2019/10/04 - Amazon Cognito Identity Provider - 13 updated api methods
Changes This release adds ClientMetadata input parameter to multiple Cognito User Pools operations, making this parameter available to the customer configured lambda triggers as applicable.
{'ClientMetadata': {'string': 'string'}}
Confirms user registration as an admin without using a confirmation code. Works on any user.
Calling this action requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_confirm_sign_up(
UserPoolId='string',
Username='string',
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The user pool ID for which you want to confirm user registration.
string
[REQUIRED]
The user name for which you want to confirm user registration.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
If your user pool configuration includes triggers, the AdminConfirmSignUp API action invokes the AWS Lambda function that is specified for the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. In this payload, the clientMetadata attribute provides the data that you assigned to the ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in AWS Lambda, you can process the ClientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{}
Response Structure
(dict) --
Represents the response from the server for the request to confirm registration.
{'ClientMetadata': {'string': 'string'}}
Creates a new user in the specified user pool.
If MessageAction is not set, the default is to send a welcome message via email or phone (SMS).
Note
This message is based on a template that you configured in your call to or . This template includes your custom sign-up instructions and placeholders for user name and temporary password.
Alternatively, you can call AdminCreateUser with “SUPPRESS” for the MessageAction parameter, and Amazon Cognito will not send any email.
In either case, the user will be in the FORCE_CHANGE_PASSWORD state until they sign in and change their password.
AdminCreateUser requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_create_user(
UserPoolId='string',
Username='string',
UserAttributes=[
{
'Name': 'string',
'Value': 'string'
},
],
ValidationData=[
{
'Name': 'string',
'Value': 'string'
},
],
TemporaryPassword='string',
ForceAliasCreation=True|False,
MessageAction='RESEND'|'SUPPRESS',
DesiredDeliveryMediums=[
'SMS'|'EMAIL',
],
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The user pool ID for the user pool where the user will be created.
string
[REQUIRED]
The username for the user. Must be unique within the user pool. Must be a UTF-8 string between 1 and 128 characters. After the user is created, the username cannot be changed.
list
An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than Username . However, any attributes that you specify as required (in or in the Attributes tab of the console) must be supplied either by you (in your call to AdminCreateUser ) or by the user (when he or she signs up in response to your welcome message).
For custom attributes, you must prepend the custom: prefix to the attribute name.
To send a message inviting the user to sign up, you must specify the user's email address or phone number. This can be done in your call to AdminCreateUser or in the Users tab of the Amazon Cognito console for managing your user pools.
In your call to AdminCreateUser , you can set the email_verified attribute to True , and you can set the phone_number_verified attribute to True . (You can also do this by calling .)
email : The email address of the user to whom the message that contains the code and username will be sent. Required if the email_verified attribute is set to True , or if "EMAIL" is specified in the DesiredDeliveryMediums parameter.
phone_number : The phone number of the user to whom the message that contains the code and username will be sent. Required if the phone_number_verified attribute is set to True , or if "SMS" is specified in the DesiredDeliveryMediums parameter.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
list
The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. For example, you might choose to allow or disallow user sign-up based on the user's domain.
To configure custom validation, you must create a Pre Sign-up Lambda trigger for the user pool as described in the Amazon Cognito Developer Guide. The Lambda trigger receives the validation data and uses it in the validation process.
The user's validation data is not persisted.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
string
The user's temporary password. This password must conform to the password policy that you specified when you created the user pool.
The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary password in the sign-in page along with a new password to be used in all future sign-ins.
This parameter is not required. If you do not specify a value, Amazon Cognito generates one for you.
The temporary password can only be used until the user account expiration limit that you specified when you created the user pool. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter.
boolean
This parameter is only used if the phone_number_verified or email_verified attribute is set to True . Otherwise, it is ignored.
If this parameter is set to True and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.
If this parameter is set to False , the API throws an AliasExistsException error if the alias already exists. The default value is False .
string
Set to "RESEND" to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to "SUPPRESS" to suppress sending the message. Only one value can be specified.
list
Specify "EMAIL" if email will be used to send the welcome message. Specify "SMS" if the phone number will be used. The default value is "SMS" . More than one value can be specified.
