From f35898ec563ffb61bb40d88f6012d9571bbd8d75 Mon Sep 17 00:00:00 2001
From: awstools
Date: Tue, 6 Aug 2024 18:13:44 +0000
Subject: [PATCH] feat(client-cognito-identity-provider): Advanced security feature updates to include password history and log export for Cognito user pools.
---
 .../src/CognitoIdentityProvider.ts | 10 +-
 .../src/CognitoIdentityProviderClient.ts | 10 +-
 .../src/commands/AdminConfirmSignUpCommand.ts | 15 +-
 .../src/commands/AdminCreateUserCommand.ts | 2 +-
 .../src/commands/AdminInitiateAuthCommand.ts | 2 +-
 .../commands/AdminResetUserPasswordCommand.ts | 2 +-
 .../AdminRespondToAuthChallengeCommand.ts | 6 +-
 .../commands/AdminSetUserPasswordCommand.ts | 4 +
 .../AdminUpdateUserAttributesCommand.ts | 2 +-
 .../commands/AssociateSoftwareTokenCommand.ts | 4 +-
 .../src/commands/ChangePasswordCommand.ts | 4 +
 .../commands/ConfirmForgotPasswordCommand.ts | 4 +
 .../src/commands/CreateUserPoolCommand.ts | 4 +-
 .../src/commands/DescribeUserPoolCommand.ts | 1 +
 .../src/commands/ForgotPasswordCommand.ts | 2 +-
 .../GetLogDeliveryConfigurationCommand.ts | 12 +-
 ...GetUserAttributeVerificationCodeCommand.ts | 2 +-
 .../src/commands/InitiateAuthCommand.ts | 2 +-
 .../commands/ResendConfirmationCodeCommand.ts | 2 +-
 .../commands/RespondToAuthChallengeCommand.ts | 6 +-
 .../SetLogDeliveryConfigurationCommand.ts | 26 ++-
 .../commands/SetUserPoolMfaConfigCommand.ts | 2 +-
 .../src/commands/SignUpCommand.ts | 2 +-
 .../commands/UpdateUserAttributesCommand.ts | 2 +-
 .../src/commands/UpdateUserPoolCommand.ts | 3 +-
 .../src/index.ts | 10 +-
 .../src/models/models_0.ts | 175 +++++++++++-------
 .../src/models/models_1.ts | 62 ++++++-
 .../src/protocols/Aws_json1_1.ts | 38 +++-
 .../aws-models/cognito-identity-provider.json | 149 ++++++++++++---
 30 files changed, 416 insertions(+), 149 deletions(-)
diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts index 1a3ca1a77492..3f91c3766a35 100644 --- a/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts +++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProvider.ts @@ -2168,7 +2168,7 @@ export interface CognitoIdentityProvider { /** *

With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To * authenticate users from third-party identity providers (IdPs) in this API, you can - * link IdP users to native user profiles. Learn more + * link IdP users to native user profiles. Learn more * about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.

*

This API reference provides detailed information about API operations and object types * in Amazon Cognito.

@@ -2200,7 +2200,7 @@ export interface CognitoIdentityProvider { *
  • *

    * Amazon Web Services - * Command Line Interface + * Command Line Interface *

    *
  • *
  • @@ -2226,13 +2226,13 @@ export interface CognitoIdentityProvider { *
  • *

    * Amazon Web Services - * SDK for JavaScript + * SDK for JavaScript *

    *
  • *
  • *

    * Amazon Web Services SDK for PHP - * V3 + * V3 *

    *
  • *
  • @@ -2243,7 +2243,7 @@ export interface CognitoIdentityProvider { *
  • *

    * Amazon Web Services SDK - * for Ruby V3 + * for Ruby V3 *

    *
  • * diff --git a/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts b/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts index 1f339df1cb55..aadd6087b22a 100644 --- a/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts +++ b/clients/client-cognito-identity-provider/src/CognitoIdentityProviderClient.ts @@ -731,7 +731,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden /** *

    With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To * authenticate users from third-party identity providers (IdPs) in this API, you can - * link IdP users to native user profiles. Learn more + * link IdP users to native user profiles. Learn more * about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.

    *

    This API reference provides detailed information about API operations and object types * in Amazon Cognito.

    @@ -763,7 +763,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden *
  • *

    * Amazon Web Services - * Command Line Interface + * Command Line Interface *

    *
  • *
  • @@ -789,13 +789,13 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden *
  • *

    * Amazon Web Services - * SDK for JavaScript + * SDK for JavaScript *

    *
  • *
  • *

    * Amazon Web Services SDK for PHP - * V3 + * V3 *

    *
  • *
  • @@ -806,7 +806,7 @@ export interface CognitoIdentityProviderClientResolvedConfig extends CognitoIden *
  • *

    * Amazon Web Services SDK - * for Ruby V3 + * for Ruby V3 *

    *
  • * diff --git a/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts index 57e01708244b..b57b3c093ffb 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminConfirmSignUpCommand.ts @@ -36,15 +36,12 @@ export interface AdminConfirmSignUpCommandInput extends AdminConfirmSignUpReques export interface AdminConfirmSignUpCommandOutput extends AdminConfirmSignUpResponse, __MetadataBearer {} /** - *

    This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user - * when they signed up in your user pool. After your user enters their code, they confirm - * ownership of the email address or phone number that they provided, and their user - * account becomes active. Depending on your user pool configuration, your users will - * receive their confirmation code in an email or SMS message.

    - *

    Local users who signed up in your user pool are the only type of user who can confirm - * sign-up with a code. Users who federate through an external identity provider (IdP) have - * already been confirmed by their IdP. Administrator-created users confirm their accounts - * when they respond to their invitation email message and choose a password.

    + *

    This IAM-authenticated API operation confirms user sign-up as an administrator. + * Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation. + * No confirmation code is required.

    + *

    This request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can + * configure your user pool to not send confirmation codes to new users and instead confirm + * them with this API operation on the back end.

    * *

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For * this operation, you must use IAM credentials to authorize requests, and you must diff --git a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts index 2a47386f6c88..593a18fb76dd 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminCreateUserCommand.ts @@ -171,7 +171,7 @@ export interface AdminCreateUserCommandOutput extends AdminCreateUserResponse, _ * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts index 2666a58272f1..8454c8760df7 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminInitiateAuthCommand.ts @@ -153,7 +153,7 @@ export interface AdminInitiateAuthCommandOutput extends AdminInitiateAuthRespons * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link InvalidUserPoolConfigurationException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts index 282e461d6837..292ea11ea2ce 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminResetUserPasswordCommand.ts @@ -131,7 +131,7 @@ export interface AdminResetUserPasswordCommandOutput extends AdminResetUserPassw * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts index c1cf4a7b8f7a..1935dc0d9c48 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminRespondToAuthChallengeCommand.ts @@ -179,7 +179,7 @@ export interface AdminRespondToAuthChallengeCommandOutput * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link InvalidUserPoolConfigurationException} (client fault) @@ -192,6 +192,10 @@ export interface AdminRespondToAuthChallengeCommandOutput * @throws {@link NotAuthorizedException} (client fault) *

    This exception is thrown when a user isn't authorized.

    * + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *

    The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.

    + * * @throws {@link PasswordResetRequiredException} (client fault) *

    This exception is thrown when a password reset is required.

    * diff --git a/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts index e620c0d67f2c..63bc3158858e 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminSetUserPasswordCommand.ts @@ -114,6 +114,10 @@ export interface AdminSetUserPasswordCommandOutput extends AdminSetUserPasswordR * @throws {@link NotAuthorizedException} (client fault) *

    This exception is thrown when a user isn't authorized.

    * + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *

    The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.

    + * * @throws {@link ResourceNotFoundException} (client fault) *

    This exception is thrown when the Amazon Cognito service can't find the requested * resource.

    diff --git a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts index 9393c68e86f6..32e0280e37c9 100644 --- a/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AdminUpdateUserAttributesCommand.ts @@ -139,7 +139,7 @@ export interface AdminUpdateUserAttributesCommandOutput extends AdminUpdateUserA * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts b/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts index b6ffba758475..7f5f9a6acc1a 100644 --- a/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/AssociateSoftwareTokenCommand.ts @@ -48,8 +48,8 @@ export interface AssociateSoftwareTokenCommandOutput extends AssociateSoftwareTo * token and your user pool doesn't require MFA, the user can then authenticate with * user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito * generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge - * each time your user signs. Complete setup with AssociateSoftwareToken - * and VerifySoftwareToken.

    + * each time your user signs in. Complete setup with + * AssociateSoftwareToken and VerifySoftwareToken.

    *

    After you set up software token MFA for your user, Amazon Cognito generates a * SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to * this challenge with your user's TOTP.

    diff --git a/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts index 5bc102faa086..17069b43e525 100644 --- a/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ChangePasswordCommand.ts @@ -88,6 +88,10 @@ export interface ChangePasswordCommandOutput extends ChangePasswordResponse, __M * @throws {@link NotAuthorizedException} (client fault) *

    This exception is thrown when a user isn't authorized.

    * + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *

    The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.

    + * * @throws {@link PasswordResetRequiredException} (client fault) *

    This exception is thrown when a password reset is required.

    * diff --git a/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts index 987c69f9cdbf..45e9d02cefec 100644 --- a/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ConfirmForgotPasswordCommand.ts @@ -109,6 +109,10 @@ export interface ConfirmForgotPasswordCommandOutput extends ConfirmForgotPasswor * @throws {@link NotAuthorizedException} (client fault) *

    This exception is thrown when a user isn't authorized.

    * + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *

    The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.

    + * * @throws {@link ResourceNotFoundException} (client fault) *

    This exception is thrown when the Amazon Cognito service can't find the requested * resource.

    diff --git a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts index f655b4cbcd56..9faf64fc5bc9 100644 --- a/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/CreateUserPoolCommand.ts @@ -89,6 +89,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * RequireLowercase: true || false, * RequireNumbers: true || false, * RequireSymbols: true || false, + * PasswordHistorySize: Number("int"), * TemporaryPasswordValidityDays: Number("int"), * }, * }, @@ -218,6 +219,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * // RequireLowercase: true || false, * // RequireNumbers: true || false, * // RequireSymbols: true || false, + * // PasswordHistorySize: Number("int"), * // TemporaryPasswordValidityDays: Number("int"), * // }, * // }, @@ -371,7 +373,7 @@ export interface CreateUserPoolCommandOutput extends CreateUserPoolResponse, __M * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts index 89766ce5d53d..acadfdfb285b 100644 --- a/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/DescribeUserPoolCommand.ts @@ -75,6 +75,7 @@ export interface DescribeUserPoolCommandOutput extends DescribeUserPoolResponse, * // RequireLowercase: true || false, * // RequireNumbers: true || false, * // RequireSymbols: true || false, + * // PasswordHistorySize: Number("int"), * // TemporaryPasswordValidityDays: Number("int"), * // }, * // }, diff --git a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts index 2ac24cee516e..0c5f17bdab74 100644 --- a/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ForgotPasswordCommand.ts @@ -139,7 +139,7 @@ export interface ForgotPasswordCommandOutput extends ForgotPasswordResponse, __M * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts index 4b8e95b11c58..859a3e90ce4c 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetLogDeliveryConfigurationCommand.ts @@ -34,7 +34,7 @@ export interface GetLogDeliveryConfigurationCommandOutput __MetadataBearer {} /** - *

    Gets the detailed activity logging configuration for a user pool.

    + *

    Gets the logging configuration of a user pool.

    * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -51,11 +51,17 @@ export interface GetLogDeliveryConfigurationCommandOutput * // UserPoolId: "STRING_VALUE", // required * // LogConfigurations: [ // LogConfigurationListType // required * // { // LogConfigurationType - * // LogLevel: "ERROR", // required - * // EventSource: "userNotification", // required + * // LogLevel: "ERROR" || "INFO", // required + * // EventSource: "userNotification" || "userAuthEvents", // required * // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType * // LogGroupArn: "STRING_VALUE", * // }, + * // S3Configuration: { // S3ConfigurationType + * // BucketArn: "STRING_VALUE", + * // }, + * // FirehoseConfiguration: { // FirehoseConfigurationType + * // StreamArn: "STRING_VALUE", + * // }, * // }, * // ], * // }, diff --git a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts index 3309c889c476..ea7b330e218a 100644 --- a/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/GetUserAttributeVerificationCodeCommand.ts @@ -128,7 +128,7 @@ export interface GetUserAttributeVerificationCodeCommandOutput * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts index 9954ae610078..e10ad09d5f91 100644 --- a/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/InitiateAuthCommand.ts @@ -135,7 +135,7 @@ export interface InitiateAuthCommandOutput extends InitiateAuthResponse, __Metad * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link InvalidUserPoolConfigurationException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts index cdc4db18b97c..4c9fcb2657be 100644 --- a/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/ResendConfirmationCodeCommand.ts @@ -129,7 +129,7 @@ export interface ResendConfirmationCodeCommandOutput extends ResendConfirmationC * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link LimitExceededException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts index e3302cb41381..00bb53d5c915 100644 --- a/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/RespondToAuthChallengeCommand.ts @@ -158,7 +158,7 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault) *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link InvalidUserPoolConfigurationException} (client fault) @@ -171,6 +171,10 @@ export interface RespondToAuthChallengeCommandOutput extends RespondToAuthChalle * @throws {@link NotAuthorizedException} (client fault) *

    This exception is thrown when a user isn't authorized.

    * + * @throws {@link PasswordHistoryPolicyViolationException} (client fault) + *

    The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.

    + * * @throws {@link PasswordResetRequiredException} (client fault) *

    This exception is thrown when a password reset is required.

    * diff --git a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts index 464481414787..13e119540641 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetLogDeliveryConfigurationCommand.ts @@ -10,8 +10,7 @@ import { ServiceOutputTypes, } from "../CognitoIdentityProviderClient"; import { commonParams } from "../endpoint/EndpointParameters"; -import { SetLogDeliveryConfigurationRequest } from "../models/models_0"; -import { SetLogDeliveryConfigurationResponse } from "../models/models_1"; +import { SetLogDeliveryConfigurationRequest, SetLogDeliveryConfigurationResponse } from "../models/models_1"; import { de_SetLogDeliveryConfigurationCommand, se_SetLogDeliveryConfigurationCommand } from "../protocols/Aws_json1_1"; /** @@ -35,7 +34,8 @@ export interface SetLogDeliveryConfigurationCommandOutput __MetadataBearer {} /** - *

    Sets up or modifies the detailed activity logging configuration of a user pool.

    + *

    Sets up or modifies the logging configuration of a user pool. User pools can export + * user notification logs and advanced security features user activity logs.

    * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -46,11 +46,17 @@ export interface SetLogDeliveryConfigurationCommandOutput * UserPoolId: "STRING_VALUE", // required * LogConfigurations: [ // LogConfigurationListType // required * { // LogConfigurationType - * LogLevel: "ERROR", // required - * EventSource: "userNotification", // required + * LogLevel: "ERROR" || "INFO", // required + * EventSource: "userNotification" || "userAuthEvents", // required * CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType * LogGroupArn: "STRING_VALUE", * }, + * S3Configuration: { // S3ConfigurationType + * BucketArn: "STRING_VALUE", + * }, + * FirehoseConfiguration: { // FirehoseConfigurationType + * StreamArn: "STRING_VALUE", + * }, * }, * ], * }; @@ -61,11 +67,17 @@ export interface SetLogDeliveryConfigurationCommandOutput * // UserPoolId: "STRING_VALUE", // required * // LogConfigurations: [ // LogConfigurationListType // required * // { // LogConfigurationType - * // LogLevel: "ERROR", // required - * // EventSource: "userNotification", // required + * // LogLevel: "ERROR" || "INFO", // required + * // EventSource: "userNotification" || "userAuthEvents", // required * // CloudWatchLogsConfiguration: { // CloudWatchLogsConfigurationType * // LogGroupArn: "STRING_VALUE", * // }, + * // S3Configuration: { // S3ConfigurationType + * // BucketArn: "STRING_VALUE", + * // }, + * // FirehoseConfiguration: { // FirehoseConfigurationType + * // StreamArn: "STRING_VALUE", + * // }, * // }, * // ], * // }, diff --git a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts index 7a938d7dc8da..ed3c2afd9880 100644 --- a/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts +++ b/clients/client-cognito-identity-provider/src/commands/SetUserPoolMfaConfigCommand.ts 
@@ -114,7 +114,7 @@ export interface SetUserPoolMfaConfigCommandOutput extends SetUserPoolMfaConfigR
 * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
 *

    This exception is thrown when the trust relationship is not valid for the role
 * provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com or the external ID provided in the role does
+ * cognito-idp.amazonaws.com or the external ID provided in the role does
 * not match what is provided in the SMS configuration for the user pool.

    *
 * @throws {@link NotAuthorizedException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts
index 2130082afa32..c8b0b68b028c 100644
--- a/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/SignUpCommand.ts
@@ -143,7 +143,7 @@ export interface SignUpCommandOutput extends SignUpResponse, __MetadataBearer {}
 * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
 *

    This exception is thrown when the trust relationship is not valid for the role
 * provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com or the external ID provided in the role does
+ * cognito-idp.amazonaws.com or the external ID provided in the role does
 * not match what is provided in the SMS configuration for the user pool.

    *
 * @throws {@link LimitExceededException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts
index fded8644982c..d5a80da0c213 100644
--- a/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserAttributesCommand.ts
@@ -146,7 +146,7 @@ export interface UpdateUserAttributesCommandOutput extends UpdateUserAttributesR
 * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
 *

    This exception is thrown when the trust relationship is not valid for the role
 * provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com or the external ID provided in the role does
+ * cognito-idp.amazonaws.com or the external ID provided in the role does
 * not match what is provided in the SMS configuration for the user pool.

    *
 * @throws {@link NotAuthorizedException} (client fault)
diff --git a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
index 617cb634dcec..15b63e2bee7b 100644
--- a/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
+++ b/clients/client-cognito-identity-provider/src/commands/UpdateUserPoolCommand.ts
@@ -89,6 +89,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
 * RequireLowercase: true || false,
 * RequireNumbers: true || false,
 * RequireSymbols: true || false,
+ * PasswordHistorySize: Number("int"),
 * TemporaryPasswordValidityDays: Number("int"),
 * },
 * },
@@ -213,7 +214,7 @@ export interface UpdateUserPoolCommandOutput extends UpdateUserPoolResponse, __M
 * @throws {@link InvalidSmsRoleTrustRelationshipException} (client fault)
 *

    This exception is thrown when the trust relationship is not valid for the role
 * provided for SMS configuration. This can happen if you don't trust
- * cognito-idp.amazonaws.com or the external ID provided in the role does
+ * cognito-idp.amazonaws.com or the external ID provided in the role does
 * not match what is provided in the SMS configuration for the user pool.

    * * @throws {@link NotAuthorizedException} (client fault) diff --git a/clients/client-cognito-identity-provider/src/index.ts b/clients/client-cognito-identity-provider/src/index.ts index e581ac3587dd..7bd8be1c0837 100644 --- a/clients/client-cognito-identity-provider/src/index.ts +++ b/clients/client-cognito-identity-provider/src/index.ts @@ -3,7 +3,7 @@ /** *

    With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To * authenticate users from third-party identity providers (IdPs) in this API, you can - * link IdP users to native user profiles. Learn more + * link IdP users to native user profiles. Learn more * about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.

    *

    This API reference provides detailed information about API operations and object types * in Amazon Cognito.

    @@ -35,7 +35,7 @@ *
  • *

    * Amazon Web Services - * Command Line Interface + * Command Line Interface *

    *
  • *
  • @@ -61,13 +61,13 @@ *
  • *

    * Amazon Web Services - * SDK for JavaScript + * SDK for JavaScript *

    *
  • *
  • *

    * Amazon Web Services SDK for PHP - * V3 + * V3 *

    *
  • *
  • @@ -78,7 +78,7 @@ *
  • *

    * Amazon Web Services SDK - * for Ruby V3 + * for Ruby V3 *

    *
  • * diff --git a/clients/client-cognito-identity-provider/src/models/models_0.ts b/clients/client-cognito-identity-provider/src/models/models_0.ts index 973c42570765..a9ff331ab590 100644 --- a/clients/client-cognito-identity-provider/src/models/models_0.ts +++ b/clients/client-cognito-identity-provider/src/models/models_0.ts @@ -1128,7 +1128,7 @@ export class InvalidSmsRoleAccessPolicyException extends __BaseException { /** *

    This exception is thrown when the trust relationship is not valid for the role * provided for SMS configuration. This can happen if you don't trust - * cognito-idp.amazonaws.com or the external ID provided in the role does + * cognito-idp.amazonaws.com or the external ID provided in the role does * not match what is provided in the SMS configuration for the user pool.

    * @public */ @@ -3229,6 +3229,27 @@ export class ExpiredCodeException extends __BaseException { } } +/** + *

    The message returned when a user's new password matches a previous password and + * doesn't comply with the password-history policy.

    + * @public + */ +export class PasswordHistoryPolicyViolationException extends __BaseException { + readonly name: "PasswordHistoryPolicyViolationException" = "PasswordHistoryPolicyViolationException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "PasswordHistoryPolicyViolationException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, PasswordHistoryPolicyViolationException.prototype); + } +} + /** *

    This exception is thrown when the software token time-based one-time password (TOTP) * multi-factor authentication (MFA) isn't activated for the user pool.

    @@ -5313,6 +5334,17 @@ export interface PasswordPolicyType { */ RequireSymbols?: boolean; + /** + *

    The number of previous passwords that you want Amazon Cognito to restrict each user from + * reusing. Users can't set a password that matches any of n previous + * passwords, where n is the value of PasswordHistorySize.

    + *

    Password history isn't enforced and isn't displayed in DescribeUserPool responses when you set this value to + * 0 or don't provide it. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ + PasswordHistorySize?: number; + /** *

    The number of days a temporary password is valid in the password policy. If the user * doesn't sign in during this time, an administrator must reset their password. Defaults @@ -6508,6 +6540,7 @@ export interface CreateUserPoolClientRequest { * existence related errors aren't prevented.
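Review bot: The new `PasswordHistorySize` doc says history is not enforced when the value is 0 or not provided, but it does not say what happens when a later policy update leaves the field out. If such an update falls back to the unset state (to be confirmed against the service), password-reuse protection would be switched off with no error. I would add a sentence to the field doc along the lines of `Include PasswordHistorySize in every request that sets PasswordPolicy; omitting it leaves password history unenforced.` The doc also gives no accepted range and does not say whether the value is rejected or ignored while advanced security features are inactive. This file looks generated, so the wording probably belongs in the service model; `PasswordPolicyType` begins outside this hunk.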

    * * + *

    Defaults to LEGACY when you don't provide a value.

    * @public */ PreventUserExistenceErrors?: PreventUserExistenceErrorTypes; @@ -6882,10 +6915,11 @@ export interface UserPoolClientType { * *
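Review bot: The added sentence `Defaults to LEGACY when you don't provide a value` documents a default under which, by the list item just above it, user-existence errors are not prevented, and nothing tells the reader that this is the less protective of the two settings. A client created without the field therefore answers differently for known and unknown usernames. I would extend the sentence to `Defaults to LEGACY when you don't provide a value; set ENABLED explicitly so that authentication, confirmation and recovery responses don't reveal whether a user exists.` The same sentence is added in the hunks at `@@ -6882` (UserPoolClientType) and `@@ -1451` (UpdateUserPoolClientRequest), and the suggestion applies there as well. The enclosing interface starts outside this hunk.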
  • *

    - * LEGACY - This represents the old behavior of Amazon Cognito where user + * LEGACY - This represents the early behavior of Amazon Cognito where user * existence related errors aren't prevented.

    *
  • * + *

    Defaults to LEGACY when you don't provide a value.

    * @public */ PreventUserExistenceErrors?: PreventUserExistenceErrorTypes; @@ -7866,16 +7900,16 @@ export interface GetIdentityProviderByIdentifierResponse { */ export interface GetLogDeliveryConfigurationRequest { /** - *

    The ID of the user pool where you want to view detailed activity logging - * configuration.

    + *

    The ID of the user pool that has the logging configuration that you want to + * view.

    * @public */ UserPoolId: string | undefined; } /** - *

    The CloudWatch logging destination of a user pool detailed activity logging - * configuration.

    + *

    Configuration for the CloudWatch log group destination of user pool detailed activity + * logging, or of user activity log export with advanced security features.

    * @public */ export interface CloudWatchLogsConfigurationType { @@ -7897,6 +7931,7 @@ export interface CloudWatchLogsConfigurationType { * @enum */ export const EventSourceName = { + USER_AUTH_EVENTS: "userAuthEvents", USER_NOTIFICATION: "userNotification", } as const; @@ -7905,12 +7940,27 @@ export const EventSourceName = { */ export type EventSourceName = (typeof EventSourceName)[keyof typeof EventSourceName]; +/** + *

    Configuration for the Amazon Data Firehose stream destination of user activity log export with + * advanced security features.

    + * @public + */ +export interface FirehoseConfigurationType { + /** + *

    The ARN of an Amazon Data Firehose stream that's the destination for advanced security + * features log export.

    + * @public + */ + StreamArn?: string; +} + /** * @public * @enum */ export const LogLevel = { ERROR: "ERROR", + INFO: "INFO", } as const; /** @@ -7918,6 +7968,20 @@ export const LogLevel = { */ export type LogLevel = (typeof LogLevel)[keyof typeof LogLevel]; +/** + *

    Configuration for the Amazon S3 bucket destination of user activity log export with + * advanced security features.

    + * @public + */ +export interface S3ConfigurationType { + /** + *

    The ARN of an Amazon S3 bucket that's the destination for advanced security features + * log export.

    + * @public + */ + BucketArn?: string; +} + /** *

    The logging parameters of a user pool.

    * @public @@ -7925,37 +7989,63 @@ export type LogLevel = (typeof LogLevel)[keyof typeof LogLevel]; export interface LogConfigurationType { /** *

    The errorlevel selection of logs that a user pool sends for detailed - * activity logging.

    + * activity logging. To send userNotification activity with information about message delivery, choose ERROR with + * CloudWatchLogsConfiguration. To send userAuthEvents + * activity with user logs from advanced security features, choose INFO with + * one of CloudWatchLogsConfiguration, FirehoseConfiguration, or + * S3Configuration.

    * @public */ LogLevel: LogLevel | undefined; /** - *

    The source of events that your user pool sends for detailed activity logging.

    + *

    The source of events that your user pool sends for logging. To send error-level logs + * about user notification activity, set to userNotification. To send + * info-level logs about advanced security features user activity, set to + * userAuthEvents.

    * @public */ EventSource: EventSourceName | undefined; /** - *

    The CloudWatch logging destination of a user pool.

    + *

    The CloudWatch log group destination of user pool detailed activity logs, or of user + * activity log export with advanced security features.

    * @public */ CloudWatchLogsConfiguration?: CloudWatchLogsConfigurationType; + + /** + *

    The Amazon S3 bucket destination of user activity log export with advanced security + * features. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ + S3Configuration?: S3ConfigurationType; + + /** + *

    The Amazon Data Firehose stream destination of user activity log export with advanced security + * features. To activate this setting, + * advanced security features must be active in your user pool.

    + * @public + */ + FirehoseConfiguration?: FirehoseConfigurationType; } /** - *

    The logging parameters of a user pool.

    + *

    The logging parameters of a user pool returned in response to + * GetLogDeliveryConfiguration.

    * @public */ export interface LogDeliveryConfigurationType { /** - *

    The ID of the user pool where you configured detailed activity logging.

    + *

    The ID of the user pool where you configured logging.

    * @public */ UserPoolId: string | undefined; /** - *

    The detailed activity logging destination of a user pool.

    + *

    A logging destination of a user pool. User pools can have multiple logging + * destinations for message-delivery and user-activity logs.

    * @public */ LogConfigurations: LogConfigurationType[] | undefined; @@ -7966,7 +8056,7 @@ export interface LogDeliveryConfigurationType { */ export interface GetLogDeliveryConfigurationResponse { /** - *
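Review bot: The rules that tie the fields of `LogConfigurationType` together are stated only in the `LogLevel` doc, while the type accepts any combination: `userAuthEvents` with `ERROR`, several destinations at once, or no destination at all. A reader who lands on `S3Configuration` or `FirehoseConfiguration` sees only the requirement that advanced security features be active. If the service enforces the pairing described under `LogLevel`, I would repeat it on both destination fields, for example `Applies only when EventSource is userAuthEvents and LogLevel is INFO; set one destination per LogConfigurationType.` These entries decide where user-activity logs are exported, so a combination that is accepted by the type but not by the service should be easy to spot from the field docs.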

    The detailed activity logging configuration of the requested user pool.

    + *

    The logging configuration of the requested user pool.

    * @public */ LogDeliveryConfiguration?: LogDeliveryConfigurationType; @@ -9598,65 +9688,6 @@ export class UnauthorizedException extends __BaseException { } } -/** - *

    Exception that is thrown when you attempt to perform an operation that isn't enabled - * for the user pool client.

    - * @public - */ -export class UnsupportedOperationException extends __BaseException { - readonly name: "UnsupportedOperationException" = "UnsupportedOperationException"; - readonly $fault: "client" = "client"; - /** - * @internal - */ - constructor(opts: __ExceptionOptionType) { - super({ - name: "UnsupportedOperationException", - $fault: "client", - ...opts, - }); - Object.setPrototypeOf(this, UnsupportedOperationException.prototype); - } -} - -/** - *

    Exception that is thrown when an unsupported token is passed to an operation.

    - * @public - */ -export class UnsupportedTokenTypeException extends __BaseException { - readonly name: "UnsupportedTokenTypeException" = "UnsupportedTokenTypeException"; - readonly $fault: "client" = "client"; - /** - * @internal - */ - constructor(opts: __ExceptionOptionType) { - super({ - name: "UnsupportedTokenTypeException", - $fault: "client", - ...opts, - }); - Object.setPrototypeOf(this, UnsupportedTokenTypeException.prototype); - } -} - -/** - * @public - */ -export interface SetLogDeliveryConfigurationRequest { - /** - *

    The ID of the user pool where you want to configure detailed activity logging .

    - * @public - */ - UserPoolId: string | undefined; - - /** - *

    A collection of all of the detailed activity logging configurations for a user - * pool.

    - * @public - */ - LogConfigurations: LogConfigurationType[] | undefined; -} - /** * @internal */ diff --git a/clients/client-cognito-identity-provider/src/models/models_1.ts b/clients/client-cognito-identity-provider/src/models/models_1.ts index 0d3a519c75bf..c0ba8eab7016 100644 --- a/clients/client-cognito-identity-provider/src/models/models_1.ts +++ b/clients/client-cognito-identity-provider/src/models/models_1.ts @@ -23,6 +23,7 @@ import { GroupType, IdentityProviderType, LambdaConfigType, + LogConfigurationType, LogDeliveryConfigurationType, MFAOptionType, OAuthFlowType, @@ -52,6 +53,64 @@ import { VerifiedAttributeType, } from "./models_0"; +/** + *

    Exception that is thrown when you attempt to perform an operation that isn't enabled + * for the user pool client.

    + * @public + */ +export class UnsupportedOperationException extends __BaseException { + readonly name: "UnsupportedOperationException" = "UnsupportedOperationException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "UnsupportedOperationException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, UnsupportedOperationException.prototype); + } +} + +/** + *

    Exception that is thrown when an unsupported token is passed to an operation.

    + * @public + */ +export class UnsupportedTokenTypeException extends __BaseException { + readonly name: "UnsupportedTokenTypeException" = "UnsupportedTokenTypeException"; + readonly $fault: "client" = "client"; + /** + * @internal + */ + constructor(opts: __ExceptionOptionType) { + super({ + name: "UnsupportedTokenTypeException", + $fault: "client", + ...opts, + }); + Object.setPrototypeOf(this, UnsupportedTokenTypeException.prototype); + } +} + +/** + * @public + */ +export interface SetLogDeliveryConfigurationRequest { + /** + *

    The ID of the user pool where you want to configure logging.

    + * @public + */ + UserPoolId: string | undefined; + + /** + *

    A collection of the logging configurations for a user pool.

    + * @public + */ + LogConfigurations: LogConfigurationType[] | undefined; +} + /** * @public */ @@ -420,7 +479,7 @@ export interface SignUpResponse { CodeDeliveryDetails?: CodeDeliveryDetailsType; /** - *

    The UUID of the authenticated user. This isn't the same as + *

    The 128-bit ID of the authenticated user. This isn't the same as * username.

    * @public */ @@ -1451,6 +1510,7 @@ export interface UpdateUserPoolClientRequest { * existence related errors aren't prevented.

    * * + *

    Defaults to LEGACY when you don't provide a value.

    * @public */ PreventUserExistenceErrors?: PreventUserExistenceErrorTypes; diff --git a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts index f6ab26333a8a..1a5878867828 100644 --- a/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts +++ b/clients/client-cognito-identity-provider/src/protocols/Aws_json1_1.ts @@ -402,6 +402,7 @@ import { EventFilterType, ExpiredCodeException, ExplicitAuthFlowsType, + FirehoseConfigurationType, ForbiddenException, ForgetDeviceRequest, ForgotPasswordRequest, @@ -462,6 +463,7 @@ import { NotifyEmailType, NumberAttributeConstraintsType, OAuthFlowType, + PasswordHistoryPolicyViolationException, PasswordPolicyType, PasswordResetRequiredException, PreconditionNotMetException, @@ -476,9 +478,9 @@ import { RevokeTokenRequest, RiskConfigurationType, RiskExceptionConfigurationType, + S3ConfigurationType, SchemaAttributeType, ScopeDoesNotExistException, - SetLogDeliveryConfigurationRequest, SmsConfigurationType, SmsMfaConfigType, SMSMfaSettingsType, @@ -493,8 +495,6 @@ import { UnauthorizedException, UnexpectedLambdaException, UnsupportedIdentityProviderException, - UnsupportedOperationException, - UnsupportedTokenTypeException, UnsupportedUserStateException, UserAttributeUpdateSettingsType, UserContextDataType, @@ -519,6 +519,7 @@ import { } from "../models/models_0"; import { EnableSoftwareTokenMFAException, + SetLogDeliveryConfigurationRequest, SetRiskConfigurationRequest, SetRiskConfigurationResponse, SetUICustomizationRequest, @@ -532,6 +533,8 @@ import { StopUserImportJobRequest, StopUserImportJobResponse, TagResourceRequest, + UnsupportedOperationException, + UnsupportedTokenTypeException, UntagResourceRequest, UpdateAuthEventFeedbackRequest, UpdateDeviceStatusRequest, 
@@ -4006,6 +4009,9 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext): case "ExpiredCodeException": case "com.amazonaws.cognitoidentityprovider#ExpiredCodeException": throw await de_ExpiredCodeExceptionRes(parsedOutput, context); + case "PasswordHistoryPolicyViolationException": + case "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException": + throw await de_PasswordHistoryPolicyViolationExceptionRes(parsedOutput, context); case "SoftwareTokenMFANotFoundException": case "com.amazonaws.cognitoidentityprovider#SoftwareTokenMFANotFoundException": throw await de_SoftwareTokenMFANotFoundExceptionRes(parsedOutput, context); @@ -4388,6 +4394,22 @@ const de_NotAuthorizedExceptionRes = async ( return __decorateServiceException(exception, body); }; +/** + * deserializeAws_json1_1PasswordHistoryPolicyViolationExceptionRes + */ +const de_PasswordHistoryPolicyViolationExceptionRes = async ( + parsedOutput: any, + context: __SerdeContext +): Promise => { + const body = parsedOutput.body; + const deserialized: any = _json(body); + const exception = new PasswordHistoryPolicyViolationException({ + $metadata: deserializeMetadata(parsedOutput), + ...deserialized, + }); + return __decorateServiceException(exception, body); +}; + /** * deserializeAws_json1_1PasswordResetRequiredExceptionRes */ @@ -4882,6 +4904,8 @@ const de_UserPoolTaggingExceptionRes = async ( // se_ExplicitAuthFlowsListType omitted. +// se_FirehoseConfigurationType omitted. + // se_ForgetDeviceRequest omitted. // se_ForgotPasswordRequest omitted. @@ -4982,6 +5006,8 @@ const de_UserPoolTaggingExceptionRes = async ( // se_RiskExceptionConfigurationType omitted. +// se_S3ConfigurationType omitted. + // se_SchemaAttributesListType omitted. // se_SchemaAttributeType omitted. 
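Review bot: In `de_PasswordHistoryPolicyViolationExceptionRes` the response body is spread after `$metadata`, so a body key named `$metadata` would replace the value built by `deserializeMetadata(parsedOutput)`. Putting the computed field last keeps it authoritative whatever the body contains: `...deserialized,` followed by `$metadata: deserializeMetadata(parsedOutput),`. The exception constructor added in models_0.ts has the same ordering (`name` and `$fault` are set before `...opts`). The neighbouring deserializers are not visible in this hunk; if they share the pattern, as this file appears to be generated, the change belongs in the generator rather than in this one function.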
@@ -5443,6 +5469,8 @@ const de_EventFeedbackType = (output: any, context: __SerdeContext): EventFeedba // de_ExplicitAuthFlowsListType omitted. +// de_FirehoseConfigurationType omitted. + // de_ForbiddenException omitted. // de_ForgotPasswordResponse omitted. @@ -5677,6 +5705,8 @@ const de_ListUsersResponse = (output: any, context: __SerdeContext): ListUsersRe // de_OAuthFlowsType omitted. +// de_PasswordHistoryPolicyViolationException omitted. + // de_PasswordPolicyType omitted. // de_PasswordResetRequiredException omitted. @@ -5747,6 +5777,8 @@ const de_RiskConfigurationType = (output: any, context: __SerdeContext): RiskCon // de_RiskExceptionConfigurationType omitted. +// de_S3ConfigurationType omitted. + // de_SchemaAttributesListType omitted. // de_SchemaAttributeType omitted. diff --git a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json index 7f8309db4bb1..677624d82548 100644 --- a/codegen/sdk-codegen/aws-models/cognito-identity-provider.json +++ b/codegen/sdk-codegen/aws-models/cognito-identity-provider.json @@ -366,7 +366,7 @@ "name": "cognito-idp" }, "aws.protocols#awsJson1_1": {}, - "smithy.api#documentation": "

    With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To\n authenticate users from third-party identity providers (IdPs) in this API, you can\n link IdP users to native user profiles. Learn more\n about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.

    \n

    This API reference provides detailed information about API operations and object types\n in Amazon Cognito.

    \n

    Along with resource management operations, the Amazon Cognito user pools API includes classes\n of operations and authorization models for client-side and server-side authentication of\n users. You can interact with operations in the Amazon Cognito user pools API as any of the\n following subjects.

    \n
      \n
    1. \n

      An administrator who wants to configure user pools, app clients, users,\n groups, or other user pool functions.

      \n
    2. \n
    3. \n

      A server-side app, like a web application, that wants to use its Amazon Web Services\n privileges to manage, authenticate, or authorize a user.

      \n
    4. \n
    5. \n

      A client-side app, like a mobile app, that wants to make unauthenticated\n requests to manage, authenticate, or authorize a user.

      \n
    6. \n
    \n

    For more information, see Using the Amazon Cognito user pools API and user pool endpoints\n in the Amazon Cognito Developer Guide.

    \n

    With your Amazon Web Services SDK, you can build the logic to support operational flows in every use\n case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started\n with the CognitoIdentityProvider client in other supported Amazon Web Services\n SDKs.

    \n \n

    To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services\n SDKs.

    ", + "smithy.api#documentation": "

    With the Amazon Cognito user pools API, you can configure user pools and authenticate users. To\n authenticate users from third-party identity providers (IdPs) in this API, you can\n link IdP users to native user profiles. Learn more\n about the authentication and authorization of federated users at Adding user pool sign-in through a third party and in the User pool federation endpoints and hosted UI reference.

    \n

    This API reference provides detailed information about API operations and object types\n in Amazon Cognito.

    \n

    Along with resource management operations, the Amazon Cognito user pools API includes classes\n of operations and authorization models for client-side and server-side authentication of\n users. You can interact with operations in the Amazon Cognito user pools API as any of the\n following subjects.

    \n
      \n
    1. \n

      An administrator who wants to configure user pools, app clients, users,\n groups, or other user pool functions.

      \n
    2. \n
    3. \n

      A server-side app, like a web application, that wants to use its Amazon Web Services\n privileges to manage, authenticate, or authorize a user.

      \n
    4. \n
    5. \n

      A client-side app, like a mobile app, that wants to make unauthenticated\n requests to manage, authenticate, or authorize a user.

      \n
    6. \n
    \n

    For more information, see Using the Amazon Cognito user pools API and user pool endpoints\n in the Amazon Cognito Developer Guide.

    \n

    With your Amazon Web Services SDK, you can build the logic to support operational flows in every use\n case for this API. You can also make direct REST API requests to Amazon Cognito user pools service endpoints. The following links can get you started\n with the CognitoIdentityProvider client in other supported Amazon Web Services\n SDKs.

    \n \n

    To get started with an Amazon Web Services SDK, see Tools to Build on Amazon Web Services. For example actions and scenarios, see Code examples for Amazon Cognito Identity Provider using Amazon Web Services\n SDKs.

    ", "smithy.api#title": "Amazon Cognito Identity Provider", "smithy.api#xmlNamespace": { "uri": "http://cognito-idp.amazonaws.com/doc/2016-04-18/" @@ -1570,7 +1570,7 @@ } ], "traits": { - "smithy.api#documentation": "

    This IAM-authenticated API operation provides a code that Amazon Cognito sent to your user\n when they signed up in your user pool. After your user enters their code, they confirm\n ownership of the email address or phone number that they provided, and their user\n account becomes active. Depending on your user pool configuration, your users will\n receive their confirmation code in an email or SMS message.

    \n

    Local users who signed up in your user pool are the only type of user who can confirm\n sign-up with a code. Users who federate through an external identity provider (IdP) have\n already been confirmed by their IdP. Administrator-created users confirm their accounts\n when they respond to their invitation email message and choose a password.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n
    " + "smithy.api#documentation": "

    This IAM-authenticated API operation confirms user sign-up as an administrator.\n Unlike ConfirmSignUp, your IAM credentials authorize user account confirmation.\n No confirmation code is required.

    \n

    This request sets a user account active in a user pool that requires confirmation of new user accounts before they can sign in. You can\n configure your user pool to not send confirmation codes to new users and instead confirm\n them with this API operation on the back end.

    \n \n

    Amazon Cognito evaluates Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you must use IAM credentials to authorize requests, and you must\n grant yourself the corresponding IAM permission in a policy.

    \n

    \n Learn more\n

    \n \n
    " } }, "com.amazonaws.cognitoidentityprovider#AdminConfirmSignUpRequest": { @@ -3114,6 +3114,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException" + }, { "target": "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException" }, @@ -3333,6 +3336,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException" + }, { "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException" }, @@ -3938,7 +3944,7 @@ ], "traits": { "smithy.api#auth": [], - "smithy.api#documentation": "

    Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA)\n for a user, with a unique private key that Amazon Cognito generates and returns in the API\n response. You can authorize an AssociateSoftwareToken request with either\n the user's access token, or a session string from a challenge response that you received\n from Amazon Cognito.

    \n \n

    Amazon Cognito disassociates an existing software token when you verify the new token in a\n VerifySoftwareToken API request. If you don't verify the software\n token and your user pool doesn't require MFA, the user can then authenticate with\n user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito\n generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge\n each time your user signs. Complete setup with AssociateSoftwareToken\n and VerifySoftwareToken.

    \n

    After you set up software token MFA for your user, Amazon Cognito generates a\n SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to\n this challenge with your user's TOTP.

    \n
    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

    \n
    ", + "smithy.api#documentation": "

    Begins setup of time-based one-time password (TOTP) multi-factor authentication (MFA)\n for a user, with a unique private key that Amazon Cognito generates and returns in the API\n response. You can authorize an AssociateSoftwareToken request with either\n the user's access token, or a session string from a challenge response that you received\n from Amazon Cognito.

    \n \n

    Amazon Cognito disassociates an existing software token when you verify the new token in a\n VerifySoftwareToken API request. If you don't verify the software\n token and your user pool doesn't require MFA, the user can then authenticate with\n user name and password credentials alone. If your user pool requires TOTP MFA, Amazon Cognito\n generates an MFA_SETUP or SOFTWARE_TOKEN_SETUP challenge\n each time your user signs in. Complete setup with\n AssociateSoftwareToken and VerifySoftwareToken.

    \n

    After you set up software token MFA for your user, Amazon Cognito generates a\n SOFTWARE_TOKEN_MFA challenge when they authenticate. Respond to\n this challenge with your user's TOTP.

    \n
    \n \n

    Amazon Cognito doesn't evaluate Identity and Access Management (IAM) policies in requests for this API operation. For\n this operation, you can't use IAM credentials to authorize requests, and you can't\n grant IAM permissions in policies. For more information about authorization models in\n Amazon Cognito, see Using the Amazon Cognito user pools API and user pool endpoints.

    \n
    ", "smithy.api#optionalAuth": {} } }, @@ -4478,6 +4484,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException" + }, { "target": "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException" }, @@ -4605,7 +4614,7 @@ } }, "traits": { - "smithy.api#documentation": "

    The CloudWatch logging destination of a user pool detailed activity logging\n configuration.

    " + "smithy.api#documentation": "

    Configuration for the CloudWatch log group destination of user pool detailed activity\n logging, or of user activity log export with advanced security features.

    " } }, "com.amazonaws.cognitoidentityprovider#CodeDeliveryDetailsListType": { @@ -4893,6 +4902,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException" + }, { "target": "com.amazonaws.cognitoidentityprovider#ResourceNotFoundException" }, @@ -6241,7 +6253,7 @@ "PreventUserExistenceErrors": { "target": "com.amazonaws.cognitoidentityprovider#PreventUserExistenceErrorTypes", "traits": { - "smithy.api#documentation": "

    Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY, those APIs return a\n UserNotFoundException exception if the user doesn't exist in the user\n pool.

    \n

    Valid values include:

    \n
      \n
    • \n

      \n ENABLED - This prevents user existence-related errors.

      \n
    • \n
    • \n

      \n LEGACY - This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.

      \n
    • \n
    " + "smithy.api#documentation": "

    Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY, those APIs return a\n UserNotFoundException exception if the user doesn't exist in the user\n pool.

    \n

    Valid values include:

    \n
      \n
    • \n

      \n ENABLED - This prevents user existence-related errors.

      \n
    • \n
    • \n

      \n LEGACY - This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.

      \n
    • \n
    \n

    Defaults to LEGACY when you don't provide a value.

    " } }, "EnableTokenRevocation": { @@ -8132,6 +8144,12 @@ "traits": { "smithy.api#enumValue": "userNotification" } + }, + "USER_AUTH_EVENTS": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "userAuthEvents" + } } } }, @@ -8262,6 +8280,20 @@ } } }, + "com.amazonaws.cognitoidentityprovider#FirehoseConfigurationType": { + "type": "structure", + "members": { + "StreamArn": { + "target": "com.amazonaws.cognitoidentityprovider#ArnType", + "traits": { + "smithy.api#documentation": "

    The ARN of an Amazon Data Firehose stream that's the destination for advanced security\n features log export.

    " + } + } + }, + "traits": { + "smithy.api#documentation": "

    Configuration for the Amazon Data Firehose stream destination of user activity log export with\n advanced security features.

    " + } + }, "com.amazonaws.cognitoidentityprovider#ForbiddenException": { "type": "structure", "members": { @@ -8788,7 +8820,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Gets the detailed activity logging configuration for a user pool.

    " + "smithy.api#documentation": "

    Gets the logging configuration of a user pool.

    " } }, "com.amazonaws.cognitoidentityprovider#GetLogDeliveryConfigurationRequest": { @@ -8797,7 +8829,7 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "

    The ID of the user pool where you want to view detailed activity logging\n configuration.

    ", + "smithy.api#documentation": "

    The ID of the user pool that has the logging configuration that you want to\n view.

    ", "smithy.api#required": {} } } @@ -8812,7 +8844,7 @@ "LogDeliveryConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#LogDeliveryConfigurationType", "traits": { - "smithy.api#documentation": "

    The detailed activity logging configuration of the requested user pool.

    " + "smithy.api#documentation": "

    The logging configuration of the requested user pool.

    " } } }, @@ -9834,7 +9866,7 @@ } }, "traits": { - "smithy.api#documentation": "

    This exception is thrown when the trust relationship is not valid for the role\n provided for SMS configuration. This can happen if you don't trust\n cognito-idp.amazonaws.com or the external ID provided in the role does\n not match what is provided in the SMS configuration for the user pool.

    ", + "smithy.api#documentation": "

    This exception is thrown when the trust relationship is not valid for the role\n provided for SMS configuration. This can happen if you don't trust\n cognito-idp.amazonaws.com or the external ID provided in the role does\n not match what is provided in the SMS configuration for the user pool.

    ", "smithy.api#error": "client", "smithy.api#httpError": 400 } @@ -10903,7 +10935,7 @@ "traits": { "smithy.api#length": { "min": 0, - "max": 1 + "max": 2 } } }, @@ -10913,21 +10945,33 @@ "LogLevel": { "target": "com.amazonaws.cognitoidentityprovider#LogLevel", "traits": { - "smithy.api#documentation": "

    The errorlevel selection of logs that a user pool sends for detailed\n activity logging.

    ", + "smithy.api#documentation": "

    The errorlevel selection of logs that a user pool sends for detailed\n activity logging. To send userNotification activity with information about message delivery, choose ERROR with\n CloudWatchLogsConfiguration. To send userAuthEvents\n activity with user logs from advanced security features, choose INFO with\n one of CloudWatchLogsConfiguration, FirehoseConfiguration, or\n S3Configuration.

    ", "smithy.api#required": {} } }, "EventSource": { "target": "com.amazonaws.cognitoidentityprovider#EventSourceName", "traits": { - "smithy.api#documentation": "

    The source of events that your user pool sends for detailed activity logging.

    ", + "smithy.api#documentation": "

    The source of events that your user pool sends for logging. To send error-level logs\n about user notification activity, set to userNotification. To send\n info-level logs about advanced security features user activity, set to\n userAuthEvents.

    ", "smithy.api#required": {} } }, "CloudWatchLogsConfiguration": { "target": "com.amazonaws.cognitoidentityprovider#CloudWatchLogsConfigurationType", "traits": { - "smithy.api#documentation": "

    The CloudWatch logging destination of a user pool.

    " + "smithy.api#documentation": "

    The CloudWatch log group destination of user pool detailed activity logs, or of user\n activity log export with advanced security features.

    " + } + }, + "S3Configuration": { + "target": "com.amazonaws.cognitoidentityprovider#S3ConfigurationType", + "traits": { + "smithy.api#documentation": "

    The Amazon S3 bucket destination of user activity log export with advanced security\n features. To activate this setting, \n advanced security features must be active in your user pool.

    " + } + }, + "FirehoseConfiguration": { + "target": "com.amazonaws.cognitoidentityprovider#FirehoseConfigurationType", + "traits": { + "smithy.api#documentation": "

    The Amazon Data Firehose stream destination of user activity log export with advanced security\n features. To activate this setting, \n advanced security features must be active in your user pool.

    " } } }, @@ -10941,20 +10985,20 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "

    The ID of the user pool where you configured detailed activity logging.

    ", + "smithy.api#documentation": "

    The ID of the user pool where you configured logging.

    ", "smithy.api#required": {} } }, "LogConfigurations": { "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationListType", "traits": { - "smithy.api#documentation": "

    The detailed activity logging destination of a user pool.

    ", + "smithy.api#documentation": "

    A logging destination of a user pool. User pools can have multiple logging\n destinations for message-delivery and user-activity logs.

    ", "smithy.api#required": {} } } }, "traits": { - "smithy.api#documentation": "

    The logging parameters of a user pool.

    " + "smithy.api#documentation": "

    The logging parameters of a user pool returned in response to\n GetLogDeliveryConfiguration.

    " } }, "com.amazonaws.cognitoidentityprovider#LogLevel": { @@ -10965,6 +11009,12 @@ "traits": { "smithy.api#enumValue": "ERROR" } + }, + "INFO": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "INFO" + } } } }, @@ -11256,6 +11306,28 @@ "smithy.api#pattern": "^[\\S]+$" } }, + "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException": { + "type": "structure", + "members": { + "message": { + "target": "com.amazonaws.cognitoidentityprovider#MessageType" + } + }, + "traits": { + "smithy.api#documentation": "

    The message returned when a user's new password matches a previous password and \n doesn't comply with the password-history policy.

    ", + "smithy.api#error": "client", + "smithy.api#httpError": 400 + } + }, + "com.amazonaws.cognitoidentityprovider#PasswordHistorySizeType": { + "type": "integer", + "traits": { + "smithy.api#range": { + "min": 0, + "max": 24 + } + } + }, "com.amazonaws.cognitoidentityprovider#PasswordPolicyMinLengthType": { "type": "integer", "traits": { @@ -11302,6 +11374,12 @@ "smithy.api#documentation": "

    In the password policy that you have set, refers to whether you have required users to\n use at least one symbol in their password.

    " } }, + "PasswordHistorySize": { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistorySizeType", + "traits": { + "smithy.api#documentation": "

    The number of previous passwords that you want Amazon Cognito to restrict each user from\n reusing. Users can't set a password that matches any of n previous\n passwords, where n is the value of PasswordHistorySize.

    \n

    Password history isn't enforced and isn't displayed in DescribeUserPool responses when you set this value to\n 0 or don't provide it. To activate this setting, \n advanced security features must be active in your user pool.

    " + } + }, "TemporaryPasswordValidityDays": { "target": "com.amazonaws.cognitoidentityprovider#TemporaryPasswordValidityDaysType", "traits": { @@ -11949,6 +12027,9 @@ { "target": "com.amazonaws.cognitoidentityprovider#NotAuthorizedException" }, + { + "target": "com.amazonaws.cognitoidentityprovider#PasswordHistoryPolicyViolationException" + }, { "target": "com.amazonaws.cognitoidentityprovider#PasswordResetRequiredException" }, @@ -12248,6 +12329,16 @@ } } }, + "com.amazonaws.cognitoidentityprovider#S3ArnType": { + "type": "string", + "traits": { + "smithy.api#length": { + "min": 3, + "max": 1024 + }, + "smithy.api#pattern": "^arn:[\\w+=/,.@-]+:[\\w+=/,.@-]+:::[\\w+=/,.@-]+(:[\\w+=/,.@-]+)?(:[\\w+=/,.@-]+)?$" + } + }, "com.amazonaws.cognitoidentityprovider#S3BucketType": { "type": "string", "traits": { @@ -12258,6 +12349,20 @@ "smithy.api#pattern": "^[0-9A-Za-z\\.\\-_]*(?The ARN of an Amazon S3 bucket that's the destination for advanced security features\n log export.

    " + } + } + }, + "traits": { + "smithy.api#documentation": "

    Configuration for the Amazon S3 bucket destination of user activity log export with\n advanced security features.

    " + } + }, "com.amazonaws.cognitoidentityprovider#SESConfigurationSet": { "type": "string", "traits": { @@ -12462,7 +12567,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Sets up or modifies the detailed activity logging configuration of a user pool.

    " + "smithy.api#documentation": "

    Sets up or modifies the logging configuration of a user pool. User pools can export\n user notification logs and advanced security features user activity logs.

    " } }, "com.amazonaws.cognitoidentityprovider#SetLogDeliveryConfigurationRequest": { @@ -12471,14 +12576,14 @@ "UserPoolId": { "target": "com.amazonaws.cognitoidentityprovider#UserPoolIdType", "traits": { - "smithy.api#documentation": "

    The ID of the user pool where you want to configure detailed activity logging .

    ", + "smithy.api#documentation": "

    The ID of the user pool where you want to configure logging.

    ", "smithy.api#required": {} } }, "LogConfigurations": { "target": "com.amazonaws.cognitoidentityprovider#LogConfigurationListType", "traits": { - "smithy.api#documentation": "

    A collection of all of the detailed activity logging configurations for a user\n pool.

    ", + "smithy.api#documentation": "

    A collection of the logging configurations for a user pool.

    ", "smithy.api#required": {} } } @@ -13062,7 +13167,7 @@ "UserSub": { "target": "com.amazonaws.cognitoidentityprovider#StringType", "traits": { - "smithy.api#documentation": "

    The UUID of the authenticated user. This isn't the same as\n username.

    ", + "smithy.api#documentation": "

    The 128-bit ID of the authenticated user. This isn't the same as\n username.

    ", "smithy.api#required": {} } } @@ -14508,7 +14613,7 @@ "PreventUserExistenceErrors": { "target": "com.amazonaws.cognitoidentityprovider#PreventUserExistenceErrorTypes", "traits": { - "smithy.api#documentation": "

    Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY, those APIs return a\n UserNotFoundException exception if the user doesn't exist in the user\n pool.

    \n

    Valid values include:

    \n
      \n
    • \n

      \n ENABLED - This prevents user existence-related errors.

      \n
    • \n
    • \n

      \n LEGACY - This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.

      \n
    • \n
    " + "smithy.api#documentation": "

    Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY, those APIs return a\n UserNotFoundException exception if the user doesn't exist in the user\n pool.

    \n

    Valid values include:

    \n
      \n
    • \n

      \n ENABLED - This prevents user existence-related errors.

      \n
    • \n
    • \n

      \n LEGACY - This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.

      \n
    • \n
    \n

    Defaults to LEGACY when you don't provide a value.

    " } }, "EnableTokenRevocation": { @@ -15238,7 +15343,7 @@ "PreventUserExistenceErrors": { "target": "com.amazonaws.cognitoidentityprovider#PreventUserExistenceErrorTypes", "traits": { - "smithy.api#documentation": "

    Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY, those APIs return a\n UserNotFoundException exception if the user doesn't exist in the user\n pool.

    \n

    Valid values include:

    \n
      \n
    • \n

      \n ENABLED - This prevents user existence-related errors.

      \n
    • \n
    • \n

      \n LEGACY - This represents the old behavior of Amazon Cognito where user\n existence related errors aren't prevented.

      \n
    • \n
    " + "smithy.api#documentation": "

    Errors and responses that you want Amazon Cognito APIs to return during authentication, account\n confirmation, and password recovery when the user doesn't exist in the user pool. When\n set to ENABLED and the user doesn't exist, authentication returns an error\n indicating either the username or password was incorrect. Account confirmation and\n password recovery return a response indicating a code was sent to a simulated\n destination. When set to LEGACY, those APIs return a\n UserNotFoundException exception if the user doesn't exist in the user\n pool.

    \n

    Valid values include:

    \n
      \n
    • \n

      \n ENABLED - This prevents user existence-related errors.

      \n
    • \n
    • \n

      \n LEGACY - This represents the early behavior of Amazon Cognito where user\n existence related errors aren't prevented.

      \n
    • \n
    \n

    Defaults to LEGACY when you don't provide a value.

    " } }, "EnableTokenRevocation": {