Struct aws_sdk_cognitoidentityprovider::client::Client

source · 
pub struct Client { /* private fields */ }
Expand description

Client for Amazon Cognito Identity Provider

Client for invoking operations on Amazon Cognito Identity Provider. Each operation on Amazon Cognito Identity Provider is a method on this this struct. .send() MUST be invoked on the generated operations to dispatch the request to the service.

§Constructing a Client

A Config is required to construct a client. For most use cases, the aws-config crate should be used to automatically resolve this config using aws_config::load_from_env(), since this will resolve an SdkConfig which can be shared across multiple different AWS SDK clients. This config resolution process can be customized by calling aws_config::from_env() instead, which returns a ConfigLoader that uses the builder pattern to customize the default config.

In the simplest case, creating a client looks as follows:

let config = aws_config::load_from_env().await;
let client = aws_sdk_cognitoidentityprovider::Client::new(&config);

Occasionally, SDKs may have additional service-specific values that can be set on the Config that is absent from SdkConfig, or slightly different settings for a specific client may be desired. The Config struct implements From<&SdkConfig>, so setting these specific settings can be done as follows:

let sdk_config = ::aws_config::load_from_env().await;
let config = aws_sdk_cognitoidentityprovider::config::Builder::from(&sdk_config)
    .some_service_specific_setting("value")
    .build();

See the aws-config docs and Config for more information on customizing configuration.

Note: Client construction is expensive due to connection thread pool initialization, and should be done once at application start-up.

§Using the Client

A client has a function for every operation that can be performed by the service. For example, the AddCustomAttributes operation has a Client::add_custom_attributes, function which returns a builder for that operation. The fluent builder ultimately has a send() function that returns an async future that returns a result, as illustrated below:

let result = client.add_custom_attributes()
    .user_pool_id("example")
    .send()
    .await;

The underlying HTTP requests that get made by this can be modified with the customize_operation function on the fluent builder. See the customize module for more information.

Implementations§

source§

impl Client

source

pub fn add_custom_attributes(&self) -> AddCustomAttributesFluentBuilder

Constructs a fluent builder for the AddCustomAttributes operation.

source§

impl Client

source

pub fn admin_add_user_to_group(&self) -> AdminAddUserToGroupFluentBuilder

Constructs a fluent builder for the AdminAddUserToGroup operation.

source§

impl Client

source

pub fn admin_confirm_sign_up(&self) -> AdminConfirmSignUpFluentBuilder

Constructs a fluent builder for the AdminConfirmSignUp operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for which you want to confirm user registration.


    • username(impl Into<String>) / set_username(Option<String>):
      required: true

      The username of the user that you want to query or modify. The value of this parameter is typically your user’s username, but it can be any of their alias attributes. If username isn’t an alias attribute in your user pool, this value must be the sub of a local user or the username of a user from a third-party IdP.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      If your user pool configuration includes triggers, the AdminConfirmSignUp API action invokes the Lambda function that is specified for the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. In this payload, the clientMetadata attribute provides the data that you assigned to the ClientMetadata parameter in your AdminConfirmSignUp request. In your function code in Lambda, you can process the ClientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with AdminConfirmSignUpOutput
  • On failure, responds with SdkError<AdminConfirmSignUpError>
source§

impl Client

source

pub fn admin_create_user(&self) -> AdminCreateUserFluentBuilder

Constructs a fluent builder for the AdminCreateUser operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool where the user will be created.


    • username(impl Into<String>) / set_username(Option<String>):
      required: true

      The value that you want to set as the username sign-in attribute. The following conditions apply to the username parameter.

      • The username can’t be a duplicate of another username in the same user pool.

      • You can’t change the value of a username after you create it.

      • You can only provide a value if usernames are a valid sign-in attribute for your user pool. If your user pool only supports phone numbers or email addresses as sign-in attributes, Amazon Cognito automatically generates a username value. For more information, see Customizing sign-in attributes.


    • user_attributes(AttributeType) / set_user_attributes(Option<Vec::<AttributeType>>):
      required: false

      An array of name-value pairs that contain user attributes and attribute values to be set for the user to be created. You can create a user without specifying any attributes other than Username. However, any attributes that you specify as required (when creating a user pool or in the Attributes tab of the console) either you should supply (in your call to AdminCreateUser) or the user should supply (when they sign up in response to your welcome message).

      For custom attributes, you must prepend the custom: prefix to the attribute name.

      To send a message inviting the user to sign up, you must specify the user’s email address or phone number. You can do this in your call to AdminCreateUser or in the Users tab of the Amazon Cognito console for managing your user pools.

      In your call to AdminCreateUser, you can set the email_verified attribute to True, and you can set the phone_number_verified attribute to True. You can also do this by calling AdminUpdateUserAttributes.

      • email: The email address of the user to whom the message that contains the code and username will be sent. Required if the email_verified attribute is set to True, or if “EMAIL” is specified in the DesiredDeliveryMediums parameter.

      • phone_number: The phone number of the user to whom the message that contains the code and username will be sent. Required if the phone_number_verified attribute is set to True, or if “SMS” is specified in the DesiredDeliveryMediums parameter.


    • validation_data(AttributeType) / set_validation_data(Option<Vec::<AttributeType>>):
      required: false

      Temporary user attributes that contribute to the outcomes of your pre sign-up Lambda trigger. This set of key-value pairs are for custom validation of information that you collect from your users but don’t need to retain.

      Your Lambda function can analyze this additional data and act on it. Your function might perform external API operations like logging user attributes and validation data to Amazon CloudWatch Logs. Validation data might also affect the response that your function returns to Amazon Cognito, like automatically confirming the user if they sign up from within your network.

      For more information about the pre sign-up Lambda trigger, see Pre sign-up Lambda trigger.


    • temporary_password(impl Into<String>) / set_temporary_password(Option<String>):
      required: false

      The user’s temporary password. This password must conform to the password policy that you specified when you created the user pool.

      The temporary password is valid only once. To complete the Admin Create User flow, the user must enter the temporary password in the sign-in page, along with a new password to be used in all future sign-ins.

      This parameter isn’t required. If you don’t specify a value, Amazon Cognito generates one for you.

      The temporary password can only be used until the user account expiration limit that you set for your user pool. To reset the account after that time limit, you must call AdminCreateUser again and specify RESEND for the MessageAction parameter.


    • force_alias_creation(bool) / set_force_alias_creation(Option<bool>):
      required: false

      This parameter is used only if the phone_number_verified or email_verified attribute is set to True. Otherwise, it is ignored.

      If this parameter is set to True and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias.

      If this parameter is set to False, the API throws an AliasExistsException error if the alias already exists. The default value is False.


    • message_action(MessageActionType) / set_message_action(Option<MessageActionType>):
      required: false

      Set to RESEND to resend the invitation message to a user that already exists and reset the expiration limit on the user’s account. Set to SUPPRESS to suppress sending the message. You can specify only one value.


    • desired_delivery_mediums(DeliveryMediumType) / set_desired_delivery_mediums(Option<Vec::<DeliveryMediumType>>):
      required: false

      Specify “EMAIL” if email will be used to send the welcome message. Specify “SMS” if the phone number will be used. The default value is “SMS”. You can specify more than one value.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the pre sign-up trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with AdminCreateUserOutput with field(s):
  • On failure, responds with SdkError<AdminCreateUserError>
source§

impl Client

source

pub fn admin_delete_user(&self) -> AdminDeleteUserFluentBuilder

Constructs a fluent builder for the AdminDeleteUser operation.

source§

impl Client

source

pub fn admin_delete_user_attributes( &self ) -> AdminDeleteUserAttributesFluentBuilder

Constructs a fluent builder for the AdminDeleteUserAttributes operation.

source§

impl Client

source

pub fn admin_disable_provider_for_user( &self ) -> AdminDisableProviderForUserFluentBuilder

Constructs a fluent builder for the AdminDisableProviderForUser operation.

source§

impl Client

source

pub fn admin_disable_user(&self) -> AdminDisableUserFluentBuilder

Constructs a fluent builder for the AdminDisableUser operation.

source§

impl Client

source

pub fn admin_enable_user(&self) -> AdminEnableUserFluentBuilder

Constructs a fluent builder for the AdminEnableUser operation.

source§

impl Client

source

pub fn admin_forget_device(&self) -> AdminForgetDeviceFluentBuilder

Constructs a fluent builder for the AdminForgetDevice operation.

source§

impl Client

source

pub fn admin_get_device(&self) -> AdminGetDeviceFluentBuilder

Constructs a fluent builder for the AdminGetDevice operation.

source§

impl Client

source

pub fn admin_get_user(&self) -> AdminGetUserFluentBuilder

Constructs a fluent builder for the AdminGetUser operation.

  • The fluent builder is configurable:
  • On success, responds with AdminGetUserOutput with field(s):
    • username(String):

      The username of the user that you requested.

    • user_attributes(Option<Vec::<AttributeType>>):

      An array of name-value pairs representing user attributes.

    • user_create_date(Option<DateTime>):

      The date the user was created.

    • user_last_modified_date(Option<DateTime>):

      The date and time when the item was modified. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java Date object.

    • enabled(bool):

      Indicates that the status is enabled.

    • user_status(Option<UserStatusType>):

      The user status. Can be one of the following:

      • UNCONFIRMED - User has been created but not confirmed.

      • CONFIRMED - User has been confirmed.

      • UNKNOWN - User status isn’t known.

      • RESET_REQUIRED - User is confirmed, but the user must request a code and reset their password before they can sign in.

      • FORCE_CHANGE_PASSWORD - The user is confirmed and the user can sign in using a temporary password, but on first sign-in, the user must change their password to a new value before doing anything else.

    • mfa_options(Option<Vec::<MfaOptionType>>):

      This response parameter is no longer supported. It provides information only about SMS MFA configurations. It doesn’t provide information about time-based one-time password (TOTP) software token MFA configurations. To look up information about either type of MFA configuration, use UserMFASettingList instead.

    • preferred_mfa_setting(Option<String>):

      The user’s preferred MFA setting.

    • user_mfa_setting_list(Option<Vec::<String>>):

      The MFA options that are activated for the user. The possible values in this list are SMS_MFA and SOFTWARE_TOKEN_MFA.

  • On failure, responds with SdkError<AdminGetUserError>
source§

impl Client

source

pub fn admin_initiate_auth(&self) -> AdminInitiateAuthFluentBuilder

Constructs a fluent builder for the AdminInitiateAuth operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The ID of the Amazon Cognito user pool.


    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The app client ID.


    • auth_flow(AuthFlowType) / set_auth_flow(Option<AuthFlowType>):
      required: true

      The authentication flow for this call to run. The API action will depend on this value. For example:

      • REFRESH_TOKEN_AUTH will take in a valid refresh token and return new tokens.

      • USER_SRP_AUTH will take in USERNAME and SRP_A and return the Secure Remote Password (SRP) protocol variables to be used for next challenge execution.

      • ADMIN_USER_PASSWORD_AUTH will take in USERNAME and PASSWORD and return the next challenge or tokens.

      Valid values include:

      • USER_SRP_AUTH: Authentication flow for the Secure Remote Password (SRP) protocol.