(string) --
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the pre sign-up trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'User': {
'Username': 'string',
'Attributes': [
{
'Name': 'string',
'Value': 'string'
},
],
'UserCreateDate': datetime(2015, 1, 1),
'UserLastModifiedDate': datetime(2015, 1, 1),
'Enabled': True|False,
'UserStatus': 'UNCONFIRMED'|'CONFIRMED'|'ARCHIVED'|'COMPROMISED'|'UNKNOWN'|'RESET_REQUIRED'|'FORCE_CHANGE_PASSWORD',
'MFAOptions': [
{
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
},
]
}
}
Response Structure
(dict) --
Represents the response from the server to the request to create the user.
User (dict) --
The newly created user.
Username (string) --
The user name of the user you wish to describe.
Attributes (list) --
A container with information about the user type attributes.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) --
The name of the attribute.
Value (string) --
The value of the attribute.
UserCreateDate (datetime) --
The creation date of the user.
UserLastModifiedDate (datetime) --
The last modified date of the user.
Enabled (boolean) --
Specifies whether the user is enabled.
UserStatus (string) --
The user status. Can be one of the following:
UNCONFIRMED - User has been created but not confirmed.
CONFIRMED - User has been confirmed.
ARCHIVED - User is no longer active.
COMPROMISED - User is disabled due to a potential security threat.
UNKNOWN - User status is not known.
RESET_REQUIRED - User is confirmed, but the user must request a code and reset his or her password before he or she can sign in.
FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change his or her password to a new value before doing anything else.
MFAOptions (list) --
The MFA options for the user.
(dict) --
This data type is no longer supported. You can use it only for SMS MFA configurations. You can't use it for TOTP software token MFA configurations.
To set either type of MFA configuration, use the AdminSetUserMFAPreference or SetUserMFAPreference actions.
To look up information about either type of MFA configuration, use the AdminGetUserResponse$UserMFASettingList or GetUserResponse$UserMFASettingList responses.
DeliveryMedium (string) --
The delivery medium to send the MFA code. You can use this parameter to set only the SMS delivery medium value.
AttributeName (string) --
The attribute name of the MFA option type. The only valid value is phone_number .
{'ClientMetadata': {'string': 'string'}}
Resets the specified user's password in a user pool as an administrator. Works on any user.
When a developer calls this API, the current password is invalidated, so it must be changed. If a user tries to sign in after the API is called, the app will get a PasswordResetRequiredException exception back and should direct the user down the flow to reset the password, which is the same as the forgot password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.
Calling this action requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_reset_user_password(
UserPoolId='string',
Username='string',
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The user pool ID for the user pool where you want to reset the user's password.
string
[REQUIRED]
The user name of the user whose password you wish to reset.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminResetUserPassword API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminResetUserPassword request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{}
Response Structure
(dict) --
Represents the response from the server to reset a user password as an administrator.
{'ClientMetadata': {'string': 'string'}}
Responds to an authentication challenge, as an administrator.
Calling this action requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_respond_to_auth_challenge(
UserPoolId='string',
ClientId='string',
ChallengeName='SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
ChallengeResponses={
'string': 'string'
},
Session='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
ContextData={
'IpAddress': 'string',
'ServerName': 'string',
'ServerPath': 'string',
'HttpHeaders': [
{
'headerName': 'string',
'headerValue': 'string'
},
],
'EncodedData': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The ID of the Amazon Cognito user pool.
string
[REQUIRED]
The app client ID.
string
[REQUIRED]
The challenge name. For more information, see .
dict
The challenge responses. These are inputs corresponding to the value of ChallengeName , for example:
SMS_MFA : SMS_MFA_CODE , USERNAME , SECRET_HASH (if app client is configured with client secret).
PASSWORD_VERIFIER : PASSWORD_CLAIM_SIGNATURE , PASSWORD_CLAIM_SECRET_BLOCK , TIMESTAMP , USERNAME , SECRET_HASH (if app client is configured with client secret).
ADMIN_NO_SRP_AUTH : PASSWORD , USERNAME , SECRET_HASH (if app client is configured with client secret).
NEW_PASSWORD_REQUIRED : NEW_PASSWORD , any other required attributes, USERNAME , SECRET_HASH (if app client is configured with client secret).
