Amazon Cognito Identity Provider

2017/11/29 - Amazon Cognito Identity Provider - 11 new18 updated api methods

Changes  Update cognito-idp client to latest version

SetUserPoolMfaConfig (new) Link ¶

Set the user pool MFA configuration.

See also: AWS API Documentation

Request Syntax

client.set_user_pool_mfa_config(
    UserPoolId='string',
    SmsMfaConfiguration={
        'SmsAuthenticationMessage': 'string',
        'SmsConfiguration': {
            'SnsCallerArn': 'string',
            'ExternalId': 'string'
        }
    },
    SoftwareTokenMfaConfiguration={
        'Enabled': True|False
    },
    MfaConfiguration='OFF'|'ON'|'OPTIONAL'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

type SmsMfaConfiguration:

dict

param SmsMfaConfiguration:

The SMS text message MFA configuration.

  • SmsAuthenticationMessage (string) --

    The SMS authentication message.

  • SmsConfiguration (dict) --

    The SMS configuration.

    • SnsCallerArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

    • ExternalId (string) --

      The external ID.

type SoftwareTokenMfaConfiguration:

dict

param SoftwareTokenMfaConfiguration:

The software token MFA configuration.

  • Enabled (boolean) --

    Specifies whether software token MFA is enabled.

type MfaConfiguration:

string

param MfaConfiguration:

The MFA configuration.

rtype:

dict

returns:

Response Syntax

{
    'SmsMfaConfiguration': {
        'SmsAuthenticationMessage': 'string',
        'SmsConfiguration': {
            'SnsCallerArn': 'string',
            'ExternalId': 'string'
        }
    },
    'SoftwareTokenMfaConfiguration': {
        'Enabled': True|False
    },
    'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL'
}

Response Structure

  • (dict) --

    • SmsMfaConfiguration (dict) --

      The SMS text message MFA configuration.

      • SmsAuthenticationMessage (string) --

        The SMS authentication message.

      • SmsConfiguration (dict) --

        The SMS configuration.

        • SnsCallerArn (string) --

          The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

        • ExternalId (string) --

          The external ID.

    • SoftwareTokenMfaConfiguration (dict) --

      The software token MFA configuration.

      • Enabled (boolean) --

        Specifies whether software token MFA is enabled.

    • MfaConfiguration (string) --

      The MFA configuration.

VerifySoftwareToken (new) Link ¶

Use this API to register a user's entered TOTP code and mark the user's software token MFA status as "verified" if successful,

See also: AWS API Documentation

Request Syntax

client.verify_software_token(
    AccessToken='string',
    Session='string',
    UserCode='string',
    FriendlyDeviceName='string'
)
type AccessToken:

string

param AccessToken:

The access token.

type Session:

string

param Session:

The session which should be passed both ways in challenge-response calls to the service.

type UserCode:

string

param UserCode:

[REQUIRED]

The one time password computed using the secret code returned by

type FriendlyDeviceName:

string

param FriendlyDeviceName:

The friendly device name.

rtype:

dict

returns:

Response Syntax

{
    'Status': 'SUCCESS'|'ERROR',
    'Session': 'string'
}

Response Structure

  • (dict) --

    • Status (string) --

      The status of the verify software token.

    • Session (string) --

      The session which should be passed both ways in challenge-response calls to the service.

AdminListUserAuthEvents (new) Link ¶

Lists a history of user activity and any risks detected as part of Amazon Cognito advanced security.

See also: AWS API Documentation

Request Syntax

client.admin_list_user_auth_events(
    UserPoolId='string',
    Username='string',
    MaxResults=123,
    NextToken='string'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

type Username:

string

param Username:

[REQUIRED]

The user pool username.

type MaxResults:

integer

param MaxResults:

The maximum number of authentication events to return.

type NextToken:

string

param NextToken:

A pagination token.

rtype:

dict

returns:

Response Syntax

{
    'AuthEvents': [
        {
            'EventId': 'string',
            'EventType': 'SignIn'|'SignUp'|'ForgotPassword',
            'CreationDate': datetime(2015, 1, 1),
            'EventResponse': 'Success'|'Failure',
            'EventRisk': {
                'RiskDecision': 'NoRisk'|'AccountTakeover'|'Block',
                'RiskLevel': 'Low'|'Medium'|'High'
            },
            'ChallengeResponses': [
                {
                    'ChallengeName': 'Password'|'Mfa',
                    'ChallengeResponse': 'Success'|'Failure'
                },
            ],
            'EventContextData': {
                'IpAddress': 'string',
                'DeviceName': 'string',
                'Timezone': 'string',
                'City': 'string',
                'Country': 'string'
            },
            'EventFeedback': {
                'FeedbackValue': 'Valid'|'Invalid',
                'Provider': 'string',
                'FeedbackDate': datetime(2015, 1, 1)
            }
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • AuthEvents (list) --

      The response object. It includes the EventID, EventType, CreationDate, EventRisk, and EventResponse.

      • (dict) --

        The authentication event type.

        • EventId (string) --

          The event ID.

        • EventType (string) --

          The event type.

        • CreationDate (datetime) --

          The creation date

        • EventResponse (string) --

          The event response.

        • EventRisk (dict) --

          The event risk.

          • RiskDecision (string) --

            The risk decision.

          • RiskLevel (string) --

            The risk level.

        • ChallengeResponses (list) --

          The challenge responses.

          • (dict) --

            The challenge response type.

            • ChallengeName (string) --

              The challenge name

            • ChallengeResponse (string) --

              The challenge response.

        • EventContextData (dict) --

          The user context data captured at the time of an event request. It provides additional information about the client from which event the request is received.

          • IpAddress (string) --

            The user's IP address.

          • DeviceName (string) --

            The user's device name.

          • Timezone (string) --

            The user's time zone.

          • City (string) --

            The user's city.

          • Country (string) --

            The user's country.

        • EventFeedback (dict) --

          A flag specifying the user feedback captured at the time of an event request is good or bad.

          • FeedbackValue (string) --

            The event feedback value.

          • Provider (string) --

            The provider.

          • FeedbackDate (datetime) --

            The event feedback date.

    • NextToken (string) --

      A pagination token.

SetRiskConfiguration (new) Link ¶

Configures actions on detected risks. To delete the risk configuration for UserPoolId or ClientId, pass null values for all four configuration types.

To enable Amazon Cognito advanced security features, update the user pool to include the UserPoolAddOns key AdvancedSecurityMode.

See .

See also: AWS API Documentation

Request Syntax

client.set_risk_configuration(
    UserPoolId='string',
    ClientId='string',
    CompromisedCredentialsRiskConfiguration={
        'EventFilter': [
            'SIGN_IN'|'PASSWORD_CHANGE'|'SIGN_UP',
        ],
        'Actions': {
            'EventAction': 'BLOCK'|'NO_ACTION'
        }
    },
    AccountTakeoverRiskConfiguration={
        'NotifyConfiguration': {
            'From': 'string',
            'ReplyTo': 'string',
            'SourceArn': 'string',
            'BlockEmail': {
                'Subject': 'string',
                'HtmlBody': 'string',
                'TextBody': 'string'
            },
            'NoActionEmail': {
                'Subject': 'string',
                'HtmlBody': 'string',
                'TextBody': 'string'
            },
            'MfaEmail': {
                'Subject': 'string',
                'HtmlBody': 'string',
                'TextBody': 'string'
            }
        },
        'Actions': {
            'LowAction': {
                'Notify': True|False,
                'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
            },
            'MediumAction': {
                'Notify': True|False,
                'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
            },
            'HighAction': {
                'Notify': True|False,
                'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
            }
        }
    },
    RiskExceptionConfiguration={
        'BlockedIPRangeList': [
            'string',
        ],
        'SkippedIPRangeList': [
            'string',
        ]
    }
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

type ClientId:

string

param ClientId:

The app client ID. If ClientId is null, then the risk configuration is mapped to userPoolId. When the client ID is null, the same risk configuration is applied to all the clients in the userPool.

Otherwise, ClientId is mapped to the client. When the client ID is not null, the user pool configuration is overridden and the risk configuration for the client is used instead.

type CompromisedCredentialsRiskConfiguration:

dict

param CompromisedCredentialsRiskConfiguration:

The compromised credentials risk configuration.

  • EventFilter (list) --

    Perform the action for these events. The default is to perform all events if no event filter is specified.

    • (string) --

  • Actions (dict) -- [REQUIRED]

    The compromised credentials risk configuration actions.

    • EventAction (string) -- [REQUIRED]

      The event action.

type AccountTakeoverRiskConfiguration:

dict

param AccountTakeoverRiskConfiguration:

The account takeover risk configuration.

  • NotifyConfiguration (dict) --

    The notify configuration used to construct email notifications.

    • From (string) --

      The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.

    • ReplyTo (string) --

      The destination to which the receiver of an email should reply to.

    • SourceArn (string) -- [REQUIRED]

      The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.

    • BlockEmail (dict) --

      Email template used when a detected risk event is blocked.

      • Subject (string) -- [REQUIRED]

        The subject.

      • HtmlBody (string) --

        The HTML body.

      • TextBody (string) --

        The text body.

    • NoActionEmail (dict) --

      The email template used when a detected risk event is allowed.

      • Subject (string) -- [REQUIRED]

        The subject.

      • HtmlBody (string) --

        The HTML body.

      • TextBody (string) --

        The text body.

    • MfaEmail (dict) --

      The MFA email template used when MFA is challenged as part of a detected risk.

      • Subject (string) -- [REQUIRED]

        The subject.

      • HtmlBody (string) --

        The HTML body.

      • TextBody (string) --

        The text body.

  • Actions (dict) -- [REQUIRED]

    Account takeover risk configuration actions

    • LowAction (dict) --

      Action to take for a low risk.

      • Notify (boolean) -- [REQUIRED]

        Flag specifying whether to send a notification.

      • EventAction (string) -- [REQUIRED]

        The event action.

        • BLOCK Choosing this action will block the request.

        • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

        • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

        • NO_ACTION Allow the user sign-in.

    • MediumAction (dict) --

      Action to take for a medium risk.

      • Notify (boolean) -- [REQUIRED]

        Flag specifying whether to send a notification.

      • EventAction (string) -- [REQUIRED]

        The event action.

        • BLOCK Choosing this action will block the request.

        • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

        • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

        • NO_ACTION Allow the user sign-in.

    • HighAction (dict) --

      Action to take for a high risk.

      • Notify (boolean) -- [REQUIRED]

        Flag specifying whether to send a notification.

      • EventAction (string) -- [REQUIRED]

        The event action.

        • BLOCK Choosing this action will block the request.

        • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

        • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

        • NO_ACTION Allow the user sign-in.

type RiskExceptionConfiguration:

dict

param RiskExceptionConfiguration:

The configuration to override the risk decision.

  • BlockedIPRangeList (list) --

    Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation: a compact representation of an IP address and its associated routing prefix.

    • (string) --

  • SkippedIPRangeList (list) --

    Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR notation.

    • (string) --

rtype:

dict

returns:

Response Syntax

{
    'RiskConfiguration': {
        'UserPoolId': 'string',
        'ClientId': 'string',
        'CompromisedCredentialsRiskConfiguration': {
            'EventFilter': [
                'SIGN_IN'|'PASSWORD_CHANGE'|'SIGN_UP',
            ],
            'Actions': {
                'EventAction': 'BLOCK'|'NO_ACTION'
            }
        },
        'AccountTakeoverRiskConfiguration': {
            'NotifyConfiguration': {
                'From': 'string',
                'ReplyTo': 'string',
                'SourceArn': 'string',
                'BlockEmail': {
                    'Subject': 'string',
                    'HtmlBody': 'string',
                    'TextBody': 'string'
                },
                'NoActionEmail': {
                    'Subject': 'string',
                    'HtmlBody': 'string',
                    'TextBody': 'string'
                },
                'MfaEmail': {
                    'Subject': 'string',
                    'HtmlBody': 'string',
                    'TextBody': 'string'
                }
            },
            'Actions': {
                'LowAction': {
                    'Notify': True|False,
                    'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
                },
                'MediumAction': {
                    'Notify': True|False,
                    'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
                },
                'HighAction': {
                    'Notify': True|False,
                    'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
                }
            }
        },
        'RiskExceptionConfiguration': {
            'BlockedIPRangeList': [
                'string',
            ],
            'SkippedIPRangeList': [
                'string',
            ]
        },
        'LastModifiedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • RiskConfiguration (dict) --

      The risk configuration.

      • UserPoolId (string) --

        The user pool ID.

      • ClientId (string) --

        The app client ID.

      • CompromisedCredentialsRiskConfiguration (dict) --

        The compromised credentials risk configuration object including the EventFilter and the EventAction

        • EventFilter (list) --

          Perform the action for these events. The default is to perform all events if no event filter is specified.

          • (string) --

        • Actions (dict) --

          The compromised credentials risk configuration actions.

          • EventAction (string) --

            The event action.

      • AccountTakeoverRiskConfiguration (dict) --

        The account takeover risk configuration object including the NotifyConfiguration object and Actions to take in the case of an account takeover.

        • NotifyConfiguration (dict) --

          The notify configuration used to construct email notifications.

          • From (string) --

            The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.

          • ReplyTo (string) --

            The destination to which the receiver of an email should reply to.

          • SourceArn (string) --

            The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.

          • BlockEmail (dict) --

            Email template used when a detected risk event is blocked.

            • Subject (string) --

              The subject.

            • HtmlBody (string) --

              The HTML body.

            • TextBody (string) --

              The text body.

          • NoActionEmail (dict) --

            The email template used when a detected risk event is allowed.

            • Subject (string) --

              The subject.

