diff --git a/manifest.json b/manifest.json index 2a4664ce6..eadfb4d05 100644 --- a/manifest.json +++ b/manifest.json @@ -1,6 +1,6 @@ { "variables": { - "${LATEST}": "3.329.0" + "${LATEST}": "3.330.0" }, "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json", "services": { diff --git a/psalm.baseline.xml b/psalm.baseline.xml index e1806f5e9..774653373 100644 --- a/psalm.baseline.xml +++ b/psalm.baseline.xml @@ -312,4 +312,12 @@ ]]> + + + + + + ]]> + + diff --git a/src/Service/CognitoIdentityProvider/CHANGELOG.md b/src/Service/CognitoIdentityProvider/CHANGELOG.md index 5de17eaf5..529702794 100644 --- a/src/Service/CognitoIdentityProvider/CHANGELOG.md +++ b/src/Service/CognitoIdentityProvider/CHANGELOG.md @@ -2,6 +2,10 @@ ## NOT RELEASED +### Added + +- AWS api-change: Add support for users to sign up and sign in without passwords, using email and SMS OTPs and Passkeys. Add support for Passkeys based on WebAuthn. Add support for enhanced branding customization for hosted authentication pages with Amazon Cognito Managed Login. Add feature tiers with new pricing. + ### Changed - use strict comparison `null !==` instead of `!` diff --git a/src/Service/CognitoIdentityProvider/composer.json b/src/Service/CognitoIdentityProvider/composer.json index c4478538e..b863a0277 100644 --- a/src/Service/CognitoIdentityProvider/composer.json +++ b/src/Service/CognitoIdentityProvider/composer.json @@ -28,7 +28,7 @@ }, "extra": { "branch-alias": { - "dev-master": "1.9-dev" + "dev-master": "1.10-dev" } } } diff --git a/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php b/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php index 57ee3d10c..afde3ac8d 100644 --- a/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php +++ b/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php 
@@ -237,11 +237,11 @@ public function adminConfirmSignUp($input): AdminConfirmSignUpResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^3] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^3] in the *Amazon Cognito Developer Guide*. * * This message is based on a template that you configured in your call to create or update a user pool. This template * includes your custom sign-up instructions and placeholders for user name and temporary password. 
@@ -249,7 +249,11 @@ public function adminConfirmSignUp($input): AdminConfirmSignUpResponse * Alternatively, you can call `AdminCreateUser` with `SUPPRESS` for the `MessageAction` parameter, and Amazon Cognito * won't send any email. * - * In either case, the user will be in the `FORCE_CHANGE_PASSWORD` state until they sign in and change their password. + * In either case, if the user has a password, they will be in the `FORCE_CHANGE_PASSWORD` state until they sign in and + * set their password. Your invitation message template must have the `{####}` password placeholder if your users have + * passwords. If your template doesn't have this placeholder, Amazon Cognito doesn't deliver the invitation message. In + * this case, you must update your message template and resend the password with a new `AdminCreateUser` request with a + * `MessageAction` value of `RESEND`. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM @@ -468,7 +472,8 @@ public function adminEnableUser($input): AdminEnableUserResponse } /** - * Gets the specified user by user name in a user pool as an administrator. Works on any user. + * Gets the specified user by user name in a user pool as an administrator. Works on any user. This operation + * contributes to your monthly active user (MAU) count for the purpose of billing. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM 
@@ -523,11 +528,11 @@ public function adminGetUser($input): AdminGetUserResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^3] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^3] in the *Amazon Cognito Developer Guide*. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM @@ -556,6 +561,7 @@ public function adminGetUser($input): AdminGetUserResponse * ClientMetadata?: null|array, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * ContextData?: null|ContextDataType|array, + * Session?: null|string, * '@region'?: string|null, * }|AdminInitiateAuthRequest $input * 
@@ -661,11 +667,11 @@ public function adminRemoveUserFromGroup($input): Result * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^4] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^4] in the *Amazon Cognito Developer Guide*. * * Deactivates a user's password, requiring them to change it. If a user tries to sign in after the API is called, * Amazon Cognito responds with a `PasswordResetRequiredException` error. Your app must then perform the actions that 
@@ -813,11 +819,11 @@ public function adminSetUserPassword($input): AdminSetUserPasswordResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^3] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^3] in the *Amazon Cognito Developer Guide*. * * Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user. To * delete an attribute from your user, submit the attribute in your API request with a blank value. @@ -1024,7 +1030,7 @@ public function associateSoftwareToken($input = []): AssociateSoftwareTokenRespo * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#changepassword * * @param array{ - * PreviousPassword: string, + * PreviousPassword?: null|string, * ProposedPassword: string, * AccessToken: string, * '@region'?: string|null, 
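Review bot: Making `PreviousPassword` optional in the `changePassword` array shape (second hunk here) means a call that simply forgets the old password is presumably no longer rejected before it leaves the SDK; only the service decides whether the user has a password. The `ChangePasswordRequest` docblock hunk drops `@required` for the same field, and the `Password?: null|string` change in the `signUp` shape relaxes sign-up in the same way. Because `AccessToken` stays the only other required credential, I would add a docblock line such as `Applications that let users who have a password change it should keep requiring the current password in their own validation.` The docblock and the method body continue outside the hunk.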
@@ -1166,6 +1172,7 @@ public function confirmForgotPassword($input): ConfirmForgotPasswordResponse * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * UserContextData?: null|UserContextDataType|array, * ClientMetadata?: null|array, + * Session?: null|string, * '@region'?: string|null, * }|ConfirmSignUpRequest $input * @@ -1286,11 +1293,11 @@ public function createGroup($input): CreateGroupResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^6]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^7] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^6]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^7] in the *Amazon Cognito Developer Guide*. * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html 
@@ -1417,11 +1424,11 @@ public function getUser($input): GetUserResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^5] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^5] in the *Amazon Cognito Developer Guide*. * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html @@ -1439,6 +1446,7 @@ public function getUser($input): GetUserResponse * ClientId: string, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * UserContextData?: null|UserContextDataType|array, + * Session?: null|string, * '@region'?: string|null, * }|InitiateAuthRequest $input * 
@@ -1592,11 +1600,11 @@ public function listUsers($input): ListUsersResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^4] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^4] in the *Amazon Cognito Developer Guide*. * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * [^2]: https://console.aws.amazon.com/pinpoint/home/ 
@@ -1676,11 +1684,11 @@ public function resendConfirmationCode($input): ResendConfirmationCodeResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^5] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^5] in the *Amazon Cognito Developer Guide*. * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html 
@@ -1874,16 +1882,24 @@ public function setUserMfaPreference($input): SetUserMFAPreferenceResponse * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Servicesservice, Amazon Simple - * > Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send messages - * > only to verified phone numbers. After you test your app while in the sandbox environment, you can move out of the - * > sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools [^4] in - * > the *Amazon Cognito Developer Guide*. + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^4] in the *Amazon Cognito Developer Guide*. + * + * You might receive a `LimitExceeded` exception in response to this request if you have exceeded a rate quota for email + * or SMS messages, and if your user pool automatically verifies email addresses or phone numbers. When you get this + * exception in the response, the user is successfully created and is in an `UNCONFIRMED` state. You can send a new code + * with the ResendConfirmationCode [^5] request, or confirm the user as an administrator with an AdminConfirmSignUp [^6] + * request. 
* * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * [^2]: https://console.aws.amazon.com/pinpoint/home/ * [^3]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html + * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ResendConfirmationCode.html + * [^6]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#signup @@ -1892,7 +1908,7 @@ public function setUserMfaPreference($input): SetUserMFAPreferenceResponse * ClientId: string, * SecretHash?: null|string, * Username: string, - * Password: string, + * Password?: null|string, * UserAttributes?: null|array, * ValidationData?: null|array, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, diff --git a/src/Service/CognitoIdentityProvider/src/Enum/AuthFlowType.php b/src/Service/CognitoIdentityProvider/src/Enum/AuthFlowType.php index adecfc5e1..435bc3d29 100644 --- a/src/Service/CognitoIdentityProvider/src/Enum/AuthFlowType.php +++ b/src/Service/CognitoIdentityProvider/src/Enum/AuthFlowType.php @@ -9,6 +9,7 @@ final class AuthFlowType public const CUSTOM_AUTH = 'CUSTOM_AUTH'; public const REFRESH_TOKEN = 'REFRESH_TOKEN'; public const REFRESH_TOKEN_AUTH = 'REFRESH_TOKEN_AUTH'; + public const USER_AUTH = 'USER_AUTH'; public const USER_PASSWORD_AUTH = 'USER_PASSWORD_AUTH'; public const USER_SRP_AUTH = 'USER_SRP_AUTH'; @@ -20,6 +21,7 @@ public static function exists(string $value): bool self::CUSTOM_AUTH => true, self::REFRESH_TOKEN => true, self::REFRESH_TOKEN_AUTH => true, + self::USER_AUTH => true, self::USER_PASSWORD_AUTH => true, self::USER_SRP_AUTH => true, ][$value]); 
diff --git a/src/Service/CognitoIdentityProvider/src/Enum/ChallengeNameType.php b/src/Service/CognitoIdentityProvider/src/Enum/ChallengeNameType.php index cafb17633..d005269e0 100644 --- a/src/Service/CognitoIdentityProvider/src/Enum/ChallengeNameType.php +++ b/src/Service/CognitoIdentityProvider/src/Enum/ChallengeNameType.php @@ -11,10 +11,15 @@ final class ChallengeNameType public const EMAIL_OTP = 'EMAIL_OTP'; public const MFA_SETUP = 'MFA_SETUP'; public const NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED'; + public const PASSWORD = 'PASSWORD'; + public const PASSWORD_SRP = 'PASSWORD_SRP'; public const PASSWORD_VERIFIER = 'PASSWORD_VERIFIER'; + public const SELECT_CHALLENGE = 'SELECT_CHALLENGE'; public const SELECT_MFA_TYPE = 'SELECT_MFA_TYPE'; public const SMS_MFA = 'SMS_MFA'; + public const SMS_OTP = 'SMS_OTP'; public const SOFTWARE_TOKEN_MFA = 'SOFTWARE_TOKEN_MFA'; + public const WEB_AUTHN = 'WEB_AUTHN'; public static function exists(string $value): bool { @@ -26,10 +31,15 @@ public static function exists(string $value): bool self::EMAIL_OTP => true, self::MFA_SETUP => true, self::NEW_PASSWORD_REQUIRED => true, + self::PASSWORD => true, + self::PASSWORD_SRP => true, self::PASSWORD_VERIFIER => true, + self::SELECT_CHALLENGE => true, self::SELECT_MFA_TYPE => true, self::SMS_MFA => true, + self::SMS_OTP => true, self::SOFTWARE_TOKEN_MFA => true, + self::WEB_AUTHN => true, ][$value]); } } diff --git a/src/Service/CognitoIdentityProvider/src/Exception/InvalidParameterException.php b/src/Service/CognitoIdentityProvider/src/Exception/InvalidParameterException.php index 962ea4ba4..288926f15 100644 --- a/src/Service/CognitoIdentityProvider/src/Exception/InvalidParameterException.php +++ b/src/Service/CognitoIdentityProvider/src/Exception/InvalidParameterException.php 
@@ -3,10 +3,29 @@ namespace AsyncAws\CognitoIdentityProvider\Exception; use AsyncAws\Core\Exception\Http\ClientException; +use Symfony\Contracts\HttpClient\ResponseInterface; /** * This exception is thrown when the Amazon Cognito service encounters an invalid parameter. */ final class InvalidParameterException extends ClientException { + /** + * The reason code of the exception. + * + * @var string|null + */ + private $reasonCode; + + public function getReasonCode(): ?string + { + return $this->reasonCode; + } + + protected function populateResult(ResponseInterface $response): void + { + $data = $response->toArray(false); + + $this->reasonCode = isset($data['reasonCode']) ? (string) $data['reasonCode'] : null; + } } diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php index c03f49d12..796547f5a 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php @@ -11,7 +11,7 @@ use AsyncAws\Core\Stream\StreamFactory; /** - * Represents the request to create a user in the specified user pool. + * Creates a new user in the specified user pool. */ final class AdminCreateUserRequest extends Input { 
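Review bot: `populateResult()` decodes the body with `$response->toArray(false)` and no guard; passing `false` only suppresses the HTTP-status exception, so an empty or non-JSON body would still raise a decoding exception while this exception is being populated, and the original `InvalidParameterException` would presumably be lost. If the base class does not already guarantee a decodable body (not visible in this hunk), catch `DecodingExceptionInterface` around the call and leave `reasonCode` as `null`; this needs one more `use` line for `Symfony\Contracts\HttpClient\Exception\DecodingExceptionInterface`. `getReasonCode()` also has no docblock, and `/** Service-supplied reason code, or null when the response carried none. */` would help callers who branch on it.

```php
protected function populateResult(ResponseInterface $response): void
{
    try {
        $data = $response->toArray(false);
    } catch (DecodingExceptionInterface $e) {
        // Empty or non-JSON body: keep the original error and leave reasonCode null.
        return;
    }

    $this->reasonCode = isset($data['reasonCode']) ? (string) $data['reasonCode'] : null;
}
```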
@@ -55,6 +55,10 @@ final class AdminCreateUserRequest extends Input * this in your call to AdminCreateUser or in the **Users** tab of the Amazon Cognito console for managing your user * pools. * + * You must also provide an email address or phone number when you expect the user to do passwordless sign-in with an + * email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you + * don't submit a `TemporaryPassword`. + * * In your call to `AdminCreateUser`, you can set the `email_verified` attribute to `True`, and you can set the * `phone_number_verified` attribute to `True`. You can also do this by calling AdminUpdateUserAttributes [^1]. * 
@@ -92,15 +96,25 @@ final class AdminCreateUserRequest extends Input * The user's temporary password. This password must conform to the password policy that you specified when you created * the user pool. * + * The exception to the requirement for a password is when your user pool supports passwordless sign-in with email or + * SMS OTPs. To create a user with no password, omit this parameter or submit a blank value. You can only create a + * passwordless user when passwordless sign-in is available. See the SignInPolicyType [^1] property of CreateUserPool + * [^2] and UpdateUserPool [^3]. + * * The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary * password in the sign-in page, along with a new password to be used in all future sign-ins. * - * This parameter isn't required. If you don't specify a value, Amazon Cognito generates one for you. + * If you don't specify a value, Amazon Cognito generates one for you unless you have passwordless options active for + * your user pool. * * The temporary password can only be used until the user account expiration limit that you set for your user pool. To * reset the account after that time limit, you must call `AdminCreateUser` again and specify `RESEND` for the * `MessageAction` parameter. * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html + * * @var string|null */ private $temporaryPassword; diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php index 8ad7a3f66..d209e958c 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php 
+++ b/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php 
@@ -34,24 +34,48 @@ final class AdminInitiateAuthRequest extends Input private $clientId; /** - * The authentication flow for this call to run. The API action will depend on this value. For example: + * The authentication flow that you want to initiate. The `AuthParameters` that you must submit are linked to the flow + * that you submit. For example: * - * - `REFRESH_TOKEN_AUTH` will take in a valid refresh token and return new tokens. - * - `USER_SRP_AUTH` will take in `USERNAME` and `SRP_A` and return the Secure Remote Password (SRP) protocol variables - * to be used for next challenge execution. - * - `ADMIN_USER_PASSWORD_AUTH` will take in `USERNAME` and `PASSWORD` and return the next challenge or tokens. + * - `USER_AUTH`: Request a preferred authentication type or review available authentication types. From the offered + * authentication types, select one in a challenge response and then authenticate with that method in an additional + * challenge response. + * - `REFRESH_TOKEN_AUTH`: Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid + * refresh token as the value. + * - `USER_SRP_AUTH`: Receive secure remote password (SRP) variables for the next challenge, `PASSWORD_VERIFIER`, when + * you pass `USERNAME` and `SRP_A` parameters.. + * - `ADMIN_USER_PASSWORD_AUTH`: Receive new tokens or the next challenge, for example `SOFTWARE_TOKEN_MFA`, when you + * pass `USERNAME` and `PASSWORD` parameters. * - * Valid values include: + * Valid values include the following: * - * - `USER_SRP_AUTH`: Authentication flow for the Secure Remote Password (SRP) protocol. - * - `REFRESH_TOKEN_AUTH`/`REFRESH_TOKEN`: Authentication flow for refreshing the access token and ID token by supplying - * a valid refresh token. - * - `CUSTOM_AUTH`: Custom authentication flow. - * - `ADMIN_NO_SRP_AUTH`: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is - * enabled for calling the app client. 
- * - `ADMIN_USER_PASSWORD_AUTH`: Admin-based user password authentication. This replaces the `ADMIN_NO_SRP_AUTH` - * authentication flow. In this flow, Amazon Cognito receives the password in the request instead of using the SRP - * process to verify passwords. + * - `USER_AUTH`: + * + * The entry point for sign-in with passwords, one-time passwords, biometric devices, and security keys. + * - `USER_SRP_AUTH`: + * + * Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP + * password verification in custom authentication flow [^1]. + * - `REFRESH_TOKEN_AUTH and REFRESH_TOKEN`: + * + * Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh + * token [^2]. + * - `CUSTOM_AUTH`: + * + * Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda + * triggers [^3]. + * - `ADMIN_USER_PASSWORD_AUTH`: + * + * Username-password authentication with the password sent directly in the request. For more information, see Admin + * authentication flow [^4]. + * + * `USER_PASSWORD_AUTH` is a flow type of InitiateAuth [^5] and isn't valid for AdminInitiateAuth. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html + * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges + * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html * * @required * 
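Review bot: The added `USER_SRP_AUTH` bullet ends in a doubled period (`parameters..`), and the refresh-token entry in the "Valid values" list wraps both flow names and the word "and" in a single code span, so it reads as one literal value. If this text is generated from the service model the fix belongs upstream; otherwise end the bullet with `parameters.` and give `REFRESH_TOKEN_AUTH` and `REFRESH_TOKEN` separate code spans. The docblock starts and ends outside this hunk.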
@@ -63,6 +87,9 @@ final class AdminInitiateAuthRequest extends Input * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required * values depend on the value of `AuthFlow`: * + * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for + * `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the + * available sign-in methods. * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is * configured with a client secret), `DEVICE_KEY`. * - For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app @@ -107,6 +134,8 @@ final class AdminInitiateAuthRequest extends Input * - Pre token generation * - Create auth challenge * - Define auth challenge + * - Custom email sender + * - Custom SMS sender * * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer * Guide*. @@ -142,6 +171,14 @@ final class AdminInitiateAuthRequest extends Input */ private $contextData; + /** + * The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process + * with the `USER_AUTH` authentication flow. + * + * @var string|null + */ + private $session; + /** * @param array{ * UserPoolId?: string, @@ -151,6 +188,7 @@ final class AdminInitiateAuthRequest extends Input * ClientMetadata?: null|array, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * ContextData?: null|ContextDataType|array, + * Session?: null|string, * '@region'?: string|null, * } $input */ 
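Review bot: The new `$session` docblock (third hunk here) does not say that the value is sensitive, although by its own description it lets a caller sign a user in directly from the sign-up process, so it presumably acts as a short-lived credential. I would add a sentence such as `Treat this value as a secret: do not write it to logs, URLs or error messages.` The same property is wired through the constructor, `getSession()`, `setSession()` and `requestBody()` in the following hunks, none of which carry their own documentation. The class body continues outside these hunks.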
@@ -163,6 +201,7 @@ public function __construct(array $input = []) $this->clientMetadata = $input['ClientMetadata'] ?? null; $this->analyticsMetadata = isset($input['AnalyticsMetadata']) ? AnalyticsMetadataType::create($input['AnalyticsMetadata']) : null; $this->contextData = isset($input['ContextData']) ? ContextDataType::create($input['ContextData']) : null; + $this->session = $input['Session'] ?? null; parent::__construct($input); } @@ -175,6 +214,7 @@ public function __construct(array $input = []) * ClientMetadata?: null|array, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * ContextData?: null|ContextDataType|array, + * Session?: null|string, * '@region'?: string|null, * }|AdminInitiateAuthRequest $input */ @@ -222,6 +262,11 @@ public function getContextData(): ?ContextDataType return $this->contextData; } + public function getSession(): ?string + { + return $this->session; + } + public function getUserPoolId(): ?string { return $this->userPoolId; @@ -304,6 +349,13 @@ public function setContextData(?ContextDataType $value): self return $this; } + public function setSession(?string $value): self + { + $this->session = $value; + + return $this; + } + public function setUserPoolId(?string $value): self { $this->userPoolId = $value; @@ -355,6 +407,9 @@ private function requestBody(): array if (null !== $v = $this->contextData) { $payload['ContextData'] = $v->requestBody(); } + if (null !== $v = $this->session) { + $payload['Session'] = $v; + } return $payload; } diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php index 38e23cc8e..6228cb27d 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php 
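Review bot: The new `getSession()` and `setSession()` accessors in AdminInitiateAuthRequest (hunks at -222 and -304) have no docblock, although the property description added earlier in this file says the value lets a user be signed in directly from the sign-up process. I would document that on the setter, for example `/** Session returned by the preceding sign-up confirmation; treat it like a credential and keep it out of logs and URLs. */`. The same undocumented accessors are added to ConfirmSignUpRequest and InitiateAuthRequest further down. The property text also says the ID comes from a `ConfirmSignUp` API request, while this commit exposes it through `ConfirmSignUpResponse::getSession()`; that wording may be inherited from the upstream service description, so confirm where it should be corrected.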
@@ -43,10 +43,10 @@ final class AdminUpdateUserAttributesRequest extends Input * responds to a verification message to verify the new value, Amazon Cognito updates the attribute value. Your user can * sign in and receive messages with the original attribute value until they verify the new value. * - * To update the value of an attribute that requires verification in the same API request, include the `email_verified` - * or `phone_number_verified` attribute, with a value of `true`. If you set the `email_verified` or - * `phone_number_verified` value for an `email` or `phone_number` attribute that requires verification to `true`, Amazon - * Cognito doesn’t send a verification message to your user. + * To skip the verification message and update the value of an attribute that requires verification in the same API + * request, include the `email_verified` or `phone_number_verified` attribute, with a value of `true`. If you set the + * `email_verified` or `phone_number_verified` value for an `email` or `phone_number` attribute that requires + * verification to `true`, Amazon Cognito doesn’t send a verification message to your user. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/ChangePasswordRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ChangePasswordRequest.php index 612876e0a..252e186ee 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ChangePasswordRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ChangePasswordRequest.php @@ -13,9 +13,8 @@ final class ChangePasswordRequest extends Input { /** - * The old password. - * - * @required + * The user's previous password. Required if the user has a password. If the user has no password and only signs in with + * passwordless authentication options, you can omit this parameter. * * @var string|null */ 
@@ -41,7 +40,7 @@ final class ChangePasswordRequest extends Input /** * @param array{ - * PreviousPassword?: string, + * PreviousPassword?: null|string, * ProposedPassword?: string, * AccessToken?: string, * '@region'?: string|null, @@ -57,7 +56,7 @@ public function __construct(array $input = []) /** * @param array{ - * PreviousPassword?: string, + * PreviousPassword?: null|string, * ProposedPassword?: string, * AccessToken?: string, * '@region'?: string|null, @@ -133,10 +132,9 @@ public function setProposedPassword(?string $value): self private function requestBody(): array { $payload = []; - if (null === $v = $this->previousPassword) { - throw new InvalidArgument(\sprintf('Missing parameter "PreviousPassword" for "%s". The value cannot be null.', __CLASS__)); + if (null !== $v = $this->previousPassword) { + $payload['PreviousPassword'] = $v; } - $payload['PreviousPassword'] = $v; if (null === $v = $this->proposedPassword) { throw new InvalidArgument(\sprintf('Missing parameter "ProposedPassword" for "%s". The value cannot be null.', __CLASS__)); } diff --git a/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php index 9233c23fe..f9e1f39b9 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php @@ -105,6 +105,14 @@ final class ConfirmSignUpRequest extends Input */ private $clientMetadata; + /** + * The optional session ID from a `SignUp` API request. You can sign in a user directly from the sign-up process with + * the `USER_AUTH` authentication flow. + * + * @var string|null + */ + private $session; + /** * @param array{ * ClientId?: string, 
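Review bot: `requestBody()` in ChangePasswordRequest (hunk at -133) no longer throws `InvalidArgument` when `PreviousPassword` is null, so enforcement is left entirely to the service; the `Password` guard in `SignUpRequest::requestBody()` is dropped the same way later in this commit. Callers that relied on the exception to catch a missing form field will now get a service-side error instead, or, for sign-up against a pool that allows passwordless sign-in, an account created without a password. The property docblocks could state this directly, for example `Not validated client-side: a null value is omitted from the payload and the service decides whether it is required.`. Applications that always expect a password should check for it before building the request. Both `requestBody()` bodies continue outside their hunks.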
@@ -115,6 +123,7 @@ final class ConfirmSignUpRequest extends Input * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * UserContextData?: null|UserContextDataType|array, * ClientMetadata?: null|array, + * Session?: null|string, * '@region'?: string|null, * } $input */ @@ -128,6 +137,7 @@ public function __construct(array $input = []) $this->analyticsMetadata = isset($input['AnalyticsMetadata']) ? AnalyticsMetadataType::create($input['AnalyticsMetadata']) : null; $this->userContextData = isset($input['UserContextData']) ? UserContextDataType::create($input['UserContextData']) : null; $this->clientMetadata = $input['ClientMetadata'] ?? null; + $this->session = $input['Session'] ?? null; parent::__construct($input); } @@ -141,6 +151,7 @@ public function __construct(array $input = []) * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * UserContextData?: null|UserContextDataType|array, * ClientMetadata?: null|array, + * Session?: null|string, * '@region'?: string|null, * }|ConfirmSignUpRequest $input */ @@ -182,6 +193,11 @@ public function getSecretHash(): ?string return $this->secretHash; } + public function getSession(): ?string + { + return $this->session; + } + public function getUserContextData(): ?UserContextDataType { return $this->userContextData; @@ -263,6 +279,13 @@ public function setSecretHash(?string $value): self return $this; } + public function setSession(?string $value): self + { + $this->session = $value; + + return $this; + } + public function setUserContextData(?UserContextDataType $value): self { $this->userContextData = $value; @@ -314,6 +337,9 @@ private function requestBody(): array } } } + if (null !== $v = $this->session) { + $payload['Session'] = $v; + } return $payload; } diff --git a/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php b/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php index 862e58e2f..e288b8130 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php 
+++ b/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php 
@@ -16,24 +16,49 @@ final class InitiateAuthRequest extends Input { /** - * The authentication flow for this call to run. The API action will depend on this value. For example: + * The authentication flow that you want to initiate. The `AuthParameters` that you must submit are linked to the flow + * that you submit. For example: * - * - `REFRESH_TOKEN_AUTH` takes in a valid refresh token and returns new tokens. - * - `USER_SRP_AUTH` takes in `USERNAME` and `SRP_A` and returns the SRP variables to be used for next challenge - * execution. - * - `USER_PASSWORD_AUTH` takes in `USERNAME` and `PASSWORD` and returns the next challenge or tokens. + * - `USER_AUTH`: Request a preferred authentication type or review available authentication types. From the offered + * authentication types, select one in a challenge response and then authenticate with that method in an additional + * challenge response. + * - `REFRESH_TOKEN_AUTH`: Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid + * refresh token as the value. + * - `USER_SRP_AUTH`: Receive secure remote password (SRP) variables for the next challenge, `PASSWORD_VERIFIER`, when + * you pass `USERNAME` and `SRP_A` parameters. + * - `USER_PASSWORD_AUTH`: Receive new tokens or the next challenge, for example `SOFTWARE_TOKEN_MFA`, when you pass + * `USERNAME` and `PASSWORD` parameters. * - * Valid values include: + * Valid values include the following: * - * - `USER_SRP_AUTH`: Authentication flow for the Secure Remote Password (SRP) protocol. - * - `REFRESH_TOKEN_AUTH`/`REFRESH_TOKEN`: Authentication flow for refreshing the access token and ID token by supplying - * a valid refresh token. - * - `CUSTOM_AUTH`: Custom authentication flow. - * - `USER_PASSWORD_AUTH`: Non-SRP authentication flow; user name and password are passed directly. If a user migration - * Lambda trigger is set, this flow will invoke the user migration Lambda if it doesn't find the user name in the user - * pool. 
+ * - `USER_AUTH`: * - * `ADMIN_NO_SRP_AUTH` isn't a valid value. + * The entry point for sign-in with passwords, one-time passwords, biometric devices, and security keys. + * - `USER_SRP_AUTH`: + * + * Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP + * password verification in custom authentication flow [^1]. + * - `REFRESH_TOKEN_AUTH and REFRESH_TOKEN`: + * + * Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh + * token [^2]. + * - `CUSTOM_AUTH`: + * + * Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda + * triggers [^3]. + * - `USER_PASSWORD_AUTH`: + * + * Username-password authentication with the password sent directly in the request. For more information, see Admin + * authentication flow [^4]. + * + * `ADMIN_USER_PASSWORD_AUTH` is a flow type of AdminInitiateAuth [^5] and isn't valid for InitiateAuth. + * `ADMIN_NO_SRP_AUTH` is a legacy server-side username-password flow and isn't valid for InitiateAuth. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html + * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges + * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html * * @required * 
@@ -45,6 +70,9 @@ final class InitiateAuthRequest extends Input * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required * values depend on the value of `AuthFlow`: * + * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for + * `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the + * available sign-in methods. * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is * configured with a client secret), `DEVICE_KEY`. * - For `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client @@ -89,6 +117,8 @@ final class InitiateAuthRequest extends Input * - Pre token generation * - Create auth challenge * - Define auth challenge + * - Custom email sender + * - Custom SMS sender * * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer * Guide*. @@ -133,6 +163,14 @@ final class InitiateAuthRequest extends Input */ private $userContextData; + /** + * The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process + * with the `USER_AUTH` authentication flow. + * + * @var string|null + */ + private $session; + /** * @param array{ * AuthFlow?: AuthFlowType::*, @@ -141,6 +179,7 @@ final class InitiateAuthRequest extends Input * ClientId?: string, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * UserContextData?: null|UserContextDataType|array, + * Session?: null|string, * '@region'?: string|null, * } $input */ 
@@ -152,6 +191,7 @@ public function __construct(array $input = []) $this->clientId = $input['ClientId'] ?? null; $this->analyticsMetadata = isset($input['AnalyticsMetadata']) ? AnalyticsMetadataType::create($input['AnalyticsMetadata']) : null; $this->userContextData = isset($input['UserContextData']) ? UserContextDataType::create($input['UserContextData']) : null; + $this->session = $input['Session'] ?? null; parent::__construct($input); } @@ -163,6 +203,7 @@ public function __construct(array $input = []) * ClientId?: string, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, * UserContextData?: null|UserContextDataType|array, + * Session?: null|string, * '@region'?: string|null, * }|InitiateAuthRequest $input */ @@ -205,6 +246,11 @@ public function getClientMetadata(): array return $this->clientMetadata ?? []; } + public function getSession(): ?string + { + return $this->session; + } + public function getUserContextData(): ?UserContextDataType { return $this->userContextData; @@ -280,6 +326,13 @@ public function setClientMetadata(array $value): self return $this; } + public function setSession(?string $value): self + { + $this->session = $value; + + return $this; + } + public function setUserContextData(?UserContextDataType $value): self { $this->userContextData = $value; @@ -327,6 +380,9 @@ private function requestBody(): array if (null !== $v = $this->userContextData) { $payload['UserContextData'] = $v->requestBody(); } + if (null !== $v = $this->session) { + $payload['Session'] = $v; + } return $payload; } diff --git a/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php index b4d1af0d6..aea06b837 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php 
@@ -53,8 +53,8 @@ final class ListUsersRequest extends Input private $paginationToken; /** - * A filter string of the form "*AttributeName**Filter-Type* "*AttributeValue*"". Quotation marks within the filter - * string must be escaped using the backslash (`\`) character. For example, `"family_name = \"Reddy\""`. + * A filter string of the form `"AttributeName Filter-Type "AttributeValue"`. Quotation marks within the filter string + * must be escaped using the backslash (`\`) character. For example, `"family_name = \"Reddy\""`. * * - *AttributeName*: The name of the attribute to search for. You can only search for one attribute at a time. * - *Filter-Type*: For an exact match, use `=`, for example, "`given_name = \"Jon\"`". For a prefix ("starts with") diff --git a/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php b/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php index 6e02bcd34..2578ea88e 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php 
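Review bot: The rewritten first sentence of the filter docblock in ListUsersRequest gives the form as `"AttributeName Filter-Type "AttributeValue"`, which has three double quotes and so no longer matches the escaped example that follows it (`"family_name = \"Reddy\""`). I would write the form with the inner quotes escaped and the outer string closed, `"AttributeName Filter-Type \"AttributeValue\""`. Because the docblock already requires quotation marks inside the filter to be backslash-escaped, it could also add one line for callers: `When AttributeValue comes from user input, escape embedded quotation marks before building the filter.`. The docblock continues beyond this hunk.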
@@ -52,13 +52,41 @@ final class RespondToAuthChallengeRequest extends Input * parameters. * * ! You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret. + * ! Include a `DEVICE_KEY` for device authentication. * - * - `SMS_MFA`: + * - `SELECT_CHALLENGE`: * - * `"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}` + * `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge + * name]"}` + * + * Available challenges are `PASSWORD`, `PASSWORD_SRP`, `EMAIL_OTP`, `SMS_OTP`, and `WEB_AUTHN`. + * + * Complete authentication in the `SELECT_CHALLENGE` response for `PASSWORD`, `PASSWORD_SRP`, and `WEB_AUTHN`: + * + * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", + * "CREDENTIAL": "[AuthenticationResponseJSON]"}` + * + * See AuthenticationResponseJSON [^1]. + * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", + * "PASSWORD": "[password]"}` + * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", + * "SRP_A": "[SRP_A]"}` + * + * For `SMS_OTP` and `EMAIL_OTP`, respond with the username and answer. Your user pool will send a code for the user + * to submit in the next challenge response. 
+ * + * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}` + * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}` + * + * - `SMS_OTP`: + * + * `"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}` * - `EMAIL_OTP`: * * `"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}` + * - `SMS_MFA`: + * + * `"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}` * - `PASSWORD_VERIFIER`: * * This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this @@ -110,11 +138,12 @@ final class RespondToAuthChallengeRequest extends Input * `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or * SOFTWARE_TOKEN_MFA]"}` * - * For more information about `SECRET_HASH`, see Computing secret hash values [^1]. For information about `DEVICE_KEY`, - * see Working with user devices in your user pool [^2]. + * For more information about `SECRET_HASH`, see Computing secret hash values [^2]. For information about `DEVICE_KEY`, + * see Working with user devices in your user pool [^3]. * - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash - * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html + * [^1]: https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html * * @var array|null */ 
diff --git a/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php b/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php index 55cbd844e..24fef509a 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php @@ -45,7 +45,14 @@ final class SignUpRequest extends Input /** * The password of the user you want to register. * - * @required + * Users can sign up without a password when your user pool supports passwordless sign-in with email or SMS OTPs. To + * create a user with no password, omit this parameter or submit a blank value. You can only create a passwordless user + * when passwordless sign-in is available. See the SignInPolicyType [^1] property of CreateUserPool [^2] and + * UpdateUserPool [^3]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html * * @var string|null */ @@ -126,7 +133,7 @@ final class SignUpRequest extends Input * ClientId?: string, * SecretHash?: null|string, * Username?: string, - * Password?: string, + * Password?: null|string, * UserAttributes?: null|array, * ValidationData?: null|array, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, @@ -154,7 +161,7 @@ public function __construct(array $input = []) * ClientId?: string, * SecretHash?: null|string, * Username?: string, - * Password?: string, + * Password?: null|string, * UserAttributes?: null|array, * ValidationData?: null|array, * AnalyticsMetadata?: null|AnalyticsMetadataType|array, 
@@ -334,10 +341,9 @@ private function requestBody(): array throw new InvalidArgument(\sprintf('Missing parameter "Username" for "%s". The value cannot be null.', __CLASS__)); } $payload['Username'] = $v; - if (null === $v = $this->password) { - throw new InvalidArgument(\sprintf('Missing parameter "Password" for "%s". The value cannot be null.', __CLASS__)); + if (null !== $v = $this->password) { + $payload['Password'] = $v; } - $payload['Password'] = $v; if (null !== $v = $this->userAttributes) { $index = -1; $payload['UserAttributes'] = []; diff --git a/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php b/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php index f5c173407..475500a31 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php 
@@ -17,6 +17,14 @@ class AdminInitiateAuthResponse extends Result * The name of the challenge that you're responding to with this call. This is returned in the `AdminInitiateAuth` * response if you must pass another challenge. * + * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a passkey, or webauthN, + * factor. These are typically biometric devices or security keys. + * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), + * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` + * (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge + * types in the `AvailableChallenges` response parameter. * - `MFA_SETUP`: If MFA is required, users who don't have at least one of the MFA methods set up are presented with an * `MFA_SETUP` challenge. The user must set up at least one MFA type to continue to authenticate. * - `SELECT_MFA_TYPE`: Selects the MFA type. Valid MFA options are `SMS_MFA` for SMS message MFA, `EMAIL_OTP` for email 
@@ -37,6 +45,12 @@ class AdminInitiateAuthResponse extends Result * `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and * that your app client can write. For more information, see AdminRespondToAuthChallenge [^1]. * + * Amazon Cognito only returns this challenge for users who have temporary passwords. Because of this, and because in + * some cases you can create users who don't have values for required attributes, take care to collect and submit + * required-attribute values for all users who don't have passwords. You can create a user in the Amazon Cognito + * console without, for example, a required `birthdate` attribute. The API response from Amazon Cognito won't prompt + * you to submit a birthdate for the user if they don't have a password. + * * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. * > In `AdminRespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the * > `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` API operation to modify the value of any diff --git a/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php b/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php index 1d3bf3b27..28840e112 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php @@ -2,6 +2,7 @@ namespace AsyncAws\CognitoIdentityProvider\Result; +use AsyncAws\Core\Response; use AsyncAws\Core\Result; /** 
@@ -9,4 +10,29 @@ */ class ConfirmSignUpResponse extends Result { + /** + * You can automatically sign users in with the one-time password that they provided in a successful `ConfirmSignUp` + * request. To do this, pass the `Session` parameter from the `ConfirmSignUp` response in the `Session` parameter of an + * InitiateAuth [^1] or AdminInitiateAuth [^2] request. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * + * @var string|null + */ + private $session; + + public function getSession(): ?string + { + $this->initialize(); + + return $this->session; + } + + protected function populateResult(Response $response): void + { + $data = $response->toArray(); + + $this->session = isset($data['Session']) ? (string) $data['Session'] : null; + } } diff --git a/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php b/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php index d6b2b6ea2..091bd6594 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php 
@@ -21,6 +21,14 @@ class InitiateAuthResponse extends Result * * > All of the following challenges require `USERNAME` and `SECRET_HASH` (if applicable) in the parameters. * + * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a passkey, or webauthN, + * factor. These are typically biometric devices or security keys. + * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), + * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` + * (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge + * types in the `AvailableChallenges` response parameter. * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your user pool delivered in an SMS message. * - `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that your user pool delivered in an email message. * - `PASSWORD_VERIFIER`: Next challenge is to supply `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and 
@@ -36,6 +44,12 @@ class InitiateAuthResponse extends Result * `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and * that your app client can write. For more information, see RespondToAuthChallenge [^1]. * + * Amazon Cognito only returns this challenge for users who have temporary passwords. Because of this, and because in + * some cases you can create users who don't have values for required attributes, take care to collect and submit + * required-attribute values for all users who don't have passwords. You can create a user in the Amazon Cognito + * console without, for example, a required `birthdate` attribute. The API response from Amazon Cognito won't prompt + * you to submit a birthdate for the user if they don't have a password. + * * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. * > In `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` * > parameter, then use the `UpdateUserAttributes` API operation to modify the value of any additional attributes. @@ -56,8 +70,8 @@ class InitiateAuthResponse extends Result /** * The session that should pass both ways in challenge-response calls to the service. If the caller must pass another - * challenge, they return a session with other challenge parameters. This session should be passed as it is to the next - * `RespondToAuthChallenge` API call. + * challenge, they return a session with other challenge parameters. Include this session identifier in a + * `RespondToAuthChallenge` API request. * * @var string|null */ 
@@ -67,7 +81,7 @@ class InitiateAuthResponse extends Result * The challenge parameters. These are returned in the `InitiateAuth` response if you must pass another challenge. The * responses in this parameter should be used to compute inputs to the next call (`RespondToAuthChallenge`). * - * All challenges require `USERNAME` and `SECRET_HASH` (if applicable). + * All challenges require `USERNAME`. They also require `SECRET_HASH` if your app client has a client secret. * * @var array */ @@ -82,6 +96,15 @@ class InitiateAuthResponse extends Result */ private $authenticationResult; + /** + * This response parameter prompts a user to select from multiple available challenges that they can complete + * authentication with. For example, they might be able to continue with passwordless authentication or with a one-time + * password from an SMS message. + * + * @var list + */ + private $availableChallenges; + public function getAuthenticationResult(): ?AuthenticationResultType { $this->initialize(); @@ -89,6 +112,16 @@ public function getAuthenticationResult(): ?AuthenticationResultType return $this->authenticationResult; } + /** + * @return list + */ + public function getAvailableChallenges(): array + { + $this->initialize(); + + return $this->availableChallenges; + } + /** * @return ChallengeNameType::*|null */ 
@@ -124,6 +157,7 @@ protected function populateResult(Response $response): void $this->session = isset($data['Session']) ? (string) $data['Session'] : null; $this->challengeParameters = empty($data['ChallengeParameters']) ? [] : $this->populateResultChallengeParametersType($data['ChallengeParameters']); $this->authenticationResult = empty($data['AuthenticationResult']) ? null : $this->populateResultAuthenticationResultType($data['AuthenticationResult']); + $this->availableChallenges = empty($data['AvailableChallenges']) ? [] : $this->populateResultAvailableChallengeListType($data['AvailableChallenges']); } private function populateResultAuthenticationResultType(array $json): AuthenticationResultType @@ -138,6 +172,22 @@ private function populateResultAuthenticationResultType(array $json): Authentica ]); } + /** + * @return list + */ + private function populateResultAvailableChallengeListType(array $json): array + { + $items = []; + foreach ($json as $item) { + $a = isset($item) ? (string) $item : null; + if (null !== $a) { + $items[] = $a; + } + } + + return $items; + } + /** * @return array */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php b/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php index d41a89d24..b9c7c46ae 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php @@ -32,6 +32,14 @@ class SignUpResponse extends Result */ private $userSub; + /** + * A session Id that you can pass to `ConfirmSignUp` when you want to immediately sign in your user with the `USER_AUTH` + * flow after they complete sign-up. + * + * @var string|null + */ + private $session; + public function getCodeDeliveryDetails(): ?CodeDeliveryDetailsType { $this->initialize(); 
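Review bot: `populateResultAvailableChallengeListType()` in InitiateAuthResponse (hunk at -138) casts each element with `(string) $item` into a temporary and then null-checks it a second time, which is roundabout and would turn an unexpected nested array into the literal string `Array` instead of skipping it. The loop body can be `if (\is_string($item)) { $items[] = $item; }`, assuming the service only ever returns challenge names as JSON strings. The helper also has no description; a one-line docblock such as `Normalises the AvailableChallenges entries of the response into a list of strings.` would help. If this file is produced by a code generator, the change belongs in the generator template rather than here.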
@@ -39,6 +47,13 @@ public function getCodeDeliveryDetails(): ?CodeDeliveryDetailsType return $this->codeDeliveryDetails; } + public function getSession(): ?string + { + $this->initialize(); + + return $this->session; + } + public function getUserConfirmed(): bool { $this->initialize(); @@ -60,6 +75,7 @@ protected function populateResult(Response $response): void $this->userConfirmed = filter_var($data['UserConfirmed'], \FILTER_VALIDATE_BOOLEAN); $this->codeDeliveryDetails = empty($data['CodeDeliveryDetails']) ? null : $this->populateResultCodeDeliveryDetailsType($data['CodeDeliveryDetails']); $this->userSub = (string) $data['UserSub']; + $this->session = isset($data['Session']) ? (string) $data['Session'] : null; } private function populateResultCodeDeliveryDetailsType(array $json): CodeDeliveryDetailsType diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php index bc12aa352..f188ab74b 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php 
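Review bot: `getSession()` in the first hunk is added without a docblock, although the property it returns is documented as a session Id that can be passed to `ConfirmSignUp` to sign the user in right after sign-up. A value that continues an authentication flow should presumably be handled like a credential, and the getter is where callers will look for that. I would add `/** Session Id for continuing sign-in through ConfirmSignUp with the USER_AUTH flow; null when the response has none. Treat it as a secret and keep it out of logs and URLs. */` above the method. The `null` case is grounded in the `populateResult` line of the second hunk, which uses `isset($data['Session'])`.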
@@ -3,18 +3,27 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * An Amazon Pinpoint analytics endpoint. + * Information that your application adds to authentication requests. Applies an endpoint ID to the analytics data that + * your user pool sends to Amazon Pinpoint. * - * An endpoint uniquely identifies a mobile device, email address, or phone number that can receive messages from Amazon - * Pinpoint analytics. For more information about Amazon Web Services Regions that can contain Amazon Pinpoint resources - * for use with Amazon Cognito user pools, see Using Amazon Pinpoint analytics with Amazon Cognito user pools [^1]. + * An endpoint ID uniquely identifies a mobile device, email address or phone number that can receive messages from + * Amazon Pinpoint analytics. For more information about Amazon Web Services Regions that can contain Amazon Pinpoint + * resources for use with Amazon Cognito user pools, see Using Amazon Pinpoint analytics with Amazon Cognito user pools + * [^1]. + * + * This data type is a request parameter of authentication operations like InitiateAuth [^2], AdminInitiateAuth [^3], + * RespondToAuthChallenge [^4], and AdminRespondToAuthChallenge [^5]. * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html + * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class AnalyticsMetadataType { /** - * The endpoint ID. + * The endpoint ID. Information that you want to pass to Amazon Pinpoint about where to send notifications. * * @var string|null */ 
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php index 633f175e0..274327053 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php @@ -5,7 +5,12 @@ use AsyncAws\Core\Exception\InvalidArgument; /** - * Specifies whether the attribute is standard or custom. + * The name and value of a user attribute. + * + * This data type is a request parameter of AdminUpdateUserAttributes [^1] and UpdateUserAttributes [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html */ final class AttributeType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php index 849729e68..fac6bd802 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php 
@@ -3,12 +3,21 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * The authentication result. + * The object that your application receives after authentication. Contains tokens and information for device + * authentication. + * + * This data type is a response parameter of authentication operations like InitiateAuth [^1], AdminInitiateAuth [^2], + * RespondToAuthChallenge [^3], and AdminRespondToAuthChallenge [^4]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html + * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class AuthenticationResultType { /** - * A valid access token that Amazon Cognito issued to the user who you want to authenticate. + * Your user's access token. * * @var string|null */ @@ -22,21 +31,21 @@ final class AuthenticationResultType private $expiresIn; /** - * The token type. + * The intended use of the token, for example `Bearer`. * * @var string|null */ private $tokenType; /** - * The refresh token. + * Your user's refresh token. * * @var string|null */ private $refreshToken; /** - * The ID token. + * Your user's ID token. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php index 6e096679f..243cd5de7 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php 
@@ -6,6 +6,12 @@ /** * The delivery details for an email or SMS message that Amazon Cognito sent for authentication or verification. + * + * This data type is a response parameter of operations that send a code for user profile confirmation, verification, or + * management, for example ForgotPassword [^1] and SignUp [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html */ final class CodeDeliveryDetailsType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php index 26646ff50..847e09c16 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php @@ -5,7 +5,13 @@ use AsyncAws\Core\Exception\InvalidArgument; /** - * Contextual user data type used for evaluating the risk of an unexpected event by Amazon Cognito advanced security. + * Contextual user data used for evaluating the risk of an authentication event by user pool threat protection. + * + * This data type is a request parameter of server-side authentication operations like AdminInitiateAuth [^1] and + * AdminRespondToAuthChallenge [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class ContextDataType { 
@@ -17,21 +23,21 @@ final class ContextDataType private $ipAddress; /** - * Your server endpoint where this API is invoked. + * The name of your application's service endpoint. * * @var string */ private $serverName; /** - * Your server path where this API is invoked. + * The path of your application's service endpoint. * * @var string */ private $serverPath; /** - * HttpHeaders received on your server in same order. + * The HTTP headers from your user's authentication request. * * @var HttpHeader[] */ diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php index 09bdc51bc..9c8ccb138 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php @@ -7,7 +7,11 @@ * as the preferred MFA method when multiple methods are available. To activate this setting, advanced security features * [^1] must be active in your user pool. * + * This data type is a request parameter of SetUserMFAPreference [^2] and AdminSetUserMFAPreference [^3]. + * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html */ final class EmailMfaSettingsType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php index 1d2fa4065..946146a5f 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php 
@@ -3,7 +3,18 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * The group type. + * A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with + * identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials + * for the role associated with their highest-priority group. + * + * This data type is a response parameter of AdminListGroupsForUser [^1], CreateGroup [^2], GetGroup [^3], ListGroups + * [^4], and UpdateGroup [^5]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html + * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html + * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html */ final class GroupType { @@ -15,21 +26,22 @@ final class GroupType private $groupName; /** - * The user pool ID for the user pool. + * The ID of the user pool that contains the group. * * @var string|null */ private $userPoolId; /** - * A string containing the description of the group. + * A friendly description of the group. * * @var string|null */ private $description; /** - * The role Amazon Resource Name (ARN) for the group. + * The ARN of the IAM role associated with the group. If a group has the highest priority of a user's groups, users who + * authenticate with an identity pool get credentials for the `RoleArn` that's associated with the group. * * @var string|null */ 
@@ -47,7 +59,7 @@ final class GroupType * in tokens for users in each group. If the two groups have different role ARNs, the `cognito:preferred_role` claim * isn't set in users' tokens. * - * The default `Precedence` value is null. + * The default `Precedence` value is `null`. * * @var int|null */ diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php b/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php index 08634aa65..a59e82a50 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php @@ -3,7 +3,13 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * The HTTP header. + * The HTTP header in the `ContextData` parameter. + * + * This data type is a request parameter of server-side authentication operations like AdminInitiateAuth [^1] and + * AdminRespondToAuthChallenge [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class HttpHeader { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php index a83db7abe..84bc19e0e 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php 
@@ -3,19 +3,30 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * The new device metadata type. + * Information that your user pool responds with in `AuthenticationResult`when you configure it to remember devices and + * a user signs in with an unrecognized device. Amazon Cognito presents a new device key that you can use to set up + * device authentication [^1] in a "Remember me on this device" authentication model. + * + * This data type is a response parameter of authentication operations like InitiateAuth [^2], AdminInitiateAuth [^3], + * RespondToAuthChallenge [^4], and AdminRespondToAuthChallenge [^5]. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html + * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class NewDeviceMetadataType { /** - * The device key. + * The device key, an identifier used in generating the `DEVICE_PASSWORD_VERIFIER` for device SRP authentication. * * @var string|null */ private $deviceKey; /** - * The device group key. + * The device group key, an identifier used in generating the `DEVICE_PASSWORD_VERIFIER` for device SRP authentication. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php index e12600a1c..febd65f3e 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php 
@@ -3,11 +3,14 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * The type used for enabling SMS multi-factor authentication (MFA) at the user level. Phone numbers don't need to be - * verified to be used for SMS MFA. If an MFA type is activated for a user, the user will be prompted for MFA during all - * sign-in attempts, unless device tracking is turned on and the device has been trusted. If you would like MFA to be - * applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users and turn on - * Adaptive Authentication for the user pool. + * A user's preference for using SMS message multi-factor authentication (MFA). Turns SMS MFA on and off, and can set + * SMS as preferred when other MFA options are available. You can't turn off SMS MFA for any of your users when MFA is + * required in your user pool; you can only set the type that your user prefers. + * + * This data type is a request parameter of SetUserMFAPreference [^1] and AdminSetUserMFAPreference [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html */ final class SMSMfaSettingsType { @@ -20,7 +23,8 @@ final class SMSMfaSettingsType private $enabled; /** - * Specifies whether SMS is the preferred MFA method. + * Specifies whether SMS is the preferred MFA method. If true, your user pool prompts the specified user for a code + * delivered by SMS message after username-password sign-in succeeds. * * @var bool|null */ diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php index e28c87d9b..8937125f6 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php 
+++ b/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php @@ -3,10 +3,14 @@ namespace AsyncAws\CognitoIdentityProvider\ValueObject; /** - * The type used for enabling software token MFA at the user level. If an MFA type is activated for a user, the user - * will be prompted for MFA during all sign-in attempts, unless device tracking is turned on and the device has been - * trusted. If you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate - * MFA for users and turn on Adaptive Authentication for the user pool. + * A user's preference for using time-based one-time password (TOTP) multi-factor authentication (MFA). Turns TOTP MFA + * on and off, and can set TOTP as preferred when other MFA options are available. You can't turn off TOTP MFA for any + * of your users when MFA is required in your user pool; you can only set the type that your user prefers. + * + * This data type is a request parameter of SetUserMFAPreference [^1] and AdminSetUserMFAPreference [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html */ final class SoftwareTokenMfaSettingsType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php index 061b73e4b..2e6dca7ed 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php 
@@ -5,6 +5,12 @@ /** * Contextual data, such as the user's device fingerprint, IP address, or location, used for evaluating the risk of an * unexpected event by Amazon Cognito advanced security. + * + * This data type is a request parameter of public-client authentication operations like InitiateAuth [^1] and + * RespondToAuthChallenge [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html */ final class UserContextDataType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php index b12ca6362..75d2e24ad 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php @@ -6,25 +6,31 @@ /** * A user profile in a Amazon Cognito user pool. + * + * This data type is a response parameter to AdminCreateUser [^1] and ListUsers [^2]. + * + * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html + * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html */ final class UserType { /** - * The user name of the user you want to describe. + * The user's username. * * @var string|null */ private $username; /** - * A container with information about the user type attributes. + * Names and values of a user's attributes, for example `email`. * * @var AttributeType[]|null */ private $attributes; /** - * The creation date of the user. + * The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your + * SDK might render the output in a human-readable format like ISO 8601 or a Java `Date` object. * * @var \DateTimeImmutable|null */ 
@@ -39,7 +45,7 @@ final class UserType private $userLastModifiedDate; /** - * Specifies whether the user is enabled. + * Indicates whether the user's account is enabled or disabled. * * @var bool|null */ @@ -62,7 +68,7 @@ final class UserType private $userStatus; /** - * The MFA options for the user. + * The user's MFA configuration. * * @var MFAOptionType[]|null */ diff --git a/src/Service/Sns/CHANGELOG.md b/src/Service/Sns/CHANGELOG.md index eac05e402..4dcb1b2ed 100644 --- a/src/Service/Sns/CHANGELOG.md +++ b/src/Service/Sns/CHANGELOG.md @@ -5,6 +5,7 @@ ### Changed - use strict comparison `null !==` instead of `!` +- AWS enhancement: Documentation updates. ## 1.7.4 diff --git a/src/Service/Sns/src/Input/CreateTopicInput.php b/src/Service/Sns/src/Input/CreateTopicInput.php index e507f8862..bcd726807 100644 --- a/src/Service/Sns/src/Input/CreateTopicInput.php +++ b/src/Service/Sns/src/Input/CreateTopicInput.php @@ -54,11 +54,8 @@ final class CreateTopicInput extends Input * * The following attributes apply only to FIFO topics [^4]: * - * - `ArchivePolicy` – Adds or updates an inline policy document to archive messages stored in the specified Amazon - * SNS topic. - * - `BeginningArchiveTime` – The earliest starting point at which a message in the topic’s archive can be replayed - * from. This point in time is based on the configured message retention period set by the topic’s message archiving - * policy. + * - `ArchivePolicy` – The policy that sets the retention period for messages stored in the message archive of an + * Amazon SNS FIFO topic. * - `ContentBasedDeduplication` – Enables content-based deduplication for FIFO topics. * * - By default, `ContentBasedDeduplication` is set to `false`. If you create a FIFO topic and this attribute is