@aws-sdk/client-cognito-identity-provider

import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client"; import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException"; import { AccountRecoverySettingType, AccountTakeoverRiskConfigurationType, AdminCreateUserConfigType, AnalyticsConfigurationType, AnalyticsMetadataType, AttributeType, AuthenticationResultType, ChallengeNameType, CodeDeliveryDetailsType, CompromisedCredentialsRiskConfigurationType, CustomDomainConfigType, DeletionProtectionType, DeviceConfigurationType, DeviceRememberedStatusType, EmailConfigurationType, EmailMfaConfigType, EmailMfaSettingsType, ExplicitAuthFlowsType, FeedbackValueType, GroupType, IdentityProviderType, LambdaConfigType, LogConfigurationType, LogDeliveryConfigurationType, MFAOptionType, OAuthFlowType, PreventUserExistenceErrorTypes, ResourceServerScopeType, ResourceServerType, RiskConfigurationType, RiskExceptionConfigurationType, SmsConfigurationType, SmsMfaConfigType, SMSMfaSettingsType, SoftwareTokenMfaConfigType, SoftwareTokenMfaSettingsType, TokenValidityUnitsType, UICustomizationType, UserAttributeUpdateSettingsType, UserContextDataType, UserImportJobType, UserPoolAddOnsType, UserPoolClientType, UserPoolMfaType, UserPoolPolicyType, VerificationMessageTemplateType, VerifiedAttributeType } from "./models_0"; /** * The response to respond to the authentication challenge. * @public */ export interface RespondToAuthChallengeResponse { /** * The challenge name. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>. * @public */ ChallengeName?: ChallengeNameType; /** * The session that should be passed both ways in challenge-response calls to the * service. If the caller must pass another challenge, they return a session with other * challenge parameters. This session should be passed as it is to the next * <code>RespondToAuthChallenge</code> API call. * @public */ Session?: string; /** * The challenge parameters. For more information, see <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html">InitiateAuth</a>. * @public */ ChallengeParameters?: Record<string, string>; /** * The result returned by the server in response to the request to respond to the * authentication challenge. * @public */ AuthenticationResult?: AuthenticationResultType; } /** * @public */ export interface RevokeTokenRequest { /** * The refresh token that you want to revoke. * @public */ Token: string | undefined; /** * The client ID for the token that you want to revoke. * @public */ ClientId: string | undefined; /** * The secret for the client ID. This is required only if the client ID has a * secret. * @public */ ClientSecret?: string; } /** * @public */ export interface RevokeTokenResponse { } /** * Exception that is thrown when the request isn't authorized. This can happen due to an * invalid access token in the request. * @public */ export declare class UnauthorizedException extends __BaseException { readonly name: "UnauthorizedException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnauthorizedException, __BaseException>); } /** * Exception that is thrown when you attempt to perform an operation that isn't enabled * for the user pool client. * @public */ export declare class UnsupportedOperationException extends __BaseException { readonly name: "UnsupportedOperationException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnsupportedOperationException, __BaseException>); } /** * Exception that is thrown when an unsupported token is passed to an operation. * @public */ export declare class UnsupportedTokenTypeException extends __BaseException { readonly name: "UnsupportedTokenTypeException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<UnsupportedTokenTypeException, __BaseException>); } /** * @public */ export interface SetLogDeliveryConfigurationRequest { /** * The ID of the user pool where you want to configure logging. * @public */ UserPoolId: string | undefined; /** * A collection of the logging configurations for a user pool. * @public */ LogConfigurations: LogConfigurationType[] | undefined; } /** * @public */ export interface SetLogDeliveryConfigurationResponse { /** * The detailed activity logging configuration that you applied to the requested user * pool. * @public */ LogDeliveryConfiguration?: LogDeliveryConfigurationType; } /** * @public */ export interface SetRiskConfigurationRequest { /** * The user pool ID. * @public */ UserPoolId: string | undefined; /** * The app client ID. If <code>ClientId</code> is null, then the risk configuration is * mapped to <code>userPoolId</code>. When the client ID is null, the same risk * configuration is applied to all