      • REFRESH_TOKEN_AUTH/REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.

      • CUSTOM_AUTH: Custom authentication flow.

      • ADMIN_NO_SRP_AUTH: Non-SRP authentication flow; you can pass in the USERNAME and PASSWORD directly if the flow is enabled for calling the app client.

      • ADMIN_USER_PASSWORD_AUTH: Admin-based user password authentication. This replaces the ADMIN_NO_SRP_AUTH authentication flow. In this flow, Amazon Cognito receives the password in the request instead of using the SRP process to verify passwords.


    • auth_parameters(impl Into<String>, impl Into<String>) / set_auth_parameters(Option<HashMap::<String, String>>):
      required: false

      The authentication parameters. These are inputs corresponding to the AuthFlow that you’re invoking. The required values depend on the value of AuthFlow:

      • For USER_SRP_AUTH: USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY.

      • For ADMIN_USER_PASSWORD_AUTH: USERNAME (required), PASSWORD (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY.

      • For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY.

      • For CUSTOM_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY. To start the authentication flow with password verification, include ChallengeName: SRP_A and SRP_A: (The SRP_A Value).

      For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminInitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:

      • Pre signup

      • Pre authentication

      • User migration

      When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminInitiateAuth request. In your function code in Lambda, you can process the validationData value to enhance your workflow for your specific needs.

      When you use the AdminInitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn’t provide the ClientMetadata value as input:

      • Post authentication

      • Custom message

      • Pre token generation

      • Create auth challenge

      • Define auth challenge

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


    • analytics_metadata(AnalyticsMetadataType) / set_analytics_metadata(Option<AnalyticsMetadataType>):
      required: false

      The analytics metadata for collecting Amazon Pinpoint metrics for AdminInitiateAuth calls.


    • context_data(ContextDataType) / set_context_data(Option<ContextDataType>):
      required: false

      Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.


  • On success, responds with AdminInitiateAuthOutput with field(s):
    • challenge_name(Option<ChallengeNameType>):

      The name of the challenge that you’re responding to with this call. This is returned in the AdminInitiateAuth response if you must pass another challenge.

      • MFA_SETUP: If MFA is required, users who don’t have at least one of the MFA methods set up are presented with an MFA_SETUP challenge. The user must set up at least one MFA type to continue to authenticate.

      • SELECT_MFA_TYPE: Selects the MFA type. Valid MFA options are SMS_MFA for text SMS MFA, and SOFTWARE_TOKEN_MFA for time-based one-time password (TOTP) software token MFA.

      • SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.

      • PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.

      • CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.

      • DEVICE_SRP_AUTH: If device tracking was activated in your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.

      • DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.

      • ADMIN_NO_SRP_AUTH: This is returned if you must authenticate with USERNAME and PASSWORD directly. An app client must be enabled to use this flow.

      • NEW_PASSWORD_REQUIRED: For users who are required to change their passwords after successful first login. Respond to this challenge with NEW_PASSWORD and any required attributes that Amazon Cognito returned in the requiredAttributes parameter. You can also set values for attributes that aren’t required by your user pool and that your app client can write. For more information, see AdminRespondToAuthChallenge.

        In a NEW_PASSWORD_REQUIRED challenge response, you can’t modify a required attribute that already has a value. In AdminRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the AdminUpdateUserAttributes API operation to modify the value of any additional attributes.

      • MFA_SETUP: For users who are required to set up an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters MFAS_CAN_SETUP value.

        To set up software token MFA, use the session returned here from InitiateAuth as an input to AssociateSoftwareToken, and use the session returned by VerifySoftwareToken as an input to RespondToAuthChallenge with challenge name MFA_SETUP to complete sign-in. To set up SMS MFA, users will need help from an administrator to add a phone number to their account and then call InitiateAuth again to restart sign-in.

    • session(Option<String>):

      The session that should be passed both ways in challenge-response calls to the service. If AdminInitiateAuth or AdminRespondToAuthChallenge API call determines that the caller must pass another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next AdminRespondToAuthChallenge API call.

    • challenge_parameters(Option<HashMap::<String, String>>):

      The challenge parameters. These are returned to you in the AdminInitiateAuth response if you must pass another challenge. The responses in this parameter should be used to compute inputs to the next call (AdminRespondToAuthChallenge).

      All challenges require USERNAME and SECRET_HASH (if applicable).

      The value of the USER_ID_FOR_SRP attribute is the user’s actual username, not an alias (such as email address or phone number), even if you specified an alias in your call to AdminInitiateAuth. This happens because, in the AdminRespondToAuthChallenge API ChallengeResponses, the USERNAME attribute can’t be an alias.

    • authentication_result(Option<AuthenticationResultType>):

      The result of the authentication response. This is only returned if the caller doesn’t need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName, ChallengeParameters, and Session are returned.

  • On failure, responds with SdkError<AdminInitiateAuthError>
source§

impl Client

Constructs a fluent builder for the AdminLinkProviderForUser operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool.


    • destination_user(ProviderUserIdentifierType) / set_destination_user(Option<ProviderUserIdentifierType>):
      required: true

      The existing user in the user pool that you want to assign to the external IdP user account. This user can be a local (Username + Password) Amazon Cognito user pools user or a federated user (for example, a SAML or Facebook user). If the user doesn’t exist, Amazon Cognito generates an exception. Amazon Cognito returns this user when the new user (with the linked IdP attribute) signs in.

      For a native username + password user, the ProviderAttributeValue for the DestinationUser should be the username in the user pool. For a federated user, it should be the provider-specific user_id.

      The ProviderAttributeName of the DestinationUser is ignored.

      The ProviderName should be set to Cognito for users in Cognito user pools.

      All attributes in the DestinationUser profile must be mutable. If you have assigned the user any immutable custom attributes, the operation won’t succeed.


    • source_user(ProviderUserIdentifierType) / set_source_user(Option<ProviderUserIdentifierType>):
      required: true

      An external IdP account for a user who doesn’t exist yet in the user pool. This user must be a federated user (for example, a SAML or Facebook user), not another native user.

      If the SourceUser is using a federated social IdP, such as Facebook, Google, or Login with Amazon, you must set the ProviderAttributeName to Cognito_Subject. For social IdPs, the ProviderName will be Facebook, Google, or LoginWithAmazon, and Amazon Cognito will automatically parse the Facebook, Google, and Login with Amazon tokens for id, sub, and user_id, respectively. The ProviderAttributeValue for the user must be the same value as the id, sub, or user_id value found in the social IdP token.

      For OIDC, the ProviderAttributeName can be any value that matches a claim in the ID token, or that your app retrieves from the userInfo endpoint. You must map the claim to a user pool attribute in your IdP configuration, and set the user pool attribute name as the value of ProviderAttributeName in your AdminLinkProviderForUser request.

      For SAML, the ProviderAttributeName can be any value that matches a claim in the SAML assertion. To link SAML users based on the subject of the SAML assertion, map the subject to a claim through the SAML IdP and set that claim name as the value of ProviderAttributeName in your AdminLinkProviderForUser request.

      For both OIDC and SAML users, when you set ProviderAttributeName to Cognito_Subject, Amazon Cognito will automatically parse the default unique identifier found in the subject from the IdP token.


  • On success, responds with AdminLinkProviderForUserOutput
  • On failure, responds with SdkError<AdminLinkProviderForUserError>
source§

impl Client

source

pub fn admin_list_devices(&self) -> AdminListDevicesFluentBuilder

Constructs a fluent builder for the AdminListDevices operation.

source§

impl Client

source

pub fn admin_list_groups_for_user(&self) -> AdminListGroupsForUserFluentBuilder

Constructs a fluent builder for the AdminListGroupsForUser operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn admin_list_user_auth_events( &self ) -> AdminListUserAuthEventsFluentBuilder

Constructs a fluent builder for the AdminListUserAuthEvents operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn admin_remove_user_from_group( &self ) -> AdminRemoveUserFromGroupFluentBuilder

Constructs a fluent builder for the AdminRemoveUserFromGroup operation.

source§

impl Client

source

pub fn admin_reset_user_password(&self) -> AdminResetUserPasswordFluentBuilder

Constructs a fluent builder for the AdminResetUserPassword operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool where you want to reset the user’s password.


    • username(impl Into<String>) / set_username(Option<String>):
      required: true

      The username of the user that you want to query or modify. The value of this parameter is typically your user’s username, but it can be any of their alias attributes. If username isn’t an alias attribute in your user pool, this value must be the sub of a local user or the username of a user from a third-party IdP.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminResetUserPassword API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminResetUserPassword request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with AdminResetUserPasswordOutput
  • On failure, responds with SdkError<AdminResetUserPasswordError>
source§

impl Client

source

pub fn admin_respond_to_auth_challenge( &self ) -> AdminRespondToAuthChallengeFluentBuilder

Constructs a fluent builder for the AdminRespondToAuthChallenge operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The ID of the Amazon Cognito user pool.


    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The app client ID.


    • challenge_name(ChallengeNameType) / set_challenge_name(Option<ChallengeNameType>):
      required: true

      The challenge name. For more information, see AdminInitiateAuth.


    • challenge_responses(impl Into<String>, impl Into<String>) / set_challenge_responses(Option<HashMap::<String, String>>):
      required: false

      The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.

      You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret.
      SMS_MFA

      “ChallengeName”: “SMS_MFA”, “ChallengeResponses”: {“SMS_MFA_CODE”: “[SMS_code]”, “USERNAME”: “[username]”}

      PASSWORD_VERIFIER

      “ChallengeName”: “PASSWORD_VERIFIER”, “ChallengeResponses”: {“PASSWORD_CLAIM_SIGNATURE”: “[claim_signature]”, “PASSWORD_CLAIM_SECRET_BLOCK”: “[secret_block]”, “TIMESTAMP”: [timestamp], “USERNAME”: “[username]”}

      Add “DEVICE_KEY” when you sign in with a remembered device.

      CUSTOM_CHALLENGE

      “ChallengeName”: “CUSTOM_CHALLENGE”, “ChallengeResponses”: {“USERNAME”: “[username]”, “ANSWER”: “[challenge_answer]”}

      Add “DEVICE_KEY” when you sign in with a remembered device.

      NEW_PASSWORD_REQUIRED

      “ChallengeName”: “NEW_PASSWORD_REQUIRED”, “ChallengeResponses”: {“NEW_PASSWORD”: “[new_password]”, “USERNAME”: “[username]”}

      To set any required attributes that InitiateAuth returned in an requiredAttributes parameter, add “userAttributes.[attribute_name]”: “[attribute_value]”. This parameter can also set values for writable attributes that aren’t required by your user pool.