The value of the USERNAME attribute must be the user's actual username, not an alias (such as email address or phone number). To make this easier, the AdminInitiateAuth response includes the actual username value in the USERNAMEUSER_ID_FOR_SRP attribute, even if you specified an alias in your call to AdminInitiateAuth .
(string) --
(string) --
string
The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
dict
The analytics metadata for collecting Amazon Pinpoint metrics for AdminRespondToAuthChallenge calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
IpAddress (string) -- [REQUIRED]
Source IP address of your user.
ServerName (string) -- [REQUIRED]
Your server endpoint where this API is invoked.
ServerPath (string) -- [REQUIRED]
Your server path where this API is invoked.
HttpHeaders (list) -- [REQUIRED]
HttpHeaders received on your server in same order.
(dict) --
The HTTP header.
headerName (string) --
The header name
headerValue (string) --
The header value.
EncodedData (string) --
Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminRespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up , custom message , post authentication , user migration , pre token generation , define auth challenge , create auth challenge , and verify auth challenge response . When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminRespondToAuthChallenge request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
'Session': 'string',
'ChallengeParameters': {
'string': 'string'
},
'AuthenticationResult': {
'AccessToken': 'string',
'ExpiresIn': 123,
'TokenType': 'string',
'RefreshToken': 'string',
'IdToken': 'string',
'NewDeviceMetadata': {
'DeviceKey': 'string',
'DeviceGroupKey': 'string'
}
}
}
Response Structure
(dict) --
Responds to the authentication challenge, as an administrator.
ChallengeName (string) --
The name of the challenge. For more information, see .
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
ChallengeParameters (dict) --
The challenge parameters. For more information, see .
(string) --
(string) --
AuthenticationResult (dict) --
The result returned by the server in response to the authentication request.
AccessToken (string) --
The access token.
ExpiresIn (integer) --
The expiration period of the authentication result in seconds.
TokenType (string) --
The token type.
RefreshToken (string) --
The refresh token.
IdToken (string) --
The ID token.
NewDeviceMetadata (dict) --
The new device metadata from an authentication result.
DeviceKey (string) --
The device key.
DeviceGroupKey (string) --
The device group key.
{'ClientMetadata': {'string': 'string'}}
Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user.
For custom attributes, you must prepend the custom: prefix to the attribute name.
In addition to updating user attributes, this API can also be used to mark phone and email as verified.
Calling this action requires developer credentials.
See also: AWS API Documentation
Request Syntax
client.admin_update_user_attributes(
UserPoolId='string',
Username='string',
UserAttributes=[
{
'Name': 'string',
'Value': 'string'
},
],
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The user pool ID for the user pool where you want to update user attributes.
string
[REQUIRED]
The user name of the user for whom you want to update user attributes.
list
[REQUIRED]
An array of name-value pairs representing user attributes.
For custom attributes, you must prepend the custom: prefix to the attribute name.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminUpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminUpdateUserAttributes request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{}
Response Structure
(dict) --
Represents the response from the server for the request to update user attributes as an administrator.
{'ClientMetadata': {'string': 'string'}}
Allows a user to enter a confirmation code to reset a forgotten password.
See also: AWS API Documentation
Request Syntax
client.confirm_forgot_password(
ClientId='string',
SecretHash='string',
Username='string',
ConfirmationCode='string',
Password='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The app client ID of the app associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user for whom you want to enter a code to retrieve a forgotten password.
string
[REQUIRED]
The confirmation code sent by a user's request to retrieve a forgotten password. For more information, see
string
[REQUIRED]
The password sent by a user's request to retrieve a forgotten password.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmForgotPassword calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ConfirmForgotPassword API action, Amazon Cognito invokes the functions that are assigned to the post confirmation and pre mutation triggers. When Amazon Cognito invokes either of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmForgotPassword request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{}
Response Structure
(dict) --
The response from the server that results from a user's request to retrieve a forgotten password.
{'ClientMetadata': {'string': 'string'}}
Confirms registration of a user and handles the existing alias from a previous user.