            • HtmlBody (string) --

              The HTML body.

            • TextBody (string) --

              The text body.

          • MfaEmail (dict) --

            The MFA email template used when MFA is challenged as part of a detected risk.

            • Subject (string) --

              The subject.

            • HtmlBody (string) --

              The HTML body.

            • TextBody (string) --

              The text body.

        • Actions (dict) --

          Account takeover risk configuration actions

          • LowAction (dict) --

            Action to take for a low risk.

            • Notify (boolean) --

              Flag specifying whether to send a notification.

            • EventAction (string) --

              The event action.

              • BLOCK Choosing this action will block the request.

              • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

              • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

              • NO_ACTION Allow the user sign-in.

          • MediumAction (dict) --

            Action to take for a medium risk.

            • Notify (boolean) --

              Flag specifying whether to send a notification.

            • EventAction (string) --

              The event action.

              • BLOCK Choosing this action will block the request.

              • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

              • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

              • NO_ACTION Allow the user sign-in.

          • HighAction (dict) --

            Action to take for a high risk.

            • Notify (boolean) --

              Flag specifying whether to send a notification.

            • EventAction (string) --

              The event action.

              • BLOCK Choosing this action will block the request.

              • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

              • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

              • NO_ACTION Allow the user sign-in.

      • RiskExceptionConfiguration (dict) --

        The configuration to override the risk decision.

        • BlockedIPRangeList (list) --

          Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation: a compact representation of an IP address and its associated routing prefix.

          • (string) --

        • SkippedIPRangeList (list) --

          Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR notation.

          • (string) --

      • LastModifiedDate (datetime) --

        The last modified date.

DescribeRiskConfiguration (new) Link ¶

Describes the risk configuration.

See also: AWS API Documentation

Request Syntax

client.describe_risk_configuration(
    UserPoolId='string',
    ClientId='string'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

type ClientId:

string

param ClientId:

The app client ID.

rtype:

dict

returns:

Response Syntax

{
    'RiskConfiguration': {
        'UserPoolId': 'string',
        'ClientId': 'string',
        'CompromisedCredentialsRiskConfiguration': {
            'EventFilter': [
                'SIGN_IN'|'PASSWORD_CHANGE'|'SIGN_UP',
            ],
            'Actions': {
                'EventAction': 'BLOCK'|'NO_ACTION'
            }
        },
        'AccountTakeoverRiskConfiguration': {
            'NotifyConfiguration': {
                'From': 'string',
                'ReplyTo': 'string',
                'SourceArn': 'string',
                'BlockEmail': {
                    'Subject': 'string',
                    'HtmlBody': 'string',
                    'TextBody': 'string'
                },
                'NoActionEmail': {
                    'Subject': 'string',
                    'HtmlBody': 'string',
                    'TextBody': 'string'
                },
                'MfaEmail': {
                    'Subject': 'string',
                    'HtmlBody': 'string',
                    'TextBody': 'string'
                }
            },
            'Actions': {
                'LowAction': {
                    'Notify': True|False,
                    'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
                },
                'MediumAction': {
                    'Notify': True|False,
                    'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
                },
                'HighAction': {
                    'Notify': True|False,
                    'EventAction': 'BLOCK'|'MFA_IF_CONFIGURED'|'MFA_REQUIRED'|'NO_ACTION'
                }
            }
        },
        'RiskExceptionConfiguration': {
            'BlockedIPRangeList': [
                'string',
            ],
            'SkippedIPRangeList': [
                'string',
            ]
        },
        'LastModifiedDate': datetime(2015, 1, 1)
    }
}

Response Structure

  • (dict) --

    • RiskConfiguration (dict) --

      The risk configuration.

      • UserPoolId (string) --

        The user pool ID.

      • ClientId (string) --

        The app client ID.

      • CompromisedCredentialsRiskConfiguration (dict) --

        The compromised credentials risk configuration object including the EventFilter and the EventAction

        • EventFilter (list) --

          Perform the action for these events. The default is to perform all events if no event filter is specified.

          • (string) --

        • Actions (dict) --

          The compromised credentials risk configuration actions.

          • EventAction (string) --

            The event action.

      • AccountTakeoverRiskConfiguration (dict) --

        The account takeover risk configuration object including the NotifyConfiguration object and Actions to take in the case of an account takeover.

        • NotifyConfiguration (dict) --

          The notify configuration used to construct email notifications.

          • From (string) --

            The email address that is sending the email. It must be either individually verified with Amazon SES, or from a domain that has been verified with Amazon SES.

          • ReplyTo (string) --

            The destination to which the receiver of an email should reply to.

          • SourceArn (string) --

            The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. It permits Amazon Cognito to send for the email address specified in the From parameter.

          • BlockEmail (dict) --

            Email template used when a detected risk event is blocked.

            • Subject (string) --

              The subject.

            • HtmlBody (string) --

              The HTML body.

            • TextBody (string) --

              The text body.

          • NoActionEmail (dict) --

            The email template used when a detected risk event is allowed.

            • Subject (string) --

              The subject.

            • HtmlBody (string) --

              The HTML body.

            • TextBody (string) --

              The text body.

          • MfaEmail (dict) --

            The MFA email template used when MFA is challenged as part of a detected risk.

            • Subject (string) --

              The subject.

            • HtmlBody (string) --

              The HTML body.

            • TextBody (string) --

              The text body.

        • Actions (dict) --

          Account takeover risk configuration actions

          • LowAction (dict) --

            Action to take for a low risk.

            • Notify (boolean) --

              Flag specifying whether to send a notification.

            • EventAction (string) --

              The event action.

              • BLOCK Choosing this action will block the request.

              • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

              • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

              • NO_ACTION Allow the user sign-in.

          • MediumAction (dict) --

            Action to take for a medium risk.

            • Notify (boolean) --

              Flag specifying whether to send a notification.

            • EventAction (string) --

              The event action.

              • BLOCK Choosing this action will block the request.

              • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

              • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

              • NO_ACTION Allow the user sign-in.

          • HighAction (dict) --

            Action to take for a high risk.

            • Notify (boolean) --

              Flag specifying whether to send a notification.

            • EventAction (string) --

              The event action.

              • BLOCK Choosing this action will block the request.

              • MFA_IF_CONFIGURED Throw MFA challenge if user has configured it, else allow the request.

              • MFA_REQUIRED Throw MFA challenge if user has configured it, else block the request.

              • NO_ACTION Allow the user sign-in.

      • RiskExceptionConfiguration (dict) --

        The configuration to override the risk decision.

        • BlockedIPRangeList (list) --

          Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation: a compact representation of an IP address and its associated routing prefix.

          • (string) --

        • SkippedIPRangeList (list) --

          Risk detection is not performed on the IP addresses in the range list. The IP range is in CIDR notation.

          • (string) --

      • LastModifiedDate (datetime) --

        The last modified date.

AdminSetUserMFAPreference (new) Link ¶

Sets the user's multi-factor authentication (MFA) preference.

See also: AWS API Documentation

Request Syntax

client.admin_set_user_mfa_preference(
    SMSMfaSettings={
        'Enabled': True|False,
        'PreferredMfa': True|False
    },
    SoftwareTokenMfaSettings={
        'Enabled': True|False,
        'PreferredMfa': True|False
    },
    Username='string',
    UserPoolId='string'
)
type SMSMfaSettings:

dict

param SMSMfaSettings:

The SMS text message MFA settings.

  • Enabled (boolean) --

    Specifies whether SMS text message MFA is enabled.

  • PreferredMfa (boolean) --

    The preferred MFA method.

type SoftwareTokenMfaSettings:

dict

param SoftwareTokenMfaSettings:

The time-based one-time password software token MFA settings.

  • Enabled (boolean) --

    Specifies whether software token MFA is enabled.

  • PreferredMfa (boolean) --

    The preferred MFA method.

type Username:

string

param Username:

[REQUIRED]

The user pool username.

type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

AssociateSoftwareToken (new) Link ¶

Returns a unique generated shared secret key code for the user account. The request takes an access token or a session string, but not both.

See also: AWS API Documentation

Request Syntax

client.associate_software_token(
    AccessToken='string',
    Session='string'
)
type AccessToken:

string

param AccessToken:

The access token.

type Session:

string

param Session:

The session which should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process.

rtype:

dict

returns:

Response Syntax

{
    'SecretCode': 'string',
    'Session': 'string'
}

Response Structure

  • (dict) --

    • SecretCode (string) --

      A unique generated shared secret code that is used in the TOTP algorithm to generate a one time code.

    • Session (string) --

      The session which should be passed both ways in challenge-response calls to the service. This allows authentication of the user as part of the MFA setup process.

SetUserMFAPreference (new) Link ¶

Set the user's multi-factor authentication (MFA) method preference.

See also: AWS API Documentation

Request Syntax

client.set_user_mfa_preference(
    SMSMfaSettings={
        'Enabled': True|False,
        'PreferredMfa': True|False
    },
    SoftwareTokenMfaSettings={
        'Enabled': True|False,
        'PreferredMfa': True|False
    },
    AccessToken='string'
)
type SMSMfaSettings:

dict

param SMSMfaSettings:

The SMS text message multi-factor authentication (MFA) settings.

  • Enabled (boolean) --

    Specifies whether SMS text message MFA is enabled.

  • PreferredMfa (boolean) --

    The preferred MFA method.

type SoftwareTokenMfaSettings:

dict

param SoftwareTokenMfaSettings:

The time-based one-time password software token MFA settings.

  • Enabled (boolean) --

    Specifies whether software token MFA is enabled.

  • PreferredMfa (boolean) --

    The preferred MFA method.

type AccessToken:

string

param AccessToken:

[REQUIRED]

The access token.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

UpdateAuthEventFeedback (new) Link ¶

Provides the feedback for an authentication event whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

See also: AWS API Documentation

Request Syntax

client.update_auth_event_feedback(
    UserPoolId='string',
    Username='string',
    EventId='string',
    FeedbackToken='string',
    FeedbackValue='Valid'|'Invalid'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

type Username:

string

param Username:

[REQUIRED]

The user pool username.

type EventId:

string

param EventId:

[REQUIRED]

The event ID.

type FeedbackToken:

string

param FeedbackToken:

[REQUIRED]

The feedback token.

type FeedbackValue:

string

param FeedbackValue:

[REQUIRED]

The authentication event feedback value.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetUserPoolMfaConfig (new) Link ¶

Gets the user pool multi-factor authentication (MFA) configuration.

See also: AWS API Documentation

Request Syntax

client.get_user_pool_mfa_config(
    UserPoolId='string'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

rtype:

dict

returns:

Response Syntax

{
    'SmsMfaConfiguration': {
        'SmsAuthenticationMessage': 'string',
        'SmsConfiguration': {
            'SnsCallerArn': 'string',
            'ExternalId': 'string'
        }
    },
    'SoftwareTokenMfaConfiguration': {
        'Enabled': True|False
    },
    'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL'
}

Response Structure

  • (dict) --

    • SmsMfaConfiguration (dict) --

      The SMS text message multi-factor (MFA) configuration.

      • SmsAuthenticationMessage (string) --

        The SMS authentication message.

      • SmsConfiguration (dict) --

        The SMS configuration.

        • SnsCallerArn (string) --

          The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

        • ExternalId (string) --

          The external ID.

    • SoftwareTokenMfaConfiguration (dict) --

      The software token multi-factor (MFA) configuration.

      • Enabled (boolean) --

        Specifies whether software token MFA is enabled.

    • MfaConfiguration (string) --

      The multi-factor (MFA) configuration.

AdminUpdateAuthEventFeedback (new) Link ¶

Provides feedback for an authentication event as to whether it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.

See also: AWS API Documentation

Request Syntax

client.admin_update_auth_event_feedback(
    UserPoolId='string',
    Username='string',
    EventId='string',
    FeedbackValue='Valid'|'Invalid'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID.

type Username:

string

param Username:

[REQUIRED]

The user pool username.

type EventId:

string

param EventId:

[REQUIRED]

The authentication event ID.

type FeedbackValue:

string

param FeedbackValue:

[REQUIRED]

The authentication event feedback value.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

AdminGetUser (updated) Link ¶
Changes (response)
{'PreferredMfaSetting': 'string', 'UserMFASettingList': ['string']}

Gets the specified user by user name in a user pool as an administrator. Works on any user.

Requires developer credentials.

See also: AWS API Documentation

Request Syntax

client.admin_get_user(
    UserPoolId='string',
    Username='string'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID for the user pool where you want to get information about the user.

type Username:

string

param Username:

[REQUIRED]

The user name of the user you wish to retrieve.

rtype:

dict

returns:

Response Syntax

{
    'Username': 'string',
    'UserAttributes': [
        {
            'Name': 'string',
            'Value': 'string'
        },
    ],
    'UserCreateDate': datetime(2015, 1, 1),
    'UserLastModifiedDate': datetime(2015, 1, 1),
    'Enabled': True|False,
    'UserStatus': 'UNCONFIRMED'|'CONFIRMED'|'ARCHIVED'|'COMPROMISED'|'UNKNOWN'|'RESET_REQUIRED'|'FORCE_CHANGE_PASSWORD',
    'MFAOptions': [
        {
            'DeliveryMedium': 'SMS'|'EMAIL',
            'AttributeName': 'string'
        },
    ],
    'PreferredMfaSetting': 'string',
    'UserMFASettingList': [
        'string',
    ]
}

Response Structure

  • (dict) --

    Represents the response from the server from the request to get the specified user as an administrator.

    • Username (string) --

      The user name of the user about whom you are receiving information.

    • UserAttributes (list) --

      An array of name-value pairs representing user attributes.

