feat(client-cognito-identity-provider): This release adds refresh token rotation.

Author: awstools

clients/client-cognito-identity-provider/README.md

@@ -776,6 +776,14 @@ GetSigningCertificate
 
 [Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/GetSigningCertificateCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetSigningCertificateCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetSigningCertificateCommandOutput/)
 
+</details>
+<details>
+<summary>
+GetTokensFromRefreshToken
+</summary>
+
+[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/GetTokensFromRefreshTokenCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetTokensFromRefreshTokenCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-cognito-identity-provider/Interface/GetTokensFromRefreshTokenCommandOutput/)
+
 </details>
 <details>
 <summary>

clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts

@@ -323,6 +323,11 @@ import {
   GetSigningCertificateCommandInput,
   GetSigningCertificateCommandOutput,
 } from "./commands/GetSigningCertificateCommand";
+import {
+  GetTokensFromRefreshTokenCommand,
+  GetTokensFromRefreshTokenCommandInput,
+  GetTokensFromRefreshTokenCommandOutput,
+} from "./commands/GetTokensFromRefreshTokenCommand";
 import {
   GetUICustomizationCommand,
   GetUICustomizationCommandInput,
@@ -586,6 +591,7 @@ const commands = {
   GetIdentityProviderByIdentifierCommand,
   GetLogDeliveryConfigurationCommand,
   GetSigningCertificateCommand,
+  GetTokensFromRefreshTokenCommand,
   GetUICustomizationCommand,
   GetUserCommand,
   GetUserAttributeVerificationCodeCommand,
@@ -1707,6 +1713,23 @@ export interface CognitoIdentityProvider {
     cb: (err: any, data?: GetSigningCertificateCommandOutput) => void
   ): void;
 
+  /**
+   * @see {@link GetTokensFromRefreshTokenCommand}
+   */
+  getTokensFromRefreshToken(
+    args: GetTokensFromRefreshTokenCommandInput,
+    options?: __HttpHandlerOptions
+  ): Promise<GetTokensFromRefreshTokenCommandOutput>;
+  getTokensFromRefreshToken(
+    args: GetTokensFromRefreshTokenCommandInput,
+    cb: (err: any, data?: GetTokensFromRefreshTokenCommandOutput) => void
+  ): void;
+  getTokensFromRefreshToken(
+    args: GetTokensFromRefreshTokenCommandInput,
+    options: __HttpHandlerOptions,
+    cb: (err: any, data?: GetTokensFromRefreshTokenCommandOutput) => void
+  ): void;
+
   /**
    * @see {@link GetUICustomizationCommand}
    */

clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts

@@ -253,6 +253,10 @@ import {
   GetSigningCertificateCommandInput,
   GetSigningCertificateCommandOutput,
 } from "./commands/GetSigningCertificateCommand";
+import {
+  GetTokensFromRefreshTokenCommandInput,
+  GetTokensFromRefreshTokenCommandOutput,
+} from "./commands/GetTokensFromRefreshTokenCommand";
 import { GetUICustomizationCommandInput, GetUICustomizationCommandOutput } from "./commands/GetUICustomizationCommand";
 import {
   GetUserAttributeVerificationCodeCommandInput,
@@ -450,6 +454,7 @@ export type ServiceInputTypes =
   | GetIdentityProviderByIdentifierCommandInput
   | GetLogDeliveryConfigurationCommandInput
   | GetSigningCertificateCommandInput
+  | GetTokensFromRefreshTokenCommandInput
   | GetUICustomizationCommandInput
   | GetUserAttributeVerificationCodeCommandInput
   | GetUserAuthFactorsCommandInput
@@ -568,6 +573,7 @@ export type ServiceOutputTypes =
   | GetIdentityProviderByIdentifierCommandOutput
   | GetLogDeliveryConfigurationCommandOutput
   | GetSigningCertificateCommandOutput
+  | GetTokensFromRefreshTokenCommandOutput
   | GetUICustomizationCommandOutput
   | GetUserAttributeVerificationCodeCommandOutput
   | GetUserAuthFactorsCommandOutput

clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts

@@ -193,6 +193,10 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons
  *  <p>This exception is thrown when Amazon Cognito encounters an unexpected exception with
  *             Lambda.</p>
  *
+ * @throws {@link UnsupportedOperationException} (client fault)
+ *  <p>Exception that is thrown when you attempt to perform an operation that isn't enabled
+ *             for the user pool client.</p>
+ *
  * @throws {@link UserLambdaValidationException} (client fault)
  *  <p>This exception is thrown when the Amazon Cognito service encounters a user validation exception
  *             with the Lambda service.</p>

clients/client-cognito-identity-provider/src/commands/CreateUserPoolClientCommand.ts

@@ -119,6 +119,10 @@ export interface CreateUserPoolClientCommandOutput extends CreateUserPoolClientR
  *   EnableTokenRevocation: true || false,
  *   EnablePropagateAdditionalUserContextData: true || false,
  *   AuthSessionValidity: Number("int"),
+ *   RefreshTokenRotation: { // RefreshTokenRotationType
+ *     Feature: "ENABLED" || "DISABLED", // required
+ *     RetryGracePeriodSeconds: Number("int"),
+ *   },
  * };
  * const command = new CreateUserPoolClientCommand(input);
  * const response = await client.send(command);
@@ -175,6 +179,10 @@ export interface CreateUserPoolClientCommandOutput extends CreateUserPoolClientR
  * //     EnableTokenRevocation: true || false,
  * //     EnablePropagateAdditionalUserContextData: true || false,
  * //     AuthSessionValidity: Number("int"),
+ * //     RefreshTokenRotation: { // RefreshTokenRotationType
+ * //       Feature: "ENABLED" || "DISABLED", // required
+ * //       RetryGracePeriodSeconds: Number("int"),
+ * //     },
  * //   },
  * // };
  *
@@ -186,6 +194,10 @@ export interface CreateUserPoolClientCommandOutput extends CreateUserPoolClientR
  * @see {@link CreateUserPoolClientCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link FeatureUnavailableInTierException} (client fault)
+ *  <p>This exception is thrown when a feature you attempted to configure isn't
+ *             available in your current feature plan.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *

clients/client-cognito-identity-provider/src/commands/CreateUserPoolDomainCommand.ts

@@ -91,6 +91,10 @@ export interface CreateUserPoolDomainCommandOutput extends CreateUserPoolDomainR
  * @see {@link CreateUserPoolDomainCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link ConcurrentModificationException} (client fault)
+ *  <p>This exception is thrown if two or more modifications are happening
+ *             concurrently.</p>
+ *
  * @throws {@link FeatureUnavailableInTierException} (client fault)
  *  <p>This exception is thrown when a feature you attempted to configure isn't
  *             available in your current feature plan.</p>

clients/client-cognito-identity-provider/src/commands/DeleteUserPoolDomainCommand.ts

@@ -57,6 +57,10 @@ export interface DeleteUserPoolDomainCommandOutput extends DeleteUserPoolDomainR
  * @see {@link DeleteUserPoolDomainCommandOutput} for command's `response` shape.
  * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
  *
+ * @throws {@link ConcurrentModificationException} (client fault)
+ *  <p>This exception is thrown if two or more modifications are happening
+ *             concurrently.</p>
+ *
  * @throws {@link InternalErrorException} (server fault)
  *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
  *

clients/client-cognito-identity-provider/src/commands/DescribeUserPoolClientCommand.ts

@@ -125,6 +125,10 @@ export interface DescribeUserPoolClientCommandOutput extends DescribeUserPoolCli
  * //     EnableTokenRevocation: true || false,
  * //     EnablePropagateAdditionalUserContextData: true || false,
  * //     AuthSessionValidity: Number("int"),
+ * //     RefreshTokenRotation: { // RefreshTokenRotationType
+ * //       Feature: "ENABLED" || "DISABLED", // required
+ * //       RetryGracePeriodSeconds: Number("int"),
+ * //     },
  * //   },
  * // };
  *

clients/client-cognito-identity-provider/src/commands/GetTokensFromRefreshTokenCommand.ts

