@aws-sdk/client-cognito-identity-provider

import { ExceptionOptionType as __ExceptionOptionType } from "@smithy/smithy-client"; import { DocumentType as __DocumentType } from "@smithy/types"; import { CognitoIdentityProviderServiceException as __BaseException } from "./CognitoIdentityProviderServiceException"; import { AccountRecoverySettingType, AccountTakeoverRiskConfigurationType, AdminCreateUserConfigType, AnalyticsConfigurationType, AnalyticsMetadataType, AssetType, AttributeType, AuthenticationResultType, AuthFactorType, AuthFlowType, ChallengeNameType, CodeDeliveryDetailsType, CompromisedCredentialsRiskConfigurationType, CustomDomainConfigType, DeletionProtectionType, DeviceConfigurationType, DeviceRememberedStatusType, DeviceType, EmailConfigurationType, EmailMfaSettingsType, ExplicitAuthFlowsType, FeedbackValueType, GroupType, IdentityProviderType, IdentityProviderTypeType, LambdaConfigType, LogConfigurationType, LogDeliveryConfigurationType, ManagedLoginBrandingType, MFAOptionType, OAuthFlowType, PreventUserExistenceErrorTypes, RefreshTokenRotationType, ResourceServerScopeType, ResourceServerType, RiskConfigurationType, RiskExceptionConfigurationType, SmsConfigurationType, SMSMfaSettingsType, SoftwareTokenMfaSettingsType, StatusType, TermsEnforcementType, TermsSourceType, TermsType, TokenValidityUnitsType, UserAttributeUpdateSettingsType, UserContextDataType, UserImportJobType, UserPoolAddOnsType, UserPoolClientType, UserPoolMfaType, UserPoolPolicyType, UserPoolTierType, UserType, VerificationMessageTemplateType, VerifiedAttributeType } from "./models_0"; /** * @public */ export interface GetTokensFromRefreshTokenResponse { /** * The object that your application receives after authentication. Contains tokens and * information for device authentication. * @public */ AuthenticationResult?: AuthenticationResultType | undefined; } /** * This exception is throw when your application requests token refresh with a refresh * token that has been invalidated by refresh-token rotation. * @public */ export declare class RefreshTokenReuseException extends __BaseException { readonly name: "RefreshTokenReuseException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionType<RefreshTokenReuseException, __BaseException>); } /** * @public */ export interface GetUICustomizationRequest { /** * The ID of the user pool that you want to query for branding settings. * @public */ UserPoolId: string | undefined; /** * The ID of the app client that you want to query for branding settings. * @public */ ClientId?: string | undefined; } /** * A container for the UI customization information for the hosted UI in a user * pool. * @public */ export interface UICustomizationType { /** * The ID of the user pool with hosted UI customizations. * @public */ UserPoolId?: string | undefined; /** * The app client ID for your UI customization. When this value isn't present, the * customization applies to all user pool app clients that don't have client-level * settings.. * @public */ ClientId?: string | undefined; /** * A URL path to the hosted logo image of your UI customization. * @public */ ImageUrl?: string | undefined; /** * The CSS values in the UI customization. * @public */ CSS?: string | undefined; /** * The CSS version number. * @public */ CSSVersion?: string | undefined; /** * The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ LastModifiedDate?: Date | undefined; /** * The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ CreationDate?: Date | undefined; } /** * @public */ export interface GetUICustomizationResponse { /** * Information about the classic hosted UI custom CSS and logo-image branding that you * applied to the user pool or app client. * @public */ UICustomization: UICustomizationType | undefined; } /** * Represents the request to get information about the user. * @public */ export interface GetUserRequest { /** * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for * <code>aws.cognito.signin.user.admin</code>. * @public */ AccessToken: string | undefined; } /** * Represents the response from the server from the request to get information about the * user. * @public */ export interface GetUserResponse { /** * The name of the user that you requested. * @public */ Username: string | undefined; /** * An array of name-value pairs representing user attributes. * Custom attributes are prepended with the <code>custom:</code> prefix. * @public */ UserAttributes: AttributeType[] | undefined; /** * * This response parameter is no longer supported. It provides * information only about SMS MFA configurations. It doesn't provide information about * time-based one-time password (TOTP) software token MFA configurations. To look up * information about either type of MFA configuration, use UserMFASettingList * instead. * @public */ MFAOptions?: MFAOptionType[] | undefined; /** * The user's preferred MFA. Users can prefer SMS message, email message, or TOTP * MFA. * @public */ PreferredMfaSetting?: string | undefined; /** * The MFA options that are activated for the user. The possible values in this list are * <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and * <code>SOFTWARE_TOKEN_MFA</code>. * @public */ UserMFASettingList?: string[] | undefined; } /** * Represents the request to get user attribute verification. * @public */ export interface GetUserAttributeVerificationCodeRequest { /** * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for * <code>aws.cognito.signin.user.admin</code>. * @public */ AccessToken: string | undefined; /** * The name of the attribute that the user wants to verify, for example * <code>email</code>. * @public */ AttributeName: string | undefined; /** * A map of custom key-value pairs that you can provide as input for any custom workflows * that this action triggers. * You create custom workflows by assigning Lambda functions to user pool * triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes * the function that is assigned to the custom message trigger. When * Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as * input. This payload contains a <code>clientMetadata</code> attribute, which provides the * data that you assigned to the ClientMetadata parameter in your * GetUserAttributeVerificationCode request. In your function code in Lambda, you can process the <code>clientMetadata</code> value to enhance your workflow for * your specific needs. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Using Lambda triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the <code>ClientMetadata</code> parameter, note that Amazon Cognito won't do the * following: * <ul> * <li> * Store the <code>ClientMetadata</code> value. This data is available only * to Lambda triggers that are assigned to a user pool to support custom * workflows. If your user pool configuration doesn't include triggers, the * <code>ClientMetadata</code> parameter serves no purpose. * </li> * <li> * Validate the <code>ClientMetadata</code> value. * </li> * <li> * Encrypt the <code>ClientMetadata</code> value. Don't send sensitive * information in this parameter. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string> | undefined; } /** * The verification code response returned by the server response to get the user * attribute verification code. * @public */ export interface GetUserAttributeVerificationCodeResponse { /** * Information about the delivery destination of the user attribute verification * code. * @public */ CodeDeliveryDetails?: CodeDeliveryDetailsType | undefined; } /** * @public */ export interface GetUserAuthFactorsRequest { /** * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for * <code>aws.cognito.signin.user.admin</code>. * @public */ AccessToken: string | undefined; } /** * @public */ export interface GetUserAuthFactorsResponse { /** * The name of the user who is eligible for the authentication factors in the * response. * @public */ Username: string | undefined; /** * The challenge method that Amazon Cognito returns to the user in response to sign-in requests. * Users can prefer SMS message, email message, or TOTP MFA. * @public */ PreferredMfaSetting?: string | undefined; /** * The MFA options that are activated for the user. The possible values in this list are * <code>SMS_MFA</code>, <code>EMAIL_OTP</code>, and * <code>SOFTWARE_TOKEN_MFA</code>. * @public */ UserMFASettingList?: string[] | undefined; /** * The authentication types that are available to the user with <code>USER_AUTH</code> * sign-in, for example <code>["PASSWORD", "WEB_AUTHN"]</code>. * @public */ ConfiguredUserAuthFactors?: AuthFactorType[] | undefined; } /** * @public */ export interface GetUserPoolMfaConfigRequest { /** * The ID of the user pool where you want to query WebAuthn and MFA configuration. * @public */ UserPoolId: string | undefined; } /** * Sets or shows configuration for user pool email