diff --git a/manifest.json b/manifest.json
index d3981f6aa..d49ef3992 100644
--- a/manifest.json
+++ b/manifest.json
@@ -1,6 +1,6 @@
 {
 "variables": {
- "${LATEST}": "3.354.0"
+ "${LATEST}": "3.356.1"
 },
 "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
 "services": {
diff --git a/src/Service/CognitoIdentityProvider/CHANGELOG.md b/src/Service/CognitoIdentityProvider/CHANGELOG.md
index 32fae133a..c2ad0a79a 100644
--- a/src/Service/CognitoIdentityProvider/CHANGELOG.md
+++ b/src/Service/CognitoIdentityProvider/CHANGELOG.md
@@ -2,6 +2,10 @@

 ## NOT RELEASED

+### Changed
+
+- AWS enhancement: Documentation updates.
+
 ## 1.15.0

 ### Added
diff --git a/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php b/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php
index 3742ef1e4..7486db369 100644
--- a/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php
+++ b/src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php
@@ -668,8 +668,10 @@ public function adminRemoveUserFromGroup($input): Result
 }

 /**
- * Resets the specified user's password in a user pool. This operation doesn't change the user's password, but sends a
- * password-reset code.
+ * Begins the password reset process. Sets the requested user’s account into a `RESET_REQUIRED` status, and sends them
+ * a password-reset code. Your user pool also sends the user a notification with a reset code and the information that
+ * their password has been reset. At sign-in, your application or the managed login session receives a challenge to
+ * complete the reset by confirming the code and setting a new password.
 *
 * To use this API operation, your user pool must have self-service account recovery configured.
 *
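Review bot: In the CognitoIdentityProviderClient.php hunk at -668, the rewritten docblock mentions the reset code twice, once as "sends them a password-reset code" and again as "Your user pool also sends the user a notification with a reset code", so a reader cannot tell whether one message or two are delivered. I would fold the two into a single sentence, for example `Sets the user's account to RESET_REQUIRED and sends them a notification that contains a password-reset code.`, if that matches the service behaviour. The added text also uses a typographic apostrophe in `user’s`, while the other docblocks in this commit use a plain `'`. The docblock and the method it documents continue outside the hunk, and since the changelog labels this an AWS documentation update, the wording probably has to be corrected where these comments are generated rather than by hand.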
@@ -1275,9 +1277,11 @@ public function createGroup($input): CreateGroupResponse
 }

 /**
- * Sends a password-reset confirmation code for the currently signed-in user.
+ * Sends a password-reset confirmation code to the email address or phone number of the requested username. The message
+ * delivery method is determined by the user's available attributes and the `AccountRecoverySetting` configuration of
+ * the user pool.
 *
- * For the `Username` parameter, you can use the username or user alias.
+ * For the `Username` parameter, you can use the username or an email, phone, or preferred username alias.
 *
 * If neither a verified phone number nor a verified email exists, Amazon Cognito responds with an
 * `InvalidParameterException` error . If your app client has a client secret and you don't provide a `SECRET_HASH`
diff --git a/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php b/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php
index 3b846a54c..65c16903e 100644
--- a/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php
+++ b/src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php
@@ -74,21 +74,37 @@ final class AdminInitiateAuthRequest extends Input private $authFlow; /** - * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required - * values depend on the value of `AuthFlow` for example: - * - * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for - * `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the - * available sign-in methods. - * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is - * configured with a client secret), `DEVICE_KEY`. - * - For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app - * client is configured with a client secret), `DEVICE_KEY`. - * - For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required), `SECRET_HASH` (required if the app client is - * configured with a client secret), `DEVICE_KEY`. - * - For `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), - * `DEVICE_KEY`. To start the authentication flow with password verification, include `ChallengeName: SRP_A` and - * `SRP_A: (The SRP_A Value)`. + * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. + * + * The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client + * has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device. + * + * - `USER_AUTH`: + * + * - `USERNAME` (required) + * - `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, Amazon Cognito responds with the + * `AvailableChallenges` parameter that specifies the available sign-in methods. 
+ * + * - `USER_SRP_AUTH`: + * + * - `USERNAME` (required) + * - `SRP_A` (required) + * + * - `ADMIN_USER_PASSWORD_AUTH`: + * + * - `USERNAME` (required) + * - `PASSWORD` (required) + * + * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: + * + * - `REFRESH_TOKEN`(required) + * + * - `CUSTOM_AUTH`: + * + * - `USERNAME` (required) + * - `ChallengeName: SRP_A` (when preceding custom authentication with SRP authentication) + * - `SRP_A: (An SRP_A value)` (when preceding custom authentication with SRP authentication) + * * * For more information about `SECRET_HASH`, see Computing secret hash values [^1]. For information about `DEVICE_KEY`, * see Working with user devices in your user pool [^2]. diff --git a/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php b/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php index cc063d3af..79554fcea 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php 
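Review bot: The added sentence "Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device" in the AdminInitiateAuthRequest docblock reads as if passing the key is by itself enough to skip MFA. As far as I know, this only takes effect when the user pool's device-remembering settings allow it, so the comment should say so, for example `Add DEVICE_KEY when signing in from a remembered device; MFA is skipped only if the user pool is configured to allow it for remembered devices.` The same sentence appears in the InitiateAuthRequest.php hunk at -61. Both hunks also print `REFRESH_TOKEN`(required) without the space that the other list items have before `(required)`. The docblock starts inside the hunk but ends outside it.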
@@ -61,19 +61,35 @@ final class InitiateAuthRequest extends Input /** * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. * - * The required values are specific to the InitiateAuthRequest$AuthFlow. - * * The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client - * has a client secret. - * - * - `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, - * Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods. - * - `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `DEVICE_KEY`. - * - `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `DEVICE_KEY`. - * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required), `DEVICE_KEY`. - * - `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), `DEVICE_KEY`. - * To start the authentication flow with password verification, include `ChallengeName: SRP_A` and `SRP_A: (The SRP_A - * Value)`. + * has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device. + * + * - `USER_AUTH`: + * + * - `USERNAME` (required) + * - `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, Amazon Cognito responds with the + * `AvailableChallenges` parameter that specifies the available sign-in methods. 
+ * + * - `USER_SRP_AUTH`: + * + * - `USERNAME` (required) + * - `SRP_A` (required) + * + * - `USER_PASSWORD_AUTH`: + * + * - `USERNAME` (required) + * - `PASSWORD` (required) + * + * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: + * + * - `REFRESH_TOKEN`(required) + * + * - `CUSTOM_AUTH`: + * + * - `USERNAME` (required) + * - `ChallengeName: SRP_A` (when doing SRP authentication before custom challenges) + * - `SRP_A: (An SRP_A value)` (when doing SRP authentication before custom challenges) + * * * For more information about `SECRET_HASH`, see Computing secret hash values [^1]. For information about `DEVICE_KEY`, * see Working with user devices in your user pool [^2]. diff --git a/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php b/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php index a2be15258..dfb444dab 100644 --- a/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php +++ b/src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php 
@@ -32,22 +32,25 @@ final class RespondToAuthChallengeRequest extends Input * Possible challenges include the following: * * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in - * > the parameters. + * > the parameters. Include a `DEVICE_KEY` for device authentication. * * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn - * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. - * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), - * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` - * (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge - * types in the `AvailableChallenges` response parameter. - * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. - * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. - * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after - * client-side SRP calculations. + * authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and + * security keys. + * - `PASSWORD`: Respond with the user's password as `PASSWORD`. + * - `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`. + * - `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the + * `AvailableChallenges` response parameter. 
Add the parameters of the selected challenge, for example `USERNAME` and + * `SMS_OTP`. + * - `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` + * - `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` + * - `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . + * - `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`. + * - `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, + * `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass - * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function + * and issued in the `ChallengeParameters` of a challenge response. * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see * Signing in with a device [^1]. * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` 
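Review bot: The new `SELECT_CHALLENGE` bullet ends with "Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP`", but `SMS_OTP` is a challenge type (it is the value given for `ANSWER` in the request examples further down this file), not a response parameter. That leaves the reader unsure what to put in `ChallengeResponses`, so I would name an actual parameter there or drop the example. Two smaller points in the same list: the `SMS_MFA` and `EMAIL_MFA` bullets have no closing period, and the `EMAIL_OTP` bullet has a stray space before its period. The identical text is added in AdminInitiateAuthResponse.php, InitiateAuthResponse.php and RespondToAuthChallengeResponse.php (hunks at -20, -19 and -19). The docblock begins and ends outside the hunk.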
@@ -127,6 +130,18 @@ final class RespondToAuthChallengeRequest extends Input
 * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}`
 * - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}`
 *
+ * - `WEB_AUTHN`:
+ *
+ * `"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL":
+ * "[AuthenticationResponseJSON]"}`
+ *
+ * See AuthenticationResponseJSON [^2].
+ * - `PASSWORD`:
+ *
+ * `"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}`
+ * - `PASSWORD_SRP`:
+ *
+ * `"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}`
 * - `SMS_OTP`:
 *
 * `"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}`
@@ -144,14 +159,10 @@ final class RespondToAuthChallengeRequest extends Input
 *
 * `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
 * "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`
- *
- * Add `"DEVICE_KEY"` when you sign in with a remembered device.
 * - `CUSTOM_CHALLENGE`:
 *
 * `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER":
 * "[challenge_answer]"}`
- *
- * Add `"DEVICE_KEY"` when you sign in with a remembered device.
 * - `NEW_PASSWORD_REQUIRED`:
 *
 * `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME":
@@ -185,15 +196,16 @@ final class RespondToAuthChallengeRequest extends Input
 * VerifySoftwareToken]"`
 * - `SELECT_MFA_TYPE`:
 *
- * `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
- * SOFTWARE_TOKEN_MFA]"}`
+ * `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER":
+ * "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}`
 *
- * For more information about `SECRET_HASH`, see Computing secret hash values [^2]. For information about `DEVICE_KEY`,
- * see Working with user devices in your user pool [^3].
+ * For more information about `SECRET_HASH`, see Computing secret hash values [^3]. For information about `DEVICE_KEY`,
+ * see Working with user devices in your user pool [^4].
 *
 * [^1]: https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson
- * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
- * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+ * [^2]: https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson
+ * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+ * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
 *
 * @var array|null
 */
diff --git a/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php b/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php
index bb9f24da0..9f529b27e 100644
--- a/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php
+++ b/src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php
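Review bot: The footnote list in the RespondToAuthChallengeRequest.php hunk at -185 now has `[^1]` and `[^2]` pointing at the same WebAuthn `AuthenticationResponseJSON` URL. The new `WEB_AUTHN` example added in the hunk at -127 cites `[^2]`, while the existing `[^1]` reference sits outside the visible lines. Reusing `[^1]` for the new "See AuthenticationResponseJSON" line would avoid the duplicate and leave the `SECRET_HASH` and `DEVICE_KEY` links at their old numbers `[^2]` and `[^3]`. If the footnotes are numbered automatically when the docblocks are generated, the de-duplication belongs in that step instead. The docblock starts outside the hunk.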
@@ -20,22 +20,25 @@ class AdminInitiateAuthResponse extends Result * Possible challenges include the following: * * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in - * > the parameters. + * > the parameters. Include a `DEVICE_KEY` for device authentication. * * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn - * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. - * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), - * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` - * (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge - * types in the `AvailableChallenges` response parameter. - * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. - * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. - * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after - * client-side SRP calculations. + * authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and + * security keys. + * - `PASSWORD`: Respond with the user's password as `PASSWORD`. + * - `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`. + * - `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the + * `AvailableChallenges` response parameter. 
Add the parameters of the selected challenge, for example `USERNAME` and + * `SMS_OTP`. + * - `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` + * - `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` + * - `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . + * - `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`. + * - `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, + * `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass - * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function + * and issued in the `ChallengeParameters` of a challenge response. * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see * Signing in with a device [^1]. * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` diff --git a/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php b/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php index ae8d38555..9e993d9dd 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/InitiateAuthResponse.php 
@@ -19,22 +19,25 @@ class InitiateAuthResponse extends Result * Possible challenges include the following: * * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in - * > the parameters. + * > the parameters. Include a `DEVICE_KEY` for device authentication. * * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn - * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. - * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), - * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` - * (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge - * types in the `AvailableChallenges` response parameter. - * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. - * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. - * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after - * client-side SRP calculations. + * authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and + * security keys. + * - `PASSWORD`: Respond with the user's password as `PASSWORD`. + * - `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`. + * - `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the + * `AvailableChallenges` response parameter. 
Add the parameters of the selected challenge, for example `USERNAME` and + * `SMS_OTP`. + * - `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` + * - `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` + * - `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . + * - `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`. + * - `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, + * `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass - * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function + * and issued in the `ChallengeParameters` of a challenge response. * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see * Signing in with a device [^1]. * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` diff --git a/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php b/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php index 5646eb5f1..e05ec6c43 100644 --- a/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php +++ b/src/Service/CognitoIdentityProvider/src/Result/RespondToAuthChallengeResponse.php 
@@ -19,22 +19,25 @@ class RespondToAuthChallengeResponse extends Result * Possible challenges include the following: * * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in - * > the parameters. + * > the parameters. Include a `DEVICE_KEY` for device authentication. * * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn - * authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. - * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), - * `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` - * (required if the app client is configured with a client secret), `DEVICE_KEY`. - * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge - * types in the `AvailableChallenges` response parameter. - * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. - * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. - * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after - * client-side SRP calculations. + * authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and + * security keys. + * - `PASSWORD`: Respond with the user's password as `PASSWORD`. + * - `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`. + * - `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the + * `AvailableChallenges` response parameter. 
Add the parameters of the selected challenge, for example `USERNAME` and + * `SMS_OTP`. + * - `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` + * - `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` + * - `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . + * - `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`. + * - `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`, + * `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`. * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass - * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. + * another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function + * and issued in the `ChallengeParameters` of a challenge response. * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see * Signing in with a device [^1]. * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`