      • (dict) --

        Specifies whether the attribute is standard or custom.

        • Name (string) --

          The name of the attribute.

        • Value (string) --

          The value of the attribute.

    • UserCreateDate (datetime) --

      The date the user was created.

    • UserLastModifiedDate (datetime) --

      The date the user was last modified.

    • Enabled (boolean) --

      Indicates that the status is enabled.

    • UserStatus (string) --

      The user status. Can be one of the following:

      • UNCONFIRMED - User has been created but not confirmed.

      • CONFIRMED - User has been confirmed.

      • ARCHIVED - User is no longer active.

      • COMPROMISED - User is disabled due to a potential security threat.

      • UNKNOWN - User status is not known.

    • MFAOptions (list) --

      Specifies the options for MFA (e.g., email or phone number).

      • (dict) --

        Specifies the different settings for multi-factor authentication (MFA).

        • DeliveryMedium (string) --

          The delivery medium (email message or SMS message) to send the MFA code.

        • AttributeName (string) --

          The attribute name of the MFA option type.

    • PreferredMfaSetting (string) --

    • UserMFASettingList (list) --

      • (string) --

AdminInitiateAuth (updated) Link ¶
Changes (request, response)
Request
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'ContextData': {'EncodedData': 'string',
                 'HttpHeaders': [{'headerName': 'string',
                                  'headerValue': 'string'}],
                 'IpAddress': 'string',
                 'ServerName': 'string',
                 'ServerPath': 'string'}}
Response
{'ChallengeName': {'MFA_SETUP', 'SOFTWARE_TOKEN_MFA', 'SELECT_MFA_TYPE'}}

Initiates the authentication flow, as an administrator.

Requires developer credentials.

See also: AWS API Documentation

Request Syntax

client.admin_initiate_auth(
    UserPoolId='string',
    ClientId='string',
    AuthFlow='USER_SRP_AUTH'|'REFRESH_TOKEN_AUTH'|'REFRESH_TOKEN'|'CUSTOM_AUTH'|'ADMIN_NO_SRP_AUTH',
    AuthParameters={
        'string': 'string'
    },
    ClientMetadata={
        'string': 'string'
    },
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    ContextData={
        'IpAddress': 'string',
        'ServerName': 'string',
        'ServerPath': 'string',
        'HttpHeaders': [
            {
                'headerName': 'string',
                'headerValue': 'string'
            },
        ],
        'EncodedData': 'string'
    }
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The ID of the Amazon Cognito user pool.

type ClientId:

string

param ClientId:

[REQUIRED]

The app client ID.

type AuthFlow:

string

param AuthFlow:

[REQUIRED]

The authentication flow for this call to execute. The API action will depend on this value. For example:

  • REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens.

  • USER_SRP_AUTH will take in USERNAME and SRP_A and return the SRP variables to be used for next challenge execution.

Valid values include:

  • USER_SRP_AUTH: Authentication flow for the Secure Remote Password (SRP) protocol.

  • REFRESH_TOKEN_AUTH/ REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.

  • CUSTOM_AUTH: Custom authentication flow.

  • ADMIN_NO_SRP_AUTH: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is enabled for calling the app client.

type AuthParameters:

dict

param AuthParameters:

The authentication parameters. These are inputs corresponding to the AuthFlow that you are invoking. The required values depend on the value of AuthFlow:

  • For USER_SRP_AUTH: USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY

  • For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: USERNAME (required), SECRET_HASH (required if the app client is configured with a client secret), REFRESH_TOKEN (required), DEVICE_KEY

  • For ADMIN_NO_SRP_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), PASSWORD (required), DEVICE_KEY

  • For CUSTOM_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY

  • (string) --

    • (string) --

type ClientMetadata:

dict

param ClientMetadata:

This is a random key-value pair map which can contain any key and will be passed to your PreAuthentication Lambda trigger as-is. It can be used to implement additional validations around authentication.

  • (string) --

    • (string) --

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The analytics metadata for collecting Amazon Pinpoint metrics for AdminInitiateAuth calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type ContextData:

dict

param ContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • IpAddress (string) -- [REQUIRED]

    Source IP address of your user.

  • ServerName (string) -- [REQUIRED]

    Your server endpoint where this API is invoked.

  • ServerPath (string) -- [REQUIRED]

    Your server path where this API is invoked.

  • HttpHeaders (list) -- [REQUIRED]

    HttpHeaders received on your server in same order.

    • (dict) --

      The HTTP header.

      • headerName (string) --

        The header name

      • headerValue (string) --

        The header value.

  • EncodedData (string) --

    Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library.

rtype:

dict

returns:

Response Syntax

{
    'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
    'Session': 'string',
    'ChallengeParameters': {
        'string': 'string'
    },
    'AuthenticationResult': {
        'AccessToken': 'string',
        'ExpiresIn': 123,
        'TokenType': 'string',
        'RefreshToken': 'string',
        'IdToken': 'string',
        'NewDeviceMetadata': {
            'DeviceKey': 'string',
            'DeviceGroupKey': 'string'
        }
    }
}

Response Structure

  • (dict) --

    Initiates the authentication response, as an administrator.

    • ChallengeName (string) --

      The name of the challenge which you are responding to with this call. This is returned to you in the AdminInitiateAuth response if you need to pass another challenge.

      • SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.

      • PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.

      • CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.

      • DEVICE_SRP_AUTH: If device tracking was enabled on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.

      • DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.

      • ADMIN_NO_SRP_AUTH: This is returned if you need to authenticate with USERNAME and PASSWORD directly. An app client must be enabled to use this flow.

      • NEW_PASSWORD_REQUIRED: For users which are required to change their passwords after successful first login. This challenge should be passed with NEW_PASSWORD and any other required attributes.

    • Session (string) --

      The session which should be passed both ways in challenge-response calls to the service. If AdminInitiateAuth or AdminRespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next AdminRespondToAuthChallenge API call.

    • ChallengeParameters (dict) --

      The challenge parameters. These are returned to you in the AdminInitiateAuth response if you need to pass another challenge. The responses in this parameter should be used to compute inputs to the next call ( AdminRespondToAuthChallenge).

      All challenges require USERNAME and SECRET_HASH (if applicable).

      The value of the USER_IF_FOR_SRP attribute will be the user's actual username, not an alias (such as email address or phone number), even if you specified an alias in your call to AdminInitiateAuth. This is because, in the AdminRespondToAuthChallenge API ChallengeResponses, the USERNAME attribute cannot be an alias.

      • (string) --

        • (string) --

    • AuthenticationResult (dict) --

      The result of the authentication response. This is only returned if the caller does not need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName, ChallengeParameters, and Session are returned.

      • AccessToken (string) --

        The access token.

      • ExpiresIn (integer) --

        The expiration period of the authentication result.

      • TokenType (string) --

        The token type.

      • RefreshToken (string) --

        The refresh token.

      • IdToken (string) --

        The ID token.

      • NewDeviceMetadata (dict) --

        The new device metadata from an authentication result.

        • DeviceKey (string) --

          The device key.

        • DeviceGroupKey (string) --

          The device group key.

AdminRespondToAuthChallenge (updated) Link ¶
Changes (request, response)
Request
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'ChallengeName': {'MFA_SETUP', 'SOFTWARE_TOKEN_MFA', 'SELECT_MFA_TYPE'},
 'ContextData': {'EncodedData': 'string',
                 'HttpHeaders': [{'headerName': 'string',
                                  'headerValue': 'string'}],
                 'IpAddress': 'string',
                 'ServerName': 'string',
                 'ServerPath': 'string'}}
Response
{'ChallengeName': {'MFA_SETUP', 'SOFTWARE_TOKEN_MFA', 'SELECT_MFA_TYPE'}}

Responds to an authentication challenge, as an administrator.

Requires developer credentials.

See also: AWS API Documentation

Request Syntax

client.admin_respond_to_auth_challenge(
    UserPoolId='string',
    ClientId='string',
    ChallengeName='SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
    ChallengeResponses={
        'string': 'string'
    },
    Session='string',
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    ContextData={
        'IpAddress': 'string',
        'ServerName': 'string',
        'ServerPath': 'string',
        'HttpHeaders': [
            {
                'headerName': 'string',
                'headerValue': 'string'
            },
        ],
        'EncodedData': 'string'
    }
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The ID of the Amazon Cognito user pool.

type ClientId:

string

param ClientId:

[REQUIRED]

The app client ID.

type ChallengeName:

string

param ChallengeName:

[REQUIRED]

The challenge name. For more information, see .

type ChallengeResponses:

dict

param ChallengeResponses:

The challenge responses. These are inputs corresponding to the value of ChallengeName, for example:

  • SMS_MFA: SMS_MFA_CODE, USERNAME, SECRET_HASH (if app client is configured with client secret).

  • PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP, USERNAME, SECRET_HASH (if app client is configured with client secret).

  • ADMIN_NO_SRP_AUTH: PASSWORD, USERNAME, SECRET_HASH (if app client is configured with client secret).

  • NEW_PASSWORD_REQUIRED: NEW_PASSWORD, any other required attributes, USERNAME, SECRET_HASH (if app client is configured with client secret).

The value of the USERNAME attribute must be the user's actual username, not an alias (such as email address or phone number). To make this easier, the AdminInitiateAuth response includes the actual username value in the USERNAMEUSER_ID_FOR_SRP attribute, even if you specified an alias in your call to AdminInitiateAuth.

  • (string) --

    • (string) --

type Session:

string

param Session:

The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The analytics metadata for collecting Amazon Pinpoint metrics for AdminRespondToAuthChallenge calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type ContextData:

dict

param ContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • IpAddress (string) -- [REQUIRED]

    Source IP address of your user.

  • ServerName (string) -- [REQUIRED]

    Your server endpoint where this API is invoked.

  • ServerPath (string) -- [REQUIRED]

    Your server path where this API is invoked.

  • HttpHeaders (list) -- [REQUIRED]

    HttpHeaders received on your server in same order.

    • (dict) --

      The HTTP header.

      • headerName (string) --

        The header name

      • headerValue (string) --

        The header value.

  • EncodedData (string) --

    Encoded data containing device fingerprinting details, collected using the Amazon Cognito context data collection library.

rtype:

dict

returns:

Response Syntax

{
    'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
    'Session': 'string',
    'ChallengeParameters': {
        'string': 'string'
    },
    'AuthenticationResult': {
        'AccessToken': 'string',
        'ExpiresIn': 123,
        'TokenType': 'string',
        'RefreshToken': 'string',
        'IdToken': 'string',
        'NewDeviceMetadata': {
            'DeviceKey': 'string',
            'DeviceGroupKey': 'string'
        }
    }
}

Response Structure

  • (dict) --

    Responds to the authentication challenge, as an administrator.

    • ChallengeName (string) --

      The name of the challenge. For more information, see .

    • Session (string) --

      The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.

    • ChallengeParameters (dict) --

      The challenge parameters. For more information, see .

      • (string) --

        • (string) --

    • AuthenticationResult (dict) --

      The result returned by the server in response to the authentication request.

      • AccessToken (string) --

        The access token.

      • ExpiresIn (integer) --

        The expiration period of the authentication result.

      • TokenType (string) --

        The token type.

      • RefreshToken (string) --

        The refresh token.

      • IdToken (string) --

        The ID token.

      • NewDeviceMetadata (dict) --

        The new device metadata from an authentication result.

        • DeviceKey (string) --

          The device key.

        • DeviceGroupKey (string) --

          The device group key.

ConfirmForgotPassword (updated) Link ¶
Changes (request)
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'UserContextData': {'EncodedData': 'string'}}

Allows a user to enter a confirmation code to reset a forgotten password.

See also: AWS API Documentation

Request Syntax

client.confirm_forgot_password(
    ClientId='string',
    SecretHash='string',
    Username='string',
    ConfirmationCode='string',
    Password='string',
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    UserContextData={
        'EncodedData': 'string'
    }
)
type ClientId:

string

param ClientId:

[REQUIRED]

The app client ID of the app associated with the user pool.

type SecretHash:

string

param SecretHash:

A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.

type Username:

string

param Username:

[REQUIRED]

The user name of the user for whom you want to enter a code to retrieve a forgotten password.

type ConfirmationCode:

string

param ConfirmationCode:

[REQUIRED]

The confirmation code sent by a user's request to retrieve a forgotten password. For more information, see

type Password:

string

param Password:

[REQUIRED]

The password sent by a user's request to retrieve a forgotten password.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmForgotPassword calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

    The response from the server that results from a user's request to retrieve a forgotten password.

ConfirmSignUp (updated) Link ¶
Changes (request)
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'UserContextData': {'EncodedData': 'string'}}

Confirms registration of a user and handles the existing alias from a previous user.

See also: AWS API Documentation

Request Syntax

client.confirm_sign_up(
    ClientId='string',
    SecretHash='string',
    Username='string',
    ConfirmationCode='string',
    ForceAliasCreation=True|False,
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    UserContextData={
        'EncodedData': 'string'
    }
)
type ClientId:

string

param ClientId:

[REQUIRED]

The ID of the app client associated with the user pool.

type SecretHash:

string

param SecretHash:

A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.

type Username:

string

param Username:

[REQUIRED]

The user name of the user whose registration you wish to confirm.

type ConfirmationCode:

string

param ConfirmationCode:

[REQUIRED]

The confirmation code sent by a user's request to confirm registration.

type ForceAliasCreation:

boolean

param ForceAliasCreation:

Boolean to be specified to force user confirmation irrespective of existing alias. By default set to False. If this parameter is set to True and the phone number/email used for sign up confirmation already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user being confirmed. If set to False, the API will throw an AliasExistsException error.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmSignUp calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

    Represents the response from the server for the registration confirmation.