      In a NEW_PASSWORD_REQUIRED challenge response, you can’t modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
      SOFTWARE_TOKEN_MFA

      “ChallengeName”: “SOFTWARE_TOKEN_MFA”, “ChallengeResponses”: {“USERNAME”: “[username]”, “SOFTWARE_TOKEN_MFA_CODE”: [authenticator_code]}

      DEVICE_SRP_AUTH

      “ChallengeName”: “DEVICE_SRP_AUTH”, “ChallengeResponses”: {“USERNAME”: “[username]”, “DEVICE_KEY”: “[device_key]”, “SRP_A”: “[srp_a]”}

      DEVICE_PASSWORD_VERIFIER

      “ChallengeName”: “DEVICE_PASSWORD_VERIFIER”, “ChallengeResponses”: {“DEVICE_KEY”: “[device_key]”, “PASSWORD_CLAIM_SIGNATURE”: “[claim_signature]”, “PASSWORD_CLAIM_SECRET_BLOCK”: “[secret_block]”, “TIMESTAMP”: [timestamp], “USERNAME”: “[username]”}

      MFA_SETUP

      “ChallengeName”: “MFA_SETUP”, “ChallengeResponses”: {“USERNAME”: “[username]”}, “SESSION”: “[Session ID from VerifySoftwareToken]”

      SELECT_MFA_TYPE

      “ChallengeName”: “SELECT_MFA_TYPE”, “ChallengeResponses”: {“USERNAME”: “[username]”, “ANSWER”: “[SMS_MFA or SOFTWARE_TOKEN_MFA]”}

      For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.


    • session(impl Into<String>) / set_session(Option<String>):
      required: false

      The session that should be passed both ways in challenge-response calls to the service. If an InitiateAuth or RespondToAuthChallenge API call determines that the caller must pass another challenge, it returns a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.


    • analytics_metadata(AnalyticsMetadataType) / set_analytics_metadata(Option<AnalyticsMetadataType>):
      required: false

      The analytics metadata for collecting Amazon Pinpoint metrics for AdminRespondToAuthChallenge calls.


    • context_data(ContextDataType) / set_context_data(Option<ContextDataType>):
      required: false

      Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminRespondToAuthChallenge API action, Amazon Cognito invokes any functions that you have assigned to the following triggers:

      • pre sign-up

      • custom message

      • post authentication

      • user migration

      • pre token generation

      • define auth challenge

      • create auth challenge

      • verify auth challenge response

      When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute that provides the data that you assigned to the ClientMetadata parameter in your AdminRespondToAuthChallenge request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with AdminRespondToAuthChallengeOutput with field(s):
  • On failure, responds with SdkError<AdminRespondToAuthChallengeError>
source§

impl Client

source

pub fn admin_set_user_mfa_preference( &self ) -> AdminSetUserMFAPreferenceFluentBuilder

Constructs a fluent builder for the AdminSetUserMFAPreference operation.

source§

impl Client

source

pub fn admin_set_user_password(&self) -> AdminSetUserPasswordFluentBuilder

Constructs a fluent builder for the AdminSetUserPassword operation.

source§

impl Client

source

pub fn admin_set_user_settings(&self) -> AdminSetUserSettingsFluentBuilder

Constructs a fluent builder for the AdminSetUserSettings operation.

source§

impl Client

source

pub fn admin_update_auth_event_feedback( &self ) -> AdminUpdateAuthEventFeedbackFluentBuilder

Constructs a fluent builder for the AdminUpdateAuthEventFeedback operation.

source§

impl Client

source

pub fn admin_update_device_status(&self) -> AdminUpdateDeviceStatusFluentBuilder

Constructs a fluent builder for the AdminUpdateDeviceStatus operation.

source§

impl Client

source

pub fn admin_update_user_attributes( &self ) -> AdminUpdateUserAttributesFluentBuilder

Constructs a fluent builder for the AdminUpdateUserAttributes operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool where you want to update user attributes.


    • username(impl Into<String>) / set_username(Option<String>):
      required: true

      The username of the user that you want to query or modify. The value of this parameter is typically your user’s username, but it can be any of their alias attributes. If username isn’t an alias attribute in your user pool, this value must be the sub of a local user or the username of a user from a third-party IdP.


    • user_attributes(AttributeType) / set_user_attributes(Option<Vec::<AttributeType>>):
      required: true

      An array of name-value pairs representing user attributes.

      For custom attributes, you must prepend the custom: prefix to the attribute name.

      If your user pool requires verification before Amazon Cognito updates an attribute value that you specify in this request, Amazon Cognito doesn’t immediately update the value of that attribute. After your user receives and responds to a verification message to verify the new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages with the original attribute value until they verify the new value.

      To update the value of an attribute that requires verification in the same API request, include the email_verified or phone_number_verified attribute, with a value of true. If you set the email_verified or phone_number_verified value for an email or phone_number attribute that requires verification to true, Amazon Cognito doesn’t send a verification message to your user.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the AdminUpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminUpdateUserAttributes request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with AdminUpdateUserAttributesOutput
  • On failure, responds with SdkError<AdminUpdateUserAttributesError>
source§

impl Client

source

pub fn admin_user_global_sign_out(&self) -> AdminUserGlobalSignOutFluentBuilder

Constructs a fluent builder for the AdminUserGlobalSignOut operation.

source§

impl Client

source

pub fn associate_software_token(&self) -> AssociateSoftwareTokenFluentBuilder

Constructs a fluent builder for the AssociateSoftwareToken operation.

source§

impl Client

source

pub fn change_password(&self) -> ChangePasswordFluentBuilder

Constructs a fluent builder for the ChangePassword operation.

source§

impl Client

source

pub fn confirm_device(&self) -> ConfirmDeviceFluentBuilder

Constructs a fluent builder for the ConfirmDevice operation.

source§

impl Client

source

pub fn confirm_forgot_password(&self) -> ConfirmForgotPasswordFluentBuilder

Constructs a fluent builder for the ConfirmForgotPassword operation.

source§

impl Client

source

pub fn confirm_sign_up(&self) -> ConfirmSignUpFluentBuilder

Constructs a fluent builder for the ConfirmSignUp operation.

  • The fluent builder is configurable:
    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The ID of the app client associated with the user pool.


    • secret_hash(impl Into<String>) / set_secret_hash(Option<String>):
      required: false

      A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.


    • username(impl Into<String>) / set_username(Option<String>):
      required: true

      The username of the user that you want to query or modify. The value of this parameter is typically your user’s username, but it can be any of their alias attributes. If username isn’t an alias attribute in your user pool, this value must be the sub of a local user or the username of a user from a third-party IdP.


    • confirmation_code(impl Into<String>) / set_confirmation_code(Option<String>):
      required: true

      The confirmation code sent by a user’s request to confirm registration.


    • force_alias_creation(bool) / set_force_alias_creation(Option<bool>):
      required: false

      Boolean to be specified to force user confirmation irrespective of existing alias. By default set to False. If this parameter is set to True and the phone number/email used for sign up confirmation already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user being confirmed. If set to False, the API will throw an AliasExistsException error.


    • analytics_metadata(AnalyticsMetadataType) / set_analytics_metadata(Option<AnalyticsMetadataType>):
      required: false

      The Amazon Pinpoint analytics metadata for collecting metrics for ConfirmSignUp calls.


    • user_context_data(UserContextDataType) / set_user_context_data(Option<UserContextDataType>):
      required: false

      Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ConfirmSignUp API action, Amazon Cognito invokes the function that is assigned to the post confirmation trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ConfirmSignUp request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with ConfirmSignUpOutput
  • On failure, responds with SdkError<ConfirmSignUpError>
source§

impl Client

source

pub fn create_group(&self) -> CreateGroupFluentBuilder

Constructs a fluent builder for the CreateGroup operation.

source§

impl Client

source

pub fn create_identity_provider(&self) -> CreateIdentityProviderFluentBuilder

Constructs a fluent builder for the CreateIdentityProvider operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID.


    • provider_name(impl Into<String>) / set_provider_name(Option<String>):
      required: true

      The IdP name.


    • provider_type(IdentityProviderTypeType) / set_provider_type(Option<IdentityProviderTypeType>):
      required: true

      The IdP type.


    • provider_details(impl Into<String>, impl Into<String>) / set_provider_details(Option<HashMap::<String, String>>):
      required: true

      The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP authorize_scopes values must match the values listed here.

      OpenID Connect (OIDC)

      Amazon Cognito accepts the following elements when it can’t discover endpoint URLs from oidc_issuer: attributes_url, authorize_url, jwks_uri, token_url.

      Create or update request: “ProviderDetails”: { “attributes_request_method”: “GET”, “attributes_url”: “https://auth.example.com/userInfo”, “authorize_scopes”: “openid profile email”, “authorize_url”: “https://auth.example.com/authorize”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret”, “jwks_uri”: “https://auth.example.com/.well-known/jwks.json”, “oidc_issuer”: “https://auth.example.com”, “token_url”: “https://example.com/token” }

      Describe response: “ProviderDetails”: { “attributes_request_method”: “GET”, “attributes_url”: “https://auth.example.com/userInfo”, “attributes_url_add_attributes”: “false”, “authorize_scopes”: “openid profile email”, “authorize_url”: “https://auth.example.com/authorize”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret”, “jwks_uri”: “https://auth.example.com/.well-known/jwks.json”, “oidc_issuer”: “https://auth.example.com”, “token_url”: “https://example.com/token” }

      SAML

      Create or update request with Metadata URL: “ProviderDetails”: { “IDPInit”: “true”, “IDPSignout”: “true”, “EncryptedResponses” : “true”, “MetadataURL”: “https://auth.example.com/sso/saml/metadata”, “RequestSigningAlgorithm”: “rsa-sha256” }

      Create or update request with Metadata file: “ProviderDetails”: { “IDPInit”: “true”, “IDPSignout”: “true”, “EncryptedResponses” : “true”, “MetadataFile”: “[metadata XML]”, “RequestSigningAlgorithm”: “rsa-sha256” }

      The value of MetadataFile must be the plaintext metadata document with all quote (“) characters escaped by backslashes.