See also: AWS API Documentation
Request Syntax
client.confirm_sign_up(
ClientId='string',
SecretHash='string',
Username='string',
ConfirmationCode='string',
ForceAliasCreation=True|False,
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The ID of the app client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user whose registration you wish to confirm.
string
[REQUIRED]
The confirmation code sent by a user's request to confirm registration.
boolean
Boolean to be specified to force user confirmation irrespective of existing alias. By default set to False . If this parameter is set to True and the phone number/email used for sign up confirmation already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user being confirmed. If set to False , the API will throw an AliasExistsException error.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmSignUp calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ConfirmSignUp API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmSignUp request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{}
Response Structure
(dict) --
Represents the response from the server for the registration confirmation.
{'ClientMetadata': {'string': 'string'}}
Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. If a verified phone number exists for the user, the confirmation code is sent to the phone number. Otherwise, if a verified email exists, the confirmation code is sent to the email. If neither a verified phone number nor a verified email exists, InvalidParameterException is thrown. To use the confirmation code for resetting the password, call .
See also: AWS API Documentation
Request Syntax
client.forgot_password(
ClientId='string',
SecretHash='string',
UserContextData={
'EncodedData': 'string'
},
Username='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
string
[REQUIRED]
The user name of the user for whom you want to enter a code to reset a forgotten password.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ForgotPassword calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ForgotPassword API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up , custom message , and user migration . When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ForgotPassword request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
}
}
Response Structure
(dict) --
Respresents the response from the server regarding the request to reset a password.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server in response to the request to reset a password.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
{'ClientMetadata': {'string': 'string'}}
Gets the user attribute verification code for the specified attribute name.
See also: AWS API Documentation
Request Syntax
client.get_user_attribute_verification_code(
AccessToken='string',
AttributeName='string',
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The access token returned by the server response to get the user attribute verification code.
string
[REQUIRED]
The attribute name returned by the server response to get the user attribute verification code.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your GetUserAttributeVerificationCode request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
}
}
Response Structure
(dict) --
The verification code response returned by the server response to get the user attribute verification code.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server in response to the request to get the user attribute verification code.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
{'ClientMetadata': {'string': 'string'}}
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
See also: AWS API Documentation
Request Syntax
client.resend_confirmation_code(
ClientId='string',
SecretHash='string',
UserContextData={
'EncodedData': 'string'
},
Username='string',
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
string
[REQUIRED]
The user name of the user to whom you wish to resend a confirmation code.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for ResendConfirmationCode calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the ResendConfirmationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ResendConfirmationCode request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
}
}
Response Structure
(dict) --
The response from the server when the Amazon Cognito Your User Pools service makes the request to resend a confirmation code.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server in response to the request to resend the confirmation code.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
{'ClientMetadata': {'string': 'string'}}
Responds to the authentication challenge.
See also: AWS API Documentation
Request Syntax
client.respond_to_auth_challenge(
ClientId='string',
ChallengeName='SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
Session='string',
ChallengeResponses={
'string': 'string'
},
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The app client ID.
string
[REQUIRED]
The challenge name. For more information, see .
ADMIN_NO_SRP_AUTH is not a valid value.
string
The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
dict
The challenge responses. These are inputs corresponding to the value of ChallengeName , for example:
Note
SECRET_HASH (if app client is configured with client secret) applies to all inputs below (including SOFTWARE_TOKEN_MFA ).
SMS_MFA : SMS_MFA_CODE , USERNAME .
PASSWORD_VERIFIER : PASSWORD_CLAIM_SIGNATURE , PASSWORD_CLAIM_SECRET_BLOCK , TIMESTAMP , USERNAME .
NEW_PASSWORD_REQUIRED : NEW_PASSWORD , any other required attributes, USERNAME .
SOFTWARE_TOKEN_MFA : USERNAME and SOFTWARE_TOKEN_MFA_CODE are required attributes.
DEVICE_SRP_AUTH requires USERNAME , DEVICE_KEY , SRP_A (and SECRET_HASH ).
DEVICE_PASSWORD_VERIFIER requires everything that PASSWORD_VERIFIER requires plus DEVICE_KEY .