CreateUserPool (updated) Link ¶
Changes (request, response)
Request
{'LambdaConfig': {'PreTokenGeneration': 'string'},
 'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | ENFORCED'}}
Response
{'UserPool': {'LambdaConfig': {'PreTokenGeneration': 'string'},
              'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | '
                                                         'ENFORCED'}}}

Creates a new Amazon Cognito user pool and sets the password policy for the pool.

See also: AWS API Documentation

Request Syntax

client.create_user_pool(
    PoolName='string',
    Policies={
        'PasswordPolicy': {
            'MinimumLength': 123,
            'RequireUppercase': True|False,
            'RequireLowercase': True|False,
            'RequireNumbers': True|False,
            'RequireSymbols': True|False
        }
    },
    LambdaConfig={
        'PreSignUp': 'string',
        'CustomMessage': 'string',
        'PostConfirmation': 'string',
        'PreAuthentication': 'string',
        'PostAuthentication': 'string',
        'DefineAuthChallenge': 'string',
        'CreateAuthChallenge': 'string',
        'VerifyAuthChallengeResponse': 'string',
        'PreTokenGeneration': 'string'
    },
    AutoVerifiedAttributes=[
        'phone_number'|'email',
    ],
    AliasAttributes=[
        'phone_number'|'email'|'preferred_username',
    ],
    UsernameAttributes=[
        'phone_number'|'email',
    ],
    SmsVerificationMessage='string',
    EmailVerificationMessage='string',
    EmailVerificationSubject='string',
    VerificationMessageTemplate={
        'SmsMessage': 'string',
        'EmailMessage': 'string',
        'EmailSubject': 'string',
        'EmailMessageByLink': 'string',
        'EmailSubjectByLink': 'string',
        'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
    },
    SmsAuthenticationMessage='string',
    MfaConfiguration='OFF'|'ON'|'OPTIONAL',
    DeviceConfiguration={
        'ChallengeRequiredOnNewDevice': True|False,
        'DeviceOnlyRememberedOnUserPrompt': True|False
    },
    EmailConfiguration={
        'SourceArn': 'string',
        'ReplyToEmailAddress': 'string'
    },
    SmsConfiguration={
        'SnsCallerArn': 'string',
        'ExternalId': 'string'
    },
    UserPoolTags={
        'string': 'string'
    },
    AdminCreateUserConfig={
        'AllowAdminCreateUserOnly': True|False,
        'UnusedAccountValidityDays': 123,
        'InviteMessageTemplate': {
            'SMSMessage': 'string',
            'EmailMessage': 'string',
            'EmailSubject': 'string'
        }
    },
    Schema=[
        {
            'Name': 'string',
            'AttributeDataType': 'String'|'Number'|'DateTime'|'Boolean',
            'DeveloperOnlyAttribute': True|False,
            'Mutable': True|False,
            'Required': True|False,
            'NumberAttributeConstraints': {
                'MinValue': 'string',
                'MaxValue': 'string'
            },
            'StringAttributeConstraints': {
                'MinLength': 'string',
                'MaxLength': 'string'
            }
        },
    ],
    UserPoolAddOns={
        'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
    }
)
type PoolName:

string

param PoolName:

[REQUIRED]

A string used to name the user pool.

type Policies:

dict

param Policies:

The policies associated with the new user pool.

  • PasswordPolicy (dict) --

    The password policy.

    • MinimumLength (integer) --

      The minimum length of the password policy that you have set. Cannot be less than 6.

    • RequireUppercase (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.

    • RequireLowercase (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.

    • RequireNumbers (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one number in their password.

    • RequireSymbols (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.

type LambdaConfig:

dict

param LambdaConfig:

The Lambda trigger configuration information for the new user pool.

  • PreSignUp (string) --

    A pre-registration AWS Lambda trigger.

  • CustomMessage (string) --

    A custom Message AWS Lambda trigger.

  • PostConfirmation (string) --

    A post-confirmation AWS Lambda trigger.

  • PreAuthentication (string) --

    A pre-authentication AWS Lambda trigger.

  • PostAuthentication (string) --

    A post-authentication AWS Lambda trigger.

  • DefineAuthChallenge (string) --

    Defines the authentication challenge.

  • CreateAuthChallenge (string) --

    Creates an authentication challenge.

  • VerifyAuthChallengeResponse (string) --

    Verifies the authentication challenge response.

  • PreTokenGeneration (string) --

    A Lambda trigger that is invoked before token generation.

type AutoVerifiedAttributes:

list

param AutoVerifiedAttributes:

The attributes to be auto-verified. Possible values: email, phone_number.

  • (string) --

type AliasAttributes:

list

param AliasAttributes:

Attributes supported as an alias for this user pool. Possible values: phone_number, email, or preferred_username.

  • (string) --

type UsernameAttributes:

list

param UsernameAttributes:

Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up.

  • (string) --

type SmsVerificationMessage:

string

param SmsVerificationMessage:

A string representing the SMS verification message.

type EmailVerificationMessage:

string

param EmailVerificationMessage:

A string representing the email verification message.

type EmailVerificationSubject:

string

param EmailVerificationSubject:

A string representing the email verification subject.

type VerificationMessageTemplate:

dict

param VerificationMessageTemplate:

The template for the verification message that the user sees when the app requests permission to access the user's information.

  • SmsMessage (string) --

    The SMS message template.

  • EmailMessage (string) --

    The email message template.

  • EmailSubject (string) --

    The subject line for the email message template.

  • EmailMessageByLink (string) --

    The email message template for sending a confirmation link to the user.

  • EmailSubjectByLink (string) --

    The subject line for the email message template for sending a confirmation link to the user.

  • DefaultEmailOption (string) --

    The default email option.

type SmsAuthenticationMessage:

string

param SmsAuthenticationMessage:

A string representing the SMS authentication message.

type MfaConfiguration:

string

param MfaConfiguration:

Specifies MFA configuration details.

type DeviceConfiguration:

dict

param DeviceConfiguration:

The device configuration.

  • ChallengeRequiredOnNewDevice (boolean) --

    Indicates whether a challenge is required on a new device. Only applicable to a new device.

  • DeviceOnlyRememberedOnUserPrompt (boolean) --

    If true, a device is only remembered on user prompt.

type EmailConfiguration:

dict

param EmailConfiguration:

The email configuration.

  • SourceArn (string) --

    The Amazon Resource Name (ARN) of the email source.

  • ReplyToEmailAddress (string) --

    The destination to which the receiver of the email should reply to.

type SmsConfiguration:

dict

param SmsConfiguration:

The SMS configuration.

  • SnsCallerArn (string) -- [REQUIRED]

    The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

  • ExternalId (string) --

    The external ID.

type UserPoolTags:

dict

param UserPoolTags:

The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool

  • (string) --

    • (string) --

type AdminCreateUserConfig:

dict

param AdminCreateUserConfig:

The configuration for AdminCreateUser requests.

  • AllowAdminCreateUserOnly (boolean) --

    Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.

  • UnusedAccountValidityDays (integer) --

    The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.

  • InviteMessageTemplate (dict) --

    The message template to be used for the welcome message to new users.

    See also Customizing User Invitation Messages.

    • SMSMessage (string) --

      The message template for SMS messages.

    • EmailMessage (string) --

      The message template for email messages.

    • EmailSubject (string) --

      The subject line for email messages.

type Schema:

list

param Schema:

An array of schema attributes for the new user pool. These attributes can be standard or custom attributes.

  • (dict) --

    Contains information about the schema attribute.

    • Name (string) --

      A schema attribute of the name type.

    • AttributeDataType (string) --

      The attribute data type.

    • DeveloperOnlyAttribute (boolean) --

      Specifies whether the attribute type is developer only.

    • Mutable (boolean) --

      Specifies whether the attribute can be changed once it has been created.

    • Required (boolean) --

      Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.

    • NumberAttributeConstraints (dict) --

      Specifies the constraints for an attribute of the number type.

      • MinValue (string) --

        The minimum value of an attribute that is of the number data type.

      • MaxValue (string) --

        The maximum value of an attribute that is of the number data type.

    • StringAttributeConstraints (dict) --

      Specifies the constraints for an attribute of the string type.

      • MinLength (string) --

        The minimum length.

      • MaxLength (string) --

        The maximum length.

type UserPoolAddOns:

dict

param UserPoolAddOns:

Used to enable advanced security risk detection. Set the key AdvancedSecurityMode to the value "AUDIT".

  • AdvancedSecurityMode (string) -- [REQUIRED]

    The advanced security mode.

rtype:

dict

returns:

Response Syntax

{
    'UserPool': {
        'Id': 'string',
        'Name': 'string',
        'Policies': {
            'PasswordPolicy': {
                'MinimumLength': 123,
                'RequireUppercase': True|False,
                'RequireLowercase': True|False,
                'RequireNumbers': True|False,
                'RequireSymbols': True|False
            }
        },
        'LambdaConfig': {
            'PreSignUp': 'string',
            'CustomMessage': 'string',
            'PostConfirmation': 'string',
            'PreAuthentication': 'string',
            'PostAuthentication': 'string',
            'DefineAuthChallenge': 'string',
            'CreateAuthChallenge': 'string',
            'VerifyAuthChallengeResponse': 'string',
            'PreTokenGeneration': 'string'
        },
        'Status': 'Enabled'|'Disabled',
        'LastModifiedDate': datetime(2015, 1, 1),
        'CreationDate': datetime(2015, 1, 1),
        'SchemaAttributes': [
            {
                'Name': 'string',
                'AttributeDataType': 'String'|'Number'|'DateTime'|'Boolean',
                'DeveloperOnlyAttribute': True|False,
                'Mutable': True|False,
                'Required': True|False,
                'NumberAttributeConstraints': {
                    'MinValue': 'string',
                    'MaxValue': 'string'
                },
                'StringAttributeConstraints': {
                    'MinLength': 'string',
                    'MaxLength': 'string'
                }
            },
        ],
        'AutoVerifiedAttributes': [
            'phone_number'|'email',
        ],
        'AliasAttributes': [
            'phone_number'|'email'|'preferred_username',
        ],
        'UsernameAttributes': [
            'phone_number'|'email',
        ],
        'SmsVerificationMessage': 'string',
        'EmailVerificationMessage': 'string',
        'EmailVerificationSubject': 'string',
        'VerificationMessageTemplate': {
            'SmsMessage': 'string',
            'EmailMessage': 'string',
            'EmailSubject': 'string',
            'EmailMessageByLink': 'string',
            'EmailSubjectByLink': 'string',
            'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
        },
        'SmsAuthenticationMessage': 'string',
        'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL',
        'DeviceConfiguration': {
            'ChallengeRequiredOnNewDevice': True|False,
            'DeviceOnlyRememberedOnUserPrompt': True|False
        },
        'EstimatedNumberOfUsers': 123,
        'EmailConfiguration': {
            'SourceArn': 'string',
            'ReplyToEmailAddress': 'string'
        },
        'SmsConfiguration': {
            'SnsCallerArn': 'string',
            'ExternalId': 'string'
        },
        'UserPoolTags': {
            'string': 'string'
        },
        'SmsConfigurationFailure': 'string',
        'EmailConfigurationFailure': 'string',
        'AdminCreateUserConfig': {
            'AllowAdminCreateUserOnly': True|False,
            'UnusedAccountValidityDays': 123,
            'InviteMessageTemplate': {
                'SMSMessage': 'string',
                'EmailMessage': 'string',
                'EmailSubject': 'string'
            }
        },
        'UserPoolAddOns': {
            'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
        }
    }
}

Response Structure

  • (dict) --

    Represents the response from the server for the request to create a user pool.

    • UserPool (dict) --

      A container for the user pool details.

      • Id (string) --

        The ID of the user pool.

      • Name (string) --

        The name of the user pool.

      • Policies (dict) --

        The policies associated with the user pool.

        • PasswordPolicy (dict) --

          The password policy.

          • MinimumLength (integer) --

            The minimum length of the password policy that you have set. Cannot be less than 6.

          • RequireUppercase (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.

          • RequireLowercase (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.

          • RequireNumbers (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one number in their password.

          • RequireSymbols (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.

      • LambdaConfig (dict) --

        The AWS Lambda triggers associated with tue user pool.

        • PreSignUp (string) --

          A pre-registration AWS Lambda trigger.

        • CustomMessage (string) --

          A custom Message AWS Lambda trigger.

        • PostConfirmation (string) --

          A post-confirmation AWS Lambda trigger.

        • PreAuthentication (string) --

          A pre-authentication AWS Lambda trigger.

        • PostAuthentication (string) --

          A post-authentication AWS Lambda trigger.

        • DefineAuthChallenge (string) --

          Defines the authentication challenge.

        • CreateAuthChallenge (string) --

          Creates an authentication challenge.

        • VerifyAuthChallengeResponse (string) --

          Verifies the authentication challenge response.

        • PreTokenGeneration (string) --

          A Lambda trigger that is invoked before token generation.

      • Status (string) --

        The status of a user pool.

      • LastModifiedDate (datetime) --

        The date the user pool was last modified.

      • CreationDate (datetime) --

        The date the user pool was created.

      • SchemaAttributes (list) --

        A container with the schema attributes of a user pool.

        • (dict) --

          Contains information about the schema attribute.

          • Name (string) --

            A schema attribute of the name type.

          • AttributeDataType (string) --

            The attribute data type.

          • DeveloperOnlyAttribute (boolean) --

            Specifies whether the attribute type is developer only.

          • Mutable (boolean) --

            Specifies whether the attribute can be changed once it has been created.

          • Required (boolean) --

            Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.