the clients in the userPool. * Otherwise, <code>ClientId</code> is mapped to the client. When the client ID isn't * null, the user pool configuration is overridden and the risk configuration for the * client is used instead. * @public */ ClientId?: string; /** * The compromised credentials risk configuration. * @public */ CompromisedCredentialsRiskConfiguration?: CompromisedCredentialsRiskConfigurationType; /** * The account takeover risk configuration. * @public */ AccountTakeoverRiskConfiguration?: AccountTakeoverRiskConfigurationType; /** * The configuration to override the risk decision. * @public */ RiskExceptionConfiguration?: RiskExceptionConfigurationType; } /** * @public */ export interface SetRiskConfigurationResponse { /** * The risk configuration. * @public */ RiskConfiguration: RiskConfigurationType | undefined; } /** * @public */ export interface SetUICustomizationRequest { /** * The user pool ID for the user pool. * @public */ UserPoolId: string | undefined; /** * The client ID for the client app. * @public */ ClientId?: string; /** * The CSS values in the UI customization. * @public */ CSS?: string; /** * The uploaded logo image for the UI customization. * @public */ ImageFile?: Uint8Array; } /** * @public */ export interface SetUICustomizationResponse { /** * The UI customization information. * @public */ UICustomization: UICustomizationType | undefined; } /** * @public */ export interface SetUserMFAPreferenceRequest { /** * User preferences for SMS message MFA. Activates or deactivates SMS MFA and sets it as * the preferred MFA method when multiple methods are available. * @public */ SMSMfaSettings?: SMSMfaSettingsType; /** * User preferences for time-based one-time password (TOTP) MFA. Activates or deactivates * TOTP MFA and sets it as the preferred MFA method when multiple methods are * available. * @public */ SoftwareTokenMfaSettings?: SoftwareTokenMfaSettingsType; /** * User preferences for email message MFA. Activates or deactivates email MFA and sets it * as the preferred MFA method when multiple methods are available. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html"> * advanced security features</a> must be active in your user pool. * @public */ EmailMfaSettings?: EmailMfaSettingsType; /** * A valid access token that Amazon Cognito issued to the user whose MFA preference you want to * set. * @public */ AccessToken: string | undefined; } /** * @public */ export interface SetUserMFAPreferenceResponse { } /** * @public */ export interface SetUserPoolMfaConfigRequest { /** * The user pool ID. * @public */ UserPoolId: string | undefined; /** * Configures user pool SMS messages for MFA. Sets the message template and the SMS * message sending configuration for Amazon SNS. * @public */ SmsMfaConfiguration?: SmsMfaConfigType; /** * Configures a user pool for time-based one-time password (TOTP) MFA. Enables or * disables TOTP. * @public */ SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; /** * Configures user pool email messages for MFA. Sets the subject and body of the email * message template for MFA messages. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html"> * advanced security features</a> must be active in your user pool. * @public */ EmailMfaConfiguration?: EmailMfaConfigType; /** * The MFA configuration. If you set the MfaConfiguration value to ‘ON’, only users who * have set up an MFA factor can sign in. To learn more, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html">Adding Multi-Factor * Authentication (MFA) to a user pool</a>. Valid values include: * <ul> * <li> * * <code>OFF</code> MFA won't be used for any users. * </li> * <li> * * <code>ON</code> MFA is required for all users to sign in. * </li> * <li> * * <code>OPTIONAL</code> MFA will be required only for individual users who have * an MFA factor activated. * </li> * </ul> * @public */ MfaConfiguration?: UserPoolMfaType; } /** * @public */ export interface SetUserPoolMfaConfigResponse { /** * Shows user pool SMS message configuration for MFA. Includes the message template and * the SMS message sending configuration for Amazon SNS. * @public */ SmsMfaConfiguration?: SmsMfaConfigType; /** * Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes * TOTP enabled or disabled state. * @public */ SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType; /** * Shows user pool email message configuration for MFA. Includes the subject and body of * the email message template for MFA messages. To activate this setting, <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html"> * advanced security features</a> must be active in your user pool. * @public */ EmailMfaConfiguration?: EmailMfaConfigType; /** * The MFA configuration. Valid values include: * <ul> * <li> * * <code>OFF</code> MFA won't be used for any users. * </li> * <li> * * <code>ON</code> MFA is required for all users to sign in. * </li> * <li> * * <code>OPTIONAL</code> MFA will be required only for individual users who have * an MFA factor enabled. * </li> * </ul> * @public */ MfaConfiguration?: UserPoolMfaType; } /** * Represents the request to set user settings. * @public */ export interface SetUserSettingsRequest { /** * A valid access token that Amazon Cognito issued to the user whose user settings you want to * configure. * @public */ AccessToken: string | undefined; /** * You can use this parameter only to set an SMS configuration that uses SMS for * delivery. * @public */ MFAOptions: MFAOptionType[] | undefined; } /** * The response from the server for a set user settings request. * @public */ export interface SetUserSettingsResponse { } /** * Represents the request to register a user. * @public */ export interface SignUpRequest { /** * The ID of the client associated with the user pool. * @public */ ClientId: string | undefined; /** * A keyed-hash message authentication code (HMAC) calculated using the secret key of a * user pool client and username plus the client ID in the message. * @public */ SecretHash?: string; /** * The username of the user that you want to sign up. The value of this parameter is * typically a username, but can be any alias attribute in your user pool. * @public */ Username: string | undefined; /** * The password of the user you want to register. * @public */ Password: string | undefined; /** * An array of name-value pairs representing user attributes. * For custom attributes, you must prepend the <code>custom:</code> prefix to the * attribute name. * @public */ UserAttributes?: AttributeType[]; /** * Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda * trigger. This set of key-value pairs are for custom validation of information that you * collect from your users but don't need to retain. * Your Lambda function can analyze this additional data and act on it. Your function * might perform external API operations like logging user attributes and validation data * to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns * to Amazon Cognito, like automatically confirming the user if they sign up from within your * network. * For more information about the pre sign-up Lambda trigger, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html">Pre sign-up Lambda trigger</a>. * @public */ ValidationData?: AttributeType[]; /** * The Amazon Pinpoint analytics metadata that contributes to your metrics for * <code>SignUp</code> calls. * @public */ AnalyticsMetadata?: AnalyticsMetadataType; /** * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced * security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito * when it makes API requests. * @public */ UserContextData?: UserContextDataType; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action triggers. * You create custom workflows by assigning Lambda functions to user pool triggers. * When you use the SignUp API action, Amazon Cognito invokes any functions that are assigned to the * following triggers: pre sign-up, custom * message, and post confirmation. When Amazon Cognito invokes * any of these functions, it passes a JSON payload, which the function receives as input. * This payload contains a <code>clientMetadata</code> attribute, which provides the data * that you assigned to the ClientMetadata parameter in your SignUp request. In your * function code in Lambda, you can process the <code>clientMetadata</code> value to enhance * your workflow for your specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Customizing user pool Workflows with Lambda Triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the * following: * <ul> * <li> * Store the ClientMetadata value. This data is available only to Lambda * triggers that are assigned to a user pool to support custom workflows. If * your user pool configuration doesn't include triggers, the ClientMetadata * parameter serves no purpose. * </li> * <li> * Validate the ClientMetadata value. * </li> * <li> * Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive * information. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string>; } /** * The response from the server for a registration request. * @public */ export interface SignUpResponse { /** * A response from the server indicating that a user registration has been * confirmed. * @public */ UserConfirmed: boolean | undefined; /** * The code delivery details returned by the server response to the user registration * request. * @public */ CodeDeliveryDetails?: CodeDeliveryDetailsType; /** * The 128-bit ID of the authenticated user. This isn't the same as * <code>username</code>. * @public */ UserSub: string | undefined; } /** * Represents the request to start the user import job. * @public */ export interface StartUserImportJobRequest { /** * The user pool ID for the user pool that the users are being imported into. * @public */ UserPoolId: string | undefined; /** * The job ID for the user import job. * @public */ JobId: string | undefined; } /** * Represents the response from the server to the request to start the user import * job. * @public */ export interface StartUserImportJobResponse { /** * The job object that represents the user import job. * @public */ UserImportJob?: UserImportJobType; } /** * Represents the request to stop the user import job. * @public */ export interface StopUserImportJobRequest { /** * The user pool ID for the user pool that the users are being imported into. * @public */ UserPoolId: string | undefined; /** * The job ID for the user import job. * @public */ JobId: string | undefined; } /** * Represents the response from the server to the request to stop the user import * job. * @public */ export interface StopUserImportJobResponse { /** * The job object that represents the user import job. * @public */ UserImportJob?: UserImportJobType; } /** * @public */ export interface TagResourceRequest { /** * The Amazon Resource Name (ARN) of the user pool to assign the tags to. * @public */ ResourceArn: string | undefined; /** * The tags to assign to the user pool. * @public */ Tags: Record<string, string> | undefined; } /** * @public */ export interface TagResourceResponse { } /** * @public */ export interface UntagResourceRequest { /** * The Amazon Resource Name (ARN) of the user pool that the tags are assigned to. * @public */ ResourceArn: string | undefined; /** * The keys of the tags to remove from the user pool. * @public */ TagKeys: string[] | undefined; } /** * @public */ export interface UntagResourceResponse { } /** * @public */ export interface UpdateAuthEventFeedbackRequest { /** * The user pool ID. * @public */ UserPoolId: string | undefined; /** * The username of the user that you want to query or modify. The value of this parameter * is typically your user's username, but it can be any of their alias attributes. If * <code>username</code> isn't an alias attribute in your user pool, this value * must be the <code>sub</code> of a local user or the username of a user from a * third-party IdP. * @public */ Username: string | undefined; /** * The event ID. * @public */ EventId: string | undefined; /** * The feedback token. * @public */ FeedbackToken: string | undefined; /** * The authentication event feedback value. When you provide a <code>FeedbackValue</code> * value of <code>valid</code>, you tell Amazon Cognito that you trust a user session where Amazon Cognito * has evaluated some level of risk. When you provide a <code>FeedbackValue</code> value of * <code>invalid</code>, you tell Amazon Cognito that you don't trust a user session, or you * don't believe that Amazon Cognito evaluated a high-enough risk level. * @public */ FeedbackValue: FeedbackValueType | undefined; } /** * @public */ export interface UpdateAuthEventFeedbackResponse { } /** * Represents the request to update the device status. * @public */ export interface UpdateDeviceStatusRequest { /** * A valid access token that Amazon Cognito issued to the user whose device status you want to * update. * @public */ AccessToken: string | undefined; /** * The device key. * @public */ DeviceKey: string | undefined; /** * The status of whether a device is remembered. * @public */ DeviceRememberedStatus?: DeviceRememberedStatusType; } /** * The response to the request to update the device status. * @public */ export interface UpdateDeviceStatusResponse { } /** * @public */ export interface UpdateGroupRequest { /** * The name of the group. * @public */ GroupName: string | undefined; /** * The user pool ID for the user pool. * @public */ UserPoolId: string | undefined; /** * A string containing the new description of the group. * @public */ Description?: string; /** * The new role Amazon Resource Name (ARN) for the group. This is used for setting the * <code>cognito:roles</code> and <code>cognito:preferred_role</code> claims in the * token. * @public */ RoleArn?: string; /** * The new precedence value for the group. For more information about this parameter, see * <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html">CreateGroup</a>. * @public */ Precedence?: number; } /** * @public */ export interface UpdateGroupResponse { /** * The group object for the group. * @public */ Group?: GroupType; } /** * @public */ export interface UpdateIdentityProviderRequest { /** * The user pool ID. * @public */ UserPoolId: string | undefined; /** * The IdP name. * @public */ ProviderName: string | undefined; /** * The scopes, URLs, and identifiers for your external identity provider. The following * examples describe the provider detail keys for each IdP type. These values and their * schema are subject to change. Social IdP <code>authorize_scopes</code> values must match * the values listed here. * <dl> * <dt>OpenID Connect (OIDC)</dt> * <dd> * Amazon Cognito accepts the following elements when it can't discover endpoint * URLs from <code>oidc_issuer</code>: <code>attributes_url</code>, * <code>authorize_url</code>, <code>jwks_uri</code>, * <code>token_url</code>. * Create or update request: <code>"ProviderDetails": \{ * "attributes_request_method": "GET", "attributes_url": * "https://auth.example.com/userInfo", "authorize_scopes": "openid profile * email", "authorize_url": "https://auth.example.com/authorize", * "client_id": "1example23456789", "client_secret": * "provider-app-client-secret", "jwks_uri": * "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": * "https://auth.example.com", "token_url": "https://example.com/token" * \}</code> * * Describe response: <code>"ProviderDetails": \{ "attributes_request_method": * "GET", "attributes_url": "https://auth.example.com/userInfo", * "attributes_url_add_attributes": "false", "authorize_scopes": "openid * profile email", "authorize_url": "https://auth.example.com/authorize", * "client_id": "1example23456789", "client_secret": * "provider-app-client-secret", "jwks_uri": * "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": * "https://auth.example.com", "token_url": "https://example.com/token" * \}</code> * * </dd> * <dt>SAML</dt> * <dd> * Create or update request with Metadata URL: <code>"ProviderDetails": \{ "IDPInit": "true", * "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": * "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": * "rsa-sha256" \}</code> * * Create or update request with Metadata file: <code>"ProviderDetails": \{ "IDPInit": "true", * "IDPSignout": "true", "EncryptedResponses" : "true", * "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": * "rsa-sha256" \}</code> * * The value of <code>MetadataFile</code> must be the plaintext metadata document with all * quote (") characters escaped by backslashes. * Describe response: <code>"ProviderDetails": \{ "IDPInit": "true", * "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", * "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": * "rsa-sha256", "SLORedirectBindingURI": * "https://auth.example.com/slo/saml", "SSORedirectBindingURI": * "https://auth.example.com/sso/saml" \}</code> * * </dd> * <dt>LoginWithAmazon</dt> * <dd> * Create or update request: <code>"ProviderDetails": \{ "authorize_scopes": * "profile postal_code", "client_id": * "amzn1.application-oa2-client.1example23456789", "client_secret": * "provider-app-client-secret"</code> * * Describe response: <code>"ProviderDetails": \{ "attributes_url": * "https://api.amazon.com/user/profile", "attributes_url_add_attributes": * "false", "authorize_scopes": "profile postal_code", "authorize_url": * "https://www.amazon.com/ap/oa", "client_id": * "amzn1.application-oa2-client.1example23456789", "client_secret": * "provider-app-client-secret", "token_request_method": "POST", * "token_url": "https://api.amazon.com/auth/o2/token" \}</code> * * </dd> * <dt>Google</dt> * <dd> * Create or update request: <code>"ProviderDetails": \{ "authorize_scopes": * "email profile openid", "client_id": * "1example23456789.apps.googleusercontent.com", "client_secret": * "provider-app-client-secret" \}</code> * * Describe response: <code>"ProviderDetails": \{ "attributes_url": * "https://people.googleapis.com/v1/people/me?personFields=", * "attributes_url_add_attributes": "true", "authorize_scopes": "email * profile openid", "authorize_url": * "https://accounts.google.com/o/oauth2/v2/auth", "client_id": * "1example23456789.apps.googleusercontent.com", "client_secret": * "provider-app-client-secret", "oidc_issuer": * "https://accounts.google.com", "token_request_method": "POST", * "token_url": "https://www.googleapis.com/oauth2/v4/token" * \}</code> * * </dd> * <dt>SignInWithApple</dt> * <dd> * Create or update request: <code>"ProviderDetails": \{ "authorize_scopes": * "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", * "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" \}</code> * * Describe response: <code>"ProviderDetails": \{ * "attributes_url_add_attributes": "false", "authorize_scopes": "email * name", "authorize_url": "https://appleid.apple.com/auth/authorize", * "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": * "https://appleid.apple.com", "team_id": "2EXAMPLE", * "token_request_method": "POST", "token_url": * "https://appleid.apple.com/auth/token" \}</code> * * </dd> * <dt>Facebook</dt> * <dd> * Create or update request: <code>"ProviderDetails": \{ "api_version": "v17.0", * "authorize_scopes": "public_profile, email", "client_id": "1example23456789", * "client_secret": "provider-app-client-secret" \}</code> * * Describe response: <code>"ProviderDetails": * \{ "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", * "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", * "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": * "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": * "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" \}</code> * * </dd> * </dl> * @public */ ProviderDetails?: Record<string, string>; /** * The IdP attribute mapping to be changed. * @public */ AttributeMapping?: Record<string, string>; /** * A list of IdP identifiers. * @public */ IdpIdentifiers?: string[]; } /** * @public */ export interface UpdateIdentityProviderResponse { /** * The identity provider details. * @public */ IdentityProvider: IdentityProviderType | undefined; } /** * @public */ export interface UpdateResourceServerRequest { /** * The user pool ID for the user pool. * @public */ UserPoolId: string | undefined; /** * A unique resource server identifier for the resource server. The identifier can be an * API friendly name like <code>solar-system-data</code>. You can also set an API URL like * <code>https://solar-system-data-api.example.com</code> as your identifier. * Amazon Cognito represents scopes in the access token in the format * <code>$resource-server-identifier/$scope</code>. Longer scope-identifier strings * increase the size of your access tokens. * @public */ Identifier: string | undefined; /** * The name of the resource server. * @public */ Name: string | undefined; /** * The scope values to be set for the resource server. * @public */ Scopes?: ResourceServerScopeType[]; } /** * @public */ export interface UpdateResourceServerResponse { /** * The resource server. * @public */ ResourceServer: ResourceServerType | undefined; } /** * Represents the request to update user attributes. * @public */ export interface UpdateUserAttributesRequest { /** * An array of name-value pairs representing user attributes. * For custom attributes, you must prepend the <code>custom:</code> prefix to the * attribute name. * If you have set an attribute to require verification before Amazon Cognito updates its value, * this request doesn’t immediately update the value of that attribute. After your user * receives and responds to a verification message to verify the new value, Amazon Cognito updates * the attribute value. Your user can sign in and receive messages with the original * attribute value until they verify the new value. * @public */ UserAttributes: AttributeType[] | undefined; /** * A valid access token that Amazon Cognito issued to the user whose user attributes you want to * update. * @public */ AccessToken: string | undefined; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action initiates. * You create custom workflows by assigning Lambda functions to user pool triggers. When * you use the UpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned * to the custom message trigger. When Amazon Cognito invokes this function, it * passes a JSON payload, which the function receives as input. This payload contains a * <code>clientMetadata</code> attribute, which provides the data that you assigned to * the ClientMetadata parameter in your UpdateUserAttributes request. In your function code * in Lambda, you can process the <code>clientMetadata</code> value to enhance your workflow * for your specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Customizing user pool Workflows with Lambda Triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the * following: * <ul> * <li> * Store the ClientMetadata value. This data is available only to Lambda * triggers that are assigned to a user pool to support custom workflows. If * your user pool configuration doesn't include triggers, the ClientMetadata * parameter serves no purpose. * </li> * <li> * Validate the ClientMetadata value. * </li> * <li> * Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive * information. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string>; } /** * Represents the response from the server for the request to update user * attributes. * @public */ export interface UpdateUserAttributesResponse { /** * The code delivery details list from the server for the request to update user * attributes. * @public */ CodeDeliveryDetailsList?: CodeDeliveryDetailsType[]; } /** * Represents the request to update the user pool. * @public */ export interface UpdateUserPoolRequest { /** * The user pool ID for the user pool you want to update. * @public */ UserPoolId: string | undefined; /** * A container with the policies you want to update in a user pool. * @public */ Policies?: UserPoolPolicyType; /** * When active, <code>DeletionProtection</code> prevents accidental deletion of your user * pool. Before you can delete a user pool that you have protected against deletion, you * must deactivate this feature. * When you try to delete a protected user pool in a <code>DeleteUserPool</code> API request, * Amazon Cognito returns an <code>InvalidParameterException</code> error. To delete a protected user pool, * send a new <code>DeleteUserPool</code> request after you deactivate deletion protection in an * <code>UpdateUserPool</code> API request. * @public */ DeletionProtection?: DeletionProtectionType; /** * The Lambda configuration information from the request to update the user pool. * @public */ LambdaConfig?: LambdaConfigType; /** * The attributes that are automatically verified when Amazon Cognito requests to update user * pools. * @public */ AutoVerifiedAttributes?: VerifiedAttributeType[]; /** * This parameter is no longer used. See <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html">VerificationMessageTemplateType</a>. * @public */ SmsVerificationMessage?: string; /** * This parameter is no longer used. See <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html">VerificationMessageTemplateType</a>. * @public */ EmailVerificationMessage?: string; /** * This parameter is no longer used. See <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerificationMessageTemplateType.html">VerificationMessageTemplateType</a>. * @public */ EmailVerificationSubject?: string; /** * The template for verification messages. * @public */ VerificationMessageTemplate?: VerificationMessageTemplateType; /** * The contents of the SMS authentication message. * @public */ SmsAuthenticationMessage?: string; /** * The settings for updates to user attributes. These settings include the property <code>AttributesRequireVerificationBeforeUpdate</code>, * a user-pool setting that tells Amazon Cognito how to handle changes to the value of your users' email address and phone number attributes. For * more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-email-phone-verification.html#user-pool-settings-verifications-verify-attribute-updates"> * Verifying updates to email addresses and phone numbers</a>. * @public */ UserAttributeUpdateSettings?: UserAttributeUpdateSettingsType; /** * Possible values include: * <ul> * <li> * * <code>OFF</code> - MFA tokens aren't required and can't be specified during user * registration. * </li> * <li> * * <code>ON</code> - MFA tokens are required for all user registrations. You can * only specify ON when you're initially creating a user pool. You can use the * <a href="https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html">SetUserPoolMfaConfig</a> API operation to turn MFA "ON" for existing * user pools. * </li> * <li> * * <code>OPTIONAL</code> - Users have the option when registering to create an MFA * token. * </li> * </ul> * @public */ MfaConfiguration?: UserPoolMfaType; /** * The device-remembering configuration for a user pool. A null value indicates that you * have deactivated device remembering in your user pool. * <note> * When you provide a value for any <code>DeviceConfiguration</code> field, you * activate the Amazon Cognito device-remembering feature. * </note> * @public */ DeviceConfiguration?: DeviceConfigurationType; /** * The email configuration of your user pool. The email configuration type sets your * preferred sending method, Amazon Web Services Region, and sender for email invitation and verification * messages from your user pool. * @public */ EmailConfiguration?: EmailConfigurationType; /** * The SMS configuration with the settings that your Amazon Cognito user pool must use to send an * SMS message from your Amazon Web Services account through Amazon Simple Notification Service. To send SMS messages * with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an