message MFA and sign-in with one-time * passwords (OTPs). Includes the subject and body of the email message template for * sign-in and MFA messages. To activate this setting, your user pool must be in the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html"> * Essentials tier</a> or higher. * @public */ export interface EmailMfaConfigType { /** * The template for the email messages that your user pool sends to users with codes for * MFA and sign-in with email OTPs. The message must contain the <code>\{####\}</code> * placeholder. In the message, Amazon Cognito replaces this placeholder with the code. If you * don't provide this parameter, Amazon Cognito sends messages in the default format. * @public */ Message?: string | undefined; /** * The subject of the email messages that your user pool sends to users with codes for * MFA and email OTP sign-in. * @public */ Subject?: string | undefined; } /** * The configuration of multi-factor authentication (MFA) with SMS messages in a user * pool. * @public */ export interface SmsMfaConfigType { /** * The SMS authentication message that will be sent to users with the code they must sign * in with. The message must contain the <code>\{####\}</code> placeholder. Your user pool * replaces the placeholder with the MFA code. If this parameter isn't provided, your user * pool sends a default message. * @public */ SmsAuthenticationMessage?: string | undefined; /** * User pool configuration for delivery of SMS messages with Amazon Simple Notification Service. To send SMS * messages with Amazon SNS in the Amazon Web Services Region that you want, the Amazon Cognito user pool uses an * Identity and Access Management (IAM) role in your Amazon Web Services account. * You can set <code>SmsConfiguration</code> in <code>CreateUserPool</code> and <code> * UpdateUserPool</code>, or in <code>SetUserPoolMfaConfig</code>. * @public */ SmsConfiguration?: SmsConfigurationType | undefined; } /** * Settings for time-based one-time password (TOTP) multi-factor authentication (MFA) in * a user pool. Enables and disables availability of this feature. * @public */ export interface SoftwareTokenMfaConfigType { /** * The activation state of TOTP MFA. * @public */ Enabled?: boolean | undefined; } /** * @public * @enum */ export declare const UserVerificationType: { readonly PREFERRED: "preferred"; readonly REQUIRED: "required"; }; /** * @public */ export type UserVerificationType = (typeof UserVerificationType)[keyof typeof UserVerificationType]; /** * Settings for authentication (MFA) with passkey, or webauthN, biometric and * security-key devices in a user pool. Configures the following: * <ul> * <li> * Configuration for requiring user-verification support in passkeys. * </li> * <li> * The user pool relying-party ID. This is the domain, typically your user pool * domain, that user's passkey providers should trust as a receiver of passkey * authentication. * </li> * <li> * The providers that you want to allow as origins for passkey * authentication. * </li> * </ul> * @public */ export interface WebAuthnConfigurationType { /** * Sets or displays the authentication domain, typically your user pool domain, that * passkey providers must use as a relying party (RP) in their configuration. * Under the following conditions, the passkey relying party ID must be the * fully-qualified domain name of your custom domain: * <ul> * <li> * The user pool is configured for passkey authentication. * </li> * <li> * The user pool has a custom domain, whether or not it also has a prefix * domain. * </li> * <li> * Your application performs authentication with managed login or the classic * hosted UI. * </li> * </ul> * @public */ RelyingPartyId?: string | undefined; /** * When <code>required</code>, users can only register and sign in users with passkeys * that are capable of <a href="https://www.w3.org/TR/webauthn-2/#enum-userVerificationRequirement">user * verification</a>. When <code>preferred</code>, your user pool doesn't * require the use of authenticators with user verification but encourages it. * @public */ UserVerification?: UserVerificationType | undefined; } /** * @public */ export interface GetUserPoolMfaConfigResponse { /** * Shows user pool configuration for SMS message MFA. Includes the message template and * the SMS message sending configuration for Amazon SNS. * @public */ SmsMfaConfiguration?: SmsMfaConfigType | undefined; /** * Shows