          • NumberAttributeConstraints (dict) --

            Specifies the constraints for an attribute of the number type.

            • MinValue (string) --

              The minimum value of an attribute that is of the number data type.

            • MaxValue (string) --

              The maximum value of an attribute that is of the number data type.

          • StringAttributeConstraints (dict) --

            Specifies the constraints for an attribute of the string type.

            • MinLength (string) --

              The minimum length.

            • MaxLength (string) --

              The maximum length.

      • AutoVerifiedAttributes (list) --

        Specifies the attributes that are auto-verified in a user pool.

        • (string) --

      • AliasAttributes (list) --

        Specifies the attributes that are aliased in a user pool.

        • (string) --

      • UsernameAttributes (list) --

        Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up.

        • (string) --

      • SmsVerificationMessage (string) --

        The contents of the SMS verification message.

      • EmailVerificationMessage (string) --

        The contents of the email verification message.

      • EmailVerificationSubject (string) --

        The subject of the email verification message.

      • VerificationMessageTemplate (dict) --

        The template for verification messages.

        • SmsMessage (string) --

          The SMS message template.

        • EmailMessage (string) --

          The email message template.

        • EmailSubject (string) --

          The subject line for the email message template.

        • EmailMessageByLink (string) --

          The email message template for sending a confirmation link to the user.

        • EmailSubjectByLink (string) --

          The subject line for the email message template for sending a confirmation link to the user.

        • DefaultEmailOption (string) --

          The default email option.

      • SmsAuthenticationMessage (string) --

        The contents of the SMS authentication message.

      • MfaConfiguration (string) --

        Can be one of the following values:

        • OFF - MFA tokens are not required and cannot be specified during user registration.

        • ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.

        • OPTIONAL - Users have the option when registering to create an MFA token.

      • DeviceConfiguration (dict) --

        The device configuration.

        • ChallengeRequiredOnNewDevice (boolean) --

          Indicates whether a challenge is required on a new device. Only applicable to a new device.

        • DeviceOnlyRememberedOnUserPrompt (boolean) --

          If true, a device is only remembered on user prompt.

      • EstimatedNumberOfUsers (integer) --

        A number estimating the size of the user pool.

      • EmailConfiguration (dict) --

        The email configuration.

        • SourceArn (string) --

          The Amazon Resource Name (ARN) of the email source.

        • ReplyToEmailAddress (string) --

          The destination to which the receiver of the email should reply to.

      • SmsConfiguration (dict) --

        The SMS configuration.

        • SnsCallerArn (string) --

          The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

        • ExternalId (string) --

          The external ID.

      • UserPoolTags (dict) --

        The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool

        • (string) --

          • (string) --

      • SmsConfigurationFailure (string) --

        The reason why the SMS configuration cannot send the messages to your users.

      • EmailConfigurationFailure (string) --

        The reason why the email configuration cannot send the messages to your users.

      • AdminCreateUserConfig (dict) --

        The configuration for AdminCreateUser requests.

        • AllowAdminCreateUserOnly (boolean) --

          Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.

        • UnusedAccountValidityDays (integer) --

          The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.

        • InviteMessageTemplate (dict) --

          The message template to be used for the welcome message to new users.

          See also Customizing User Invitation Messages.

          • SMSMessage (string) --

            The message template for SMS messages.

          • EmailMessage (string) --

            The message template for email messages.

          • EmailSubject (string) --

            The subject line for email messages.

      • UserPoolAddOns (dict) --

        The user pool add-ons.

        • AdvancedSecurityMode (string) --

          The advanced security mode.

CreateUserPoolClient (updated) Link ¶
Changes (request, response)
Request
{'AnalyticsConfiguration': {'ApplicationId': 'string',
                            'ExternalId': 'string',
                            'RoleArn': 'string',
                            'UserDataShared': 'boolean'}}
Response
{'UserPoolClient': {'AnalyticsConfiguration': {'ApplicationId': 'string',
                                               'ExternalId': 'string',
                                               'RoleArn': 'string',
                                               'UserDataShared': 'boolean'}}}

Creates the user pool client.

See also: AWS API Documentation

Request Syntax

client.create_user_pool_client(
    UserPoolId='string',
    ClientName='string',
    GenerateSecret=True|False,
    RefreshTokenValidity=123,
    ReadAttributes=[
        'string',
    ],
    WriteAttributes=[
        'string',
    ],
    ExplicitAuthFlows=[
        'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
    ],
    SupportedIdentityProviders=[
        'string',
    ],
    CallbackURLs=[
        'string',
    ],
    LogoutURLs=[
        'string',
    ],
    DefaultRedirectURI='string',
    AllowedOAuthFlows=[
        'code'|'implicit'|'client_credentials',
    ],
    AllowedOAuthScopes=[
        'string',
    ],
    AllowedOAuthFlowsUserPoolClient=True|False,
    AnalyticsConfiguration={
        'ApplicationId': 'string',
        'RoleArn': 'string',
        'ExternalId': 'string',
        'UserDataShared': True|False
    }
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID for the user pool where you want to create a user pool client.

type ClientName:

string

param ClientName:

[REQUIRED]

The client name for the user pool client you would like to create.

type GenerateSecret:

boolean

param GenerateSecret:

Boolean to specify whether you want to generate a secret for the user pool client being created.

type RefreshTokenValidity:

integer

param RefreshTokenValidity:

The time limit, in days, after which the refresh token is no longer valid and cannot be used.

type ReadAttributes:

list

param ReadAttributes:

The read attributes.

  • (string) --

type WriteAttributes:

list

param WriteAttributes:

The write attributes.

  • (string) --

type ExplicitAuthFlows:

list

param ExplicitAuthFlows:

The explicit authentication flows.

  • (string) --

type SupportedIdentityProviders:

list

param SupportedIdentityProviders:

A list of provider names for the identity providers that are supported on this client.

  • (string) --

type CallbackURLs:

list

param CallbackURLs:

A list of allowed callback URLs for the identity providers.

  • (string) --

type LogoutURLs:

list

param LogoutURLs:

A list of allowed logout URLs for the identity providers.

  • (string) --

type DefaultRedirectURI:

string

param DefaultRedirectURI:

The default redirect URI. Must be in the CallbackURLs list.

type AllowedOAuthFlows:

list

param AllowedOAuthFlows:

Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.

Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.

  • (string) --

type AllowedOAuthScopes:

list

param AllowedOAuthScopes:

A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid", and "Cognito".

  • (string) --

type AllowedOAuthFlowsUserPoolClient:

boolean

param AllowedOAuthFlowsUserPoolClient:

Set to True if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

type AnalyticsConfiguration:

dict

param AnalyticsConfiguration:

The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.

  • ApplicationId (string) -- [REQUIRED]

    The application ID for an Amazon Pinpoint application.

  • RoleArn (string) -- [REQUIRED]

    The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.

  • ExternalId (string) -- [REQUIRED]

    The external ID.

  • UserDataShared (boolean) --

    If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

rtype:

dict

returns:

Response Syntax

{
    'UserPoolClient': {
        'UserPoolId': 'string',
        'ClientName': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'LastModifiedDate': datetime(2015, 1, 1),
        'CreationDate': datetime(2015, 1, 1),
        'RefreshTokenValidity': 123,
        'ReadAttributes': [
            'string',
        ],
        'WriteAttributes': [
            'string',
        ],
        'ExplicitAuthFlows': [
            'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
        ],
        'SupportedIdentityProviders': [
            'string',
        ],
        'CallbackURLs': [
            'string',
        ],
        'LogoutURLs': [
            'string',
        ],
        'DefaultRedirectURI': 'string',
        'AllowedOAuthFlows': [
            'code'|'implicit'|'client_credentials',
        ],
        'AllowedOAuthScopes': [
            'string',
        ],
        'AllowedOAuthFlowsUserPoolClient': True|False,
        'AnalyticsConfiguration': {
            'ApplicationId': 'string',
            'RoleArn': 'string',
            'ExternalId': 'string',
            'UserDataShared': True|False
        }
    }
}

Response Structure

  • (dict) --

    Represents the response from the server to create a user pool client.

    • UserPoolClient (dict) --

      The user pool client that was just created.

      • UserPoolId (string) --

        The user pool ID for the user pool client.

      • ClientName (string) --

        The client name from the user pool request of the client type.

      • ClientId (string) --

        The ID of the client associated with the user pool.

      • ClientSecret (string) --

        The client secret from the user pool request of the client type.

      • LastModifiedDate (datetime) --

        The date the user pool client was last modified.

      • CreationDate (datetime) --

        The date the user pool client was created.

      • RefreshTokenValidity (integer) --

        The time limit, in days, after which the refresh token is no longer valid and cannot be used.

      • ReadAttributes (list) --

        The Read-only attributes.

        • (string) --

      • WriteAttributes (list) --

        The writeable attributes.

        • (string) --

      • ExplicitAuthFlows (list) --

        The explicit authentication flows.

        • (string) --

      • SupportedIdentityProviders (list) --

        A list of provider names for the identity providers that are supported on this client.

        • (string) --

      • CallbackURLs (list) --

        A list of allowed callback URLs for the identity providers.

        • (string) --

      • LogoutURLs (list) --

        A list of allowed logout URLs for the identity providers.

        • (string) --

      • DefaultRedirectURI (string) --

        The default redirect URI. Must be in the CallbackURLs list.

      • AllowedOAuthFlows (list) --

        Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.

        Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.

        • (string) --

      • AllowedOAuthScopes (list) --

        A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid", and "Cognito".

        • (string) --

      • AllowedOAuthFlowsUserPoolClient (boolean) --

        Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

      • AnalyticsConfiguration (dict) --

        The Amazon Pinpoint analytics configuration for the user pool client.

        • ApplicationId (string) --

          The application ID for an Amazon Pinpoint application.

        • RoleArn (string) --

          The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.

        • ExternalId (string) --

          The external ID.

        • UserDataShared (boolean) --

          If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

DescribeUserPool (updated) Link ¶
Changes (response)
{'UserPool': {'LambdaConfig': {'PreTokenGeneration': 'string'},
              'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | '
                                                         'ENFORCED'}}}

Returns the configuration information and metadata of the specified user pool.

See also: AWS API Documentation

Request Syntax

client.describe_user_pool(
    UserPoolId='string'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID for the user pool you want to describe.

rtype:

dict

returns:

Response Syntax

{
    'UserPool': {
        'Id': 'string',
        'Name': 'string',
        'Policies': {
            'PasswordPolicy': {
                'MinimumLength': 123,
                'RequireUppercase': True|False,
                'RequireLowercase': True|False,
                'RequireNumbers': True|False,
                'RequireSymbols': True|False
            }
        },
        'LambdaConfig': {
            'PreSignUp': 'string',
            'CustomMessage': 'string',
            'PostConfirmation': 'string',
            'PreAuthentication': 'string',
            'PostAuthentication': 'string',
            'DefineAuthChallenge': 'string',
            'CreateAuthChallenge': 'string',
            'VerifyAuthChallengeResponse': 'string',
            'PreTokenGeneration': 'string'
        },
        'Status': 'Enabled'|'Disabled',
        'LastModifiedDate': datetime(2015, 1, 1),
        'CreationDate': datetime(2015, 1, 1),
        'SchemaAttributes': [
            {
                'Name': 'string',
                'AttributeDataType': 'String'|'Number'|'DateTime'|'Boolean',
                'DeveloperOnlyAttribute': True|False,
                'Mutable': True|False,
                'Required': True|False,
                'NumberAttributeConstraints': {
                    'MinValue': 'string',
                    'MaxValue': 'string'
                },
                'StringAttributeConstraints': {
                    'MinLength': 'string',
                    'MaxLength': 'string'
                }
            },
        ],
        'AutoVerifiedAttributes': [
            'phone_number'|'email',
        ],
        'AliasAttributes': [
            'phone_number'|'email'|'preferred_username',
        ],
        'UsernameAttributes': [
            'phone_number'|'email',
        ],
        'SmsVerificationMessage': 'string',
        'EmailVerificationMessage': 'string',
        'EmailVerificationSubject': 'string',
        'VerificationMessageTemplate': {
            'SmsMessage': 'string',
            'EmailMessage': 'string',
            'EmailSubject': 'string',
            'EmailMessageByLink': 'string',
            'EmailSubjectByLink': 'string',
            'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
        },
        'SmsAuthenticationMessage': 'string',
        'MfaConfiguration': 'OFF'|'ON'|'OPTIONAL',
        'DeviceConfiguration': {
            'ChallengeRequiredOnNewDevice': True|False,
            'DeviceOnlyRememberedOnUserPrompt': True|False
        },
        'EstimatedNumberOfUsers': 123,
        'EmailConfiguration': {
            'SourceArn': 'string',
            'ReplyToEmailAddress': 'string'
        },
        'SmsConfiguration': {
            'SnsCallerArn': 'string',
            'ExternalId': 'string'
        },
        'UserPoolTags': {
            'string': 'string'
        },
        'SmsConfigurationFailure': 'string',
        'EmailConfigurationFailure': 'string',
        'AdminCreateUserConfig': {
            'AllowAdminCreateUserOnly': True|False,
            'UnusedAccountValidityDays': 123,
            'InviteMessageTemplate': {
                'SMSMessage': 'string',
                'EmailMessage': 'string',
                'EmailSubject': 'string'
            }
        },
        'UserPoolAddOns': {
            'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
        }
    }
}

Response Structure

  • (dict) --

    Represents the response to describe the user pool.

    • UserPool (dict) --

      The container of metadata returned by the server to describe the pool.

      • Id (string) --

        The ID of the user pool.

      • Name (string) --

        The name of the user pool.

