation": "

        Configures user pool email messages for MFA. Sets the subject and body of the email\n message template for MFA messages. To activate this setting, \n advanced security features must be active in your user pool.

        " } }, "MfaConfiguration": { @@ -12957,13 +13057,19 @@ "SmsMfaConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#SmsMfaConfigType", "traits": { - "smithy.api#documentation": "

        The SMS text message MFA configuration.

        " + "smithy.api#documentation": "

        Shows user pool SMS message configuration for MFA. Includes the message template and\n the SMS message sending configuration for Amazon SNS.

        " } }, "SoftwareTokenMfaConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaConfigType", "traits": { - "smithy.api#documentation": "

        The software token MFA configuration.

        " + "smithy.api#documentation": "

        Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes\n TOTP enabled or disabled state.

        " + } + }, + "EmailMfaConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#EmailMfaConfigType", + "traits": { + "smithy.api#documentation": "

        Shows user pool email message configuration for MFA. Includes the subject and body of\n the email message template for MFA messages. To activate this setting, \n advanced security features must be active in your user pool.

        " } }, "MfaConfiguration": { @@ -13108,7 +13214,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

        Registers the user in the specified user pool and creates a user name, password, and\n user attributes.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        Registers the user in the specified user pool and creates a user name, password, and\n user attributes.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#optionalAuth": {} } }, @@ -13253,7 +13359,7 @@ "SmsAuthenticationMessage": { "target": "com.amazonaws.cognitoidentityprovider#SmsVerificationMessageType", "traits": { - "smithy.api#documentation": "

        The SMS authentication message that will be sent to users with the code they must sign\n in. The message must contain the ‘{####}’ placeholder, which is replaced with the code.\n If the message isn't included, and default message will be used.

        " + "smithy.api#documentation": "

        The SMS message that your user pool sends to users with an MFA code. The message must\n contain the {####} placeholder. In the message, Amazon Cognito replaces this\n placeholder with the code. If you don't provide this parameter, Amazon Cognito sends\n messages in the default format.

        " } }, "SmsConfiguration": { @@ -13264,7 +13370,7 @@ } }, "traits": { - "smithy.api#documentation": "

        The SMS text message multi-factor authentication (MFA) configuration type.

        " + "smithy.api#documentation": "

        Configures user pool SMS messages for multi-factor authentication (MFA). Sets the\n message template and the SMS message sending configuration for Amazon SNS.

        " } }, "com.amazonaws.cognitoidentityprovider#SmsVerificationMessageType": { @@ -13313,7 +13419,7 @@ } }, "traits": { - "smithy.api#documentation": "

        The type used for enabling software token MFA at the user pool level.

        " + "smithy.api#documentation": "

        Configures a user pool for time-based one-time password (TOTP) multi-factor\n authentication (MFA). Enables or disables TOTP.

        " } }, "com.amazonaws.cognitoidentityprovider#SoftwareTokenMfaSettingsType": { @@ -14393,7 +14499,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

        With this operation, your users can update one or more of their attributes with their\n own credentials. You authorize this API request with the user's access token. To delete\n an attribute from your user, submit the attribute in your API request with a blank\n value. Custom attribute values in this request must include the custom:\n prefix.

        \n

        Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", + "smithy.api#documentation": "

        With this operation, your users can update one or more of their attributes with their\n own credentials. You authorize this API request with the user's access token. To delete\n an attribute from your user, submit the attribute in your API request with a blank\n value. Custom attribute values in this request must include the custom:\n prefix.

        \n

        Authorize this action with a signed-in user's access token. It must include the scope aws.cognito.signin.user.admin.

        \n \n

        Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

        \n
        \n \n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        ", "smithy.api#optionalAuth": {} } }, @@ -14485,7 +14591,7 @@ } ], "traits": { - "smithy.api#documentation": "\n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Updates the specified user pool with the specified attributes. You can get a list of\n the current user pool settings using DescribeUserPool.