user pool configuration for time-based one-time password (TOTP) MFA. Includes * TOTP enabled or disabled state. * @public */ SoftwareTokenMfaConfiguration?: SoftwareTokenMfaConfigType | undefined; /** * Shows configuration for user pool email message MFA and sign-in with one-time * passwords (OTPs). Includes the subject and body of the email message template for * sign-in and MFA messages. To activate this setting, your user pool must be in the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html"> * Essentials tier</a> or higher. * @public */ EmailMfaConfiguration?: EmailMfaConfigType | undefined; /** * Displays the state of multi-factor authentication (MFA) as on, off, or optional. When * <code>ON</code>, all users must set up MFA before they can sign in. When * <code>OPTIONAL</code>, your application must make a client-side determination of * whether a user wants to register an MFA device. For user pools with adaptive * authentication with threat protection, choose <code>OPTIONAL</code>. * When <code>MfaConfiguration</code> is <code>OPTIONAL</code>, managed login * doesn't automatically prompt users to set up MFA. Amazon Cognito generates MFA prompts in * API responses and in managed login for users who have chosen and configured a preferred * MFA factor. * @public */ MfaConfiguration?: UserPoolMfaType | undefined; /** * Shows user pool configuration for sign-in with passkey authenticators like biometric * devices and security keys. Passkeys are not eligible MFA factors. They are instead an * eligible primary sign-in factor for <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice">choice-based authentication</a>, or the * <code>USER_AUTH</code> flow. * @public */ WebAuthnConfiguration?: WebAuthnConfigurationType | undefined; } /** * Represents the request to sign out all devices. * @public */ export interface GlobalSignOutRequest { /** * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for * <code>aws.cognito.signin.user.admin</code>. * @public */ AccessToken: string | undefined; } /** * The response to the request to sign out all devices. * @public */ export interface GlobalSignOutResponse { } /** * Initiates the authentication request. * @public */ export interface InitiateAuthRequest { /** * The authentication flow that you want to initiate. Each <code>AuthFlow</code> has * linked <code>AuthParameters</code> that you must submit. The following are some example * flows. * <dl> * <dt>USER_AUTH</dt> * <dd> * The entry point for <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice">choice-based authentication</a> with passwords, * one-time passwords, and WebAuthn authenticators. Request a preferred * authentication type or review available authentication types. From the * offered authentication types, select one in a challenge response and then * authenticate with that method in an additional challenge response. * To activate this setting, your user pool must be in the <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html"> * Essentials tier</a> or higher. * </dd> * <dt>USER_SRP_AUTH</dt> * <dd> * Username-password authentication with the Secure Remote Password (SRP) * protocol. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow">Use SRP password verification in custom * authentication flow</a>. * </dd> * <dt>REFRESH_TOKEN_AUTH and REFRESH_TOKEN</dt> * <dd> * Receive new ID and access tokens when you pass a * <code>REFRESH_TOKEN</code> parameter with a valid refresh token as the * value. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html">Using the refresh token</a>. * </dd> * <dt>CUSTOM_AUTH</dt> * <dd> * Custom authentication with Lambda triggers. For more information, see * <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html">Custom authentication challenge Lambda * triggers</a>. * </dd> * <dt>USER_PASSWORD_AUTH</dt> * <dd> * Client-side username-password authentication with the password sent * directly in the request. For more information about client-side and * server-side authentication, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-public-server-side.html">SDK authorization models</a>. * </dd> * </dl> * * <code>ADMIN_USER_PASSWORD_AUTH</code> is a flow type of <code>AdminInitiateAuth</code> * and isn't valid for InitiateAuth. <code>ADMIN_NO_SRP_AUTH</code> is a legacy server-side * username-password flow and isn't valid for InitiateAuth. * @public */ AuthFlow: AuthFlowType | undefined; /** * The