diff --git a/manifest.json b/manifest.json index a70b50556..0bf312d79 100644 --- a/manifest.json +++ b/manifest.json @@ -1,6 +1,6 @@ { "variables": { - "${LATEST}": "3.340.4" + "${LATEST}": "3.340.5" }, "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json", "services": { diff --git a/psalm.baseline.xml b/psalm.baseline.xml index ece2ef789..8b7d03f27 100644 --- a/psalm.baseline.xml +++ b/psalm.baseline.xml @@ -315,6 +315,14 @@ ]]> + + + + + + ]]> + + diff --git a/src/Service/CognitoIdentityProvider/CHANGELOG.md b/src/Service/CognitoIdentityProvider/CHANGELOG.md index 9f9b9191a..aedcba928 100644 --- a/src/Service/CognitoIdentityProvider/CHANGELOG.md +++ b/src/Service/CognitoIdentityProvider/CHANGELOG.md @@ -2,6 +2,10 @@ ## NOT RELEASED +### Added + +- AWS api-change: Added the capacity to return available challenges in admin authentication and to set version 3 of the pre token generation event for M2M ATC. + ## 1.11.0 ### Added diff --git a/src/Service/CognitoIdentityProvider/composer.json b/src/Service/CognitoIdentityProvider/composer.json index f05787f1b..413aee200 100644 --- a/src/Service/CognitoIdentityProvider/composer.json +++ b/src/Service/CognitoIdentityProvider/composer.json @@ -28,7 +28,7 @@ }, "extra": { "branch-alias": { - "dev-master": "1.11-dev" + "dev-master": "1.12-dev" } } } diff --git a/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php b/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php index 00689e852..f3faf71e0 100644 --- a/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php +++ b/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php 
@@ -163,10 +163,9 @@ public function adminAddUserToGroup($input): Result } /** - * Confirms user sign-up as an administrator. Unlike ConfirmSignUp [^1], your IAM credentials authorize user account - * confirmation. No confirmation code is required. + * Confirms user sign-up as an administrator. * - * This request sets a user account active in a user pool that requires confirmation of new user accounts [^2] before + * This request sets a user account active in a user pool that requires confirmation of new user accounts [^1] before * they can sign in. You can configure your user pool to not send confirmation codes to new users and instead confirm * them with this API operation on the back end. * 
@@ -176,17 +175,16 @@ public function adminAddUserToGroup($input): Result * > * > **Learn more** * > - * > - Signing Amazon Web Services API Requests [^3] - * > - Using the Amazon Cognito user pools API and user pool endpoints [^4] + * > - Signing Amazon Web Services API Requests [^2] + * > - Using the Amazon Cognito user pools API and user pool endpoints [^3] * > * * To configure your user pool to require administrative confirmation of users, set `AllowAdminCreateUserOnly` to `true` * in a `CreateUserPool` or `UpdateUserPool` request. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmSignUp.html - * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#signing-up-users-in-your-app-and-confirming-them-as-admin - * [^3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html - * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#signing-up-users-in-your-app-and-confirming-them-as-admin + * [^2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#adminconfirmsignup 
@@ -235,18 +233,6 @@ public function adminConfirmSignUp($input): AdminConfirmSignUpResponse * * If `MessageAction` isn't set, the default is to send a welcome message via email or phone (SMS). * - * > This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register - * > an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in - * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^1]. Amazon Cognito uses the registered - * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, - * > activate their accounts, or sign in. - * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon - * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send - * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out - * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools - * > [^3] in the *Amazon Cognito Developer Guide*. - * * This message is based on a template that you configured in your call to create or update a user pool. This template * includes your custom sign-up instructions and placeholders for user name and temporary password. * 
@@ -259,6 +245,18 @@ public function adminConfirmSignUp($input): AdminConfirmSignUpResponse * this case, you must update your message template and resend the password with a new `AdminCreateUser` request with a * `MessageAction` value of `RESEND`. * + * > This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register + * > an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in + * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^1]. Amazon Cognito uses the registered + * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, + * > activate their accounts, or sign in. + * > + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^3] in the *Amazon Cognito Developer Guide*. + * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM * > permission in a policy. 
@@ -429,7 +427,7 @@ public function adminDisableUser($input): AdminDisableUserResponse } /** - * Activate sign-in for a user profile that previously had sign-in access disabled. + * Activates sign-in for a user profile that previously had sign-in access disabled. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM @@ -476,8 +474,10 @@ public function adminEnableUser($input): AdminEnableUserResponse } /** - * Given the username, returns details about a user profile in a user pool. This operation contributes to your monthly - * active user (MAU) count for the purpose of billing. You can specify alias attributes in the `Username` parameter. + * Given a username, returns details about a user profile in a user pool. You can specify alias attributes in the + * `Username` request parameter. + * + * This operation contributes to your monthly active user (MAU) count for the purpose of billing. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM @@ -616,7 +616,7 @@ public function adminInitiateAuth($input): AdminInitiateAuthResponse } /** - * Given a username and a group name. removes them from the group. User pool groups are identifiers that you can + * Given a username and a group name, removes them from the group. User pool groups are identifiers that you can * reference from the contents of ID and access tokens, and set preferred IAM roles for identity-pool authentication. * For more information, see Adding groups to a user pool [^1]. * 
@@ -668,29 +668,21 @@ public function adminRemoveUserFromGroup($input): Result /** * Resets the specified user's password in a user pool. This operation doesn't change the user's password, but sends a - * password-reset code. This operation is the administrative authentication API equivalent to ForgotPassword [^1]. + * password-reset code. * - * This operation deactivates a user's password, requiring them to change it. If a user tries to sign in after the API - * request, Amazon Cognito responds with a `PasswordResetRequiredException` error. Your app must then complete the - * forgot-password flow by prompting the user for their code and a new password, then submitting those values in a - * ConfirmForgotPassword [^2] request. In addition, if the user pool has phone verification selected and a verified - * phone number exists for the user, or if email verification is selected and a verified email exists for the user, - * calling this API will also result in sending a message to the end user with the code to change their password. - * - * To use this API operation, your user pool must have self-service account recovery configured. Use - * AdminSetUserPassword [^3] if you manage passwords as an administrator. + * To use this API operation, your user pool must have self-service account recovery configured. * * > This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register * > an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in - * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^4]. Amazon Cognito uses the registered + * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^1]. Amazon Cognito uses the registered * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. 
* > * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon - * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^5]*, you can send + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools - * > [^6] in the *Amazon Cognito Developer Guide*. + * > [^3] in the *Amazon Cognito Developer Guide*. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM 
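Review bot: The rewritten adminResetUserPassword docblock no longer says what state the account is in after the call. The removed lines stated that the password is deactivated, that a later sign-in fails with `PasswordResetRequiredException`, and that the app must finish the flow with ConfirmForgotPassword; the surviving sentence "doesn't change the user's password, but sends a password-reset code" can now be read as if the old password stays usable. I would keep one line such as `* After this call the user's password is deactivated; sign-in returns PasswordResetRequiredException until the reset is completed.` The same kind of caveat is dropped in the associateSoftwareToken hunk (`@@ -988,25 +977,15 @@`: an unverified token leaves password-only sign-in possible when MFA is optional) and the setUserMfaPreference hunk (`@@ -1852,20 +1822,15 @@`: the call does not reset an existing TOTP factor). If these docblocks are regenerated from the upstream service description, the text needs a home that survives regeneration; the method bodies lie outside the hunks.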
@@ -698,18 +690,15 @@ public function adminRemoveUserFromGroup($input): Result * > * > **Learn more** * > - * > - Signing Amazon Web Services API Requests [^7] - * > - Using the Amazon Cognito user pools API and user pool endpoints [^8] + * > - Signing Amazon Web Services API Requests [^4] + * > - Using the Amazon Cognito user pools API and user pool endpoints [^5] * > * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html - * [^4]: https://console.aws.amazon.com/pinpoint/home/ - * [^5]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html - * [^6]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html - * [^7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html - * [^8]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^1]: https://console.aws.amazon.com/pinpoint/home/ + * [^2]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html + * [^4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html + * [^5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#adminresetuserpassword 
@@ -832,22 +821,10 @@ public function adminSetUserPassword($input): AdminSetUserPasswordResponse } /** - * > This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register - * > an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in - * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^1]. Amazon Cognito uses the registered - * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, - * > activate their accounts, or sign in. - * > - * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon - * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^2]*, you can send - * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out - * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools - * > [^3] in the *Amazon Cognito Developer Guide*. - * * Updates the specified user's attributes. To delete an attribute from your user, submit the attribute in your API * request with a blank value. * - * For custom attributes, you must prepend the `custom:` prefix to the attribute name. + * For custom attributes, you must add a `custom:` prefix to the attribute name, for example `custom:department`. * * This operation can set a user's email address or phone number as verified and permit immediate sign-in in user pools * that require verification of these attributes. To do this, set the `email_verified` or `phone_number_verified` 
@@ -859,15 +836,27 @@ public function adminSetUserPassword($input): AdminSetUserPasswordResponse * > * > **Learn more** * > - * > - Signing Amazon Web Services API Requests [^4] - * > - Using the Amazon Cognito user pools API and user pool endpoints [^5] + * > - Signing Amazon Web Services API Requests [^1] + * > - Using the Amazon Cognito user pools API and user pool endpoints [^2] * > * - * [^1]: https://console.aws.amazon.com/pinpoint/home/ - * [^2]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html - * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html - * [^4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html - * [^5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * > This action might generate an SMS text message. Starting June 1, 2021, US telecom carriers require you to register + * > an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in + * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^3]. Amazon Cognito uses the registered + * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, + * > activate their accounts, or sign in. + * > + * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^4]*, you can send + * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out + * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools + * > [^5] in the *Amazon Cognito Developer Guide*. 
+ * + * [^1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^3]: https://console.aws.amazon.com/pinpoint/home/ + * [^4]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html + * [^5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#adminupdateuserattributes 
@@ -988,25 +977,15 @@ public function adminUserGlobalSignOut($input): AdminUserGlobalSignOutResponse * `AssociateSoftwareToken` request with either the user's access token, or a session string from a challenge response * that you received from Amazon Cognito. * - * > Amazon Cognito disassociates an existing software token when you verify the new token in a VerifySoftwareToken [^1] - * > API request. If you don't verify the software token and your user pool doesn't require MFA, the user can then - * > authenticate with user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito - * > generates an `MFA_SETUP` or `SOFTWARE_TOKEN_SETUP` challenge each time your user signs in. Complete setup with - * > `AssociateSoftwareToken` and `VerifySoftwareToken`. - * > - * > After you set up software token MFA for your user, Amazon Cognito generates a `SOFTWARE_TOKEN_MFA` challenge when - * > they authenticate. Respond to this challenge with your user's TOTP. - * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in * > policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user - * > pools API and user pool endpoints [^2]. + * > pools API and user pool endpoints [^1]. * * Authorize this action with a signed-in user's access token. It must include the scope * `aws.cognito.signin.user.admin`. 
* - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html - * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#associatesoftwaretoken @@ -1042,7 +1021,7 @@ public function associateSoftwareToken($input = []): AssociateSoftwareTokenRespo } /** - * Changes the password for a specified user in a user pool. + * Changes the password for the currently signed-in user. * * Authorize this action with a signed-in user's access token. It must include the scope * `aws.cognito.signin.user.admin`. 
@@ -1169,25 +1148,20 @@ public function confirmForgotPassword($input): ConfirmForgotPasswordResponse } /** - * This public API operation submits a code that Amazon Cognito sent to your user when they signed up in your user pool - * via the SignUp [^1] API operation. After your user enters their code, they confirm ownership of the email address or - * phone number that they provided, and their user account becomes active. Depending on your user pool configuration, + * Confirms the account of a new user. This public API operation submits a code that Amazon Cognito sent to your user + * when they signed up in your user pool. After your user enters their code, they confirm ownership of the email address + * or phone number that they provided, and their user account becomes active. Depending on your user pool configuration, * your users will receive their confirmation code in an email or SMS message. * * Local users who signed up in your user pool are the only type of user who can confirm sign-up with a code. Users who - * federate through an external identity provider (IdP) have already been confirmed by their IdP. Administrator-created - * users, users created with the AdminCreateUser [^2] API operation, confirm their accounts when they respond to their - * invitation email message and choose a password. They do not receive a confirmation code. Instead, they receive a - * temporary password. + * federate through an external identity provider (IdP) have already been confirmed by their IdP. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in * > policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user - * > pools API and user pool endpoints [^3]. + * > pools API and user pool endpoints [^1]. 
* - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html - * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmSignUp.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#confirmsignup @@ -1246,7 +1220,7 @@ public function confirmSignUp($input): ConfirmSignUpResponse } /** - * Creates a new group in the specified user pool. For more information about user pool groups see Adding groups to a + * Creates a new group in the specified user pool. For more information about user pool groups, see Adding groups to a * user pool [^1]. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this 
@@ -1300,43 +1274,35 @@ public function createGroup($input): CreateGroupResponse } /** - * Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the - * user's password. For the `Username` parameter, you can use the username or user alias. The method used to send the - * confirmation code is sent according to the specified AccountRecoverySetting. For more information, see Recovering - * User Accounts [^1] in the *Amazon Cognito Developer Guide*. To use the confirmation code for resetting the password, - * call ConfirmForgotPassword [^2]. + * Sends a password-reset confirmation code for the currently signed-in user. * - * If neither a verified phone number nor a verified email exists, this API returns `InvalidParameterException`. If your - * app client has a client secret and you don't provide a `SECRET_HASH` parameter, this API returns - * `NotAuthorizedException`. + * For the `Username` parameter, you can use the username or user alias. * - * To use this API operation, your user pool must have self-service account recovery configured. Use - * AdminSetUserPassword [^3] if you manage passwords as an administrator. + * If neither a verified phone number nor a verified email exists, Amazon Cognito responds with an + * `InvalidParameterException` error . If your app client has a client secret and you don't provide a `SECRET_HASH` + * parameter, this API returns `NotAuthorizedException`. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in * > policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user - * > pools API and user pool endpoints [^4]. + * > pools API and user pool endpoints [^1]. * * > This action might generate an SMS text message. 
Starting June 1, 2021, US telecom carriers require you to register * > an origination phone number before you can send SMS messages to US phone numbers. If you use SMS text messages in - * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^5]. Amazon Cognito uses the registered + * > Amazon Cognito, you must register a phone number with Amazon Pinpoint [^2]. Amazon Cognito uses the registered * > number automatically. Otherwise, Amazon Cognito users who must receive SMS messages might not be able to sign up, * > activate their accounts, or sign in. * > * > If you have never used SMS text messages with Amazon Cognito or any other Amazon Web Services service, Amazon - * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^6]*, you can send + * > Simple Notification Service might place your account in the SMS sandbox. In *sandbox mode [^3]*, you can send * > messages only to verified phone numbers. After you test your app while in the sandbox environment, you can move out * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools - * > [^7] in the *Amazon Cognito Developer Guide*. + * > [^4] in the *Amazon Cognito Developer Guide*. 
* - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html - * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html - * [^5]: https://console.aws.amazon.com/pinpoint/home/ - * [^6]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html - * [^7]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^2]: https://console.aws.amazon.com/pinpoint/home/ + * [^3]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html + * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#forgotpassword @@ -1392,7 +1358,7 @@ public function forgotPassword($input): ForgotPasswordResponse } /** - * Gets the user attributes and metadata for a user. + * Gets user attributes and and MFA settings for the currently signed-in user. * * Authorize this action with a signed-in user's access token. It must include the scope * `aws.cognito.signin.user.admin`. 
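Review bot: The new forgotPassword summary says the code is sent "for the currently signed-in user", which contradicts the rest of the same docblock: the account is selected by the `Username` parameter, and the IAM note says the request is not authorized with IAM credentials. A reader may conclude the operation is bound to a session, when from the visible text it appears to act on whichever account the caller names, so the calling app should treat it as an unauthenticated entry point. Suggested wording: `* Sends a password-reset confirmation code to the user named in the Username parameter.` The hunk also leaves a stray space before the period after `InvalidParameterException` ("error .") and drops the pointer to ConfirmForgotPassword as the follow-up call.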
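Review bot: The new getUser summary has a doubled word, "attributes and and MFA settings"; it should read `* Gets user attributes and MFA settings for the currently signed-in user.` If this docblock is generated from the upstream service description, the typo will return on the next regeneration, so it is worth reporting there as well.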
@@ -1441,8 +1407,10 @@ public function getUser($input): GetUserResponse } /** - * Initiates sign-in for a user in the Amazon Cognito user directory. You can't sign in a user with a federated IdP with - * `InitiateAuth`. For more information, see Adding user pool sign-in through a third party [^1]. + * Declares an authentication flow and initiates sign-in for a user in the Amazon Cognito user directory. Amazon Cognito + * might respond with an additional challenge or an `AuthenticationResult` that contains the outcome of a successful + * authentication. You can't sign in a user with a federated IdP with `InitiateAuth`. For more information, see + * Authentication [^1]. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in @@ -1461,7 +1429,7 @@ public function getUser($input): GetUserResponse * > of the sandbox and into production. For more information, see SMS message settings for Amazon Cognito user pools * > [^5] in the *Amazon Cognito Developer Guide*. * - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-identity-federation.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * [^3]: https://console.aws.amazon.com/pinpoint/home/ * [^4]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html 
@@ -1524,7 +1492,7 @@ public function initiateAuth($input): InitiateAuthResponse } /** - * Lists the groups associated with a user pool. + * Given a user pool ID, returns user pool groups and their details. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM @@ -1570,7 +1538,7 @@ public function listGroups($input): ListGroupsResponse } /** - * Lists users and their basic details in a user pool. + * Given a user pool ID, returns a list of users and their basic details in a user pool. * * > Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For this * > operation, you must use IAM credentials to authorize requests, and you must grant yourself the corresponding IAM @@ -1618,7 +1586,9 @@ public function listUsers($input): ListUsersResponse } /** - * Resends the confirmation (for confirmation of registration) to a specific user in the user pool. + * Resends the code that confirms a new account for a user who has signed up in your user pool. Amazon Cognito sends + * confirmation codes to the user attribute in the `AutoVerifiedAttributes` property of your user pool. When you prompt + * new users for the confirmation code, include a "Resend code" option that generates a call to this API operation. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in 
@@ -1852,20 +1822,15 @@ public function revokeToken($input): RevokeTokenResponse * you want MFA to be applied selectively based on the assessed risk level of sign-in attempts, deactivate MFA for users * and turn on Adaptive Authentication for the user pool. * - * This operation doesn't reset an existing TOTP MFA for a user. To register a new TOTP factor for a user, make an - * AssociateSoftwareToken [^1] request. For more information, see TOTP software token MFA [^2]. - * * Authorize this action with a signed-in user's access token. It must include the scope * `aws.cognito.signin.user.admin`. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in * > policies. For more information about authorization models in Amazon Cognito, see Using the Amazon Cognito user - * > pools API and user pool endpoints [^3]. + * > pools API and user pool endpoints [^1]. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html - * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html - * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#setusermfapreference 
@@ -1905,7 +1870,7 @@ public function setUserMfaPreference($input): SetUserMFAPreferenceResponse } /** - * Registers the user in the specified user pool and creates a user name, password, and user attributes. + * Registers a user with an app client and requests a user name, password, and user attributes in the user pool. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in @@ -1926,16 +1891,12 @@ public function setUserMfaPreference($input): SetUserMFAPreferenceResponse * * You might receive a `LimitExceeded` exception in response to this request if you have exceeded a rate quota for email * or SMS messages, and if your user pool automatically verifies email addresses or phone numbers. When you get this - * exception in the response, the user is successfully created and is in an `UNCONFIRMED` state. You can send a new code - * with the ResendConfirmationCode [^5] request, or confirm the user as an administrator with an AdminConfirmSignUp [^6] - * request. + * exception in the response, the user is successfully created and is in an `UNCONFIRMED` state. * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html * [^2]: https://console.aws.amazon.com/pinpoint/home/ * [^3]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html - * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ResendConfirmationCode.html - * [^6]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminConfirmSignUp.html * * @see https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html * @see https://docs.aws.amazon.com/aws-sdk-php/v3/api/api-cognito-idp-2016-04-18.html#signup 
@@ -1996,8 +1957,9 @@ public function signUp($input): SignUpResponse } /** - * Use this API to register a user's entered time-based one-time password (TOTP) code and mark the user's software token - * MFA status as "verified" if successful. The request takes an access token or a session string, but not both. + * Registers the current user's time-based one-time password (TOTP) authenticator with a code generated in their + * authenticator app from a private key that's supplied by your user pool. Marks the user's software token MFA status as + * "verified" if successful. The request takes an access token or a session string, but not both. * * > Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. * > For this operation, you can't use IAM credentials to authorize requests, and you can't grant IAM permissions in diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminAddUserToGroupRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminAddUserToGroupRequest.php index 553be217c..3da96d216 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminAddUserToGroupRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminAddUserToGroupRequest.php 
@@ -19,9 +19,9 @@ final class AdminAddUserToGroupRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminConfirmSignUpRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminConfirmSignUpRequest.php index 52731b46c..8177ca786 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminConfirmSignUpRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminConfirmSignUpRequest.php @@ -22,9 +22,9 @@ final class AdminConfirmSignUpRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * 
@@ -41,8 +41,7 @@ final class AdminConfirmSignUpRequest extends Input * you assigned to the ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in Lambda, you * can process the ClientMetadata value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php index 204ff2815..63c3466ac 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminCreateUserRequest.php 
@@ -59,17 +59,19 @@ final class AdminCreateUserRequest extends Input * email or SMS OTP. These attributes must be provided when passwordless options are the only available, or when you * don't submit a `TemporaryPassword`. * - * In your call to `AdminCreateUser`, you can set the `email_verified` attribute to `True`, and you can set the - * `phone_number_verified` attribute to `True`. You can also do this by calling AdminUpdateUserAttributes [^1]. + * In your `AdminCreateUser` request, you can set the `email_verified` and `phone_number_verified` attributes to `true`. + * The following conditions apply: * - * - **email**: The email address of the user to whom the message that contains the code and username will be sent. - * Required if the `email_verified` attribute is set to `True`, or if `"EMAIL"` is specified in the - * `DesiredDeliveryMediums` parameter. - * - **phone_number**: The phone number of the user to whom the message that contains the code and username will be - * sent. Required if the `phone_number_verified` attribute is set to `True`, or if `"SMS"` is specified in the + * - `email`: + * + * The email address where you want the user to receive their confirmation code and username. You must provide a value + * for the `email` when you want to set `email_verified` to `true`, or if you set `EMAIL` in the * `DesiredDeliveryMediums` parameter. + * - `phone_number`: * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html + * The phone number where you want the user to receive their confirmation code and username. You must provide a value + * for the `email` when you want to set `phone_number` to `true`, or if you set `SMS` in the `DesiredDeliveryMediums` + * parameter. * * @var AttributeType[]|null */ 
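Review bot: The new `phone_number` bullet names the wrong attributes: it reads "You must provide a value for the email when you want to set phone_number to true", whereas the removed text required `phone_number` when `phone_number_verified` is set. As written, the bullet repeats the `email` requirement and never mentions the verified flag, so a caller following it could set the flag without supplying the number. I would change the added line to `* for the phone_number when you want to set phone_number_verified to true, or if you set SMS in the DesiredDeliveryMediums`, with code formatting as in the `email` bullet. The docblock begins above this hunk, and the text looks like it comes from the upstream API description, so the correction may need to be made there.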
@@ -79,10 +81,9 @@ final class AdminCreateUserRequest extends Input * Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value * pairs are for custom validation of information that you collect from your users but don't need to retain. * - * Your Lambda function can analyze this additional data and act on it. Your function might perform external API - * operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also - * affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign - * up from within your network. + * Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and + * verify select users or perform external API operations like logging user attributes and validation data to Amazon + * CloudWatch Logs. * * For more information about the pre sign-up Lambda trigger, see Pre sign-up Lambda trigger [^1]. * @@ -98,8 +99,7 @@ final class AdminCreateUserRequest extends Input * * The exception to the requirement for a password is when your user pool supports passwordless sign-in with email or * SMS OTPs. To create a user with no password, omit this parameter or submit a blank value. You can only create a - * passwordless user when passwordless sign-in is available. See the SignInPolicyType [^1] property of CreateUserPool - * [^2] and UpdateUserPool [^3]. + * passwordless user when passwordless sign-in is available. * * The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary * password in the sign-in page, along with a new password to be used in all future sign-ins. 
@@ -111,10 +111,6 @@ final class AdminCreateUserRequest extends Input * reset the account after that time limit, you must call `AdminCreateUser` again and specify `RESEND` for the * `MessageAction` parameter. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html - * * @var string|null */ private $temporaryPassword; @@ -161,8 +157,7 @@ final class AdminCreateUserRequest extends Input * AdminCreateUser request. In your function code in Lambda, you can process the `clientMetadata` value to enhance your * workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminDeleteUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminDeleteUserRequest.php index dcd2b2717..d9b77c25a 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminDeleteUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminDeleteUserRequest.php 
@@ -22,9 +22,9 @@ final class AdminDeleteUserRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminDisableUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminDisableUserRequest.php index 413317e23..f061a3679 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminDisableUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminDisableUserRequest.php @@ -22,9 +22,9 @@ final class AdminDisableUserRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * 
diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminEnableUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminEnableUserRequest.php index d9793250b..4ea43a3f1 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminEnableUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminEnableUserRequest.php @@ -22,9 +22,9 @@ final class AdminEnableUserRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminGetUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminGetUserRequest.php index c7baae5a1..b235f5c52 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminGetUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminGetUserRequest.php 
@@ -22,9 +22,9 @@ final class AdminGetUserRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php index b77d567b3..3b846a54c 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php 
@@ -35,47 +35,37 @@ final class AdminInitiateAuthRequest extends Input /** * The authentication flow that you want to initiate. Each `AuthFlow` has linked `AuthParameters` that you must submit. - * The following are some example flows and their parameters. - * - * - `USER_AUTH`: Request a preferred authentication type or review available authentication types. From the offered - * authentication types, select one in a challenge response and then authenticate with that method in an additional - * challenge response. - * - `REFRESH_TOKEN_AUTH`: Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid - * refresh token as the value. - * - `USER_SRP_AUTH`: Receive secure remote password (SRP) variables for the next challenge, `PASSWORD_VERIFIER`, when - * you pass `USERNAME` and `SRP_A` parameters.. - * - `ADMIN_USER_PASSWORD_AUTH`: Receive new tokens or the next challenge, for example `SOFTWARE_TOKEN_MFA`, when you - * pass `USERNAME` and `PASSWORD` parameters. - * - * *All flows* + * The following are some example flows. * * - `USER_AUTH`: * - * The entry point for sign-in with passwords, one-time passwords, and WebAuthN authenticators. + * The entry point for choice-based authentication [^1] with passwords, one-time passwords, and WebAuthn + * authenticators. Request a preferred authentication type or review available authentication types. From the offered + * authentication types, select one in a challenge response and then authenticate with that method in an additional + * challenge response. To activate this setting, your user pool must be in the Essentials tier [^2] or higher. * - `USER_SRP_AUTH`: * * Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP - * password verification in custom authentication flow [^1]. + * password verification in custom authentication flow [^3]. 
* - `REFRESH_TOKEN_AUTH and REFRESH_TOKEN`: * - * Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh - * token [^2]. + * Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid refresh token as the value. + * For more information, see Using the refresh token [^4]. * - `CUSTOM_AUTH`: * * Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda - * triggers [^3]. + * triggers [^5]. * - `ADMIN_USER_PASSWORD_AUTH`: * - * Username-password authentication with the password sent directly in the request. For more information, see Admin - * authentication flow [^4]. - * - * `USER_PASSWORD_AUTH` is a flow type of InitiateAuth [^5] and isn't valid for AdminInitiateAuth. + * Server-side username-password authentication with the password sent directly in the request. For more information + * about client-side and server-side authentication, see SDK authorization models [^6]. 
* - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow - * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html - * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html - * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges - * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow + * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html + * [^5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html + * [^6]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-public-server-side.html * * @required * @@ -85,7 +75,7 @@ final class AdminInitiateAuthRequest extends Input /** * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required - * values depend on the value of `AuthFlow`: + * values depend on the value of `AuthFlow` for example: * * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for * `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the 
@@ -137,8 +127,7 @@ final class AdminInitiateAuthRequest extends Input * - Custom email sender * - Custom SMS sender * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > @@ -156,16 +145,18 @@ final class AdminInitiateAuthRequest extends Input private $clientMetadata; /** - * The analytics metadata for collecting Amazon Pinpoint metrics. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ private $analyticsMetadata; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminRemoveUserFromGroupRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminRemoveUserFromGroupRequest.php index dcd8e9bb5..08fb62d3a 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminRemoveUserFromGroupRequest.php 
+++ b/src/Service/CognitoIdentityProvider/src/Input/AdminRemoveUserFromGroupRequest.php @@ -19,9 +19,9 @@ final class AdminRemoveUserFromGroupRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminResetUserPasswordRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminResetUserPasswordRequest.php index 6a632dec4..027fc8f26 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminResetUserPasswordRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminResetUserPasswordRequest.php 
@@ -22,9 +22,9 @@ final class AdminResetUserPasswordRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * @@ -42,8 +42,7 @@ final class AdminResetUserPasswordRequest extends Input * request. In your function code in Lambda, you can process the `clientMetadata` value to enhance your workflow for * your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminSetUserPasswordRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminSetUserPasswordRequest.php index 2fb63dc28..f4ababb00 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminSetUserPasswordRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminSetUserPasswordRequest.php 
@@ -19,9 +19,9 @@ final class AdminSetUserPasswordRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php index da54c5e2f..9ed5256ae 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminUpdateUserAttributesRequest.php @@ -23,9 +23,9 @@ final class AdminUpdateUserAttributesRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * 
@@ -64,8 +64,7 @@ final class AdminUpdateUserAttributesRequest extends Input * parameter in your AdminUpdateUserAttributes request. In your function code in Lambda, you can process the * `clientMetadata` value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminUserGlobalSignOutRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminUserGlobalSignOutRequest.php index 7c812c73f..f161c061d 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/AdminUserGlobalSignOutRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AdminUserGlobalSignOutRequest.php @@ -22,9 +22,9 @@ final class AdminUserGlobalSignOutRequest extends Input private $userPoolId; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/AssociateSoftwareTokenRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AssociateSoftwareTokenRequest.php index 6e07cf61d..f6c3dd54c 100644 
--- a/src/Service/CognitoIdentityProvider/src/Input/AssociateSoftwareTokenRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/AssociateSoftwareTokenRequest.php @@ -9,8 +9,10 @@ final class AssociateSoftwareTokenRequest extends Input { /** - * A valid access token that Amazon Cognito issued to the user whose software token you want to generate. You can - * provide either an access token or a session ID in the request. + * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for + * `aws.cognito.signin.user.admin`. + * + * You can provide either an access token or a session ID in the request. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Input/ConfirmForgotPasswordRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ConfirmForgotPasswordRequest.php index 80d4362f5..591668b43 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ConfirmForgotPasswordRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ConfirmForgotPasswordRequest.php @@ -16,8 +16,8 @@ final class ConfirmForgotPasswordRequest extends Input { /** * The ID of the app client where the user wants to reset their password. This parameter is an identifier of the client - * application that users are resetting their password from, but this operation resets users' passwords for all app - * clients in the user pool. + * application that users are resetting their password from, but this operation resets users' irrespective of the app + * clients they sign in to. * * @required * 
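Review bot: The reworded sentence in the app-client ID docblock of ConfirmForgotPasswordRequest has lost its object: "this operation resets users' irrespective of the app clients they sign in to". I would write `this operation resets users' passwords irrespective of the app client they sign in to`, so the reader still learns that the reset is not scoped to the app client named in the request. The docblock continues below this hunk.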
@@ -36,9 +36,9 @@ final class ConfirmForgotPasswordRequest extends Input private $secretHash; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * @@ -47,11 +47,7 @@ final class ConfirmForgotPasswordRequest extends Input private $username; /** - * The confirmation code that your user pool sent in response to an AdminResetUserPassword [^1] or a ForgotPassword [^2] - * request. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html + * The confirmation code that your user pool delivered when your user requested to reset their password. * * @required * 
@@ -69,16 +65,18 @@ final class ConfirmForgotPasswordRequest extends Input private $password; /** - * The Amazon Pinpoint analytics metadata for collecting metrics for `ConfirmForgotPassword` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ private $analyticsMetadata; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * @@ -98,8 +96,7 @@ final class ConfirmForgotPasswordRequest extends Input * parameter in your ConfirmForgotPassword request. In your function code in Lambda, you can process the * `clientMetadata` value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php index 7b7629c89..f67473ed5 100644 
--- a/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ConfirmSignUpRequest.php @@ -34,9 +34,9 @@ final class ConfirmSignUpRequest extends Input private $secretHash; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * 
@@ -74,16 +74,18 @@ final class ConfirmSignUpRequest extends Input private $forceAliasCreation; /** - * The Amazon Pinpoint analytics metadata for collecting metrics for `ConfirmSignUp` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ private $analyticsMetadata; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * @@ -103,8 +105,7 @@ final class ConfirmSignUpRequest extends Input * ConfirmSignUp request. In your function code in Lambda, you can process the `clientMetadata` value to enhance your * workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/ForgotPasswordRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ForgotPasswordRequest.php index c67c62855..d67a91f11 100644 
--- a/src/Service/CognitoIdentityProvider/src/Input/ForgotPasswordRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ForgotPasswordRequest.php @@ -15,7 +15,7 @@ final class ForgotPasswordRequest extends Input { /** - * The ID of the client associated with the user pool. + * The ID of the user pool app client associated with the current signed-in user. * * @required * @@ -34,9 +34,9 @@ final class ForgotPasswordRequest extends Input private $secretHash; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * @@ -47,9 +47,9 @@ final class ForgotPasswordRequest extends Input private $userContextData; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * 
@@ -58,7 +58,9 @@ final class ForgotPasswordRequest extends Input private $username; /** - * The Amazon Pinpoint analytics metadata that contributes to your metrics for `ForgotPassword` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ @@ -74,8 +76,7 @@ final class ForgotPasswordRequest extends Input * assigned to the ClientMetadata parameter in your ForgotPassword request. In your function code in Lambda, you can * process the `clientMetadata` value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/GetUserRequest.php b/src/Service/CognitoIdentityProvider/src/Input/GetUserRequest.php index e867763d8..d7558e4e8 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/GetUserRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/GetUserRequest.php @@ -13,7 +13,8 @@ final class GetUserRequest extends Input { /** - * A non-expired access token for the user whose information you want to query. + * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for + * `aws.cognito.signin.user.admin`. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php b/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php index 3e14dd00f..cc063d3af 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php 
+++ b/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php 
@@ -17,48 +17,40 @@ final class InitiateAuthRequest extends Input { /** * The authentication flow that you want to initiate. Each `AuthFlow` has linked `AuthParameters` that you must submit. - * The following are some example flows and their parameters. - * - * - `USER_AUTH`: Request a preferred authentication type or review available authentication types. From the offered - * authentication types, select one in a challenge response and then authenticate with that method in an additional - * challenge response. - * - `REFRESH_TOKEN_AUTH`: Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid - * refresh token as the value. - * - `USER_SRP_AUTH`: Receive secure remote password (SRP) variables for the next challenge, `PASSWORD_VERIFIER`, when - * you pass `USERNAME` and `SRP_A` parameters. - * - `USER_PASSWORD_AUTH`: Receive new tokens or the next challenge, for example `SOFTWARE_TOKEN_MFA`, when you pass - * `USERNAME` and `PASSWORD` parameters. - * - * *All flows* + * The following are some example flows. * * - `USER_AUTH`: * - * The entry point for sign-in with passwords, one-time passwords, and WebAuthN authenticators. + * The entry point for choice-based authentication [^1] with passwords, one-time passwords, and WebAuthn + * authenticators. Request a preferred authentication type or review available authentication types. From the offered + * authentication types, select one in a challenge response and then authenticate with that method in an additional + * challenge response. To activate this setting, your user pool must be in the Essentials tier [^2] or higher. * - `USER_SRP_AUTH`: * * Username-password authentication with the Secure Remote Password (SRP) protocol. For more information, see Use SRP - * password verification in custom authentication flow [^1]. + * password verification in custom authentication flow [^3]. 
* - `REFRESH_TOKEN_AUTH and REFRESH_TOKEN`: * - * Provide a valid refresh token and receive new ID and access tokens. For more information, see Using the refresh - * token [^2]. + * Receive new ID and access tokens when you pass a `REFRESH_TOKEN` parameter with a valid refresh token as the value. + * For more information, see Using the refresh token [^4]. * - `CUSTOM_AUTH`: * * Custom authentication with Lambda triggers. For more information, see Custom authentication challenge Lambda - * triggers [^3]. + * triggers [^5]. * - `USER_PASSWORD_AUTH`: * - * Username-password authentication with the password sent directly in the request. For more information, see Admin - * authentication flow [^4]. + * Client-side username-password authentication with the password sent directly in the request. For more information + * about client-side and server-side authentication, see SDK authorization models [^6]. * - * `ADMIN_USER_PASSWORD_AUTH` is a flow type of AdminInitiateAuth [^5] and isn't valid for InitiateAuth. + * `ADMIN_USER_PASSWORD_AUTH` is a flow type of `AdminInitiateAuth` and isn't valid for InitiateAuth. * `ADMIN_NO_SRP_AUTH` is a legacy server-side username-password flow and isn't valid for InitiateAuth. 
* - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow - * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html - * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html - * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Built-in-authentication-flow-and-challenges - * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html + * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#Using-SRP-password-verification-in-custom-authentication-flow + * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-refresh-token.html + * [^5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-challenge.html + * [^6]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-public-server-side.html * * @required * 
@@ -67,21 +59,21 @@ final class InitiateAuthRequest extends Input private $authFlow; /** - * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required - * values depend on the value of `AuthFlow`: - * - * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for - * `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the - * available sign-in methods. - * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is - * configured with a client secret), `DEVICE_KEY`. - * - For `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client - * is configured with a client secret), `DEVICE_KEY`. - * - For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required), `SECRET_HASH` (required if the app client is - * configured with a client secret), `DEVICE_KEY`. - * - For `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), - * `DEVICE_KEY`. To start the authentication flow with password verification, include `ChallengeName: SRP_A` and - * `SRP_A: (The SRP_A Value)`. + * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. + * + * The required values are specific to the InitiateAuthRequest$AuthFlow. + * + * The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client + * has a client secret. + * + * - `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, + * Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods. + * - `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `DEVICE_KEY`. 
+ * - `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `DEVICE_KEY`. + * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required), `DEVICE_KEY`. + * - `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), `DEVICE_KEY`. + * To start the authentication flow with password verification, include `ChallengeName: SRP_A` and `SRP_A: (The SRP_A + * Value)`. * * For more information about `SECRET_HASH`, see Computing secret hash values [^1]. For information about `DEVICE_KEY`, * see Working with user devices in your user pool [^2]. 
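Review bot: The new `AuthParameters` docblock in `InitiateAuthRequest` contains what looks like an unresolved documentation reference: `The required values are specific to the InitiateAuthRequest$AuthFlow.` Suggest plain wording that names the parameter in backticks, as the removed text did: "The required values depend on the value of AuthFlow." The list that follows is also inconsistent: `SECRET_HASH` was moved into one blanket sentence for every flow, yet the `CUSTOM_AUTH` entry still lists it separately. Either drop it there or keep it on every entry, so no reader takes the secret hash as specific to `CUSTOM_AUTH`. The docblock continues beyond this hunk.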
@@ -96,21 +88,20 @@ final class InitiateAuthRequest extends Input /** * A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers. * - * You create custom workflows by assigning Lambda functions to user pool triggers. When you use the InitiateAuth API - * action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value - * is passed as input to the functions for only the following triggers: + * You create custom workflows by assigning Lambda functions to user pool triggers. When you send an `InitiateAuth` + * request, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The `ClientMetadata` + * value is passed as input to the functions for only the following triggers. * - * - Pre signup + * - Pre sign-up * - Pre authentication * - User migration * - * When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives - * as input. This payload contains a `validationData` attribute, which provides the data that you assigned to the - * ClientMetadata parameter in your InitiateAuth request. In your function code in Lambda, you can process the - * `validationData` value to enhance your workflow for your specific needs. + * When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload as input to the function. This + * payload contains a `validationData` attribute with the data that you assigned to the `ClientMetadata` parameter in + * your `InitiateAuth` request. In your function, `validationData` can contribute to operations that require data that + * isn't in the default payload. * - * When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but - * it doesn't provide the ClientMetadata value as input: + * `InitiateAuth` requests invokes the following triggers without `ClientMetadata` as input. 
* * - Post authentication * - Custom message @@ -120,8 +111,7 @@ final class InitiateAuthRequest extends Input * - Custom email sender * - Custom SMS sender * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > @@ -139,7 +129,7 @@ final class InitiateAuthRequest extends Input private $clientMetadata; /** - * The app client ID. + * The ID of the app client that your user wants to sign in to. * * @required * @@ -148,16 +138,18 @@ final class InitiateAuthRequest extends Input private $clientId; /** - * The Amazon Pinpoint analytics metadata that contributes to your metrics for `InitiateAuth` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ private $analyticsMetadata; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * 
@@ -169,7 +161,10 @@ final class InitiateAuthRequest extends Input /** * The optional session ID from a `ConfirmSignUp` API request. You can sign in a user directly from the sign-up process - * with the `USER_AUTH` authentication flow. + * with the `USER_AUTH` authentication flow. When you pass the session ID to `InitiateAuth`, Amazon Cognito assumes the + * SMS or email message one-time verification password from `ConfirmSignUp` as the primary authentication factor. You're + * not required to submit this code a second time. This option is only valid for users who have confirmed their sign-up + * and are signing in for the first time within the authentication flow session duration of the session ID. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Input/ListGroupsRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ListGroupsRequest.php index 73a309d1a..c2c5e8386 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ListGroupsRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ListGroupsRequest.php @@ -10,7 +10,7 @@ final class ListGroupsRequest extends Input { /** - * The ID of the user pool. + * The ID of the user pool where you want to list user groups. * * @required * 
@@ -19,15 +19,17 @@ final class ListGroupsRequest extends Input private $userPoolId; /** - * The limit of the request to list groups. + * The maximum number of groups that you want Amazon Cognito to return in the response. * * @var int|null */ private $limit; /** - * An identifier that was returned from the previous call to this operation, which can be used to return the next set of - * items in the list. + * This API operation returns a limited number of results. The pagination token is an identifier that you can present in + * an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the + * next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, + * you can paginate through the full list of items. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php index d74d5c1cf..e5a51a526 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/ListUsersRequest.php @@ -13,7 +13,7 @@ final class ListUsersRequest extends Input { /** - * The ID of the user pool on which the search should be performed. + * The ID of the user pool where you want to display or search for users. * * @required * @@ -36,7 +36,7 @@ final class ListUsersRequest extends Input private $attributesToGet; /** - * Maximum number of users to be returned. + * The maximum number of users that you want Amazon Cognito to return in the response. * * @var int|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Input/ResendConfirmationCodeRequest.php b/src/Service/CognitoIdentityProvider/src/Input/ResendConfirmationCodeRequest.php index b600734b0..0eebbfb21 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/ResendConfirmationCodeRequest.php 
+++ b/src/Service/CognitoIdentityProvider/src/Input/ResendConfirmationCodeRequest.php @@ -15,7 +15,7 @@ final class ResendConfirmationCodeRequest extends Input { /** - * The ID of the client associated with the user pool. + * The ID of the user pool app client where the user signed up. * * @required * @@ -34,9 +34,9 @@ final class ResendConfirmationCodeRequest extends Input private $secretHash; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * @@ -47,9 +47,9 @@ final class ResendConfirmationCodeRequest extends Input private $userContextData; /** - * The username of the user that you want to query or modify. The value of this parameter is typically your user's - * username, but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this - * value must be the `sub` of a local user or the username of a user from a third-party IdP. + * The name of the user that you want to query or modify. The value of this parameter is typically your user's username, + * but it can be any of their alias attributes. If `username` isn't an alias attribute in your user pool, this value + * must be the `sub` of a local user or the username of a user from a third-party IdP. * * @required * 
@@ -58,7 +58,9 @@ final class ResendConfirmationCodeRequest extends Input private $username; /** - * The Amazon Pinpoint analytics metadata that contributes to your metrics for `ResendConfirmationCode` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ @@ -74,8 +76,7 @@ final class ResendConfirmationCodeRequest extends Input * parameter in your ResendConfirmationCode request. In your function code in Lambda, you can process the * `clientMetadata` value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php b/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php index 44a3c05f8..a2be15258 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php @@ -16,7 +16,7 @@ final class RespondToAuthChallengeRequest extends Input { /** - * The app client ID. + * The ID of the app client where the user is signing in. * * @required * 
@@ -25,11 +25,59 @@ final class RespondToAuthChallengeRequest extends Input private $clientId; /** - * The challenge name. For more information, see InitiateAuth [^1]. + * The name of the challenge that you are responding to. + * + * > You can't respond to an `ADMIN_NO_SRP_AUTH` challenge with this operation. + * + * Possible challenges include the following: + * + * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in + * > the parameters. + * + * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn + * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. + * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), + * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` + * (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge + * types in the `AvailableChallenges` response parameter. + * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. + * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. + * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after + * client-side SRP calculations. + * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. 
For more information, see + * Signing in with a device [^1]. + * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` + * after client-side SRP calculations. For more information, see Signing in with a device [^2]. + * - `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond + * to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the + * `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and + * that your app client can write. + * + * Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless + * users, you must provide values for all required attributes. * - * `ADMIN_NO_SRP_AUTH` isn't a valid value. + * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. + * > In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito + * > returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or + * > `UpdateUserAttributes` API operation to modify the value of any additional attributes. + * + * - `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for + * the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. + * + * To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` + * or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by + * `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name + * `MFA_SETUP` to complete sign-in. 
+ * + * To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the + * authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device * * @required * @@ -38,9 +86,10 @@ final class RespondToAuthChallengeRequest extends Input private $challengeName; /** - * The session that should be passed both ways in challenge-response calls to the service. If `InitiateAuth` or - * `RespondToAuthChallenge` API call determines that the caller must pass another challenge, they return a session with - * other challenge parameters. This session should be passed as it is to the next `RespondToAuthChallenge` API call. + * The session identifier that maintains the state of authentication requests and challenge responses. If an + * `AdminInitiateAuth` or `AdminRespondToAuthChallenge` API request results in a determination that your application + * must pass another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session + * identifier, unmodified, to the next `AdminRespondToAuthChallenge` request. * * @var string|null */ 
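Review bot: The new session docblock in `RespondToAuthChallengeRequest` names only `AdminInitiateAuth` and `AdminRespondToAuthChallenge`, although this class is the input of the non-admin `RespondToAuthChallenge` operation. The removed text referred to `InitiateAuth` and `RespondToAuthChallenge`, so a reader of the new text could conclude that the session has to be returned through the admin API. Suggest replacing the two `Admin…` names with `InitiateAuth` and `RespondToAuthChallenge`, and ending with the sentence "Send this session identifier, unmodified, to the next RespondToAuthChallenge request." Alternatively, name both pairs, as the `NEW_PASSWORD_REQUIRED` note in this file already does. The property declaration itself lies outside the hunk.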
@@ -113,8 +162,9 @@ final class RespondToAuthChallengeRequest extends Input * attributes that aren't required by your user pool. * * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. - * > In `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` - * > parameter, then use the `UpdateUserAttributes` API operation to modify the value of any additional attributes. + * > In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito + * > returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or + * > `UpdateUserAttributes` API operation to modify the value of any additional attributes. * * - `SOFTWARE_TOKEN_MFA`: * @@ -141,7 +191,7 @@ final class RespondToAuthChallengeRequest extends Input * For more information about `SECRET_HASH`, see Computing secret hash values [^2]. For information about `DEVICE_KEY`, * see Working with user devices in your user pool [^3]. * - * [^1]: https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson + * [^1]: https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html * 
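Review bot: The footnote link in the `challengeResponses` docblock was changed from `https://www.w3.org/TR/webauthn-3/...` to `https://www.w3.org/TR/WebAuthn-3/...`. This looks like a side effect of the "WebAuthN" to "WebAuthn" spelling fix applied to prose elsewhere in this commit. URL paths are generally case-sensitive, so the new link may no longer resolve to the specification. Suggest keeping the original `[^1]: https://www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson` and applying the spelling change to prose only.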
@@ -150,16 +200,18 @@ final class RespondToAuthChallengeRequest extends Input private $challengeResponses; /** - * The Amazon Pinpoint analytics metadata that contributes to your metrics for `RespondToAuthChallenge` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ private $analyticsMetadata; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * @@ -180,8 +232,7 @@ final class RespondToAuthChallengeRequest extends Input * ClientMetadata parameter in your RespondToAuthChallenge request. In your function code in Lambda, you can process the * `clientMetadata` value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * 
> diff --git a/src/Service/CognitoIdentityProvider/src/Input/RevokeTokenRequest.php b/src/Service/CognitoIdentityProvider/src/Input/RevokeTokenRequest.php index 2281b0e99..4dcd3f7b4 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/RevokeTokenRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/RevokeTokenRequest.php @@ -19,7 +19,7 @@ final class RevokeTokenRequest extends Input private $token; /** - * The client ID for the token that you want to revoke. + * The ID of the app client where the token that you want to revoke was issued. * * @required * @@ -28,7 +28,7 @@ final class RevokeTokenRequest extends Input private $clientId; /** - * The secret for the client ID. This is required only if the client ID has a secret. + * The client secret of the requested app client, if the client has a secret. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Input/SetUserMFAPreferenceRequest.php b/src/Service/CognitoIdentityProvider/src/Input/SetUserMFAPreferenceRequest.php index a0944faaa..2f6938c6b 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/SetUserMFAPreferenceRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/SetUserMFAPreferenceRequest.php 
@@ -30,17 +30,18 @@ final class SetUserMFAPreferenceRequest extends Input /** * User preferences for email message MFA. Activates or deactivates email MFA and sets it as the preferred MFA method - * when multiple methods are available. To activate this setting, advanced security features [^1] must be active in your - * user pool. + * when multiple methods are available. To activate this setting, your user pool must be in the Essentials tier [^1] or + * higher. * - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html * * @var EmailMfaSettingsType|null */ private $emailMfaSettings; /** - * A valid access token that Amazon Cognito issued to the user whose MFA preference you want to set. + * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for + * `aws.cognito.signin.user.admin`. * * @required * diff --git a/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php b/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php index 505977b65..2c5d2e16b 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/SignUpRequest.php @@ -16,7 +16,7 @@ final class SignUpRequest extends Input { /** - * The ID of the client associated with the user pool. + * The ID of the app client where the user wants to sign up. * * @required * 
@@ -45,16 +45,13 @@ final class SignUpRequest extends Input private $username; /** - * The password of the user you want to register. + * The user's proposed password. The password must comply with the password requirements [^1] of your user pool. * * Users can sign up without a password when your user pool supports passwordless sign-in with email or SMS OTPs. To * create a user with no password, omit this parameter or submit a blank value. You can only create a passwordless user - * when passwordless sign-in is available. See the SignInPolicyType [^1] property of CreateUserPool [^2] and - * UpdateUserPool [^3]. + * when passwordless sign-in is available. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignInPolicyType.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPool.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPool.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users-passwords.html * * @var string|null */ @@ -63,7 +60,7 @@ final class SignUpRequest extends Input /** * An array of name-value pairs representing user attributes. * - * For custom attributes, you must prepend the `custom:` prefix to the attribute name. + * For custom attributes, include a `custom:` prefix in the attribute name, for example `custom:department`. * * @var AttributeType[]|null */ 
@@ -73,10 +70,9 @@ final class SignUpRequest extends Input * Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value * pairs are for custom validation of information that you collect from your users but don't need to retain. * - * Your Lambda function can analyze this additional data and act on it. Your function might perform external API - * operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also - * affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign - * up from within your network. + * Your Lambda function can analyze this additional data and act on it. Your function can automatically confirm and + * verify select users or perform external API operations like logging user attributes and validation data to Amazon + * CloudWatch Logs. * * For more information about the pre sign-up Lambda trigger, see Pre sign-up Lambda trigger [^1]. * 
@@ -87,16 +83,18 @@ final class SignUpRequest extends Input private $validationData; /** - * The Amazon Pinpoint analytics metadata that contributes to your metrics for `SignUp` calls. + * Information that supports analytics outcomes with Amazon Pinpoint, including the user's endpoint ID. The endpoint ID + * is a destination for Amazon Pinpoint push notifications, for example a device identifier, email address, or phone + * number. * * @var AnalyticsMetadataType|null */ private $analyticsMetadata; /** - * Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito - * advanced security evaluates the risk of an authentication event based on the context that your app generates and - * passes to Amazon Cognito when it makes API requests. + * Contextual data about your user session like the device fingerprint, IP address, or location. Amazon Cognito threat + * protection evaluates the risk of an authentication event based on the context that your app generates and passes to + * Amazon Cognito when it makes API requests. * * For more information, see Collecting data for threat protection in applications [^1]. * @@ -116,8 +114,7 @@ final class SignUpRequest extends Input * assigned to the ClientMetadata parameter in your SignUp request. In your function code in Lambda, you can process the * `clientMetadata` value to enhance your workflow for your specific needs. * - * For more information, see Customizing user pool Workflows with Lambda Triggers [^1] in the *Amazon Cognito Developer - * Guide*. + * For more information, see Using Lambda triggers [^1] in the *Amazon Cognito Developer Guide*. * * > When you use the `ClientMetadata` parameter, note that Amazon Cognito won't do the following: * > diff --git a/src/Service/CognitoIdentityProvider/src/Input/VerifySoftwareTokenRequest.php b/src/Service/CognitoIdentityProvider/src/Input/VerifySoftwareTokenRequest.php index aeb85721d..56e23e96e 100644 
--- a/src/Service/CognitoIdentityProvider/src/Input/VerifySoftwareTokenRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/VerifySoftwareTokenRequest.php @@ -10,23 +10,22 @@ final class VerifySoftwareTokenRequest extends Input { /** - * A valid access token that Amazon Cognito issued to the user whose software token you want to verify. + * A valid access token that Amazon Cognito issued to the currently signed-in user. Must include a scope claim for + * `aws.cognito.signin.user.admin`. * * @var string|null */ private $accessToken; /** - * The session that should be passed both ways in challenge-response calls to the service. + * The session ID from an `AssociateSoftwareToken` request. * * @var string|null */ private $session; /** - * The one- time password computed using the secret code returned by AssociateSoftwareToken [^1]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AssociateSoftwareToken.html + * A TOTP that the user generated in their configured authenticator app. * * @required * @@ -35,7 +34,7 @@ final class VerifySoftwareTokenRequest extends Input private $userCode; /** - * The friendly device name. + * A friendly name for the device that's running the TOTP authenticator. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/AdminGetUserResponse.php b/src/Service/CognitoIdentityProvider/src/Result/AdminGetUserResponse.php index 9138ace19..bffa0160c 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/AdminGetUserResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/AdminGetUserResponse.php 
@@ -44,11 +44,7 @@ class AdminGetUserResponse extends Result private $userLastModifiedDate; /** - * Indicates whether the user is activated for sign-in. The AdminDisableUser [^1] and AdminEnableUser [^2] API - * operations deactivate and activate user sign-in, respectively. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminDisableUser.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminEnableUser.html + * Indicates whether the user is activated for sign-in. * * @var bool|null */ @@ -88,11 +84,7 @@ class AdminGetUserResponse extends Result /** * The MFA options that are activated for the user. The possible values in this list are `SMS_MFA`, `EMAIL_OTP`, and - * `SOFTWARE_TOKEN_MFA`. You can change the MFA preference for users who have more than one available MFA factor with - * AdminSetUserMFAPreference [^1] or SetUserMFAPreference [^2]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html + * `SOFTWARE_TOKEN_MFA`. * * @var string[] */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php b/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php index 8a375ab0a..bb9f24da0 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php 
@@ -17,55 +17,55 @@ class AdminInitiateAuthResponse extends Result * The name of the challenge that you're responding to with this call. This is returned in the `AdminInitiateAuth` * response if you must pass another challenge. * - * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a passkey, or webauthN, - * factor. These are typically biometric devices or security keys. + * Possible challenges include the following: + * + * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in + * > the parameters. + * + * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn + * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` * (required if the app client is configured with a client secret), `DEVICE_KEY`. * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge * types in the `AvailableChallenges` response parameter. - * - `MFA_SETUP`: If MFA is required, users who don't have at least one of the MFA methods set up are presented with an - * `MFA_SETUP` challenge. The user must set up at least one MFA type to continue to authenticate. - * - `SELECT_MFA_TYPE`: Selects the MFA type. Valid MFA options are `SMS_MFA` for SMS message MFA, `EMAIL_OTP` for email - * message MFA, and `SOFTWARE_TOKEN_MFA` for time-based one-time password (TOTP) software token MFA. - * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your user pool delivered in an SMS message. 
- * - `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that your user pool delivered in an email message. - * - `PASSWORD_VERIFIER`: Next challenge is to supply `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and - * `TIMESTAMP` after the client-side SRP calculations. + * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. + * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. + * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after + * client-side SRP calculations. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass - * another challenge before tokens are issued. - * - `DEVICE_SRP_AUTH`: If device tracking was activated in your user pool and the previous challenges were passed, this - * challenge is returned so that Amazon Cognito can start tracking this device. - * - `DEVICE_PASSWORD_VERIFIER`: Similar to `PASSWORD_VERIFIER`, but for devices only. - * - `ADMIN_NO_SRP_AUTH`: This is returned if you must authenticate with `USERNAME` and `PASSWORD` directly. An app - * client must be enabled to use this flow. + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see + * Signing in with a device [^1]. + * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` + * after client-side SRP calculations. For more information, see Signing in with a device [^2]. * - `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. 
Respond * to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the * `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and - * that your app client can write. For more information, see AdminRespondToAuthChallenge [^1]. + * that your app client can write. * - * Amazon Cognito only returns this challenge for users who have temporary passwords. Because of this, and because in - * some cases you can create users who don't have values for required attributes, take care to collect and submit - * required-attribute values for all users who don't have passwords. You can create a user in the Amazon Cognito - * console without, for example, a required `birthdate` attribute. The API response from Amazon Cognito won't prompt - * you to submit a birthdate for the user if they don't have a password. + * Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless + * users, you must provide values for all required attributes. * * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. - * > In `AdminRespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the - * > `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` API operation to modify the value of any - * > additional attributes. + * > In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito + * > returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or + * > `UpdateUserAttributes` API operation to modify the value of any additional attributes. + * + * - `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for + * the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. 
* - * - `MFA_SETUP`: For users who are required to set up an MFA factor before they can sign in. The MFA types activated - * for the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. + * To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` + * or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by + * `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name + * `MFA_SETUP` to complete sign-in. * - * To set up software token MFA, use the session returned here from `InitiateAuth` as an input to - * `AssociateSoftwareToken`, and use the session returned by `VerifySoftwareToken` as an input to - * `RespondToAuthChallenge` with challenge name `MFA_SETUP` to complete sign-in. To set up SMS MFA, users will need - * help from an administrator to add a phone number to their account and then call `InitiateAuth` again to restart - * sign-in. + * To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the + * authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device * * @var ChallengeNameType::*|null */ 
@@ -73,8 +73,8 @@ class AdminInitiateAuthResponse extends Result /** * The session that must be passed to challenge-response requests. If an `AdminInitiateAuth` or - * `AdminRespondToAuthChallenge` API request determines that the caller must pass another challenge, Amazon Cognito - * returns a session ID and the parameters of the next challenge. Pass this session Id in the `Session` parameter of + * `AdminRespondToAuthChallenge` API request results in another authentication challenge, Amazon Cognito returns a + * session ID and the parameters of the next challenge. Pass this session ID in the `Session` parameter of * `AdminRespondToAuthChallenge`. * * @var string|null 
@@ -82,15 +82,15 @@ class AdminInitiateAuthResponse extends Result private $session; /** - * The challenge parameters. These are returned to you in the `AdminInitiateAuth` response if you must pass another - * challenge. The responses in this parameter should be used to compute inputs to the next call - * (`AdminRespondToAuthChallenge`). + * The parameters of an authentication challenge. Amazon Cognito returns challenge parameters as a guide to the + * responses your user or application must provide for the returned `ChallengeName`. Calculate responses to the + * challenge parameters and pass them in the `ChallengeParameters` of `AdminRespondToAuthChallenge`. * - * All challenges require `USERNAME` and `SECRET_HASH` (if applicable). + * All challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH`. * - * The value of the `USER_ID_FOR_SRP` attribute is the user's actual username, not an alias (such as email address or - * phone number), even if you specified an alias in your call to `AdminInitiateAuth`. This happens because, in the - * `AdminRespondToAuthChallenge` API `ChallengeResponses`, the `USERNAME` attribute can't be an alias. + * In SRP challenges, Amazon Cognito returns the `username` attribute in `USER_ID_FOR_SRP` instead of any email address, + * preferred username, or phone number alias that you might have specified in your `AdminInitiateAuth` request. You must + * use the username and not an alias in the `ChallengeResponses` of your challenge response. * * @var array */ 
@@ -105,6 +105,17 @@ class AdminInitiateAuthResponse extends Result */ private $authenticationResult; + /** + * This response parameter lists the available authentication challenges that users can select from in choice-based + * authentication [^1]. For example, they might be able to choose between passkey authentication, a one-time password + * from an SMS message, and a traditional password. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice + * + * @var list + */ + private $availableChallenges; + public function getAuthenticationResult(): ?AuthenticationResultType { $this->initialize(); @@ -112,6 +123,16 @@ public function getAuthenticationResult(): ?AuthenticationResultType return $this->authenticationResult; } + /** + * @return list + */ + public function getAvailableChallenges(): array + { + $this->initialize(); + + return $this->availableChallenges; + } + /** * @return ChallengeNameType::*|null */ @@ -147,6 +168,7 @@ protected function populateResult(Response $response): void $this->session = isset($data['Session']) ? (string) $data['Session'] : null; $this->challengeParameters = empty($data['ChallengeParameters']) ? [] : $this->populateResultChallengeParametersType($data['ChallengeParameters']); $this->authenticationResult = empty($data['AuthenticationResult']) ? null : $this->populateResultAuthenticationResultType($data['AuthenticationResult']); + $this->availableChallenges = empty($data['AvailableChallenges']) ? [] : $this->populateResultAvailableChallengeListType($data['AvailableChallenges']); } private function populateResultAuthenticationResultType(array $json): AuthenticationResultType 
@@ -161,6 +183,22 @@ private function populateResultAuthenticationResultType(array $json): Authentica ]); } + /** + * @return list + */ + private function populateResultAvailableChallengeListType(array $json): array + { + $items = []; + foreach ($json as $item) { + $a = isset($item) ? (string) $item : null; + if (null !== $a) { + $items[] = $a; + } + } + + return $items; + } + /** * @return array */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/AssociateSoftwareTokenResponse.php b/src/Service/CognitoIdentityProvider/src/Result/AssociateSoftwareTokenResponse.php index fd2eae7b8..f33cb4d17 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/AssociateSoftwareTokenResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/AssociateSoftwareTokenResponse.php @@ -15,10 +15,7 @@ class AssociateSoftwareTokenResponse extends Result private $secretCode; /** - * The session identifier that maintains the state of authentication requests and challenge responses. This session ID - * is valid for the next request in this flow, VerifySoftwareToken [^1]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_VerifySoftwareToken.html + * The session identifier that maintains the state of authentication requests and challenge responses. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php b/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php index e5b74223e..3a668b42e 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/ConfirmSignUpResponse.php 
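Review bot: In the new `populateResultAvailableChallengeListType`, `$a = isset($item) ? (string) $item : null;` casts whatever the decoded response holds. A non-string element such as a nested array is therefore coerced to a string instead of being dropped, and nothing compares the value with the `ChallengeNameType` constants that this class's other docblocks refer to. The `SELECT_CHALLENGE` documentation in this file says the `ANSWER` must match one of the `AvailableChallenges` entries, so this list steers which factor a client offers. It would be safer to keep only string items, e.g. `if (\is_string($item)) { $items[] = $item; }`. The docblock could also say that callers should compare entries against the challenge types they support before acting on them. The helper is added whole by this hunk; the file looks generated, so the change probably belongs in the generator template rather than here.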
@@ -12,11 +12,7 @@ class ConfirmSignUpResponse extends Result { /** * A session identifier that you can use to immediately sign in the confirmed user. You can automatically sign users in - * with the one-time password that they provided in a successful `ConfirmSignUp` request. To do this, pass the `Session` - * parameter from this response in the `Session` parameter of an InitiateAuth [^1] or AdminInitiateAuth [^2] request. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html + * with the one-time password that they provided in a successful `ConfirmSignUp` request. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/ForgotPasswordResponse.php b/src/Service/CognitoIdentityProvider/src/Result/ForgotPasswordResponse.php index 008e3fda2..ea7937cff 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/ForgotPasswordResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/ForgotPasswordResponse.php @@ -12,7 +12,7 @@ class ForgotPasswordResponse extends Result { /** - * The code delivery details returned by the server in response to the request to reset a password. + * Information about the phone number or email address that Amazon Cognito sent the password-recovery code to. * * @var CodeDeliveryDetailsType|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/GetUserResponse.php b/src/Service/CognitoIdentityProvider/src/Result/GetUserResponse.php index 1334cb1c3..284a709f6 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/GetUserResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/GetUserResponse.php @@ -13,7 +13,7 @@ class GetUserResponse extends Result { /** - * The username of the user that you requested. + * The name of the user that you requested. * * @var string */ 
@@ -22,7 +22,7 @@ class GetUserResponse extends Result /** * An array of name-value pairs representing user attributes. * - * For custom attributes, you must prepend the `custom:` prefix to the attribute name. + * Custom attributes are prepended with the `custom:` prefix. * * @var AttributeType[] */ @@ -38,7 +38,7 @@ class GetUserResponse extends Result private $mfaOptions; /** - * The user's preferred MFA setting. + * The user's preferred MFA. Users can prefer SMS message, email message, or TOTP MFA. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php b/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php index 091bd6594..ae8d38555 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php 
@@ -14,72 +14,72 @@ class InitiateAuthResponse extends Result { /** - * The name of the challenge that you're responding to with this call. This name is returned in the `InitiateAuth` - * response if you must pass another challenge. + * The name of an additional authentication challenge that you must respond to. * - * Valid values include the following: + * Possible challenges include the following: * - * > All of the following challenges require `USERNAME` and `SECRET_HASH` (if applicable) in the parameters. + * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in + * > the parameters. * - * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a passkey, or webauthN, - * factor. These are typically biometric devices or security keys. + * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn + * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` * (required if the app client is configured with a client secret), `DEVICE_KEY`. * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge * types in the `AvailableChallenges` response parameter. - * - `SMS_MFA`: Next challenge is to supply an `SMS_MFA_CODE`that your user pool delivered in an SMS message. - * - `EMAIL_OTP`: Next challenge is to supply an `EMAIL_OTP_CODE` that your user pool delivered in an email message. 
- * - `PASSWORD_VERIFIER`: Next challenge is to supply `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and - * `TIMESTAMP` after the client-side SRP calculations. + * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. + * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. + * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after + * client-side SRP calculations. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass - * another challenge before tokens are issued. - * - `DEVICE_SRP_AUTH`: If device tracking was activated on your user pool and the previous challenges were passed, this - * challenge is returned so that Amazon Cognito can start tracking this device. - * - `DEVICE_PASSWORD_VERIFIER`: Similar to `PASSWORD_VERIFIER`, but for devices only. - * - `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. - * - * Respond to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see + * Signing in with a device [^1]. + * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` + * after client-side SRP calculations. For more information, see Signing in with a device [^2]. + * - `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond + * to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the * `requiredAttributes` parameter. 
You can also set values for attributes that aren't required by your user pool and - * that your app client can write. For more information, see RespondToAuthChallenge [^1]. + * that your app client can write. * - * Amazon Cognito only returns this challenge for users who have temporary passwords. Because of this, and because in - * some cases you can create users who don't have values for required attributes, take care to collect and submit - * required-attribute values for all users who don't have passwords. You can create a user in the Amazon Cognito - * console without, for example, a required `birthdate` attribute. The API response from Amazon Cognito won't prompt - * you to submit a birthdate for the user if they don't have a password. + * Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless + * users, you must provide values for all required attributes. * * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. - * > In `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito returned in the `requiredAttributes` - * > parameter, then use the `UpdateUserAttributes` API operation to modify the value of any additional attributes. + * > In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito + * > returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or + * > `UpdateUserAttributes` API operation to modify the value of any additional attributes. * * - `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for * the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. * - * To set up software token MFA, use the session returned here from `InitiateAuth` as an input to - * `AssociateSoftwareToken`. 
Use the session returned by `VerifySoftwareToken` as an input to `RespondToAuthChallenge` - * with challenge name `MFA_SETUP` to complete sign-in. To set up SMS MFA, an administrator should help the user to - * add a phone number to their account, and then the user should call `InitiateAuth` again to restart sign-in. + * To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` + * or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by + * `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name + * `MFA_SETUP` to complete sign-in. + * + * To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the + * authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device * * @var ChallengeNameType::*|null */ private $challengeName; /** - * The session that should pass both ways in challenge-response calls to the service. If the caller must pass another - * challenge, they return a session with other challenge parameters. Include this session identifier in a - * `RespondToAuthChallenge` API request. + * The session identifier that links a challenge response to the initial authentication request. If the user must pass + * another challenge, Amazon Cognito returns a session ID and challenge parameters. * * @var string|null */ private $session; /** - * The challenge parameters. 
These are returned in the `InitiateAuth` response if you must pass another challenge. The - * responses in this parameter should be used to compute inputs to the next call (`RespondToAuthChallenge`). + * The required parameters of the `ChallengeName` challenge. * * All challenges require `USERNAME`. They also require `SECRET_HASH` if your app client has a client secret. * @@ -88,18 +88,20 @@ class InitiateAuthResponse extends Result private $challengeParameters; /** - * The result of the authentication response. This result is only returned if the caller doesn't need to pass another - * challenge. If the caller does need to pass another challenge before it gets tokens, `ChallengeName`, - * `ChallengeParameters`, and `Session` are returned. + * The result of a successful and complete authentication request. This result is only returned if the user doesn't need + * to pass another challenge. If they must pass another challenge before they get tokens, Amazon Cognito returns a + * challenge in `ChallengeName`, `ChallengeParameters`, and `Session` response parameters. * * @var AuthenticationResultType|null */ private $authenticationResult; /** - * This response parameter prompts a user to select from multiple available challenges that they can complete - * authentication with. For example, they might be able to continue with passwordless authentication or with a one-time - * password from an SMS message. + * This response parameter lists the available authentication challenges that users can select from in choice-based + * authentication [^1]. For example, they might be able to choose between passkey authentication, a one-time password + * from an SMS message, and a traditional password. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice * * @var list */ 
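Review bot: The new `$session` docblock in the first InitiateAuthResponse hunk drops the instruction to send the session on with the challenge response. The matching docblock in the RespondToAuthChallengeResponse hunk later in this diff still says to send it, unmodified, to the next `RespondToAuthChallenge` request. I'd keep the two in step by ending this one with `* Send this session identifier, unmodified, with your challenge response.` Separately, footnotes `[^1]` and `[^2]` under `$challengeName` point to the same URL and could share one reference; the same pair is added in the RespondToAuthChallengeResponse hunk. The class continues past the hunk.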
diff --git a/src/Service/CognitoIdentityProvider/src/Result/ListGroupsResponse.php b/src/Service/CognitoIdentityProvider/src/Result/ListGroupsResponse.php index 97eff227d..70956f06c 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/ListGroupsResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/ListGroupsResponse.php @@ -15,15 +15,17 @@ class ListGroupsResponse extends Result implements \IteratorAggregate { /** - * The group objects for the groups. + * An array of groups and their details. Each entry that's returned includes description, precedence, and IAM role + * values. * * @var GroupType[] */ private $groups; /** - * An identifier that was returned from the previous call to this operation, which can be used to return the next set of - * items in the list. + * The identifier that Amazon Cognito returned with the previous request to this operation. When you include a + * pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you + * can paginate through the full list of items. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/ListUsersResponse.php b/src/Service/CognitoIdentityProvider/src/Result/ListUsersResponse.php index 2bcde837b..92ed90f69 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/ListUsersResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/ListUsersResponse.php 
@@ -19,15 +19,7 @@ class ListUsersResponse extends Result implements \IteratorAggregate { /** - * A list of the user pool users, and their attributes, that match your query. - * - * > Amazon Cognito creates a profile in your user pool for each native user in your user pool, and each unique user ID - * > from your third-party identity providers (IdPs). When you link users with the AdminLinkProviderForUser [^1] API - * > operation, the output of `ListUsers` displays both the IdP user and the native user that you linked. You can - * > identify IdP users in the `Users` object of this API response by the IdP prefix that Amazon Cognito appends to - * > `Username`. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminLinkProviderForUser.html + * An array of user pool users who match your query, and their attributes. * * @var UserType[] */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/ResendConfirmationCodeResponse.php b/src/Service/CognitoIdentityProvider/src/Result/ResendConfirmationCodeResponse.php index 19feecc0b..9f34ce1d9 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/ResendConfirmationCodeResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/ResendConfirmationCodeResponse.php @@ -12,7 +12,7 @@ class ResendConfirmationCodeResponse extends Result { /** - * The code delivery details returned by the server in response to the request to resend the confirmation code. + * Information about the phone number or email address that Amazon Cognito sent the confirmation code to. * * @var CodeDeliveryDetailsType|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php b/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php index bad42e4c6..5646eb5f1 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php 
+++ b/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php 
@@ -14,34 +14,82 @@ class RespondToAuthChallengeResponse extends Result { /** - * The challenge name. For more information, see InitiateAuth [^1]. + * The name of the next challenge that you must respond to. * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * Possible challenges include the following: + * + * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in + * > the parameters. + * + * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn + * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. + * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), + * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` + * (required if the app client is configured with a client secret), `DEVICE_KEY`. + * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge + * types in the `AvailableChallenges` response parameter. + * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. + * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. + * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after + * client-side SRP calculations. + * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. 
+ * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see + * Signing in with a device [^1]. + * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` + * after client-side SRP calculations. For more information, see Signing in with a device [^2]. + * - `NEW_PASSWORD_REQUIRED`: For users who are required to change their passwords after successful first login. Respond + * to this challenge with `NEW_PASSWORD` and any required attributes that Amazon Cognito returned in the + * `requiredAttributes` parameter. You can also set values for attributes that aren't required by your user pool and + * that your app client can write. + * + * Amazon Cognito only returns this challenge for users who have temporary passwords. When you create passwordless + * users, you must provide values for all required attributes. + * + * > In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a required attribute that already has a value. + * > In `AdminRespondToAuthChallenge` or `RespondToAuthChallenge`, set a value for any keys that Amazon Cognito + * > returned in the `requiredAttributes` parameter, then use the `AdminUpdateUserAttributes` or + * > `UpdateUserAttributes` API operation to modify the value of any additional attributes. + * + * - `MFA_SETUP`: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for + * the user pool will be listed in the challenge parameters `MFAS_CAN_SETUP` value. + * + * To set up time-based one-time password (TOTP) MFA, use the session returned in this challenge from `InitiateAuth` + * or `AdminInitiateAuth` as an input to `AssociateSoftwareToken`. Then, use the session returned by + * `VerifySoftwareToken` as an input to `RespondToAuthChallenge` or `AdminRespondToAuthChallenge` with challenge name + * `MFA_SETUP` to complete sign-in. 
+ * + * To set up SMS or email MFA, collect a `phone_number` or `email` attribute for the user. Then restart the + * authentication flow with an `InitiateAuth` or `AdminInitiateAuth` request. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device + * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html#user-pools-remembered-devices-signing-in-with-a-device * * @var ChallengeNameType::*|null */ private $challengeName; /** - * The session that should be passed both ways in challenge-response calls to the service. If the caller must pass - * another challenge, they return a session with other challenge parameters. This session should be passed as it is to - * the next `RespondToAuthChallenge` API call. + * The session identifier that maintains the state of authentication requests and challenge responses. If an + * `InitiateAuth` or `RespondToAuthChallenge` API request results in a determination that your application must pass + * another challenge, Amazon Cognito returns a session with other challenge parameters. Send this session identifier, + * unmodified, to the next `RespondToAuthChallenge` request. * * @var string|null */ private $session; /** - * The challenge parameters. For more information, see InitiateAuth [^1]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html + * The parameters that define your response to the next challenge. * * @var array */ private $challengeParameters; /** - * The result returned by the server in response to the request to respond to the authentication challenge. + * The outcome of a successful authentication process. After your application has passed all challenges, Amazon Cognito + * returns an `AuthenticationResult` with the JSON web tokens (JWTs) that indicate successful sign-in. 
* * @var AuthenticationResultType|null */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php b/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php index b9c7c46ae..31cd54d13 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/SignUpResponse.php @@ -12,21 +12,26 @@ class SignUpResponse extends Result { /** - * A response from the server indicating that a user registration has been confirmed. + * Indicates whether the user was automatically confirmed. You can auto-confirm users with a pre sign-up Lambda trigger + * [^1]. + * + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-sign-up.html * * @var bool */ private $userConfirmed; /** - * The code delivery details returned by the server response to the user registration request. + * In user pools that automatically verify and confirm new users, Amazon Cognito sends users a message with a code or + * link that confirms ownership of the phone number or email address that they entered. The `CodeDeliveryDetails` object + * is information about the delivery destination for that link or code. * * @var CodeDeliveryDetailsType|null */ private $codeDeliveryDetails; /** - * The 128-bit ID of the authenticated user. This isn't the same as `username`. + * The unique identifier of the new user, for example `a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`. * * @var string */ diff --git a/src/Service/CognitoIdentityProvider/src/Result/VerifySoftwareTokenResponse.php b/src/Service/CognitoIdentityProvider/src/Result/VerifySoftwareTokenResponse.php index 6d699f506..322ab36e9 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/VerifySoftwareTokenResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/VerifySoftwareTokenResponse.php 
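Review bot: The rewritten docblock for the user identifier at the end of the SignUpResponse hunk drops the old sentence `This isn't the same as username.`, which was the only hint here that the two values are distinct. Code that keys per-user records or access checks on this field benefits from that reminder, so I'd keep it as a second sentence after the new example value. The property declaration is outside the hunk, so the field name itself is not visible here.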
@@ -9,14 +9,16 @@ class VerifySoftwareTokenResponse extends Result { /** - * The status of the verify software token. + * Amazon Cognito can accept or reject the code that you provide. This response parameter indicates the success of TOTP + * verification. Some reasons that this operation might return an error are clock skew on the user's device and + * excessive retries. * * @var VerifySoftwareTokenResponseType::*|null */ private $status; /** - * The session that should be passed both ways in challenge-response calls to the service. + * This session ID satisfies an `MFA_SETUP` challenge. Supply the session ID in your challenge response. * * @var string|null */ diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php index f188ab74b..08a3c38cc 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/AnalyticsMetadataType.php @@ -11,14 +11,7 @@ * resources for use with Amazon Cognito user pools, see Using Amazon Pinpoint analytics with Amazon Cognito user pools * [^1]. * - * This data type is a request parameter of authentication operations like InitiateAuth [^2], AdminInitiateAuth [^3], - * RespondToAuthChallenge [^4], and AdminRespondToAuthChallenge [^5]. - * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-pinpoint-integration.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html - * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html - * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class AnalyticsMetadataType { 
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php index 274327053..754c43b17 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/AttributeType.php @@ -6,11 +6,6 @@ /** * The name and value of a user attribute. - * - * This data type is a request parameter of AdminUpdateUserAttributes [^1] and UpdateUserAttributes [^2]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserAttributes.html */ final class AttributeType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php index fac6bd802..9e39a42d6 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/AuthenticationResultType.php 
@@ -5,14 +5,6 @@ /** * The object that your application receives after authentication. Contains tokens and information for device * authentication. - * - * This data type is a response parameter of authentication operations like InitiateAuth [^1], AdminInitiateAuth [^2], - * RespondToAuthChallenge [^3], and AdminRespondToAuthChallenge [^4]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html - * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class AuthenticationResultType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php index 243cd5de7..6e096679f 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/CodeDeliveryDetailsType.php @@ -6,12 +6,6 @@ /** * The delivery details for an email or SMS message that Amazon Cognito sent for authentication or verification. - * - * This data type is a response parameter of operations that send a code for user profile confirmation, verification, or - * management, for example ForgotPassword [^1] and SignUp [^2]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ForgotPassword.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SignUp.html */ final class CodeDeliveryDetailsType { 
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php index 847e09c16..fcf312ca5 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/ContextDataType.php @@ -6,12 +6,6 @@ /** * Contextual user data used for evaluating the risk of an authentication event by user pool threat protection. - * - * This data type is a request parameter of server-side authentication operations like AdminInitiateAuth [^1] and - * AdminRespondToAuthChallenge [^2]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class ContextDataType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php index 9c8ccb138..38e98671e 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/EmailMfaSettingsType.php 
@@ -4,14 +4,10 @@ /** * User preferences for multi-factor authentication with email messages. Activates or deactivates email MFA and sets it - * as the preferred MFA method when multiple methods are available. To activate this setting, advanced security features - * [^1] must be active in your user pool. + * as the preferred MFA method when multiple methods are available. To activate this setting, your user pool must be in + * the Essentials tier [^1] or higher. * - * This data type is a request parameter of SetUserMFAPreference [^2] and AdminSetUserMFAPreference [^3]. - * - * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html + * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/feature-plans-features-essentials.html */ final class EmailMfaSettingsType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php index 946146a5f..e616e9f0b 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/GroupType.php 
@@ -6,15 +6,6 @@ * A user pool group. Contains details about the group and the way that it contributes to IAM role decisions with * identity pools. Identity pools can make decisions about the IAM role to assign based on groups: users get credentials * for the role associated with their highest-priority group. - * - * This data type is a response parameter of AdminListGroupsForUser [^1], CreateGroup [^2], GetGroup [^3], ListGroups - * [^4], and UpdateGroup [^5]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminListGroupsForUser.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateGroup.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetGroup.html - * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListGroups.html - * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateGroup.html */ final class GroupType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php b/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php index a59e82a50..346095c1d 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/HttpHeader.php @@ -4,12 +4,6 @@ /** * The HTTP header in the `ContextData` parameter. - * - * This data type is a request parameter of server-side authentication operations like AdminInitiateAuth [^1] and - * AdminRespondToAuthChallenge [^2]. - * - * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class HttpHeader { 
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php index 84bc19e0e..c1f43596c 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/NewDeviceMetadataType.php @@ -7,14 +7,7 @@ * a user signs in with an unrecognized device. Amazon Cognito presents a new device key that you can use to set up * device authentication [^1] in a "Remember me on this device" authentication model. * - * This data type is a response parameter of authentication operations like InitiateAuth [^2], AdminInitiateAuth [^3], - * RespondToAuthChallenge [^4], and AdminRespondToAuthChallenge [^5]. - * * [^1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html - * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html - * [^3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminInitiateAuth.html - * [^4]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html - * [^5]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html */ final class NewDeviceMetadataType { diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php index febd65f3e..6a74e8e50 100644 --- a/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php +++ b/src/Service/CognitoIdentityProvider/src/ValueObject/SMSMfaSettingsType.php 
@@ -6,11 +6,6 @@
 * A user's preference for using SMS message multi-factor authentication (MFA). Turns SMS MFA on and off, and can set
 * SMS as preferred when other MFA options are available. You can't turn off SMS MFA for any of your users when MFA is
 * required in your user pool; you can only set the type that your user prefers.
- *
- * This data type is a request parameter of SetUserMFAPreference [^1] and AdminSetUserMFAPreference [^2].
- *
- * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html
- * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html
 */
 final class SMSMfaSettingsType
 {
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php
index 8937125f6..327280517 100644
--- a/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php
+++ b/src/Service/CognitoIdentityProvider/src/ValueObject/SoftwareTokenMfaSettingsType.php
@@ -6,11 +6,6 @@
 * A user's preference for using time-based one-time password (TOTP) multi-factor authentication (MFA). Turns TOTP MFA
 * on and off, and can set TOTP as preferred when other MFA options are available. You can't turn off TOTP MFA for any
 * of your users when MFA is required in your user pool; you can only set the type that your user prefers.
- *
- * This data type is a request parameter of SetUserMFAPreference [^1] and AdminSetUserMFAPreference [^2].
- *
- * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserMFAPreference.html
- * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserMFAPreference.html
 */
 final class SoftwareTokenMfaSettingsType
 {
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php
index 2e6dca7ed..d99bfe7cc 100644
--- a/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php
+++ b/src/Service/CognitoIdentityProvider/src/ValueObject/UserContextDataType.php
@@ -4,13 +4,7 @@
 /**
 * Contextual data, such as the user's device fingerprint, IP address, or location, used for evaluating the risk of an
- * unexpected event by Amazon Cognito advanced security.
- *
- * This data type is a request parameter of public-client authentication operations like InitiateAuth [^1] and
- * RespondToAuthChallenge [^2].
- *
- * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
- * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
+ * unexpected event by Amazon Cognito threat protection.
 */
 final class UserContextDataType
 {
diff --git a/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php b/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php
index 75d2e24ad..eb5e5370d 100644
--- a/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php
+++ b/src/Service/CognitoIdentityProvider/src/ValueObject/UserType.php
@@ -6,11 +6,6 @@
 /**
 * A user profile in a Amazon Cognito user pool.
- *
- * This data type is a response parameter to AdminCreateUser [^1] and ListUsers [^2].
- *
- * [^1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminCreateUser.html
- * [^2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ListUsers.html
 */
 final class UserType
 {