        \n \n

        If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " + "smithy.api#documentation": "\n

        This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers\n require you to register an origination phone number before you can send SMS messages\n to US phone numbers. If you use SMS text messages in Amazon Cognito, you must register a\n phone number with Amazon Pinpoint.\n Amazon Cognito uses the registered number automatically. Otherwise, Amazon Cognito users who must\n receive SMS messages might not be able to sign up, activate their accounts, or sign\n in.

        \n

        If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice,\n Amazon Simple Notification Service might place your account in the SMS sandbox. In \n sandbox\n mode\n , you can send messages only to verified phone\n numbers. After you test your app while in the sandbox environment, you can move out\n of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools in the Amazon Cognito\n Developer Guide.

        \n
        \n

        Updates the specified user pool with the specified attributes. You can get a list of\n the current user pool settings using DescribeUserPool.

        \n \n

        If you don't provide a value for an attribute, Amazon Cognito sets it to its default value.

        \n
        \n \n

        Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

        \n

        \n Learn more\n

        \n \n
        " } }, "com.amazonaws.cognitoidentityprovider#UpdateUserPoolClient": { @@ -14577,7 +14683,7 @@ "ReadAttributes": { "target": "com.amazonaws.cognitoidentityprovider#ClientPermissionListType", "traits": { - "smithy.api#documentation": "

        The list of user attributes that you want your app client to have read-only access to.\n After your user authenticates in your app, their access token authorizes them to read\n their own attribute value for any attribute in this list. An example of this kind of\n activity is when your user selects a link to view their profile information. Your app\n makes a GetUser API request to retrieve and display your user's profile\n data.

        \n

        When you don't specify the ReadAttributes for your app client, your\n app can read the values of email_verified,\n phone_number_verified, and the Standard attributes of your user pool.\n When your user pool has read access to these default attributes,\n ReadAttributes doesn't return any information. Amazon Cognito only\n populates ReadAttributes in the API response if you have specified your own\n custom set of read attributes.

        " + "smithy.api#documentation": "

        The list of user attributes that you want your app client to have read access to.\n After your user authenticates in your app, their access token authorizes them to read\n their own attribute value for any attribute in this list. An example of this kind of\n activity is when your user selects a link to view their profile information. Your app\n makes a GetUser API request to retrieve and display your user's profile\n data.

        \n

        When you don't specify the ReadAttributes for your app client, your\n app can read the values of email_verified,\n phone_number_verified, and the Standard attributes of your user pool.\n When your user pool app client has read access to these default attributes,\n ReadAttributes doesn't return any information. Amazon Cognito only\n populates ReadAttributes in the API response if you have specified your own\n custom set of read attributes.

        " } }, "WriteAttributes": { @@ -15313,7 +15419,7 @@ "ReadAttributes": { "target": "com.amazonaws.cognitoidentityprovider#ClientPermissionListType", "traits": { - "smithy.api#documentation": "

        The list of user attributes that you want your app client to have read-only access to.\n After your user authenticates in your app, their access token authorizes them to read\n their own attribute value for any attribute in this list. An example of this kind of\n activity is when your user selects a link to view their profile information. Your app\n makes a GetUser API request to retrieve and display your user's profile\n data.

        \n

        When you don't specify the ReadAttributes for your app client, your\n app can read the values of email_verified,\n phone_number_verified, and the Standard attributes of your user pool.\n When your user pool has read access to these default attributes,\n ReadAttributes doesn't return any information. Amazon Cognito only\n populates ReadAttributes in the API response if you have specified your own\n custom set of read attributes.

        " + "smithy.api#documentation": "

        The list of user attributes that you want your app client to have read access to.\n After your user authenticates in your app, their access token authorizes them to read\n their own attribute value for any attribute in this list. An example of this kind of\n activity is when your user selects a link to view their profile information. Your app\n makes a GetUser API request to retrieve and display your user's profile\n data.

        \n

        When you don't specify the ReadAttributes for your app client, your\n app can read the values of email_verified,\n phone_number_verified, and the Standard attributes of your user pool.\n When your user pool app client has read access to these default attributes,\n ReadAttributes doesn't return any information. Amazon Cognito only\n populates ReadAttributes in the API response if you have specified your own\n custom set of read attributes.

        " } }, "WriteAttributes": {