      Describe response: “ProviderDetails”: { “IDPInit”: “true”, “IDPSignout”: “true”, “EncryptedResponses” : “true”, “ActiveEncryptionCertificate”: “[certificate]”, “MetadataURL”: “https://auth.example.com/sso/saml/metadata”, “RequestSigningAlgorithm”: “rsa-sha256”, “SLORedirectBindingURI”: “https://auth.example.com/slo/saml”, “SSORedirectBindingURI”: “https://auth.example.com/sso/saml” }

      LoginWithAmazon

      Create or update request: “ProviderDetails”: { “authorize_scopes”: “profile postal_code”, “client_id”: “amzn1.application-oa2-client.1example23456789”, “client_secret”: “provider-app-client-secret”

      Describe response: “ProviderDetails”: { “attributes_url”: “https://api.amazon.com/user/profile”, “attributes_url_add_attributes”: “false”, “authorize_scopes”: “profile postal_code”, “authorize_url”: “https://www.amazon.com/ap/oa”, “client_id”: “amzn1.application-oa2-client.1example23456789”, “client_secret”: “provider-app-client-secret”, “token_request_method”: “POST”, “token_url”: “https://api.amazon.com/auth/o2/token” }

      Google

      Create or update request: “ProviderDetails”: { “authorize_scopes”: “email profile openid”, “client_id”: “1example23456789.apps.googleusercontent.com”, “client_secret”: “provider-app-client-secret” }

      Describe response: “ProviderDetails”: { “attributes_url”: “https://people.googleapis.com/v1/people/me?personFields=”, “attributes_url_add_attributes”: “true”, “authorize_scopes”: “email profile openid”, “authorize_url”: “https://accounts.google.com/o/oauth2/v2/auth”, “client_id”: “1example23456789.apps.googleusercontent.com”, “client_secret”: “provider-app-client-secret”, “oidc_issuer”: “https://accounts.google.com”, “token_request_method”: “POST”, “token_url”: “https://www.googleapis.com/oauth2/v4/token” }

      SignInWithApple

      Create or update request: “ProviderDetails”: { “authorize_scopes”: “email name”, “client_id”: “com.example.cognito”, “private_key”: “1EXAMPLE”, “key_id”: “2EXAMPLE”, “team_id”: “3EXAMPLE” }

      Describe response: “ProviderDetails”: { “attributes_url_add_attributes”: “false”, “authorize_scopes”: “email name”, “authorize_url”: “https://appleid.apple.com/auth/authorize”, “client_id”: “com.example.cognito”, “key_id”: “1EXAMPLE”, “oidc_issuer”: “https://appleid.apple.com”, “team_id”: “2EXAMPLE”, “token_request_method”: “POST”, “token_url”: “https://appleid.apple.com/auth/token” }

      Facebook

      Create or update request: “ProviderDetails”: { “api_version”: “v17.0”, “authorize_scopes”: “public_profile, email”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret” }

      Describe response: “ProviderDetails”: { “api_version”: “v17.0”, “attributes_url”: “https://graph.facebook.com/v17.0/me?fields=”, “attributes_url_add_attributes”: “true”, “authorize_scopes”: “public_profile, email”, “authorize_url”: “https://www.facebook.com/v17.0/dialog/oauth”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret”, “token_request_method”: “GET”, “token_url”: “https://graph.facebook.com/v17.0/oauth/access_token” }


    • attribute_mapping(impl Into<String>, impl Into<String>) / set_attribute_mapping(Option<HashMap::<String, String>>):
      required: false

      A mapping of IdP attributes to standard and custom user pool attributes.


    • idp_identifiers(impl Into<String>) / set_idp_identifiers(Option<Vec::<String>>):
      required: false

      A list of IdP identifiers.


  • On success, responds with CreateIdentityProviderOutput with field(s):
  • On failure, responds with SdkError<CreateIdentityProviderError>
source§

impl Client

source

pub fn create_resource_server(&self) -> CreateResourceServerFluentBuilder

Constructs a fluent builder for the CreateResourceServer operation.

source§

impl Client

source

pub fn create_user_import_job(&self) -> CreateUserImportJobFluentBuilder

Constructs a fluent builder for the CreateUserImportJob operation.

source§

impl Client

source

pub fn create_user_pool(&self) -> CreateUserPoolFluentBuilder

Constructs a fluent builder for the CreateUserPool operation.

source§

impl Client

source

pub fn create_user_pool_client(&self) -> CreateUserPoolClientFluentBuilder

Constructs a fluent builder for the CreateUserPoolClient operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool where you want to create a user pool client.


    • client_name(impl Into<String>) / set_client_name(Option<String>):
      required: true

      The client name for the user pool client you would like to create.


    • generate_secret(bool) / set_generate_secret(Option<bool>):
      required: false

      Boolean to specify whether you want to generate a secret for the user pool client being created.


    • refresh_token_validity(i32) / set_refresh_token_validity(Option<i32>):
      required: false

      The refresh token time limit. After this limit expires, your user can’t use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

      For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

      The default time unit for RefreshTokenValidity in an API request is days. You can’t set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

      If you don’t specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.


    • access_token_validity(i32) / set_access_token_validity(Option<i32>):
      required: false

      The access token time limit. After this limit expires, your user can’t use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

      For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

      The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

      If you don’t specify otherwise in the configuration of your app client, your access tokens are valid for one hour.


    • id_token_validity(i32) / set_id_token_validity(Option<i32>):
      required: false

      The ID token time limit. After this limit expires, your user can’t use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

      For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

      The default time unit for IdTokenValidity in an API request is hours. Valid range is displayed below in seconds.

      If you don’t specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.


    • token_validity_units(TokenValidityUnitsType) / set_token_validity_units(Option<TokenValidityUnitsType>):
      required: false

      The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.


    • read_attributes(impl Into<String>) / set_read_attributes(Option<Vec::<String>>):
      required: false

      The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a GetUser API request to retrieve and display your user’s profile data.

      When you don’t specify the ReadAttributes for your app client, your app can read the values of email_verified, phone_number_verified, and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ReadAttributes doesn’t return any information. Amazon Cognito only populates ReadAttributes in the API response if you have specified your own custom set of read attributes.


    • write_attributes(impl Into<String>) / set_write_attributes(Option<Vec::<String>>):
      required: false

      The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets family_name to the new value.

      When you don’t specify the WriteAttributes for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, WriteAttributes doesn’t return any information. Amazon Cognito only populates WriteAttributes in the API response if you have specified your own custom set of write attributes.

      If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.


    • explicit_auth_flows(ExplicitAuthFlowsType) / set_explicit_auth_flows(Option<Vec::<ExplicitAuthFlowsType>>):
      required: false

      The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.

      If you don’t specify a value for ExplicitAuthFlows, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

      Valid values include:

      • ALLOW_ADMIN_USER_PASSWORD_AUTH: Enable admin based user password authentication flow ADMIN_USER_PASSWORD_AUTH. This setting replaces the ADMIN_NO_SRP_AUTH setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.

      • ALLOW_CUSTOM_AUTH: Enable Lambda trigger based authentication.

      • ALLOW_USER_PASSWORD_AUTH: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.

      • ALLOW_USER_SRP_AUTH: Enable SRP-based authentication.

      • ALLOW_REFRESH_TOKEN_AUTH: Enable authflow to refresh tokens.

      In some environments, you will see the values ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, or USER_PASSWORD_AUTH. You can’t assign these legacy ExplicitAuthFlows values to user pool clients at the same time as values that begin with ALLOW_, like ALLOW_USER_SRP_AUTH.


    • supported_identity_providers(impl Into<String>) / set_supported_identity_providers(Option<Vec::<String>>):
      required: false

      A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported: COGNITO, Facebook, Google, SignInWithApple, and LoginWithAmazon. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for example MySAMLIdP or MyOIDCIdP.


    • callback_urls(impl Into<String>) / set_callback_urls(Option<Vec::<String>>):
      required: false

      A list of allowed redirect (callback) URLs for the IdPs.

      A redirect URI must:

      • Be an absolute URI.

      • Be registered with the authorization server.

      • Not include a fragment component.

      See OAuth 2.0 - Redirection Endpoint.

      Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.

      App callback URLs such as myapp://example are also supported.


    • logout_urls(impl Into<String>) / set_logout_urls(Option<Vec::<String>>):
      required: false

      A list of allowed logout URLs for the IdPs.


    • default_redirect_uri(impl Into<String>) / set_default_redirect_uri(Option<String>):
      required: false

      The default redirect URI. In app clients with one assigned IdP, replaces redirect_uri in authentication requests. Must be in the CallbackURLs list.

      A redirect URI must:

      • Be an absolute URI.

      • Be registered with the authorization server.

      • Not include a fragment component.

      For more information, see Default redirect URI.

      Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.

      App callback URLs such as myapp://example are also supported.


    • allowed_o_auth_flows(OAuthFlowType) / set_allowed_o_auth_flows(Option<Vec::<OAuthFlowType>>):
      required: false

      The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add client_credentials as the only allowed OAuth flow.

      code

      Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the /oauth2/token endpoint.

      implicit

      Issue the access token (and, optionally, ID token, based on scopes) directly to your user.

      client_credentials

      Issue the access token from the /oauth2/token endpoint directly to a non-person user using a combination of the client ID and client secret.


    • allowed_o_auth_scopes(impl Into<String>) / set_allowed_o_auth_scopes(Option<Vec::<String>>):
      required: false

      The allowed OAuth scopes. Possible values provided by OAuth are phone, email, openid, and profile. Possible values provided by Amazon Web Services are aws.cognito.signin.user.admin. Custom scopes created in Resource Servers are also supported.


    • allowed_o_auth_flows_user_pool_client(bool) / set_allowed_o_auth_flows_user_pool_client(Option<bool>):
      required: false

      Set to true to use OAuth 2.0 features in your user pool app client.

      AllowedOAuthFlowsUserPoolClient must be true before you can configure the following features in your app client.

      • CallBackURLs: Callback URLs.

      • LogoutURLs: Sign-out redirect URLs.

      • AllowedOAuthScopes: OAuth 2.0 scopes.

      • AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

      To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or UpdateUserPoolClient API request. If you don’t set a value for AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults to false.


    • analytics_configuration(AnalyticsConfigurationType) / set_analytics_configuration(Option<AnalyticsConfigurationType>):
      required: false

      The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.

      In Amazon Web Services Regions where Amazon Pinpoint isn’t available, user pools only support sending events to Amazon Pinpoint projects in Amazon Web Services Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.


    • prevent_user_existence_errors(PreventUserExistenceErrorTypes) / set_prevent_user_existence_errors(Option<PreventUserExistenceErrorTypes>):
      required: false

      Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn’t exist in the user pool. When set to ENABLED and the user doesn’t exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs return a UserNotFoundException exception if the user doesn’t exist in the user pool.

      Valid values include:

      • ENABLED - This prevents user existence-related errors.

      • LEGACY - This represents the early behavior of Amazon Cognito where user existence related errors aren’t prevented.


    • enable_token_revocation(bool) / set_enable_token_revocation(Option<bool>):
      required: false

      Activates or deactivates token revocation. For more information about revoking tokens, see RevokeToken.

      If you don’t include this parameter, token revocation is automatically activated for the new user pool client.


    • enable_propagate_additional_user_context_data(bool) / set_enable_propagate_additional_user_context_data(Option<bool>):
      required: false

      Activates the propagation of additional user context data. For more information about propagation of user context data, see Adding advanced security to a user pool. If you don’t include this parameter, you can’t send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate EnablePropagateAdditionalUserContextData in an app client that has a client secret.


    • auth_session_validity(i32) / set_auth_session_validity(Option<i32>):
      required: false

      Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.