authentication parameters. These are inputs corresponding to the * <code>AuthFlow</code> that you're invoking. * The following are some authentication flows and their parameters. Add a * <code>SECRET_HASH</code> parameter if your app client has a client secret. Add * <code>DEVICE_KEY</code> if you want to bypass multi-factor authentication with a * remembered device. * <dl> * <dt>USER_AUTH</dt> * <dd> * <ul> * <li> * * <code>USERNAME</code> (required) * </li> * <li> * * <code>PREFERRED_CHALLENGE</code>. If you don't provide a * value for <code>PREFERRED_CHALLENGE</code>, Amazon Cognito responds with the * <code>AvailableChallenges</code> parameter that specifies the * available sign-in methods. * </li> * </ul> * </dd> * <dt>USER_SRP_AUTH</dt> * <dd> * <ul> * <li> * * <code>USERNAME</code> (required) * </li> * <li> * * <code>SRP_A</code> (required) * </li> * </ul> * </dd> * <dt>USER_PASSWORD_AUTH</dt> * <dd> * <ul> * <li> * * <code>USERNAME</code> (required) * </li> * <li> * * <code>PASSWORD</code> (required) * </li> * </ul> * </dd> * <dt>REFRESH_TOKEN_AUTH/REFRESH_TOKEN</dt> * <dd> * <ul> * <li> * * <code>REFRESH_TOKEN</code>(required) * </li> * </ul> * </dd> * <dt>CUSTOM_AUTH</dt> * <dd> * <ul> * <li> * * <code>USERNAME</code> (required) * </li> * <li> * * <code>ChallengeName: SRP_A</code> (when doing SRP authentication * before custom challenges) * </li> * <li> * * <code>SRP_A: (An SRP_A value)</code> (when doing SRP * authentication before custom challenges) * </li> * </ul> * </dd> * </dl> * For more information about <code>SECRET_HASH</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash">Computing secret hash values</a>. For information about * <code>DEVICE_KEY</code>, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html">Working with user devices in your user pool</a>. * @public */ AuthParameters?: Record<string, string> | undefined; /** * A map of custom key-value pairs that you can provide as input for certain custom * workflows that this action triggers. * You create custom workflows by assigning Lambda functions to user pool triggers. * When you send an <code>InitiateAuth</code> request, Amazon Cognito invokes the Lambda functions * that are specified for various triggers. The <code>ClientMetadata</code> value is passed * as input to the functions for only the following triggers. * <ul> * <li> * Pre sign-up * </li> * <li> * Pre authentication * </li> * <li> * User migration * </li> * </ul> * When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload as input * to the function. This payload contains a <code>validationData</code> attribute with the * data that you assigned to the <code>ClientMetadata</code> parameter in your * <code>InitiateAuth</code> request. In your function, <code>validationData</code> can * contribute to operations that require data that isn't in the default * payload. * * <code>InitiateAuth</code> requests invokes the following triggers without * <code>ClientMetadata</code> as input. * <ul> * <li> * Post authentication * </li> * <li> * Custom message * </li> * <li> * Pre token generation * </li> * <li> * Create auth challenge * </li> * <li> * Define auth challenge * </li> * <li> * Custom email sender * </li> * <li> * Custom SMS sender * </li> * </ul> * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html"> * Using Lambda triggers</a> in the Amazon Cognito Developer Guide. * <note> * When you use the <code>ClientMetadata</code> parameter, note that Amazon Cognito won't do the * following: * <ul> * <li> * Store the <code>ClientMetadata</code> value. This data is available only * to Lambda triggers that are assigned to a user pool to support custom * workflows. If your user pool configuration doesn't include triggers, the * <code>ClientMetadata</code> parameter serves no purpose. * </li> * <li> * Validate the <code>ClientMetadata</code> value. * </li> * <li> * Encrypt the <code>ClientMetadata</code> value. Don't send sensitive * information in this parameter. * </li> * </ul> * </note> * @public */ ClientMetadata?: Record<string, string> | undefined; /** * The ID of the app client that your user wants to sign in to. * @public */ ClientId: string | undefined; /** * Information that supports analytics outcomes with Amazon Pinpoint, including the * user's endpoint ID. The endpoint ID is a destination for Amazon Pinpoint push notifications, for example a device identifier, * email address, or phone number. * @public */ AnalyticsMetadata?: AnalyticsMetadataType | undefined; /** * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat * protection evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito * when it makes API requests. * For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-viewing-threat-protection-app.html">Collecting data for threat protection in * applications</a>. * @public */ UserContextData?: UserContextDataType | undefined; /** * The optional session ID from a <code>ConfirmSignUp</code> API request. You can sign in * a user directly from the sign-up process with the <code>USER_AUTH</code> authentication * flow. When you pass the session ID to <code>InitiateAuth</code>, Amazon Cognito assumes the SMS * or email message one-time verification password from <code>ConfirmSignUp</code> as the * primary authentication factor. You're not required to submit this code a second * time. This option is only valid for users who have confirmed their sign-up and are * signing in for the first time within the authentication flow session duration of the * session ID. * @public */ Session?: string | undefined; } /** * Initiates the authentication response. * @public */ export interface InitiateAuthResponse { /** * The name of an additional authentication challenge that you must respond to. * Possible challenges include the following: * <note> * All of the following challenges require <code>USERNAME</code> and, when the app * client has a client secret, <code>SECRET_HASH</code> in the parameters. Include a * <code>DEVICE_KEY</code> for device authentication. * </note> * <ul> * <li> * * <code>WEB_AUTHN</code>: Respond to the challenge with the results of a * successful authentication with a WebAuthn authenticator, or passkey, as * <code>CREDENTIAL</code>. Examples of WebAuthn authenticators include * biometric devices and security keys. * </li> * <li> * * <code>PASSWORD</code>: Respond with the user's password as <code>PASSWORD</code>. * </li> * <li> * * <code>PASSWORD_SRP</code>: Respond with the initial SRP secret as <code>SRP_A</code>. * </li> * <li> * * <code>SELECT_CHALLENGE</code>: Respond with a challenge selection as <code>ANSWER</code>. * It must be one of the challenge types in the <code>AvailableChallenges</code> response * parameter. Add the parameters of the selected challenge, for example <code>USERNAME</code> * and <code>SMS_OTP</code>. * </li> * <li> * * <code>SMS_MFA</code>: Respond with the code that your user pool delivered in an SMS * message, as <code>SMS_MFA_CODE</code> * * </li> * <li> * * <code>EMAIL_MFA</code>: Respond with the code that your user pool delivered in an email * message, as <code>EMAIL_MFA_CODE</code> * * </li> * <li> * * <code>EMAIL_OTP</code>: Respond with the code that your user pool delivered in an email * message, as <code>EMAIL_OTP_CODE</code> . * </li> * <li> * * <code>SMS_OTP</code>: Respond with the code that your user pool delivered in an SMS * message, as <code>SMS_OTP_CODE</code>. * </li> * <li> * * <code>PASSWORD_VERIFIER</code>: Respond with the second stage of SRP secrets as * <code>PASSWORD_CLAIM_SIGNATURE</code>, <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, * and <code>TIMESTAMP</code>. * </li> * <li> * * <code>CUSTOM_CHALLENGE</code>: This is returned if your custom authentication * flow determines that the user should pass another challenge before tokens are * issued. The parameters of the challenge are determined by your Lambda function * and issued in the <code>ChallengeParameters</code> of a challenge response. * </li> * <li> * * <code>DEVICE_SRP_AUTH</code>: Respond with the initial parameters of device SRP * authentication. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device">Signing in with a device</a>. * </li> * <li> * * <code>DEVICE_PASSWORD_VERIFIER</code>: Respond with * <code>PASSWORD_CLAIM_SIGNATURE</code>, * <code>PASSWORD_CLAIM_SECRET_BLOCK</code>, and <code>TIMESTAMP</code> after * client-side SRP calculations. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device">Signing in with a device</a>. * </li> * <li> * * <code>NEW_PASSWORD_REQUIRED</code>: For users who are required to change their * passwords after successful first login. Respond to this challenge with * <code>NEW_PASSWORD</code> and any required attributes that Amazon Cognito returned in * the <code>requiredAttributes</code> parameter. You can also set values for * attributes that aren't required by your user pool and that your app client * can write. * Amazon Cognito only returns this challenge for users who have temporary passwords. * When you create passwordless users, you must provide values for all required * attributes. * <note> * In a <code>NEW_PASSWORD_REQUIRED</code> challenge response, you can't modify a required attribute that already has a value. * In <code>AdminRespondToAuthChallenge</code> or <code>RespondToAuthChallenge</code>, set a value for any keys that Amazon Cognito returned in the * <code>requiredAttributes</code> parameter, then use the <code>AdminUpdateUserAttributes</code> or <code>UpdateUserAttributes</code> API * operation to modify the value of any additional attributes. * </note> * </li> * <li> * * <code>MFA_SETUP</code>: For users who are required to setup an MFA factor * before they can sign in. The MFA types activated for the user pool will be * listed in the challenge parameters <code>MFAS_CAN_SETUP</code> value. * To set up time-based one-time password (TOTP) MFA, use the session returned * in this challenge from <code>InitiateAuth</code> or <code>AdminInitiateAuth</code> * as an input to <code>AssociateSoftwareToken</code>. Then, use the session returned * by <code>VerifySoftwareToken</code> as an input to * <code>RespondToAuthChallenge</code> or <code>AdminRespondToAuthChallenge</code> * with challenge name <code>MFA_SETUP</code> to complete sign-in. * * To set up SMS or email MFA, collect a <code>phone_number</code> or * <code>email</code> attribute for the user. Then restart the authentication * flow with an <code>InitiateAuth</code> or <code>AdminInitiateAuth</code> request. * * </li> * </ul> * @public */ ChallengeName?: ChallengeNameType | undefined; /** * The session identifier that links a challenge response to the initial authentication * request. If the user must pass another challenge, Amazon Cognito returns a session ID and * challenge parameters. * @public */ Session?: string | undefined; /** * The required parameters of the <code>ChallengeName</code> challenge. * All challenges require <code>USERNAME</code>. They also require * <code>SECRET_HASH</code> if your app client has a client secret. * @public */ ChallengeParameters?: Record<string, string> | undefined; /** * The result of a successful and complete authentication request. This result is only * returned if the user doesn't need to pass another challenge. If they must pass another * challenge before they get tokens, Amazon Cognito returns a challenge in * <code>ChallengeName</code>, <code>ChallengeParameters</code>, and * <code>Session</code> response parameters. * @public */ AuthenticationResult?: AuthenticationResultType | undefined; /** * This response parameter lists the available authentication challenges that users can * select from in <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice">choice-based authentication</a>. For example, they might be * able to choose between passkey authentication, a one-time password from an SMS message, * and a traditional password. * @public */ AvailableChallenges?: ChallengeNameType[] | undefined; } /** * Represents the request to list the devices. * @public */ export interface ListDevicesRequest { /** * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for * <code>aws.cognito.signin.user.admin</code>. * @public */ AccessToken: string | undefined; /** * The maximum number of devices that you want Amazon Cognito to return in the response. * @public */ Limit?: number | undefined; /** * This API operation returns a limited number of results. The pagination token is * an identifier that you can present in an additional API request with the same parameters. When * you include the pagination token, Amazon Cognito returns the next set of items after the current list. * Subsequent requests return a new pagination token. By use of this token, you can paginate * through the full list of items. * @public */ PaginationToken?: string | undefined; } /** * Represents the response to list devices. * @public */ export interface ListDevicesResponse { /** * An array of devices and their details. Each entry that's returned includes device * information, last-accessed and created dates, and the device key. * @public */ Devices?: DeviceType[] | undefined; /** * The identifier that Amazon Cognito returned with the previous request to this operation. When * you include a pagination token in your request, Amazon Cognito returns