      • Policies (dict) --

        The policies associated with the user pool.

        • PasswordPolicy (dict) --

          The password policy.

          • MinimumLength (integer) --

            The minimum length of the password policy that you have set. Cannot be less than 6.

          • RequireUppercase (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.

          • RequireLowercase (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.

          • RequireNumbers (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one number in their password.

          • RequireSymbols (boolean) --

            In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.

      • LambdaConfig (dict) --

        The AWS Lambda triggers associated with tue user pool.

        • PreSignUp (string) --

          A pre-registration AWS Lambda trigger.

        • CustomMessage (string) --

          A custom Message AWS Lambda trigger.

        • PostConfirmation (string) --

          A post-confirmation AWS Lambda trigger.

        • PreAuthentication (string) --

          A pre-authentication AWS Lambda trigger.

        • PostAuthentication (string) --

          A post-authentication AWS Lambda trigger.

        • DefineAuthChallenge (string) --

          Defines the authentication challenge.

        • CreateAuthChallenge (string) --

          Creates an authentication challenge.

        • VerifyAuthChallengeResponse (string) --

          Verifies the authentication challenge response.

        • PreTokenGeneration (string) --

          A Lambda trigger that is invoked before token generation.

      • Status (string) --

        The status of a user pool.

      • LastModifiedDate (datetime) --

        The date the user pool was last modified.

      • CreationDate (datetime) --

        The date the user pool was created.

      • SchemaAttributes (list) --

        A container with the schema attributes of a user pool.

        • (dict) --

          Contains information about the schema attribute.

          • Name (string) --

            A schema attribute of the name type.

          • AttributeDataType (string) --

            The attribute data type.

          • DeveloperOnlyAttribute (boolean) --

            Specifies whether the attribute type is developer only.

          • Mutable (boolean) --

            Specifies whether the attribute can be changed once it has been created.

          • Required (boolean) --

            Specifies whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.

          • NumberAttributeConstraints (dict) --

            Specifies the constraints for an attribute of the number type.

            • MinValue (string) --

              The minimum value of an attribute that is of the number data type.

            • MaxValue (string) --

              The maximum value of an attribute that is of the number data type.

          • StringAttributeConstraints (dict) --

            Specifies the constraints for an attribute of the string type.

            • MinLength (string) --

              The minimum length.

            • MaxLength (string) --

              The maximum length.

      • AutoVerifiedAttributes (list) --

        Specifies the attributes that are auto-verified in a user pool.

        • (string) --

      • AliasAttributes (list) --

        Specifies the attributes that are aliased in a user pool.

        • (string) --

      • UsernameAttributes (list) --

        Specifies whether email addresses or phone numbers can be specified as usernames when a user signs up.

        • (string) --

      • SmsVerificationMessage (string) --

        The contents of the SMS verification message.

      • EmailVerificationMessage (string) --

        The contents of the email verification message.

      • EmailVerificationSubject (string) --

        The subject of the email verification message.

      • VerificationMessageTemplate (dict) --

        The template for verification messages.

        • SmsMessage (string) --

          The SMS message template.

        • EmailMessage (string) --

          The email message template.

        • EmailSubject (string) --

          The subject line for the email message template.

        • EmailMessageByLink (string) --

          The email message template for sending a confirmation link to the user.

        • EmailSubjectByLink (string) --

          The subject line for the email message template for sending a confirmation link to the user.

        • DefaultEmailOption (string) --

          The default email option.

      • SmsAuthenticationMessage (string) --

        The contents of the SMS authentication message.

      • MfaConfiguration (string) --

        Can be one of the following values:

        • OFF - MFA tokens are not required and cannot be specified during user registration.

        • ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.

        • OPTIONAL - Users have the option when registering to create an MFA token.

      • DeviceConfiguration (dict) --

        The device configuration.

        • ChallengeRequiredOnNewDevice (boolean) --

          Indicates whether a challenge is required on a new device. Only applicable to a new device.

        • DeviceOnlyRememberedOnUserPrompt (boolean) --

          If true, a device is only remembered on user prompt.

      • EstimatedNumberOfUsers (integer) --

        A number estimating the size of the user pool.

      • EmailConfiguration (dict) --

        The email configuration.

        • SourceArn (string) --

          The Amazon Resource Name (ARN) of the email source.

        • ReplyToEmailAddress (string) --

          The destination to which the receiver of the email should reply to.

      • SmsConfiguration (dict) --

        The SMS configuration.

        • SnsCallerArn (string) --

          The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

        • ExternalId (string) --

          The external ID.

      • UserPoolTags (dict) --

        The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool

        • (string) --

          • (string) --

      • SmsConfigurationFailure (string) --

        The reason why the SMS configuration cannot send the messages to your users.

      • EmailConfigurationFailure (string) --

        The reason why the email configuration cannot send the messages to your users.

      • AdminCreateUserConfig (dict) --

        The configuration for AdminCreateUser requests.

        • AllowAdminCreateUserOnly (boolean) --

          Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.

        • UnusedAccountValidityDays (integer) --

          The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.

        • InviteMessageTemplate (dict) --

          The message template to be used for the welcome message to new users.

          See also Customizing User Invitation Messages.

          • SMSMessage (string) --

            The message template for SMS messages.

          • EmailMessage (string) --

            The message template for email messages.

          • EmailSubject (string) --

            The subject line for email messages.

      • UserPoolAddOns (dict) --

        The user pool add-ons.

        • AdvancedSecurityMode (string) --

          The advanced security mode.

DescribeUserPoolClient (updated) Link ¶
Changes (response)
{'UserPoolClient': {'AnalyticsConfiguration': {'ApplicationId': 'string',
                                               'ExternalId': 'string',
                                               'RoleArn': 'string',
                                               'UserDataShared': 'boolean'}}}

Client method for returning the configuration information and metadata of the specified user pool client.

See also: AWS API Documentation

Request Syntax

client.describe_user_pool_client(
    UserPoolId='string',
    ClientId='string'
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID for the user pool you want to describe.

type ClientId:

string

param ClientId:

[REQUIRED]

The app client ID of the app associated with the user pool.

rtype:

dict

returns:

Response Syntax

{
    'UserPoolClient': {
        'UserPoolId': 'string',
        'ClientName': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'LastModifiedDate': datetime(2015, 1, 1),
        'CreationDate': datetime(2015, 1, 1),
        'RefreshTokenValidity': 123,
        'ReadAttributes': [
            'string',
        ],
        'WriteAttributes': [
            'string',
        ],
        'ExplicitAuthFlows': [
            'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
        ],
        'SupportedIdentityProviders': [
            'string',
        ],
        'CallbackURLs': [
            'string',
        ],
        'LogoutURLs': [
            'string',
        ],
        'DefaultRedirectURI': 'string',
        'AllowedOAuthFlows': [
            'code'|'implicit'|'client_credentials',
        ],
        'AllowedOAuthScopes': [
            'string',
        ],
        'AllowedOAuthFlowsUserPoolClient': True|False,
        'AnalyticsConfiguration': {
            'ApplicationId': 'string',
            'RoleArn': 'string',
            'ExternalId': 'string',
            'UserDataShared': True|False
        }
    }
}

Response Structure

  • (dict) --

    Represents the response from the server from a request to describe the user pool client.

    • UserPoolClient (dict) --

      The user pool client from a server response to describe the user pool client.

      • UserPoolId (string) --

        The user pool ID for the user pool client.

      • ClientName (string) --

        The client name from the user pool request of the client type.

      • ClientId (string) --

        The ID of the client associated with the user pool.

      • ClientSecret (string) --

        The client secret from the user pool request of the client type.

      • LastModifiedDate (datetime) --

        The date the user pool client was last modified.

      • CreationDate (datetime) --

        The date the user pool client was created.

      • RefreshTokenValidity (integer) --

        The time limit, in days, after which the refresh token is no longer valid and cannot be used.

      • ReadAttributes (list) --

        The Read-only attributes.

        • (string) --

      • WriteAttributes (list) --

        The writeable attributes.

        • (string) --

      • ExplicitAuthFlows (list) --

        The explicit authentication flows.

        • (string) --

      • SupportedIdentityProviders (list) --

        A list of provider names for the identity providers that are supported on this client.

        • (string) --

      • CallbackURLs (list) --

        A list of allowed callback URLs for the identity providers.

        • (string) --

      • LogoutURLs (list) --

        A list of allowed logout URLs for the identity providers.

        • (string) --

      • DefaultRedirectURI (string) --

        The default redirect URI. Must be in the CallbackURLs list.

      • AllowedOAuthFlows (list) --

        Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.

        Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.

        • (string) --

      • AllowedOAuthScopes (list) --

        A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid", and "Cognito".

        • (string) --

      • AllowedOAuthFlowsUserPoolClient (boolean) --

        Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

      • AnalyticsConfiguration (dict) --

        The Amazon Pinpoint analytics configuration for the user pool client.

        • ApplicationId (string) --

          The application ID for an Amazon Pinpoint application.

        • RoleArn (string) --

          The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.

        • ExternalId (string) --

          The external ID.

        • UserDataShared (boolean) --

          If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

ForgotPassword (updated) Link ¶
Changes (request)
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'UserContextData': {'EncodedData': 'string'}}

Calling this API causes a message to be sent to the end user with a confirmation code that is required to change the user's password. For the Username parameter, you can use the username or user alias. If a verified phone number exists for the user, the confirmation code is sent to the phone number. Otherwise, if a verified email exists, the confirmation code is sent to the email. If neither a verified phone number nor a verified email exists, InvalidParameterException is thrown. To use the confirmation code for resetting the password, call .

See also: AWS API Documentation

Request Syntax

client.forgot_password(
    ClientId='string',
    SecretHash='string',
    UserContextData={
        'EncodedData': 'string'
    },
    Username='string',
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    }
)
type ClientId:

string

param ClientId:

[REQUIRED]

The ID of the client associated with the user pool.

type SecretHash:

string

param SecretHash:

A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

type Username:

string

param Username:

[REQUIRED]

The user name of the user for whom you want to enter a code to reset a forgotten password.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for ForgotPassword calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

rtype:

dict

returns:

Response Syntax

{
    'CodeDeliveryDetails': {
        'Destination': 'string',
        'DeliveryMedium': 'SMS'|'EMAIL',
        'AttributeName': 'string'
    }
}

Response Structure

  • (dict) --

    Respresents the response from the server regarding the request to reset a password.

    • CodeDeliveryDetails (dict) --

      The code delivery details returned by the server in response to the request to reset a password.

      • Destination (string) --

        The destination for the code delivery details.

      • DeliveryMedium (string) --

        The delivery medium (email message or phone number).

      • AttributeName (string) --

        The attribute name.

GetUser (updated) Link ¶
Changes (response)
{'PreferredMfaSetting': 'string', 'UserMFASettingList': ['string']}

Gets the user attributes and metadata for a user.

See also: AWS API Documentation

Request Syntax

client.get_user(
    AccessToken='string'
)
type AccessToken:

string

param AccessToken:

[REQUIRED]

The access token returned by the server response to get information about the user.

rtype:

dict

returns:

Response Syntax

{
    'Username': 'string',
    'UserAttributes': [
        {
            'Name': 'string',
            'Value': 'string'
        },
    ],
    'MFAOptions': [
        {
            'DeliveryMedium': 'SMS'|'EMAIL',
            'AttributeName': 'string'
        },
    ],
    'PreferredMfaSetting': 'string',
    'UserMFASettingList': [
        'string',
    ]
}

Response Structure

  • (dict) --

    Represents the response from the server from the request to get information about the user.

    • Username (string) --

      The user name of the user you wish to retrieve from the get user request.

    • UserAttributes (list) --

      An array of name-value pairs representing user attributes.

      For custom attributes, you must prepend the custom: prefix to the attribute name.

      • (dict) --

        Specifies whether the attribute is standard or custom.

        • Name (string) --

          The name of the attribute.

        • Value (string) --

          The value of the attribute.

    • MFAOptions (list) --

      Specifies the options for MFA (e.g., email or phone number).

      • (dict) --

        Specifies the different settings for multi-factor authentication (MFA).

        • DeliveryMedium (string) --

          The delivery medium (email message or SMS message) to send the MFA code.

        • AttributeName (string) --

          The attribute name of the MFA option type.

    • PreferredMfaSetting (string) --

    • UserMFASettingList (list) --

      • (string) --

InitiateAuth (updated) Link ¶
Changes (request, response)
Request
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'UserContextData': {'EncodedData': 'string'}}
Response
{'ChallengeName': {'MFA_SETUP', 'SOFTWARE_TOKEN_MFA', 'SELECT_MFA_TYPE'}}

Initiates the authentication flow.

See also: AWS API Documentation

Request Syntax

client.initiate_auth(
    AuthFlow='USER_SRP_AUTH'|'REFRESH_TOKEN_AUTH'|'REFRESH_TOKEN'|'CUSTOM_AUTH'|'ADMIN_NO_SRP_AUTH',
    AuthParameters={
        'string': 'string'
    },
    ClientMetadata={
        'string': 'string'
    },
    ClientId='string',
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    UserContextData={
        'EncodedData': 'string'
    }
)
type AuthFlow:

string

param AuthFlow:

[REQUIRED]

The authentication flow for this call to execute. The API action will depend on this value. For example:

  • REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens.

  • USER_SRP_AUTH will take in USERNAME and SRP_A and return the SRP variables to be used for next challenge execution.

Valid values include:

  • USER_SRP_AUTH: Authentication flow for the Secure Remote Password (SRP) protocol.

  • REFRESH_TOKEN_AUTH/ REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.

  • CUSTOM_AUTH: Custom authentication flow.