  • On success, responds with CreateUserPoolClientOutput with field(s):
  • On failure, responds with SdkError<CreateUserPoolClientError>
source§

impl Client

source

pub fn create_user_pool_domain(&self) -> CreateUserPoolDomainFluentBuilder

Constructs a fluent builder for the CreateUserPoolDomain operation.

source§

impl Client

source

pub fn delete_group(&self) -> DeleteGroupFluentBuilder

Constructs a fluent builder for the DeleteGroup operation.

source§

impl Client

source

pub fn delete_identity_provider(&self) -> DeleteIdentityProviderFluentBuilder

Constructs a fluent builder for the DeleteIdentityProvider operation.

source§

impl Client

source

pub fn delete_resource_server(&self) -> DeleteResourceServerFluentBuilder

Constructs a fluent builder for the DeleteResourceServer operation.

source§

impl Client

source

pub fn delete_user(&self) -> DeleteUserFluentBuilder

Constructs a fluent builder for the DeleteUser operation.

source§

impl Client

source

pub fn delete_user_attributes(&self) -> DeleteUserAttributesFluentBuilder

Constructs a fluent builder for the DeleteUserAttributes operation.

source§

impl Client

source

pub fn delete_user_pool(&self) -> DeleteUserPoolFluentBuilder

Constructs a fluent builder for the DeleteUserPool operation.

source§

impl Client

source

pub fn delete_user_pool_client(&self) -> DeleteUserPoolClientFluentBuilder

Constructs a fluent builder for the DeleteUserPoolClient operation.

source§

impl Client

source

pub fn delete_user_pool_domain(&self) -> DeleteUserPoolDomainFluentBuilder

Constructs a fluent builder for the DeleteUserPoolDomain operation.

source§

impl Client

source

pub fn describe_identity_provider( &self ) -> DescribeIdentityProviderFluentBuilder

Constructs a fluent builder for the DescribeIdentityProvider operation.

source§

impl Client

source

pub fn describe_resource_server(&self) -> DescribeResourceServerFluentBuilder

Constructs a fluent builder for the DescribeResourceServer operation.

source§

impl Client

source

pub fn describe_risk_configuration( &self ) -> DescribeRiskConfigurationFluentBuilder

Constructs a fluent builder for the DescribeRiskConfiguration operation.

source§

impl Client

source

pub fn describe_user_import_job(&self) -> DescribeUserImportJobFluentBuilder

Constructs a fluent builder for the DescribeUserImportJob operation.

source§

impl Client

source

pub fn describe_user_pool(&self) -> DescribeUserPoolFluentBuilder

Constructs a fluent builder for the DescribeUserPool operation.

source§

impl Client

source

pub fn describe_user_pool_client(&self) -> DescribeUserPoolClientFluentBuilder

Constructs a fluent builder for the DescribeUserPoolClient operation.

source§

impl Client

source

pub fn describe_user_pool_domain(&self) -> DescribeUserPoolDomainFluentBuilder

Constructs a fluent builder for the DescribeUserPoolDomain operation.

source§

impl Client

source

pub fn forget_device(&self) -> ForgetDeviceFluentBuilder

Constructs a fluent builder for the ForgetDevice operation.

source§

impl Client

source

pub fn forgot_password(&self) -> ForgotPasswordFluentBuilder

Constructs a fluent builder for the ForgotPassword operation.

  • The fluent builder is configurable:
    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The ID of the client associated with the user pool.


    • secret_hash(impl Into<String>) / set_secret_hash(Option<String>):
      required: false

      A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.


    • user_context_data(UserContextDataType) / set_user_context_data(Option<UserContextDataType>):
      required: false

      Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.


    • username(impl Into<String>) / set_username(Option<String>):
      required: true

      The username of the user that you want to query or modify. The value of this parameter is typically your user’s username, but it can be any of their alias attributes. If username isn’t an alias attribute in your user pool, this value must be the sub of a local user or the username of a user from a third-party IdP.


    • analytics_metadata(AnalyticsMetadataType) / set_analytics_metadata(Option<AnalyticsMetadataType>):
      required: false

      The Amazon Pinpoint analytics metadata that contributes to your metrics for ForgotPassword calls.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the ForgotPassword API action, Amazon Cognito invokes any functions that are assigned to the following triggers: pre sign-up, custom message, and user migration. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your ForgotPassword request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with ForgotPasswordOutput with field(s):
  • On failure, responds with SdkError<ForgotPasswordError>
source§

impl Client

source

pub fn get_csv_header(&self) -> GetCSVHeaderFluentBuilder

Constructs a fluent builder for the GetCSVHeader operation.

source§

impl Client

source

pub fn get_device(&self) -> GetDeviceFluentBuilder

Constructs a fluent builder for the GetDevice operation.

source§

impl Client

source

pub fn get_group(&self) -> GetGroupFluentBuilder

Constructs a fluent builder for the GetGroup operation.

source§

impl Client

source

pub fn get_identity_provider_by_identifier( &self ) -> GetIdentityProviderByIdentifierFluentBuilder

Constructs a fluent builder for the GetIdentityProviderByIdentifier operation.

source§

impl Client

source

pub fn get_log_delivery_configuration( &self ) -> GetLogDeliveryConfigurationFluentBuilder

Constructs a fluent builder for the GetLogDeliveryConfiguration operation.

source§

impl Client

source

pub fn get_signing_certificate(&self) -> GetSigningCertificateFluentBuilder

Constructs a fluent builder for the GetSigningCertificate operation.

source§

impl Client

source

pub fn get_ui_customization(&self) -> GetUICustomizationFluentBuilder

Constructs a fluent builder for the GetUICustomization operation.

source§

impl Client

source

pub fn get_user(&self) -> GetUserFluentBuilder

Constructs a fluent builder for the GetUser operation.

source§

impl Client

source

pub fn get_user_attribute_verification_code( &self ) -> GetUserAttributeVerificationCodeFluentBuilder

Constructs a fluent builder for the GetUserAttributeVerificationCode operation.

  • The fluent builder is configurable:
    • access_token(impl Into<String>) / set_access_token(Option<String>):
      required: true

      A non-expired access token for the user whose attribute verification code you want to generate.


    • attribute_name(impl Into<String>) / set_attribute_name(Option<String>):
      required: true

      The attribute name returned by the server response to get the user attribute verification code.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the GetUserAttributeVerificationCode API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your GetUserAttributeVerificationCode request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with GetUserAttributeVerificationCodeOutput with field(s):
  • On failure, responds with SdkError<GetUserAttributeVerificationCodeError>
source§

impl Client

source

pub fn get_user_pool_mfa_config(&self) -> GetUserPoolMfaConfigFluentBuilder

Constructs a fluent builder for the GetUserPoolMfaConfig operation.

source§

impl Client

source

pub fn global_sign_out(&self) -> GlobalSignOutFluentBuilder

Constructs a fluent builder for the GlobalSignOut operation.

source§

impl Client

source

pub fn initiate_auth(&self) -> InitiateAuthFluentBuilder

Constructs a fluent builder for the InitiateAuth operation.

  • The fluent builder is configurable:
    • auth_flow(AuthFlowType) / set_auth_flow(Option<AuthFlowType>):
      required: true

      The authentication flow for this call to run. The API action will depend on this value. For example:

      • REFRESH_TOKEN_AUTH takes in a valid refresh token and returns new tokens.

      • USER_SRP_AUTH takes in USERNAME and SRP_A and returns the SRP variables to be used for next challenge execution.

      • USER_PASSWORD_AUTH takes in USERNAME and PASSWORD and returns the next challenge or tokens.

      Valid values include:

      • USER_SRP_AUTH: Authentication flow for the Secure Remote Password (SRP) protocol.

      • REFRESH_TOKEN_AUTH/REFRESH_TOKEN: Authentication flow for refreshing the access token and ID token by supplying a valid refresh token.

      • CUSTOM_AUTH: Custom authentication flow.

      • USER_PASSWORD_AUTH: Non-SRP authentication flow; user name and password are passed directly. If a user migration Lambda trigger is set, this flow will invoke the user migration Lambda if it doesn’t find the user name in the user pool.

      ADMIN_NO_SRP_AUTH isn’t a valid value.


    • auth_parameters(impl Into<String>, impl Into<String>) / set_auth_parameters(Option<HashMap::<String, String>>):
      required: false

      The authentication parameters. These are inputs corresponding to the AuthFlow that you’re invoking. The required values depend on the value of AuthFlow:

      • For USER_SRP_AUTH: USERNAME (required), SRP_A (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY.

      • For USER_PASSWORD_AUTH: USERNAME (required), PASSWORD (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY.

      • For REFRESH_TOKEN_AUTH/REFRESH_TOKEN: REFRESH_TOKEN (required), SECRET_HASH (required if the app client is configured with a client secret), DEVICE_KEY.

      • For CUSTOM_AUTH: USERNAME (required), SECRET_HASH (if app client is configured with client secret), DEVICE_KEY. To start the authentication flow with password verification, include ChallengeName: SRP_A and SRP_A: (The SRP_A Value).

      For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for certain custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the InitiateAuth API action, Amazon Cognito invokes the Lambda functions that are specified for various triggers. The ClientMetadata value is passed as input to the functions for only the following triggers:

      • Pre signup

      • Pre authentication

      • User migration

      When Amazon Cognito invokes the functions for these triggers, it passes a JSON payload, which the function receives as input. This payload contains a validationData attribute, which provides the data that you assigned to the ClientMetadata parameter in your InitiateAuth request. In your function code in Lambda, you can process the validationData value to enhance your workflow for your specific needs.

      When you use the InitiateAuth API action, Amazon Cognito also invokes the functions for the following triggers, but it doesn’t provide the ClientMetadata value as input:

      • Post authentication

      • Custom message

      • Pre token generation

      • Create auth challenge

      • Define auth challenge

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The app client ID.


    • analytics_metadata(AnalyticsMetadataType) / set_analytics_metadata(Option<AnalyticsMetadataType>):
      required: false

      The Amazon Pinpoint analytics metadata that contributes to your metrics for InitiateAuth calls.


    • user_context_data(UserContextDataType) / set_user_context_data(Option<UserContextDataType>):
      required: false

      Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.


  • On success, responds with InitiateAuthOutput with field(s):
    • challenge_name(Option<ChallengeNameType>):

      The name of the challenge that you’re responding to with this call. This name is returned in the InitiateAuth response if you must pass another challenge.

      Valid values include the following:

      All of the following challenges require USERNAME and SECRET_HASH (if applicable) in the parameters.

      • SMS_MFA: Next challenge is to supply an SMS_MFA_CODE, delivered via SMS.

      • PASSWORD_VERIFIER: Next challenge is to supply PASSWORD_CLAIM_SIGNATURE, PASSWORD_CLAIM_SECRET_BLOCK, and TIMESTAMP after the client-side SRP calculations.

      • CUSTOM_CHALLENGE: This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued.

      • DEVICE_SRP_AUTH: If device tracking was activated on your user pool and the previous challenges were passed, this challenge is returned so that Amazon Cognito can start tracking this device.

      • DEVICE_PASSWORD_VERIFIER: Similar to PASSWORD_VERIFIER, but for devices only.

      • NEW_PASSWORD_REQUIRED: For users who are required to change their passwords after successful first login.

        Respond to this challenge with NEW_PASSWORD and any required attributes that Amazon Cognito returned in the requiredAttributes parameter. You can also set values for attributes that aren’t required by your user pool and that your app client can write. For more information, see RespondToAuthChallenge.

        In a NEW_PASSWORD_REQUIRED challenge response, you can’t modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.

      • MFA_SETUP: For users who are required to setup an MFA factor before they can sign in. The MFA types activated for the user pool will be listed in the challenge parameters MFAS_CAN_SETUP value.

        To set up software token MFA, use the session returned here from InitiateAuth as an input to AssociateSoftwareToken. Use the session returned by VerifySoftwareToken as an input to RespondToAuthChallenge with challenge name MFA_SETUP to complete sign-in. To set up SMS MFA, an administrator should help the user to add a phone number to their account, and then the user should call InitiateAuth again to restart sign-in.