@@ -0,0 +1,162 @@
+// smithy-typescript generated code
+import { getEndpointPlugin } from "@smithy/middleware-endpoint";
+import { getSerdePlugin } from "@smithy/middleware-serde";
+import { Command as $Command } from "@smithy/smithy-client";
+import { MetadataBearer as __MetadataBearer } from "@smithy/types";
+
+import {
+  CognitoIdentityProviderClientResolvedConfig,
+  ServiceInputTypes,
+  ServiceOutputTypes,
+} from "../CognitoIdentityProviderClient";
+import { commonParams } from "../endpoint/EndpointParameters";
+import {
+  GetTokensFromRefreshTokenRequest,
+  GetTokensFromRefreshTokenRequestFilterSensitiveLog,
+  GetTokensFromRefreshTokenResponse,
+  GetTokensFromRefreshTokenResponseFilterSensitiveLog,
+} from "../models/models_0";
+import { de_GetTokensFromRefreshTokenCommand, se_GetTokensFromRefreshTokenCommand } from "../protocols/Aws_json1_1";
+
+/**
+ * @public
+ */
+export type { __MetadataBearer };
+export { $Command };
+/**
+ * @public
+ *
+ * The input for {@link GetTokensFromRefreshTokenCommand}.
+ */
+export interface GetTokensFromRefreshTokenCommandInput extends GetTokensFromRefreshTokenRequest {}
+/**
+ * @public
+ *
+ * The output of {@link GetTokensFromRefreshTokenCommand}.
+ */
+export interface GetTokensFromRefreshTokenCommandOutput extends GetTokensFromRefreshTokenResponse, __MetadataBearer {}
+
+/**
+ * <p>Given a refresh token, issues new ID, access, and optionally refresh tokens for the
+ *             user who owns the submitted token. This operation issues a new refresh token and
+ *             invalidates the original refresh token after an optional grace period when refresh token
+ *             rotation is enabled. If refresh token rotation is disabled, issues new ID and access
+ *             tokens only.</p>
+ * @example
+ * Use a bare-bones client and the command you need to make an API call.
+ * ```javascript
+ * import { CognitoIdentityProviderClient, GetTokensFromRefreshTokenCommand } from "@aws-sdk/client-cognito-identity-provider"; // ES Modules import
+ * // const { CognitoIdentityProviderClient, GetTokensFromRefreshTokenCommand } = require("@aws-sdk/client-cognito-identity-provider"); // CommonJS import
+ * const client = new CognitoIdentityProviderClient(config);
+ * const input = { // GetTokensFromRefreshTokenRequest
+ *   RefreshToken: "STRING_VALUE", // required
+ *   ClientId: "STRING_VALUE", // required
+ *   ClientSecret: "STRING_VALUE",
+ *   DeviceKey: "STRING_VALUE",
+ *   ClientMetadata: { // ClientMetadataType
+ *     "<keys>": "STRING_VALUE",
+ *   },
+ * };
+ * const command = new GetTokensFromRefreshTokenCommand(input);
+ * const response = await client.send(command);
+ * // { // GetTokensFromRefreshTokenResponse
+ * //   AuthenticationResult: { // AuthenticationResultType
+ * //     AccessToken: "STRING_VALUE",
+ * //     ExpiresIn: Number("int"),
+ * //     TokenType: "STRING_VALUE",
+ * //     RefreshToken: "STRING_VALUE",
+ * //     IdToken: "STRING_VALUE",
+ * //     NewDeviceMetadata: { // NewDeviceMetadataType
+ * //       DeviceKey: "STRING_VALUE",
+ * //       DeviceGroupKey: "STRING_VALUE",
+ * //     },
+ * //   },
+ * // };
+ *
+ * ```
+ *
+ * @param GetTokensFromRefreshTokenCommandInput - {@link GetTokensFromRefreshTokenCommandInput}
+ * @returns {@link GetTokensFromRefreshTokenCommandOutput}
+ * @see {@link GetTokensFromRefreshTokenCommandInput} for command's `input` shape.
+ * @see {@link GetTokensFromRefreshTokenCommandOutput} for command's `response` shape.
+ * @see {@link CognitoIdentityProviderClientResolvedConfig | config} for CognitoIdentityProviderClient's `config` shape.
+ *
+ * @throws {@link ForbiddenException} (client fault)