ADMIN_NO_SRP_AUTH is not a valid value.

type AuthParameters:

dict

param AuthParameters:

The authentication parameters. These are inputs corresponding to the AuthFlow that you are invoking. The required values depend on the value of AuthFlow:

  • For USER_SRP_AUTH: USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY

  • For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: USERNAME (required), SECRET_HASH (required if the app client is configured with a client secret), REFRESH_TOKEN (required), DEVICE_KEY

  • For CUSTOM_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY

  • (string) --

    • (string) --

type ClientMetadata:

dict

param ClientMetadata:

This is a random key-value pair map which can contain any key and will be passed to your PreAuthentication Lambda trigger as-is. It can be used to implement additional validations around authentication.

  • (string) --

    • (string) --

type ClientId:

string

param ClientId:

[REQUIRED]

The app client ID.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for InitiateAuth calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

rtype:

dict

returns:

Response Syntax

{
    'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
    'Session': 'string',
    'ChallengeParameters': {
        'string': 'string'
    },
    'AuthenticationResult': {
        'AccessToken': 'string',
        'ExpiresIn': 123,
        'TokenType': 'string',
        'RefreshToken': 'string',
        'IdToken': 'string',
        'NewDeviceMetadata': {
            'DeviceKey': 'string',
            'DeviceGroupKey': 'string'
        }
    }
}

Response Structure

  • (dict) --

    Initiates the authentication response.

    • ChallengeName (string) --

      The name of the challenge which you are responding to with this call. This is returned to you in the AdminInitiateAuth response if you need to pass another challenge.

      Valid values include the following. Note that all of these challenges require USERNAME and SECRET_HASH (if applicable) in the parameters.

      • SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.

      • PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.

      • CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.

      • DEVICE_SRP_AUTH: If device tracking was enabled on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.

      • DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.

      • NEW_PASSWORD_REQUIRED: For users which are required to change their passwords after successful first login. This challenge should be passed with NEW_PASSWORD and any other required attributes.

    • Session (string) --

      The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.

    • ChallengeParameters (dict) --

      The challenge parameters. These are returned to you in the InitiateAuth response if you need to pass another challenge. The responses in this parameter should be used to compute inputs to the next call ( RespondToAuthChallenge).

      All challenges require USERNAME and SECRET_HASH (if applicable).

      • (string) --

        • (string) --

    • AuthenticationResult (dict) --

      The result of the authentication response. This is only returned if the caller does not need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName, ChallengeParameters, and Session are returned.

      • AccessToken (string) --

        The access token.

      • ExpiresIn (integer) --

        The expiration period of the authentication result.

      • TokenType (string) --

        The token type.

      • RefreshToken (string) --

        The refresh token.

      • IdToken (string) --

        The ID token.

      • NewDeviceMetadata (dict) --

        The new device metadata from an authentication result.

        • DeviceKey (string) --

          The device key.

        • DeviceGroupKey (string) --

          The device group key.

ListUserPools (updated) Link ¶
Changes (response)
{'UserPools': {'LambdaConfig': {'PreTokenGeneration': 'string'}}}

Lists the user pools associated with an AWS account.

See also: AWS API Documentation

Request Syntax

client.list_user_pools(
    NextToken='string',
    MaxResults=123
)
type NextToken:

string

param NextToken:

An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.

type MaxResults:

integer

param MaxResults:

[REQUIRED]

The maximum number of results you want the request to return when listing the user pools.

rtype:

dict

returns:

Response Syntax

{
    'UserPools': [
        {
            'Id': 'string',
            'Name': 'string',
            'LambdaConfig': {
                'PreSignUp': 'string',
                'CustomMessage': 'string',
                'PostConfirmation': 'string',
                'PreAuthentication': 'string',
                'PostAuthentication': 'string',
                'DefineAuthChallenge': 'string',
                'CreateAuthChallenge': 'string',
                'VerifyAuthChallengeResponse': 'string',
                'PreTokenGeneration': 'string'
            },
            'Status': 'Enabled'|'Disabled',
            'LastModifiedDate': datetime(2015, 1, 1),
            'CreationDate': datetime(2015, 1, 1)
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    Represents the response to list user pools.

    • UserPools (list) --

      The user pools from the response to list users.

      • (dict) --

        A user pool description.

        • Id (string) --

          The ID in a user pool description.

        • Name (string) --

          The name in a user pool description.

        • LambdaConfig (dict) --

          The AWS Lambda configuration information in a user pool description.

          • PreSignUp (string) --

            A pre-registration AWS Lambda trigger.

          • CustomMessage (string) --

            A custom Message AWS Lambda trigger.

          • PostConfirmation (string) --

            A post-confirmation AWS Lambda trigger.

          • PreAuthentication (string) --

            A pre-authentication AWS Lambda trigger.

          • PostAuthentication (string) --

            A post-authentication AWS Lambda trigger.

          • DefineAuthChallenge (string) --

            Defines the authentication challenge.

          • CreateAuthChallenge (string) --

            Creates an authentication challenge.

          • VerifyAuthChallengeResponse (string) --

            Verifies the authentication challenge response.

          • PreTokenGeneration (string) --

            A Lambda trigger that is invoked before token generation.

        • Status (string) --

          The user pool status in a user pool description.

        • LastModifiedDate (datetime) --

          The date the user pool description was last modified.

        • CreationDate (datetime) --

          The date the user pool description was created.

    • NextToken (string) --

      An identifier that was returned from the previous call to this operation, which can be used to return the next set of items in the list.

ResendConfirmationCode (updated) Link ¶
Changes (request)
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'UserContextData': {'EncodedData': 'string'}}

Resends the confirmation (for confirmation of registration) to a specific user in the user pool.

See also: AWS API Documentation

Request Syntax

client.resend_confirmation_code(
    ClientId='string',
    SecretHash='string',
    UserContextData={
        'EncodedData': 'string'
    },
    Username='string',
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    }
)
type ClientId:

string

param ClientId:

[REQUIRED]

The ID of the client associated with the user pool.

type SecretHash:

string

param SecretHash:

A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

type Username:

string

param Username:

[REQUIRED]

The user name of the user to whom you wish to resend a confirmation code.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for ResendConfirmationCode calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

rtype:

dict

returns:

Response Syntax

{
    'CodeDeliveryDetails': {
        'Destination': 'string',
        'DeliveryMedium': 'SMS'|'EMAIL',
        'AttributeName': 'string'
    }
}

Response Structure

  • (dict) --

    The response from the server when the Amazon Cognito Your User Pools service makes the request to resend a confirmation code.

    • CodeDeliveryDetails (dict) --

      The code delivery details returned by the server in response to the request to resend the confirmation code.

      • Destination (string) --

        The destination for the code delivery details.

      • DeliveryMedium (string) --

        The delivery medium (email message or phone number).

      • AttributeName (string) --

        The attribute name.

RespondToAuthChallenge (updated) Link ¶
Changes (request, response)
Request
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'ChallengeName': {'MFA_SETUP', 'SOFTWARE_TOKEN_MFA', 'SELECT_MFA_TYPE'},
 'UserContextData': {'EncodedData': 'string'}}
Response
{'ChallengeName': {'MFA_SETUP', 'SOFTWARE_TOKEN_MFA', 'SELECT_MFA_TYPE'}}

Responds to the authentication challenge.

See also: AWS API Documentation

Request Syntax

client.respond_to_auth_challenge(
    ClientId='string',
    ChallengeName='SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
    Session='string',
    ChallengeResponses={
        'string': 'string'
    },
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    UserContextData={
        'EncodedData': 'string'
    }
)
type ClientId:

string

param ClientId:

[REQUIRED]

The app client ID.

type ChallengeName:

string

param ChallengeName:

[REQUIRED]

The challenge name. For more information, see .

ADMIN_NO_SRP_AUTH is not a valid value.

type Session:

string

param Session:

The session which should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.

type ChallengeResponses:

dict

param ChallengeResponses:

The challenge responses. These are inputs corresponding to the value of ChallengeName, for example:

  • SMS_MFA: SMS_MFA_CODE, USERNAME, SECRET_HASH (if app client is configured with client secret).

  • PASSWORD_VERIFIER: PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, TIMESTAMP, USERNAME, SECRET_HASH (if app client is configured with client secret).

  • NEW_PASSWORD_REQUIRED: NEW_PASSWORD, any other required attributes, USERNAME, SECRET_HASH (if app client is configured with client secret).

  • (string) --

    • (string) --

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for RespondToAuthChallenge calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

rtype:

dict

returns:

Response Syntax

{
    'ChallengeName': 'SMS_MFA'|'SOFTWARE_TOKEN_MFA'|'SELECT_MFA_TYPE'|'MFA_SETUP'|'PASSWORD_VERIFIER'|'CUSTOM_CHALLENGE'|'DEVICE_SRP_AUTH'|'DEVICE_PASSWORD_VERIFIER'|'ADMIN_NO_SRP_AUTH'|'NEW_PASSWORD_REQUIRED',
    'Session': 'string',
    'ChallengeParameters': {
        'string': 'string'
    },
    'AuthenticationResult': {
        'AccessToken': 'string',
        'ExpiresIn': 123,
        'TokenType': 'string',
        'RefreshToken': 'string',
        'IdToken': 'string',
        'NewDeviceMetadata': {
            'DeviceKey': 'string',
            'DeviceGroupKey': 'string'
        }
    }
}

Response Structure

  • (dict) --

    The response to respond to the authentication challenge.

    • ChallengeName (string) --

      The challenge name. For more information, see .

    • Session (string) --

      The session which should be passed both ways in challenge-response calls to the service. If the or API call determines that the caller needs to go through another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.

    • ChallengeParameters (dict) --

      The challenge parameters. For more information, see .

      • (string) --

        • (string) --

    • AuthenticationResult (dict) --

      The result returned by the server in response to the request to respond to the authentication challenge.

      • AccessToken (string) --

        The access token.

      • ExpiresIn (integer) --

        The expiration period of the authentication result.

      • TokenType (string) --

        The token type.

      • RefreshToken (string) --

        The refresh token.

      • IdToken (string) --

        The ID token.

      • NewDeviceMetadata (dict) --

        The new device metadata from an authentication result.

        • DeviceKey (string) --

          The device key.

        • DeviceGroupKey (string) --

          The device group key.

SignUp (updated) Link ¶
Changes (request)
{'AnalyticsMetadata': {'AnalyticsEndpointId': 'string'},
 'UserContextData': {'EncodedData': 'string'}}

Registers the user in the specified user pool and creates a user name, password, and user attributes.

See also: AWS API Documentation

Request Syntax

client.sign_up(
    ClientId='string',
    SecretHash='string',
    Username='string',
    Password='string',
    UserAttributes=[
        {
            'Name': 'string',
            'Value': 'string'
        },
    ],
    ValidationData=[
        {
            'Name': 'string',
            'Value': 'string'
        },
    ],
    AnalyticsMetadata={
        'AnalyticsEndpointId': 'string'
    },
    UserContextData={
        'EncodedData': 'string'
    }
)
type ClientId:

string

param ClientId:

[REQUIRED]

The ID of the client associated with the user pool.

type SecretHash:

string

param SecretHash:

A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.

type Username:

string

param Username:

[REQUIRED]

The user name of the user you wish to register.

type Password:

string

param Password:

[REQUIRED]

The password of the user you wish to register.

type UserAttributes:

list

param UserAttributes:

An array of name-value pairs representing user attributes.

For custom attributes, you must prepend the custom: prefix to the attribute name.

  • (dict) --

    Specifies whether the attribute is standard or custom.

    • Name (string) -- [REQUIRED]

      The name of the attribute.

    • Value (string) --

      The value of the attribute.

type ValidationData:

list

param ValidationData:

The validation data in the request to register a user.

  • (dict) --

    Specifies whether the attribute is standard or custom.

    • Name (string) -- [REQUIRED]

      The name of the attribute.

    • Value (string) --

      The value of the attribute.

type AnalyticsMetadata:

dict

param AnalyticsMetadata:

The Amazon Pinpoint analytics metadata for collecting metrics for SignUp calls.

  • AnalyticsEndpointId (string) --

    The endpoint ID.

type UserContextData:

dict

param UserContextData:

Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

  • EncodedData (string) --

    Contextual data such as the user's device fingerprint, IP address, or location used for evaluating the risk of an unexpected event by Amazon Cognito advanced security.

rtype:

dict

returns:

Response Syntax

{
    'UserConfirmed': True|False,
    'CodeDeliveryDetails': {
        'Destination': 'string',
        'DeliveryMedium': 'SMS'|'EMAIL',
        'AttributeName': 'string'
    },
    'UserSub': 'string'
}

Response Structure

  • (dict) --

    The response from the server for a registration request.

    • UserConfirmed (boolean) --

      A response from the server indicating that a user registration has been confirmed.

    • CodeDeliveryDetails (dict) --

      The code delivery details returned by the server response to the user registration request.

      • Destination (string) --

        The destination for the code delivery details.

      • DeliveryMedium (string) --

        The delivery medium (email message or phone number).

      • AttributeName (string) --

        The attribute name.

    • UserSub (string) --

      The UUID of the authenticated user. This is not the same as username.

UpdateUserPool (updated) Link ¶
Changes (request)
{'LambdaConfig': {'PreTokenGeneration': 'string'},
 'UserPoolAddOns': {'AdvancedSecurityMode': 'OFF | AUDIT | ENFORCED'}}

Updates the specified user pool with the specified attributes.