Identity and Access Management * (IAM) role in your Amazon Web Services account. * @public */ SmsConfiguration?: SmsConfigurationType; /** * The tag keys and values to assign to the user pool. A tag is a label that you can use * to categorize and manage user pools in different ways, such as by purpose, owner, * environment, or other criteria. * @public */ UserPoolTags?: Record<string, string>; /** * The configuration for <code>AdminCreateUser</code> requests. * @public */ AdminCreateUserConfig?: AdminCreateUserConfigType; /** * User pool add-ons. Contains settings for activation of advanced security features. To * log user security information but take no action, set to <code>AUDIT</code>. To * configure automatic security responses to risky traffic to your user pool, set to * <code>ENFORCED</code>. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html">Adding advanced security to a user pool</a>. * @public */ UserPoolAddOns?: UserPoolAddOnsType; /** * The available verified method a user can use to recover their password when they call * <code>ForgotPassword</code>. You can use this setting to define a preferred method * when a user has more than one method available. With this setting, SMS doesn't qualify * for a valid password recovery mechanism if the user also has SMS multi-factor * authentication (MFA) activated. In the absence of this setting, Amazon Cognito uses the legacy * behavior to determine the recovery method where SMS is preferred through email. * @public */ AccountRecoverySetting?: AccountRecoverySettingType; } /** * Represents the response from the server when you make a request to update the user * pool. * @public */ export interface UpdateUserPoolResponse { } /** * Represents the request to update the user pool client. * @public */ export interface UpdateUserPoolClientRequest { /** * The user pool ID for the user pool where you want to update the user pool * client. * @public */ UserPoolId: string | undefined; /** * The ID of the client associated with the user pool. * @public */ ClientId: string | undefined; /** * The client name from the update user pool client request. * @public */ ClientName?: string; /** * The refresh token time limit. After this limit expires, your user can't use * their refresh token. To specify the time unit for <code>RefreshTokenValidity</code> as * <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or <code>days</code>, * set a <code>TokenValidityUnits</code> value in your API request. * For example, when you set <code>RefreshTokenValidity</code> as <code>10</code> and * <code>TokenValidityUnits</code> as <code>days</code>, your user can refresh their session * and retrieve new access and ID tokens for 10 days. * The default time unit for <code>RefreshTokenValidity</code> in an API request is days. * You can't set <code>RefreshTokenValidity</code> to 0. If you do, Amazon Cognito overrides the * value with the default value of 30 days. Valid range is displayed below * in seconds. * If you don't specify otherwise in the configuration of your app client, your refresh * tokens are valid for 30 days. * @public */ RefreshTokenValidity?: number; /** * The access token time limit. After this limit expires, your user can't use * their access token. To specify the time unit for <code>AccessTokenValidity</code> as * <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or <code>days</code>, * set a <code>TokenValidityUnits</code> value in your API request. * For example, when you set <code>AccessTokenValidity</code> to <code>10</code> and * <code>TokenValidityUnits</code> to <code>hours</code>, your user can authorize access with * their access token for 10 hours. * The default time unit for <code>AccessTokenValidity</code> in an API request is hours. * Valid range is displayed below in seconds. * If you don't specify otherwise in the configuration of your app client, your access * tokens are valid for one hour. * @public */ AccessTokenValidity?: number; /** * The ID token time limit. After this limit expires, your user can't use * their ID token. To specify the time unit for <code>IdTokenValidity</code> as * <code>seconds</code>, <code>minutes</code>, <code>hours</code>, or <code>days</code>, * set a <code>TokenValidityUnits</code> value in your API request. * For example, when you set <code>IdTokenValidity</code> as <code>10</code> and * <code>TokenValidityUnits</code> as <code>hours</code>, your user can authenticate their * session with their ID token for 10 hours. * The default time unit for <code>IdTokenValidity</code> in an API request is hours. * Valid range is displayed below in seconds. *