Update generated code

manifest.json

@@ -1,6 +1,6 @@
 {
     "variables": {
-        "${LATEST}": "3.354.0"
+        "${LATEST}": "3.356.1"
     },
     "endpoints": "https://raw.githubusercontent.com/aws/aws-sdk-php/${LATEST}/src/data/endpoints.json",
     "services": {

src/Service/CognitoIdentityProvider/CHANGELOG.md

@@ -2,6 +2,10 @@
 
 ## NOT RELEASED
 
+### Changed
+
+- AWS enhancement: Documentation updates.
+
 ## 1.15.0
 
 ### Added

src/Service/CognitoIdentityProvider/src/CognitoIdentityProviderClient.php

@@ -668,8 +668,10 @@ public function adminRemoveUserFromGroup($input): Result
     }
 
     /**
-     * Resets the specified user's password in a user pool. This operation doesn't change the user's password, but sends a
-     * password-reset code.
+     * Begins the password reset process. Sets the requested user’s account into a `RESET_REQUIRED` status, and sends them
+     * a password-reset code. Your user pool also sends the user a notification with a reset code and the information that
+     * their password has been reset. At sign-in, your application or the managed login session receives a challenge to
+     * complete the reset by confirming the code and setting a new password.
      *
      * To use this API operation, your user pool must have self-service account recovery configured.
      *
@@ -1275,9 +1277,11 @@ public function createGroup($input): CreateGroupResponse
     }
 
     /**
-     * Sends a password-reset confirmation code for the currently signed-in user.
+     * Sends a password-reset confirmation code to the email address or phone number of the requested username. The message
+     * delivery method is determined by the user's available attributes and the `AccountRecoverySetting` configuration of
+     * the user pool.
      *
-     * For the `Username` parameter, you can use the username or user alias.
+     * For the `Username` parameter, you can use the username or an email, phone, or preferred username alias.
      *
      * If neither a verified phone number nor a verified email exists, Amazon Cognito responds with an
      * `InvalidParameterException` error . If your app client has a client secret and you don't provide a `SECRET_HASH`

src/Service/CognitoIdentityProvider/src/Input/AdminInitiateAuthRequest.php

@@ -74,21 +74,37 @@ final class AdminInitiateAuthRequest extends Input
     private $authFlow;
 
     /**
-     * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking. The required
-     * values depend on the value of `AuthFlow` for example:
-     *
-     * - For `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for
-     *   `PREFERRED_CHALLENGE`, Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the
-     *   available sign-in methods.
-     * - For `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is
-     *   configured with a client secret), `DEVICE_KEY`.
-     * - For `ADMIN_USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app
-     *   client is configured with a client secret), `DEVICE_KEY`.
-     * - For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required), `SECRET_HASH` (required if the app client is
-     *   configured with a client secret), `DEVICE_KEY`.
-     * - For `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret),
-     *   `DEVICE_KEY`. To start the authentication flow with password verification, include `ChallengeName: SRP_A` and
-     *   `SRP_A: (The SRP_A Value)`.
+     * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking.
+     *
+     * The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client
+     * has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device.
+     *
+     * - `USER_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, Amazon Cognito responds with the
+     *     `AvailableChallenges` parameter that specifies the available sign-in methods.
+     *
+     * - `USER_SRP_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `SRP_A` (required)
+     *
+     * - `ADMIN_USER_PASSWORD_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `PASSWORD` (required)
+     *
+     * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`:
+     *
+     *   - `REFRESH_TOKEN`(required)
+     *
+     * - `CUSTOM_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `ChallengeName: SRP_A` (when preceding custom authentication with SRP authentication)
+     *   - `SRP_A: (An SRP_A value)` (when preceding custom authentication with SRP authentication)
+     *
      *
      * For more information about `SECRET_HASH`, see Computing secret hash values [^1]. For information about `DEVICE_KEY`,
      * see Working with user devices in your user pool [^2].

src/Service/CognitoIdentityProvider/src/Input/InitiateAuthRequest.php

@@ -61,19 +61,35 @@ final class InitiateAuthRequest extends Input
     /**
      * The authentication parameters. These are inputs corresponding to the `AuthFlow` that you're invoking.
      *
-     * The required values are specific to the InitiateAuthRequest$AuthFlow.
-     *
      * The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client
-     * has a client secret.
-     *
-     * - `USER_AUTH`: `USERNAME` (required), `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`,
-     *   Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods.
-     * - `USER_SRP_AUTH`: `USERNAME` (required), `SRP_A` (required), `DEVICE_KEY`.
-     * - `USER_PASSWORD_AUTH`: `USERNAME` (required), `PASSWORD` (required), `DEVICE_KEY`.
-     * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`: `REFRESH_TOKEN` (required), `DEVICE_KEY`.
-     * - `CUSTOM_AUTH`: `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), `DEVICE_KEY`.
-     *   To start the authentication flow with password verification, include `ChallengeName: SRP_A` and `SRP_A: (The SRP_A
-     *   Value)`.
+     * has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device.
+     *
+     * - `USER_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `PREFERRED_CHALLENGE`. If you don't provide a value for `PREFERRED_CHALLENGE`, Amazon Cognito responds with the
+     *     `AvailableChallenges` parameter that specifies the available sign-in methods.
+     *
+     * - `USER_SRP_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `SRP_A` (required)
+     *
+     * - `USER_PASSWORD_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `PASSWORD` (required)
+     *
+     * - `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`:
+     *
+     *   - `REFRESH_TOKEN`(required)
+     *
+     * - `CUSTOM_AUTH`:
+     *
+     *   - `USERNAME` (required)
+     *   - `ChallengeName: SRP_A` (when doing SRP authentication before custom challenges)
+     *   - `SRP_A: (An SRP_A value)` (when doing SRP authentication before custom challenges)
+     *
      *
      * For more information about `SECRET_HASH`, see Computing secret hash values [^1]. For information about `DEVICE_KEY`,
      * see Working with user devices in your user pool [^2].