See also: AWS API Documentation

Request Syntax

client.update_user_pool(
    UserPoolId='string',
    Policies={
        'PasswordPolicy': {
            'MinimumLength': 123,
            'RequireUppercase': True|False,
            'RequireLowercase': True|False,
            'RequireNumbers': True|False,
            'RequireSymbols': True|False
        }
    },
    LambdaConfig={
        'PreSignUp': 'string',
        'CustomMessage': 'string',
        'PostConfirmation': 'string',
        'PreAuthentication': 'string',
        'PostAuthentication': 'string',
        'DefineAuthChallenge': 'string',
        'CreateAuthChallenge': 'string',
        'VerifyAuthChallengeResponse': 'string',
        'PreTokenGeneration': 'string'
    },
    AutoVerifiedAttributes=[
        'phone_number'|'email',
    ],
    SmsVerificationMessage='string',
    EmailVerificationMessage='string',
    EmailVerificationSubject='string',
    VerificationMessageTemplate={
        'SmsMessage': 'string',
        'EmailMessage': 'string',
        'EmailSubject': 'string',
        'EmailMessageByLink': 'string',
        'EmailSubjectByLink': 'string',
        'DefaultEmailOption': 'CONFIRM_WITH_LINK'|'CONFIRM_WITH_CODE'
    },
    SmsAuthenticationMessage='string',
    MfaConfiguration='OFF'|'ON'|'OPTIONAL',
    DeviceConfiguration={
        'ChallengeRequiredOnNewDevice': True|False,
        'DeviceOnlyRememberedOnUserPrompt': True|False
    },
    EmailConfiguration={
        'SourceArn': 'string',
        'ReplyToEmailAddress': 'string'
    },
    SmsConfiguration={
        'SnsCallerArn': 'string',
        'ExternalId': 'string'
    },
    UserPoolTags={
        'string': 'string'
    },
    AdminCreateUserConfig={
        'AllowAdminCreateUserOnly': True|False,
        'UnusedAccountValidityDays': 123,
        'InviteMessageTemplate': {
            'SMSMessage': 'string',
            'EmailMessage': 'string',
            'EmailSubject': 'string'
        }
    },
    UserPoolAddOns={
        'AdvancedSecurityMode': 'OFF'|'AUDIT'|'ENFORCED'
    }
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID for the user pool you want to update.

type Policies:

dict

param Policies:

A container with the policies you wish to update in a user pool.

  • PasswordPolicy (dict) --

    The password policy.

    • MinimumLength (integer) --

      The minimum length of the password policy that you have set. Cannot be less than 6.

    • RequireUppercase (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one uppercase letter in their password.

    • RequireLowercase (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one lowercase letter in their password.

    • RequireNumbers (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one number in their password.

    • RequireSymbols (boolean) --

      In the password policy that you have set, refers to whether you have required users to use at least one symbol in their password.

type LambdaConfig:

dict

param LambdaConfig:

The AWS Lambda configuration information from the request to update the user pool.

  • PreSignUp (string) --

    A pre-registration AWS Lambda trigger.

  • CustomMessage (string) --

    A custom Message AWS Lambda trigger.

  • PostConfirmation (string) --

    A post-confirmation AWS Lambda trigger.

  • PreAuthentication (string) --

    A pre-authentication AWS Lambda trigger.

  • PostAuthentication (string) --

    A post-authentication AWS Lambda trigger.

  • DefineAuthChallenge (string) --

    Defines the authentication challenge.

  • CreateAuthChallenge (string) --

    Creates an authentication challenge.

  • VerifyAuthChallengeResponse (string) --

    Verifies the authentication challenge response.

  • PreTokenGeneration (string) --

    A Lambda trigger that is invoked before token generation.

type AutoVerifiedAttributes:

list

param AutoVerifiedAttributes:

The attributes that are automatically verified when the Amazon Cognito service makes a request to update user pools.

  • (string) --

type SmsVerificationMessage:

string

param SmsVerificationMessage:

A container with information about the SMS verification message.

type EmailVerificationMessage:

string

param EmailVerificationMessage:

The contents of the email verification message.

type EmailVerificationSubject:

string

param EmailVerificationSubject:

The subject of the email verification message.

type VerificationMessageTemplate:

dict

param VerificationMessageTemplate:

The template for verification messages.

  • SmsMessage (string) --

    The SMS message template.

  • EmailMessage (string) --

    The email message template.

  • EmailSubject (string) --

    The subject line for the email message template.

  • EmailMessageByLink (string) --

    The email message template for sending a confirmation link to the user.

  • EmailSubjectByLink (string) --

    The subject line for the email message template for sending a confirmation link to the user.

  • DefaultEmailOption (string) --

    The default email option.

type SmsAuthenticationMessage:

string

param SmsAuthenticationMessage:

The contents of the SMS authentication message.

type MfaConfiguration:

string

param MfaConfiguration:

Can be one of the following values:

  • OFF - MFA tokens are not required and cannot be specified during user registration.

  • ON - MFA tokens are required for all user registrations. You can only specify required when you are initially creating a user pool.

  • OPTIONAL - Users have the option when registering to create an MFA token.

type DeviceConfiguration:

dict

param DeviceConfiguration:

Device configuration.

  • ChallengeRequiredOnNewDevice (boolean) --

    Indicates whether a challenge is required on a new device. Only applicable to a new device.

  • DeviceOnlyRememberedOnUserPrompt (boolean) --

    If true, a device is only remembered on user prompt.

type EmailConfiguration:

dict

param EmailConfiguration:

Email configuration.

  • SourceArn (string) --

    The Amazon Resource Name (ARN) of the email source.

  • ReplyToEmailAddress (string) --

    The destination to which the receiver of the email should reply to.

type SmsConfiguration:

dict

param SmsConfiguration:

SMS configuration.

  • SnsCallerArn (string) -- [REQUIRED]

    The Amazon Resource Name (ARN) of the Amazon Simple Notification Service (SNS) caller.

  • ExternalId (string) --

    The external ID.

type UserPoolTags:

dict

param UserPoolTags:

The cost allocation tags for the user pool. For more information, see Adding Cost Allocation Tags to Your User Pool

  • (string) --

    • (string) --

type AdminCreateUserConfig:

dict

param AdminCreateUserConfig:

The configuration for AdminCreateUser requests.

  • AllowAdminCreateUserOnly (boolean) --

    Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.

  • UnusedAccountValidityDays (integer) --

    The user account expiration limit, in days, after which the account is no longer usable. To reset the account after that time limit, you must call AdminCreateUser again, specifying "RESEND" for the MessageAction parameter. The default value for this parameter is 7.

  • InviteMessageTemplate (dict) --

    The message template to be used for the welcome message to new users.

    See also Customizing User Invitation Messages.

    • SMSMessage (string) --

      The message template for SMS messages.

    • EmailMessage (string) --

      The message template for email messages.

    • EmailSubject (string) --

      The subject line for email messages.

type UserPoolAddOns:

dict

param UserPoolAddOns:

Used to enable advanced security risk detection. Set the key AdvancedSecurityMode to the value "AUDIT".

  • AdvancedSecurityMode (string) -- [REQUIRED]

    The advanced security mode.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

    Represents the response from the server when you make a request to update the user pool.

UpdateUserPoolClient (updated) Link ¶
Changes (request, response)
Request
{'AnalyticsConfiguration': {'ApplicationId': 'string',
                            'ExternalId': 'string',
                            'RoleArn': 'string',
                            'UserDataShared': 'boolean'}}
Response
{'UserPoolClient': {'AnalyticsConfiguration': {'ApplicationId': 'string',
                                               'ExternalId': 'string',
                                               'RoleArn': 'string',
                                               'UserDataShared': 'boolean'}}}

Allows the developer to update the specified user pool client and password policy.

See also: AWS API Documentation

Request Syntax

client.update_user_pool_client(
    UserPoolId='string',
    ClientId='string',
    ClientName='string',
    RefreshTokenValidity=123,
    ReadAttributes=[
        'string',
    ],
    WriteAttributes=[
        'string',
    ],
    ExplicitAuthFlows=[
        'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
    ],
    SupportedIdentityProviders=[
        'string',
    ],
    CallbackURLs=[
        'string',
    ],
    LogoutURLs=[
        'string',
    ],
    DefaultRedirectURI='string',
    AllowedOAuthFlows=[
        'code'|'implicit'|'client_credentials',
    ],
    AllowedOAuthScopes=[
        'string',
    ],
    AllowedOAuthFlowsUserPoolClient=True|False,
    AnalyticsConfiguration={
        'ApplicationId': 'string',
        'RoleArn': 'string',
        'ExternalId': 'string',
        'UserDataShared': True|False
    }
)
type UserPoolId:

string

param UserPoolId:

[REQUIRED]

The user pool ID for the user pool where you want to update the user pool client.

type ClientId:

string

param ClientId:

[REQUIRED]

The ID of the client associated with the user pool.

type ClientName:

string

param ClientName:

The client name from the update user pool client request.

type RefreshTokenValidity:

integer

param RefreshTokenValidity:

The time limit, in days, after which the refresh token is no longer valid and cannot be used.

type ReadAttributes:

list

param ReadAttributes:

The read-only attributes of the user pool.

  • (string) --

type WriteAttributes:

list

param WriteAttributes:

The writeable attributes of the user pool.

  • (string) --

type ExplicitAuthFlows:

list

param ExplicitAuthFlows:

Explicit authentication flows.

  • (string) --

type SupportedIdentityProviders:

list

param SupportedIdentityProviders:

A list of provider names for the identity providers that are supported on this client.

  • (string) --

type CallbackURLs:

list

param CallbackURLs:

A list of allowed callback URLs for the identity providers.

  • (string) --

type LogoutURLs:

list

param LogoutURLs:

A list of allowed logout URLs for the identity providers.

  • (string) --

type DefaultRedirectURI:

string

param DefaultRedirectURI:

The default redirect URI. Must be in the CallbackURLs list.

type AllowedOAuthFlows:

list

param AllowedOAuthFlows:

Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.

Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.

  • (string) --

type AllowedOAuthScopes:

list

param AllowedOAuthScopes:

A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid", and "Cognito".

  • (string) --

type AllowedOAuthFlowsUserPoolClient:

boolean

param AllowedOAuthFlowsUserPoolClient:

Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

type AnalyticsConfiguration:

dict

param AnalyticsConfiguration:

The Amazon Pinpoint analytics configuration for collecting metrics for this user pool.

  • ApplicationId (string) -- [REQUIRED]

    The application ID for an Amazon Pinpoint application.

  • RoleArn (string) -- [REQUIRED]

    The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.

  • ExternalId (string) -- [REQUIRED]

    The external ID.

  • UserDataShared (boolean) --

    If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

rtype:

dict

returns:

Response Syntax

{
    'UserPoolClient': {
        'UserPoolId': 'string',
        'ClientName': 'string',
        'ClientId': 'string',
        'ClientSecret': 'string',
        'LastModifiedDate': datetime(2015, 1, 1),
        'CreationDate': datetime(2015, 1, 1),
        'RefreshTokenValidity': 123,
        'ReadAttributes': [
            'string',
        ],
        'WriteAttributes': [
            'string',
        ],
        'ExplicitAuthFlows': [
            'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY',
        ],
        'SupportedIdentityProviders': [
            'string',
        ],
        'CallbackURLs': [
            'string',
        ],
        'LogoutURLs': [
            'string',
        ],
        'DefaultRedirectURI': 'string',
        'AllowedOAuthFlows': [
            'code'|'implicit'|'client_credentials',
        ],
        'AllowedOAuthScopes': [
            'string',
        ],
        'AllowedOAuthFlowsUserPoolClient': True|False,
        'AnalyticsConfiguration': {
            'ApplicationId': 'string',
            'RoleArn': 'string',
            'ExternalId': 'string',
            'UserDataShared': True|False
        }
    }
}

Response Structure

  • (dict) --

    Represents the response from the server to the request to update the user pool client.

    • UserPoolClient (dict) --

      The user pool client value from the response from the server when an update user pool client request is made.

      • UserPoolId (string) --

        The user pool ID for the user pool client.

      • ClientName (string) --

        The client name from the user pool request of the client type.

      • ClientId (string) --

        The ID of the client associated with the user pool.

      • ClientSecret (string) --

        The client secret from the user pool request of the client type.

      • LastModifiedDate (datetime) --

        The date the user pool client was last modified.

      • CreationDate (datetime) --

        The date the user pool client was created.

      • RefreshTokenValidity (integer) --

        The time limit, in days, after which the refresh token is no longer valid and cannot be used.

      • ReadAttributes (list) --

        The Read-only attributes.

        • (string) --

      • WriteAttributes (list) --

        The writeable attributes.

        • (string) --

      • ExplicitAuthFlows (list) --

        The explicit authentication flows.

        • (string) --

      • SupportedIdentityProviders (list) --

        A list of provider names for the identity providers that are supported on this client.

        • (string) --

      • CallbackURLs (list) --

        A list of allowed callback URLs for the identity providers.

        • (string) --

      • LogoutURLs (list) --

        A list of allowed logout URLs for the identity providers.

        • (string) --

      • DefaultRedirectURI (string) --

        The default redirect URI. Must be in the CallbackURLs list.

      • AllowedOAuthFlows (list) --

        Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.

        Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.

        • (string) --

      • AllowedOAuthScopes (list) --

        A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid", and "Cognito".

        • (string) --

      • AllowedOAuthFlowsUserPoolClient (boolean) --

        Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.

      • AnalyticsConfiguration (dict) --

        The Amazon Pinpoint analytics configuration for the user pool client.

        • ApplicationId (string) --

          The application ID for an Amazon Pinpoint application.

        • RoleArn (string) --

          The ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics.

        • ExternalId (string) --

          The external ID.

        • UserDataShared (boolean) --

          If UserDataShared is true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.