    • session(Option<String>):

      The session that should pass both ways in challenge-response calls to the service. If the caller must pass another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.

    • challenge_parameters(Option<HashMap::<String, String>>):

      The challenge parameters. These are returned in the InitiateAuth response if you must pass another challenge. The responses in this parameter should be used to compute inputs to the next call (RespondToAuthChallenge).

      All challenges require USERNAME and SECRET_HASH (if applicable).

    • authentication_result(Option<AuthenticationResultType>):

      The result of the authentication response. This result is only returned if the caller doesn’t need to pass another challenge. If the caller does need to pass another challenge before it gets tokens, ChallengeName, ChallengeParameters, and Session are returned.

  • On failure, responds with SdkError<InitiateAuthError>
source§

impl Client

source

pub fn list_devices(&self) -> ListDevicesFluentBuilder

Constructs a fluent builder for the ListDevices operation.

source§

impl Client

source

pub fn list_groups(&self) -> ListGroupsFluentBuilder

Constructs a fluent builder for the ListGroups operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn list_identity_providers(&self) -> ListIdentityProvidersFluentBuilder

Constructs a fluent builder for the ListIdentityProviders operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn list_resource_servers(&self) -> ListResourceServersFluentBuilder

Constructs a fluent builder for the ListResourceServers operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn list_tags_for_resource(&self) -> ListTagsForResourceFluentBuilder

Constructs a fluent builder for the ListTagsForResource operation.

source§

impl Client

source

pub fn list_user_import_jobs(&self) -> ListUserImportJobsFluentBuilder

Constructs a fluent builder for the ListUserImportJobs operation.

source§

impl Client

source

pub fn list_user_pool_clients(&self) -> ListUserPoolClientsFluentBuilder

Constructs a fluent builder for the ListUserPoolClients operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn list_user_pools(&self) -> ListUserPoolsFluentBuilder

Constructs a fluent builder for the ListUserPools operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn list_users(&self) -> ListUsersFluentBuilder

Constructs a fluent builder for the ListUsers operation. This operation supports pagination; See into_paginator().

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool on which the search should be performed.


    • attributes_to_get(impl Into<String>) / set_attributes_to_get(Option<Vec::<String>>):
      required: false

      A JSON array of user attribute names, for example given_name, that you want Amazon Cognito to include in the response for each user. When you don’t provide an AttributesToGet parameter, Amazon Cognito returns all attributes for each user.

      Use AttributesToGet with required attributes in your user pool, or in conjunction with Filter. Amazon Cognito returns an error if not all users in the results have set a value for the attribute you request. Attributes that you can’t filter on, including custom attributes, must have a value set in every user profile before an AttributesToGet parameter returns results.


    • limit(i32) / set_limit(Option<i32>):
      required: false

      Maximum number of users to be returned.


    • pagination_token(impl Into<String>) / set_pagination_token(Option<String>):
      required: false

      This API operation returns a limited number of results. The pagination token is an identifier that you can present in an additional API request with the same parameters. When you include the pagination token, Amazon Cognito returns the next set of items after the current list. Subsequent requests return a new pagination token. By use of this token, you can paginate through the full list of items.


    • filter(impl Into<String>) / set_filter(Option<String>):
      required: false

      A filter string of the form “AttributeName Filter-TypeAttributeValue”“. Quotation marks within the filter string must be escaped using the backslash (</code>) character. For example, “family_name = "Reddy"”.

      • AttributeName: The name of the attribute to search for. You can only search for one attribute at a time.

      • Filter-Type: For an exact match, use =, for example, “given_name = "Jon"”. For a prefix (“starts with”) match, use ^=, for example, “given_name ^= "Jon"”.

      • AttributeValue: The attribute value that must be matched for each user.

      If the filter string is empty, ListUsers returns all users in the user pool.

      You can only search for the following standard attributes:

      • username (case-sensitive)

      • email

      • phone_number

      • name

      • given_name

      • family_name

      • preferred_username

      • cognito:user_status (called Status in the Console) (case-insensitive)

      • status (called Enabled in the Console) (case-sensitive)

      • sub

      Custom attributes aren’t searchable.

      You can also list users with a client-side filter. The server-side filter matches no more than one attribute. For an advanced search, use a client-side filter with the –query parameter of the list-users action in the CLI. When you use a client-side filter, ListUsers returns a paginated list of zero or more users. You can receive multiple pages in a row with zero results. Repeat the query with each pagination token that is returned until you receive a null pagination token value, and then review the combined result.

      For more information about server-side and client-side filtering, see FilteringCLI output in the Command Line Interface User Guide.

      For more information, see Searching for Users Using the ListUsers API and Examples of Using the ListUsers API in the Amazon Cognito Developer Guide.


  • On success, responds with ListUsersOutput with field(s):
    • users(Option<Vec::<UserType>>):

      A list of the user pool users, and their attributes, that match your query.

      Amazon Cognito creates a profile in your user pool for each native user in your user pool, and each unique user ID from your third-party identity providers (IdPs). When you link users with the AdminLinkProviderForUser API operation, the output of ListUsers displays both the IdP user and the native user that you linked. You can identify IdP users in the Users object of this API response by the IdP prefix that Amazon Cognito appends to Username.

    • pagination_token(Option<String>):

      The identifier that Amazon Cognito returned with the previous request to this operation. When you include a pagination token in your request, Amazon Cognito returns the next set of items in the list. By use of this token, you can paginate through the full list of items.

  • On failure, responds with SdkError<ListUsersError>
source§

impl Client

source

pub fn list_users_in_group(&self) -> ListUsersInGroupFluentBuilder

Constructs a fluent builder for the ListUsersInGroup operation. This operation supports pagination; See into_paginator().

source§

impl Client

source

pub fn resend_confirmation_code(&self) -> ResendConfirmationCodeFluentBuilder

Constructs a fluent builder for the ResendConfirmationCode operation.

source§

impl Client

source

pub fn respond_to_auth_challenge(&self) -> RespondToAuthChallengeFluentBuilder

Constructs a fluent builder for the RespondToAuthChallenge operation.

  • The fluent builder is configurable:
    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The app client ID.


    • challenge_name(ChallengeNameType) / set_challenge_name(Option<ChallengeNameType>):
      required: true

      The challenge name. For more information, see InitiateAuth.

      ADMIN_NO_SRP_AUTH isn’t a valid value.


    • session(impl Into<String>) / set_session(Option<String>):
      required: false

      The session that should be passed both ways in challenge-response calls to the service. If InitiateAuth or RespondToAuthChallenge API call determines that the caller must pass another challenge, they return a session with other challenge parameters. This session should be passed as it is to the next RespondToAuthChallenge API call.


    • challenge_responses(impl Into<String>, impl Into<String>) / set_challenge_responses(Option<HashMap::<String, String>>):
      required: false

      The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.

      You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret.
      SMS_MFA

      “ChallengeName”: “SMS_MFA”, “ChallengeResponses”: {“SMS_MFA_CODE”: “[SMS_code]”, “USERNAME”: “[username]”}

      PASSWORD_VERIFIER

      “ChallengeName”: “PASSWORD_VERIFIER”, “ChallengeResponses”: {“PASSWORD_CLAIM_SIGNATURE”: “[claim_signature]”, “PASSWORD_CLAIM_SECRET_BLOCK”: “[secret_block]”, “TIMESTAMP”: [timestamp], “USERNAME”: “[username]”}

      Add “DEVICE_KEY” when you sign in with a remembered device.

      CUSTOM_CHALLENGE

      “ChallengeName”: “CUSTOM_CHALLENGE”, “ChallengeResponses”: {“USERNAME”: “[username]”, “ANSWER”: “[challenge_answer]”}

      Add “DEVICE_KEY” when you sign in with a remembered device.

      NEW_PASSWORD_REQUIRED

      “ChallengeName”: “NEW_PASSWORD_REQUIRED”, “ChallengeResponses”: {“NEW_PASSWORD”: “[new_password]”, “USERNAME”: “[username]”}

      To set any required attributes that InitiateAuth returned in an requiredAttributes parameter, add “userAttributes.[attribute_name]”: “[attribute_value]”. This parameter can also set values for writable attributes that aren’t required by your user pool.

      In a NEW_PASSWORD_REQUIRED challenge response, you can’t modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.
      SOFTWARE_TOKEN_MFA

      “ChallengeName”: “SOFTWARE_TOKEN_MFA”, “ChallengeResponses”: {“USERNAME”: “[username]”, “SOFTWARE_TOKEN_MFA_CODE”: [authenticator_code]}

      DEVICE_SRP_AUTH

      “ChallengeName”: “DEVICE_SRP_AUTH”, “ChallengeResponses”: {“USERNAME”: “[username]”, “DEVICE_KEY”: “[device_key]”, “SRP_A”: “[srp_a]”}

      DEVICE_PASSWORD_VERIFIER

      “ChallengeName”: “DEVICE_PASSWORD_VERIFIER”, “ChallengeResponses”: {“DEVICE_KEY”: “[device_key]”, “PASSWORD_CLAIM_SIGNATURE”: “[claim_signature]”, “PASSWORD_CLAIM_SECRET_BLOCK”: “[secret_block]”, “TIMESTAMP”: [timestamp], “USERNAME”: “[username]”}

      MFA_SETUP

      “ChallengeName”: “MFA_SETUP”, “ChallengeResponses”: {“USERNAME”: “[username]”}, “SESSION”: “[Session ID from VerifySoftwareToken]”

      SELECT_MFA_TYPE

      “ChallengeName”: “SELECT_MFA_TYPE”, “ChallengeResponses”: {“USERNAME”: “[username]”, “ANSWER”: “[SMS_MFA or SOFTWARE_TOKEN_MFA]”}

      For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.


    • analytics_metadata(AnalyticsMetadataType) / set_analytics_metadata(Option<AnalyticsMetadataType>):
      required: false

      The Amazon Pinpoint analytics metadata that contributes to your metrics for RespondToAuthChallenge calls.