the next set of items in * the list. By use of this token, you can paginate through the full list of items. * @public */ PaginationToken?: string | undefined; } /** * @public */ export interface ListGroupsRequest { /** * The ID of the user pool where you want to list user groups. * @public */ UserPoolId: string | undefined; /** * The maximum number of groups that you want Amazon Cognito to return in the response. * @public */ Limit?: number | undefined; /** * This API operation returns a limited number of results. The pagination token is * an identifier that you can present in an additional API request with the same parameters. When * you include the pagination token, Amazon Cognito returns the next set of items after the current list. * Subsequent requests return a new pagination token. By use of this token, you can paginate * through the full list of items. * @public */ NextToken?: string | undefined; } /** * @public */ export interface ListGroupsResponse { /** * An array of groups and their details. Each entry that's returned includes * description, precedence, and IAM role values. * @public */ Groups?: GroupType[] | undefined; /** * The identifier that Amazon Cognito returned with the previous request to this operation. When * you include a pagination token in your request, Amazon Cognito returns the next set of items in * the list. By use of this token, you can paginate through the full list of items. * @public */ NextToken?: string | undefined; } /** * @public */ export interface ListIdentityProvidersRequest { /** * The ID of the user pool where you want to list IdPs. * @public */ UserPoolId: string | undefined; /** * The maximum number of IdPs that you want Amazon Cognito to return in the response. * @public */ MaxResults?: number | undefined; /** * This API operation returns a limited number of results. The pagination token is * an identifier that you can present in an additional API request with the same parameters. When * you include the pagination token, Amazon Cognito returns the next set of items after the current list. * Subsequent requests return a new pagination token. By use of this token, you can paginate * through the full list of items. * @public */ NextToken?: string | undefined; } /** * The details of a user pool identity provider (IdP), including name and type. * @public */ export interface ProviderDescription { /** * The name of the IdP, for example <code>MySAMLProvider</code>. * @public */ ProviderName?: string | undefined; /** * The type of the provider, for example <code>SAML</code>. Amazon Cognito supports SAML 2.0, * OIDC, and social IdPs. User pools list supported social IdPs by name in this response * parameter: Facebook, Google, Login with Amazon, and Sign in with Apple. * @public */ ProviderType?: IdentityProviderTypeType | undefined; /** * The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ LastModifiedDate?: Date | undefined; /** * The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a * human-readable format like ISO 8601 or a Java <code>Date</code> object. * @public */ CreationDate?: Date | undefined; } /** * @public */ export interface ListIdentityProvidersResponse { /** * An array of the IdPs in your user pool. For each, the response includes identifiers, * the IdP name and type, and trust-relationship details like the issuer URL. * @public */ Providers: ProviderDescription[] | undefined; /** * The identifier that Amazon Cognito returned with the previous request to this operation. When * you include a pagination token in your request, Amazon Cognito returns the next set of items in * the list. By use of this token, you can paginate through the full list of items. * @public */ NextToken?: string | undefined; } /** * @public */ export interface ListResourceServersRequest { /** * The ID of the user pool where you want to list resource servers. * @public */ UserPoolId: string | undefined; /** * The maximum number of resource servers that you want Amazon Cognito to return in the * response. * @public */ MaxResults?: number | undefined; /** * This API operation returns a limited number of results. The pagination token is * an identifier that you can present in an additional API request with the same parameters. When * you include the pagination token, Amazon Cognito returns the next set of items after the current list. * Subsequent requests return a new pagination token. By use of this token, you can pagina