src/Service/CognitoIdentityProvider/src/Input/RespondToAuthChallengeRequest.php

@@ -32,22 +32,25 @@ final class RespondToAuthChallengeRequest extends Input
      * Possible challenges include the following:
      *
      * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in
-     * > the parameters.
+     * > the parameters. Include a `DEVICE_KEY` for device authentication.
      *
      * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn
-     *   authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys.
-     * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required),
-     *   `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`.
-     * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH`
-     *   (required if the app client is configured with a client secret), `DEVICE_KEY`.
-     * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge
-     *   types in the `AvailableChallenges` response parameter.
-     * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message.
-     * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message.
-     * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after
-     *   client-side SRP calculations.
+     *   authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and
+     *   security keys.
+     * - `PASSWORD`: Respond with the user's password as `PASSWORD`.
+     * - `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+     * - `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the
+     *   `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and
+     *   `SMS_OTP`.
+     * - `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE`
+     * - `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE`
+     * - `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+     * - `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+     * - `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`,
+     *   `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
      * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass
-     *   another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function.
+     *   another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function
+     *   and issued in the `ChallengeParameters` of a challenge response.
      * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see
      *   Signing in with a device [^1].
      * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`
@@ -127,6 +130,18 @@ final class RespondToAuthChallengeRequest extends Input
      *   - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}`
      *   - `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}`
      *
+     * - `WEB_AUTHN`:
+     *
+     *   `"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL":
+     *   "[AuthenticationResponseJSON]"}`
+     *
+     *   See AuthenticationResponseJSON [^2].
+     * - `PASSWORD`:
+     *
+     *   `"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}`
+     * - `PASSWORD_SRP`:
+     *
+     *   `"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}`
      * - `SMS_OTP`:
      *
      *   `"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}`
@@ -144,14 +159,10 @@ final class RespondToAuthChallengeRequest extends Input
      *
      *   `"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
      *   "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}`
-     *
-     *   Add `"DEVICE_KEY"` when you sign in with a remembered device.
      * - `CUSTOM_CHALLENGE`:
      *
      *   `"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER":
      *   "[challenge_answer]"}`
-     *
-     *   Add `"DEVICE_KEY"` when you sign in with a remembered device.
      * - `NEW_PASSWORD_REQUIRED`:
      *
      *   `"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME":
@@ -185,15 +196,16 @@ final class RespondToAuthChallengeRequest extends Input
      *   VerifySoftwareToken]"`
      * - `SELECT_MFA_TYPE`:
      *
-     *   `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
-     *   SOFTWARE_TOKEN_MFA]"}`
+     *   `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER":
+     *   "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}`
      *
-     * For more information about `SECRET_HASH`, see Computing secret hash values [^2]. For information about `DEVICE_KEY`,
-     * see Working with user devices in your user pool [^3].
+     * For more information about `SECRET_HASH`, see Computing secret hash values [^3]. For information about `DEVICE_KEY`,
+     * see Working with user devices in your user pool [^4].
      *
      * [^1]: https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson
-     * [^2]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
-     * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+     * [^2]: https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson
+     * [^3]: https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash
+     * [^4]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
      *
      * @var array<string, string>|null
      */

src/Service/CognitoIdentityProvider/src/Result/AdminInitiateAuthResponse.php

@@ -20,22 +20,25 @@ class AdminInitiateAuthResponse extends Result
      * Possible challenges include the following:
      *
      * > All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in
-     * > the parameters.
+     * > the parameters. Include a `DEVICE_KEY` for device authentication.
      *
      * - `WEB_AUTHN`: Respond to the challenge with the results of a successful authentication with a WebAuthn
-     *   authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys.
-     * - `PASSWORD`: Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required),
-     *   `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY`.
-     * - `PASSWORD_SRP`: Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH`
-     *   (required if the app client is configured with a client secret), `DEVICE_KEY`.
-     * - `SELECT_CHALLENGE`: Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge
-     *   types in the `AvailableChallenges` response parameter.
-     * - `SMS_MFA`: Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message.
-     * - `EMAIL_OTP`: Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message.
-     * - `PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP` after
-     *   client-side SRP calculations.
+     *   authenticator, or passkey, as `CREDENTIAL`. Examples of WebAuthn authenticators include biometric devices and
+     *   security keys.
+     * - `PASSWORD`: Respond with the user's password as `PASSWORD`.
+     * - `PASSWORD_SRP`: Respond with the initial SRP secret as `SRP_A`.
+     * - `SELECT_CHALLENGE`: Respond with a challenge selection as `ANSWER`. It must be one of the challenge types in the
+     *   `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and
+     *   `SMS_OTP`.
+     * - `SMS_MFA`: Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE`
+     * - `EMAIL_MFA`: Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE`
+     * - `EMAIL_OTP`: Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` .
+     * - `SMS_OTP`: Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE`.
+     * - `PASSWORD_VERIFIER`: Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE`,
+     *   `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`.
      * - `CUSTOM_CHALLENGE`: This is returned if your custom authentication flow determines that the user should pass
-     *   another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function.
+     *   another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function
+     *   and issued in the `ChallengeParameters` of a challenge response.
      * - `DEVICE_SRP_AUTH`: Respond with the initial parameters of device SRP authentication. For more information, see
      *   Signing in with a device [^1].
      * - `DEVICE_PASSWORD_VERIFIER`: Respond with `PASSWORD_CLAIM_SIGNATURE`, `PASSWORD_CLAIM_SECRET_BLOCK`, and `TIMESTAMP`