(string) --
(string) --
dict
The Amazon Pinpoint analytics metadata for collecting metrics for RespondToAuthChallenge calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: post authentication , pre token generation , define auth challenge , create auth challenge , and verify auth challenge . When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
'Session': 'string',
'ChallengeParameters': {
'string': 'string'
},
'AuthenticationResult': {
'AccessToken': 'string',
'ExpiresIn': 123,
'TokenType': 'string',
'RefreshToken': 'string',
'IdToken': 'string',
'NewDeviceMetadata': {
'DeviceKey': 'string',
'DeviceGroupKey': 'string'
}
}
}
Response Structure
(dict) --
The response to respond to the authentication challenge.
ChallengeName (string) --
The challenge name. For more information, see .
Session (string) --
The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.
ChallengeParameters (dict) --
The challenge parameters. For more information, see .
(string) --
(string) --
AuthenticationResult (dict) --
The result returned by the server in response to the request to respond to the authentication challenge.
AccessToken (string) --
The access token.
ExpiresIn (integer) --
The expiration period of the authentication result in seconds.
TokenType (string) --
The token type.
RefreshToken (string) --
The refresh token.
IdToken (string) --
The ID token.
NewDeviceMetadata (dict) --
The new device metadata from an authentication result.
DeviceKey (string) --
The device key.
DeviceGroupKey (string) --
The device group key.
{'ClientMetadata': {'string': 'string'}}
Registers the user in the specified user pool and creates a user name, password, and user attributes.
See also: AWS API Documentation
Request Syntax
client.sign_up(
ClientId='string',
SecretHash='string',
Username='string',
Password='string',
UserAttributes=[
{
'Name': 'string',
'Value': 'string'
},
],
ValidationData=[
{
'Name': 'string',
'Value': 'string'
},
],
AnalyticsMetadata={
'AnalyticsEndpointId': 'string'
},
UserContextData={
'EncodedData': 'string'
},
ClientMetadata={
'string': 'string'
}
)
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user you wish to register.
string
[REQUIRED]
The password of the user you wish to register.
list
An array of name-value pairs representing user attributes.
For custom attributes, you must prepend the custom: prefix to the attribute name.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
list
The validation data in the request to register a user.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
dict
The Amazon Pinpoint analytics metadata for collecting metrics for SignUp calls.
AnalyticsEndpointId (string) --
The endpoint ID.
dict
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
EncodedData (string) --
Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the SignUp API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up , custom message , and post confirmation . When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your SignUp request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'UserConfirmed': True|False,
'CodeDeliveryDetails': {
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
},
'UserSub': 'string'
}
Response Structure
(dict) --
The response from the server for a registration request.
UserConfirmed (boolean) --
A response from the server indicating that a user registration has been confirmed.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server response to the user registration request.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.
UserSub (string) --
The UUID of the authenticated user. This is not the same as username .
{'ClientMetadata': {'string': 'string'}}
Allows a user to update a specific attribute (one at a time).
See also: AWS API Documentation
Request Syntax
client.update_user_attributes(
UserAttributes=[
{
'Name': 'string',
'Value': 'string'
},
],
AccessToken='string',
ClientMetadata={
'string': 'string'
}
)
list
[REQUIRED]
An array of name-value pairs representing user attributes.
For custom attributes, you must prepend the custom: prefix to the attribute name.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
string
[REQUIRED]
The access token for the request to update user attributes.
dict
A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the UpdateUserAttributes API action, Amazon Cognito invokes the functions that are assigned to the custom message and pre mutation triggers. When Amazon Cognito invokes either of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your UpdateUserAttributes request. In your function code in AWS Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.
For more information, see Customizing User Pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide .
Note
Take the following limitations into consideration when you use the ClientMetadata parameter:
Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
Amazon Cognito does not validate the ClientMetadata value.
Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
(string) --
(string) --
dict
Response Syntax
{
'CodeDeliveryDetailsList': [
{
'Destination': 'string',
'DeliveryMedium': 'SMS'|'EMAIL',
'AttributeName': 'string'
},
]
}
Response Structure
(dict) --
Represents the response from the server for the request to update user attributes.
CodeDeliveryDetailsList (list) --
The code delivery details list from the server for the request to update user attributes.
(dict) --
The code delivery details being returned from the server.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The attribute name.