+ *  <p>This exception is thrown when WAF doesn't allow your request based on a web
+ *             ACL that's associated with your user pool.</p>
+ *
+ * @throws {@link InternalErrorException} (server fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an internal error.</p>
+ *
+ * @throws {@link InvalidLambdaResponseException} (client fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an invalid Lambda response.</p>
+ *
+ * @throws {@link InvalidParameterException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters an invalid
+ *             parameter.</p>
+ *
+ * @throws {@link NotAuthorizedException} (client fault)
+ *  <p>This exception is thrown when a user isn't authorized.</p>
+ *
+ * @throws {@link RefreshTokenReuseException} (client fault)
+ *  <p>This exception is throw when your application requests token refresh with a refresh
+ *             token that has been invalidated by refresh-token rotation.</p>
+ *
+ * @throws {@link ResourceNotFoundException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service can't find the requested
+ *             resource.</p>
+ *
+ * @throws {@link TooManyRequestsException} (client fault)
+ *  <p>This exception is thrown when the user has made too many requests for a given
+ *             operation.</p>
+ *
+ * @throws {@link UnexpectedLambdaException} (client fault)
+ *  <p>This exception is thrown when Amazon Cognito encounters an unexpected exception with
+ *             Lambda.</p>
+ *
+ * @throws {@link UserLambdaValidationException} (client fault)
+ *  <p>This exception is thrown when the Amazon Cognito service encounters a user validation exception
+ *             with the Lambda service.</p>
+ *
+ * @throws {@link UserNotFoundException} (client fault)
+ *  <p>This exception is thrown when a user isn't found.</p>
+ *
+ * @throws {@link CognitoIdentityProviderServiceException}
+ * <p>Base exception class for all service exceptions from CognitoIdentityProvider service.</p>
+ *
+ *
+ * @public
+ */
+export class GetTokensFromRefreshTokenCommand extends $Command
+  .classBuilder<
+    GetTokensFromRefreshTokenCommandInput,
+    GetTokensFromRefreshTokenCommandOutput,
+    CognitoIdentityProviderClientResolvedConfig,
+    ServiceInputTypes,
+    ServiceOutputTypes
+  >()
+  .ep(commonParams)
+  .m(function (this: any, Command: any, cs: any, config: CognitoIdentityProviderClientResolvedConfig, o: any) {
+    return [
+      getSerdePlugin(config, this.serialize, this.deserialize),
+      getEndpointPlugin(config, Command.getEndpointParameterInstructions()),
+    ];
+  })
+  .s("AWSCognitoIdentityProviderService", "GetTokensFromRefreshToken", {})
+  .n("CognitoIdentityProviderClient", "GetTokensFromRefreshTokenCommand")
+  .f(GetTokensFromRefreshTokenRequestFilterSensitiveLog, GetTokensFromRefreshTokenResponseFilterSensitiveLog)
+  .ser(se_GetTokensFromRefreshTokenCommand)
+  .de(de_GetTokensFromRefreshTokenCommand)
+  .build() {
+  /** @internal type navigation helper, not in runtime. */
+  protected declare static __types: {
+    api: {
+      input: GetTokensFromRefreshTokenRequest;
+      output: GetTokensFromRefreshTokenResponse;
+    };
+    sdk: {
+      input: GetTokensFromRefreshTokenCommandInput;
+      output: GetTokensFromRefreshTokenCommandOutput;
+    };
+  };
+}

clients/client-cognito-identity-provider/src/commands/GetUserAuthFactorsCommand.ts

@@ -15,7 +15,7 @@ import {
   GetUserAuthFactorsRequestFilterSensitiveLog,
   GetUserAuthFactorsResponse,
   GetUserAuthFactorsResponseFilterSensitiveLog,
-} from "../models/models_0";
+} from "../models/models_1";
 import { de_GetUserAuthFactorsCommand, se_GetUserAuthFactorsCommand } from "../protocols/Aws_json1_1";
 
 /**