    • user_context_data(UserContextDataType) / set_user_context_data(Option<UserContextDataType>):
      required: false

      Contextual data about your user session, such as the device fingerprint, IP address, or location. Amazon Cognito advanced security evaluates the risk of an authentication event based on the context that your app generates and passes to Amazon Cognito when it makes API requests.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the RespondToAuthChallenge API action, Amazon Cognito invokes any functions that are assigned to the following triggers: post authentication, pre token generation, define auth challenge, create auth challenge, and verify auth challenge. When Amazon Cognito invokes any of these functions, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your RespondToAuthChallenge request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with RespondToAuthChallengeOutput with field(s):
  • On failure, responds with SdkError<RespondToAuthChallengeError>
source§

impl Client

source

pub fn revoke_token(&self) -> RevokeTokenFluentBuilder

Constructs a fluent builder for the RevokeToken operation.

source§

impl Client

source

pub fn set_log_delivery_configuration( &self ) -> SetLogDeliveryConfigurationFluentBuilder

Constructs a fluent builder for the SetLogDeliveryConfiguration operation.

source§

impl Client

source

pub fn set_risk_configuration(&self) -> SetRiskConfigurationFluentBuilder

Constructs a fluent builder for the SetRiskConfiguration operation.

source§

impl Client

source

pub fn set_ui_customization(&self) -> SetUICustomizationFluentBuilder

Constructs a fluent builder for the SetUICustomization operation.

source§

impl Client

source

pub fn set_user_mfa_preference(&self) -> SetUserMFAPreferenceFluentBuilder

Constructs a fluent builder for the SetUserMFAPreference operation.

source§

impl Client

source

pub fn set_user_pool_mfa_config(&self) -> SetUserPoolMfaConfigFluentBuilder

Constructs a fluent builder for the SetUserPoolMfaConfig operation.

source§

impl Client

source

pub fn set_user_settings(&self) -> SetUserSettingsFluentBuilder

Constructs a fluent builder for the SetUserSettings operation.

source§

impl Client

source

pub fn sign_up(&self) -> SignUpFluentBuilder

Constructs a fluent builder for the SignUp operation.

source§

impl Client

source

pub fn start_user_import_job(&self) -> StartUserImportJobFluentBuilder

Constructs a fluent builder for the StartUserImportJob operation.

source§

impl Client

source

pub fn stop_user_import_job(&self) -> StopUserImportJobFluentBuilder

Constructs a fluent builder for the StopUserImportJob operation.

source§

impl Client

source

pub fn tag_resource(&self) -> TagResourceFluentBuilder

Constructs a fluent builder for the TagResource operation.

source§

impl Client

source

pub fn untag_resource(&self) -> UntagResourceFluentBuilder

Constructs a fluent builder for the UntagResource operation.

source§

impl Client

source

pub fn update_auth_event_feedback(&self) -> UpdateAuthEventFeedbackFluentBuilder

Constructs a fluent builder for the UpdateAuthEventFeedback operation.

source§

impl Client

source

pub fn update_device_status(&self) -> UpdateDeviceStatusFluentBuilder

Constructs a fluent builder for the UpdateDeviceStatus operation.

source§

impl Client

source

pub fn update_group(&self) -> UpdateGroupFluentBuilder

Constructs a fluent builder for the UpdateGroup operation.

source§

impl Client

source

pub fn update_identity_provider(&self) -> UpdateIdentityProviderFluentBuilder

Constructs a fluent builder for the UpdateIdentityProvider operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID.


    • provider_name(impl Into<String>) / set_provider_name(Option<String>):
      required: true

      The IdP name.


    • provider_details(impl Into<String>, impl Into<String>) / set_provider_details(Option<HashMap::<String, String>>):
      required: false

      The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP authorize_scopes values must match the values listed here.

      OpenID Connect (OIDC)

      Amazon Cognito accepts the following elements when it can’t discover endpoint URLs from oidc_issuer: attributes_url, authorize_url, jwks_uri, token_url.

      Create or update request: “ProviderDetails”: { “attributes_request_method”: “GET”, “attributes_url”: “https://auth.example.com/userInfo”, “authorize_scopes”: “openid profile email”, “authorize_url”: “https://auth.example.com/authorize”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret”, “jwks_uri”: “https://auth.example.com/.well-known/jwks.json”, “oidc_issuer”: “https://auth.example.com”, “token_url”: “https://example.com/token” }

      Describe response: “ProviderDetails”: { “attributes_request_method”: “GET”, “attributes_url”: “https://auth.example.com/userInfo”, “attributes_url_add_attributes”: “false”, “authorize_scopes”: “openid profile email”, “authorize_url”: “https://auth.example.com/authorize”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret”, “jwks_uri”: “https://auth.example.com/.well-known/jwks.json”, “oidc_issuer”: “https://auth.example.com”, “token_url”: “https://example.com/token” }

      SAML

      Create or update request with Metadata URL: “ProviderDetails”: { “IDPInit”: “true”, “IDPSignout”: “true”, “EncryptedResponses” : “true”, “MetadataURL”: “https://auth.example.com/sso/saml/metadata”, “RequestSigningAlgorithm”: “rsa-sha256” }

      Create or update request with Metadata file: “ProviderDetails”: { “IDPInit”: “true”, “IDPSignout”: “true”, “EncryptedResponses” : “true”, “MetadataFile”: “[metadata XML]”, “RequestSigningAlgorithm”: “rsa-sha256” }

      The value of MetadataFile must be the plaintext metadata document with all quote (“) characters escaped by backslashes.

      Describe response: “ProviderDetails”: { “IDPInit”: “true”, “IDPSignout”: “true”, “EncryptedResponses” : “true”, “ActiveEncryptionCertificate”: “[certificate]”, “MetadataURL”: “https://auth.example.com/sso/saml/metadata”, “RequestSigningAlgorithm”: “rsa-sha256”, “SLORedirectBindingURI”: “https://auth.example.com/slo/saml”, “SSORedirectBindingURI”: “https://auth.example.com/sso/saml” }

      LoginWithAmazon

      Create or update request: “ProviderDetails”: { “authorize_scopes”: “profile postal_code”, “client_id”: “amzn1.application-oa2-client.1example23456789”, “client_secret”: “provider-app-client-secret”

      Describe response: “ProviderDetails”: { “attributes_url”: “https://api.amazon.com/user/profile”, “attributes_url_add_attributes”: “false”, “authorize_scopes”: “profile postal_code”, “authorize_url”: “https://www.amazon.com/ap/oa”, “client_id”: “amzn1.application-oa2-client.1example23456789”, “client_secret”: “provider-app-client-secret”, “token_request_method”: “POST”, “token_url”: “https://api.amazon.com/auth/o2/token” }

      Google

      Create or update request: “ProviderDetails”: { “authorize_scopes”: “email profile openid”, “client_id”: “1example23456789.apps.googleusercontent.com”, “client_secret”: “provider-app-client-secret” }

      Describe response: “ProviderDetails”: { “attributes_url”: “https://people.googleapis.com/v1/people/me?personFields=”, “attributes_url_add_attributes”: “true”, “authorize_scopes”: “email profile openid”, “authorize_url”: “https://accounts.google.com/o/oauth2/v2/auth”, “client_id”: “1example23456789.apps.googleusercontent.com”, “client_secret”: “provider-app-client-secret”, “oidc_issuer”: “https://accounts.google.com”, “token_request_method”: “POST”, “token_url”: “https://www.googleapis.com/oauth2/v4/token” }

      SignInWithApple

      Create or update request: “ProviderDetails”: { “authorize_scopes”: “email name”, “client_id”: “com.example.cognito”, “private_key”: “1EXAMPLE”, “key_id”: “2EXAMPLE”, “team_id”: “3EXAMPLE” }

      Describe response: “ProviderDetails”: { “attributes_url_add_attributes”: “false”, “authorize_scopes”: “email name”, “authorize_url”: “https://appleid.apple.com/auth/authorize”, “client_id”: “com.example.cognito”, “key_id”: “1EXAMPLE”, “oidc_issuer”: “https://appleid.apple.com”, “team_id”: “2EXAMPLE”, “token_request_method”: “POST”, “token_url”: “https://appleid.apple.com/auth/token” }

      Facebook

      Create or update request: “ProviderDetails”: { “api_version”: “v17.0”, “authorize_scopes”: “public_profile, email”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret” }

      Describe response: “ProviderDetails”: { “api_version”: “v17.0”, “attributes_url”: “https://graph.facebook.com/v17.0/me?fields=”, “attributes_url_add_attributes”: “true”, “authorize_scopes”: “public_profile, email”, “authorize_url”: “https://www.facebook.com/v17.0/dialog/oauth”, “client_id”: “1example23456789”, “client_secret”: “provider-app-client-secret”, “token_request_method”: “GET”, “token_url”: “https://graph.facebook.com/v17.0/oauth/access_token” }


    • attribute_mapping(impl Into<String>, impl Into<String>) / set_attribute_mapping(Option<HashMap::<String, String>>):
      required: false

      The IdP attribute mapping to be changed.


    • idp_identifiers(impl Into<String>) / set_idp_identifiers(Option<Vec::<String>>):
      required: false

      A list of IdP identifiers.


  • On success, responds with UpdateIdentityProviderOutput with field(s):
  • On failure, responds with SdkError<UpdateIdentityProviderError>
source§

impl Client

source

pub fn update_resource_server(&self) -> UpdateResourceServerFluentBuilder

Constructs a fluent builder for the UpdateResourceServer operation.

source§

impl Client

source

pub fn update_user_attributes(&self) -> UpdateUserAttributesFluentBuilder

Constructs a fluent builder for the UpdateUserAttributes operation.

  • The fluent builder is configurable:
    • user_attributes(AttributeType) / set_user_attributes(Option<Vec::<AttributeType>>):
      required: true

      An array of name-value pairs representing user attributes.

      For custom attributes, you must prepend the custom: prefix to the attribute name.

      If you have set an attribute to require verification before Amazon Cognito updates its value, this request doesn’t immediately update the value of that attribute. After your user receives and responds to a verification message to verify the new value, Amazon Cognito updates the attribute value. Your user can sign in and receive messages with the original attribute value until they verify the new value.


    • access_token(impl Into<String>) / set_access_token(Option<String>):
      required: true

      A valid access token that Amazon Cognito issued to the user whose user attributes you want to update.


    • client_metadata(impl Into<String>, impl Into<String>) / set_client_metadata(Option<HashMap::<String, String>>):
      required: false

      A map of custom key-value pairs that you can provide as input for any custom workflows that this action initiates.

      You create custom workflows by assigning Lambda functions to user pool triggers. When you use the UpdateUserAttributes API action, Amazon Cognito invokes the function that is assigned to the custom message trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a clientMetadata attribute, which provides the data that you assigned to the ClientMetadata parameter in your UpdateUserAttributes request. In your function code in Lambda, you can process the clientMetadata value to enhance your workflow for your specific needs.

      For more information, see Customizing user pool Workflows with Lambda Triggers in the Amazon Cognito Developer Guide.

      When you use the ClientMetadata parameter, remember that Amazon Cognito won’t do the following:

      • Store the ClientMetadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn’t include triggers, the ClientMetadata parameter serves no purpose.

      • Validate the ClientMetadata value.

      • Encrypt the ClientMetadata value. Don’t use Amazon Cognito to provide sensitive information.


  • On success, responds with UpdateUserAttributesOutput with field(s):
  • On failure, responds with SdkError<UpdateUserAttributesError>
source§

impl Client

source

pub fn update_user_pool(&self) -> UpdateUserPoolFluentBuilder

Constructs a fluent builder for the UpdateUserPool operation.

source§

impl Client

source

pub fn update_user_pool_client(&self) -> UpdateUserPoolClientFluentBuilder

Constructs a fluent builder for the UpdateUserPoolClient operation.

  • The fluent builder is configurable:
    • user_pool_id(impl Into<String>) / set_user_pool_id(Option<String>):
      required: true

      The user pool ID for the user pool where you want to update the user pool client.


    • client_id(impl Into<String>) / set_client_id(Option<String>):
      required: true

      The ID of the client associated with the user pool.


    • client_name(impl Into<String>) / set_client_name(Option<String>):
      required: false

      The client name from the update user pool client request.


    • refresh_token_validity(i32) / set_refresh_token_validity(Option<i32>):
      required: false

      The refresh token time limit. After this limit expires, your user can’t use their refresh token. To specify the time unit for RefreshTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

      For example, when you set RefreshTokenValidity as 10 and TokenValidityUnits as days, your user can refresh their session and retrieve new access and ID tokens for 10 days.

      The default time unit for RefreshTokenValidity in an API request is days. You can’t set RefreshTokenValidity to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.

      If you don’t specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.


    • access_token_validity(i32) / set_access_token_validity(Option<i32>):
      required: false

      The access token time limit. After this limit expires, your user can’t use their access token. To specify the time unit for AccessTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

      For example, when you set AccessTokenValidity to 10 and TokenValidityUnits to hours, your user can authorize access with their access token for 10 hours.

      The default time unit for AccessTokenValidity in an API request is hours. Valid range is displayed below in seconds.

      If you don’t specify otherwise in the configuration of your app client, your access tokens are valid for one hour.


    • id_token_validity(i32) / set_id_token_validity(Option<i32>):
      required: false

      The ID token time limit. After this limit expires, your user can’t use their ID token. To specify the time unit for IdTokenValidity as seconds, minutes, hours, or days, set a TokenValidityUnits value in your API request.

      For example, when you set IdTokenValidity as 10 and TokenValidityUnits as hours, your user can authenticate their session with their ID token for 10 hours.

      The default time unit for IdTokenValidity in an API request is hours. Valid range is displayed below in seconds.

      If you don’t specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.


    • token_validity_units(TokenValidityUnitsType) / set_token_validity_units(Option<TokenValidityUnitsType>):
      required: false

      The time units you use when you set the duration of ID, access, and refresh tokens. The default unit for RefreshToken is days, and the default for ID and access tokens is hours.


    • read_attributes(impl Into<String>) / set_read_attributes(Option<Vec::<String>>):
      required: false

      The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a GetUser API request to retrieve and display your user’s profile data.

      When you don’t specify the ReadAttributes for your app client, your app can read the values of email_verified, phone_number_verified, and the Standard attributes of your user pool. When your user pool has read access to these default attributes, ReadAttributes doesn’t return any information. Amazon Cognito only populates ReadAttributes in the API response if you have specified your own custom set of read attributes.


    • write_attributes(impl Into<String>) / set_write_attributes(Option<Vec::<String>>):
      required: false

      The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets family_name to the new value.

      When you don’t specify the WriteAttributes for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes, WriteAttributes doesn’t return any information. Amazon Cognito only populates WriteAttributes in the API response if you have specified your own custom set of write attributes.

      If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.


    • explicit_auth_flows(ExplicitAuthFlowsType) / set_explicit_auth_flows(Option<Vec::<ExplicitAuthFlowsType>>):
      required: false

      The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.

      If you don’t specify a value for ExplicitAuthFlows, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

      Valid values include:

      • ALLOW_ADMIN_USER_PASSWORD_AUTH: Enable admin based user password authentication flow ADMIN_USER_PASSWORD_AUTH. This setting replaces the ADMIN_NO_SRP_AUTH setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password.

      • ALLOW_CUSTOM_AUTH: Enable Lambda trigger based authentication.

      • ALLOW_USER_PASSWORD_AUTH: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords.

      • ALLOW_USER_SRP_AUTH: Enable SRP-based authentication.

      • ALLOW_REFRESH_TOKEN_AUTH: Enable authflow to refresh tokens.

      In some environments, you will see the values ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, or USER_PASSWORD_AUTH. You can’t assign these legacy ExplicitAuthFlows values to user pool clients at the same time as values that begin with ALLOW_, like ALLOW_USER_SRP_AUTH.


    • supported_identity_providers(impl Into<String>) / set_supported_identity_providers(Option<Vec::<String>>):
      required: false

      A list of provider names for the IdPs that this client supports. The following are supported: COGNITO, Facebook, Google, SignInWithApple, LoginWithAmazon, and the names of your own SAML and OIDC providers.


    • callback_urls(impl Into<String>) / set_callback_urls(Option<Vec::<String>>):
      required: false

      A list of allowed redirect (callback) URLs for the IdPs.

      A redirect URI must:

      • Be an absolute URI.

      • Be registered with the authorization server.

      • Not include a fragment component.

      See OAuth 2.0 - Redirection Endpoint.

      Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.

      App callback URLs such as myapp://example are also supported.


    • logout_urls(impl Into<String>) / set_logout_urls(Option<Vec::<String>>):
      required: false

      A list of allowed logout URLs for the IdPs.


    • default_redirect_uri(impl Into<String>) / set_default_redirect_uri(Option<String>):
      required: false

      The default redirect URI. Must be in the CallbackURLs list.

      A redirect URI must:

      • Be an absolute URI.

      • Be registered with the authorization server.

      • Not include a fragment component.

      See OAuth 2.0 - Redirection Endpoint.

      Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.

      App callback URLs such as myapp://example are also supported.


    • allowed_o_auth_flows(OAuthFlowType) / set_allowed_o_auth_flows(Option<Vec::<OAuthFlowType>>):
      required: false

      The allowed OAuth flows.

      code

      Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the /oauth2/token endpoint.

      implicit

      Issue the access token (and, optionally, ID token, based on scopes) directly to your user.

      client_credentials

      Issue the access token from the /oauth2/token endpoint directly to a non-person user using a combination of the client ID and client secret.


    • allowed_o_auth_scopes(impl Into<String>) / set_allowed_o_auth_scopes(Option<Vec::<String>>):
      required: false

      The allowed OAuth scopes. Possible values provided by OAuth are phone, email, openid, and profile. Possible values provided by Amazon Web Services are aws.cognito.signin.user.admin. Custom scopes created in Resource Servers are also supported.


    • allowed_o_auth_flows_user_pool_client(bool) / set_allowed_o_auth_flows_user_pool_client(Option<bool>):
      required: false

      Set to true to use OAuth 2.0 features in your user pool app client.

      AllowedOAuthFlowsUserPoolClient must be true before you can configure the following features in your app client.

      • CallBackURLs: Callback URLs.

      • LogoutURLs: Sign-out redirect URLs.

      • AllowedOAuthScopes: OAuth 2.0 scopes.

      • AllowedOAuthFlows: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.

      To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set AllowedOAuthFlowsUserPoolClient to true in a CreateUserPoolClient or UpdateUserPoolClient API request. If you don’t set a value for AllowedOAuthFlowsUserPoolClient in a request with the CLI or SDKs, it defaults to false.


    • analytics_configuration(AnalyticsConfigurationType) / set_analytics_configuration(Option<AnalyticsConfigurationType>):
      required: false

      The Amazon Pinpoint analytics configuration necessary to collect metrics for this user pool.

      In Amazon Web Services Regions where Amazon Pinpoint isn’t available, user pools only support sending events to Amazon Pinpoint projects in us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.


    • prevent_user_existence_errors(PreventUserExistenceErrorTypes) / set_prevent_user_existence_errors(Option<PreventUserExistenceErrorTypes>):
      required: false

      Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn’t exist in the user pool. When set to ENABLED and the user doesn’t exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs return a UserNotFoundException exception if the user doesn’t exist in the user pool.

      Valid values include:

      • ENABLED - This prevents user existence-related errors.

      • LEGACY - This represents the early behavior of Amazon Cognito where user existence related errors aren’t prevented.


    • enable_token_revocation(bool) / set_enable_token_revocation(Option<bool>):
      required: false

      Activates or deactivates token revocation. For more information about revoking tokens, see RevokeToken.


    • enable_propagate_additional_user_context_data(bool) / set_enable_propagate_additional_user_context_data(Option<bool>):
      required: false

      Activates the propagation of additional user context data. For more information about propagation of user context data, see Adding advanced security to a user pool. If you don’t include this parameter, you can’t send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate EnablePropagateAdditionalUserContextData in an app client that has a client secret.


    • auth_session_validity(i32) / set_auth_session_validity(Option<i32>):
      required: false

      Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.


  • On success, responds with UpdateUserPoolClientOutput with field(s):
  • On failure, responds with SdkError<UpdateUserPoolClientError>
source§

impl Client

source

pub fn update_user_pool_domain(&self) -> UpdateUserPoolDomainFluentBuilder

Constructs a fluent builder for the UpdateUserPoolDomain operation.

source§

impl Client

source

pub fn verify_software_token(&self) -> VerifySoftwareTokenFluentBuilder

Constructs a fluent builder for the VerifySoftwareToken operation.

source§

impl Client

source

pub fn verify_user_attribute(&self) -> VerifyUserAttributeFluentBuilder

Constructs a fluent builder for the VerifyUserAttribute operation.

source§

impl Client

source

pub fn from_conf(conf: Config) -> Self

Creates a new client from the service Config.

§Panics

This method will panic in the following cases:

  • Retries or timeouts are enabled without a sleep_impl configured.
  • Identity caching is enabled without a sleep_impl and time_source configured.
  • No behavior_version is provided.

The panic message for each of these will have instructions on how to resolve them.

source

pub fn config(&self) -> &Config

Returns the client’s configuration.

source§

impl Client

source

pub fn new(sdk_config: &SdkConfig) -> Self

Creates a new client from an SDK Config.

§Panics
  • This method will panic if the sdk_config is missing an async sleep implementation. If you experience this panic, set the sleep_impl on the Config passed into this function to fix it.
  • This method will panic if the sdk_config is missing an HTTP connector. If you experience this panic, set the http_connector on the Config passed into this function to fix it.
  • This method will panic if no BehaviorVersion is provided. If you experience this panic, set behavior_version on the Config or enable the behavior-version-latest Cargo feature.

Trait Implementations§

source§

impl Clone for Client

source§

fn clone(&self) -> Client

Returns a copy of the value. Read more
1.0.0 · source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
source§

impl Debug for Client

source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more

Auto Trait Implementations§

§

impl Freeze for Client

§

impl !RefUnwindSafe for Client

§

impl Send for Client

§

impl Sync for Client

§

impl Unpin for Client

§

impl !UnwindSafe for Client

Blanket Implementations§

source§

impl<T> Any for T
where T: 'static + ?Sized,

source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
source§

impl<T> Borrow<T> for T
where T: ?Sized,

source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
source§

impl<T> From<T> for T

source§

fn from(t: T) -> T

Returns the argument unchanged.

source§

impl<T> Instrument for T

source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
source§

impl<T, U> Into<U> for T
where U: From<T>,

source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

source§

impl<T> IntoEither for T

source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
source§

impl<Unshared, Shared> IntoShared<Shared> for Unshared
where Shared: FromUnshared<Unshared>,

source§

fn into_shared(self) -> Shared

Creates a shared type from an unshared type.
source§

impl<T> Same for T

§

type Output = T

Should always be Self
source§

impl<T> ToOwned for T
where T: Clone,

§

type Owned = T

The resulting type after obtaining ownership.
source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

§

type Error = Infallible

The type returned in the event of a conversion error.
source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
source§

impl<T> WithSubscriber for T

source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more