aws-elixir v0.6.0 AWS.Cognito.IdentityProvider View Source
Using the Amazon Cognito User Pools API, you can create a user pool to manage directories and users. You can authenticate a user to obtain tokens related to user identity and access policies.
This API reference provides information about user pools in Amazon Cognito User Pools.
For more information, see the Amazon Cognito Documentation.
Link to this section Summary
Functions
Adds additional user attributes to the user pool schema.
Adds the specified user to the specified group.
Confirms user registration as an admin without using a confirmation code. Works on any user.
Creates a new user in the specified user pool.
Deletes a user as an administrator. Works on any user.
Deletes the user attributes in a user pool as an administrator. Works on any user.
Disables the user from signing in with the specified external (SAML or
social) identity provider. If the user to disable is a Cognito User Pools
native username + password user, they are not permitted to use their
password to sign-in. If the user to disable is a linked external IdP user,
any link between that user and an existing user is removed. The next time
the external user (no longer attached to the previously linked
DestinationUser) signs in, they must create a new user account. See .
Disables the specified user.
Enables the specified user as an administrator. Works on any user.
Forgets the device, as an administrator.
Gets the device, as an administrator.
Gets the specified user by user name in a user pool as an administrator. Works on any user.
Initiates the authentication flow, as an administrator.
Links an existing user account in a user pool (DestinationUser) to an
identity from an external identity provider (SourceUser) based on a
specified attribute name and value from the external identity provider.
This allows you to create a link from the existing user account to an
external federated user identity that has not yet been used to sign in, so
that the federated user identity can be used to sign in as the existing
user account.
Lists devices, as an administrator.
Lists the groups that the user belongs to.
Lists a history of user activity and any risks detected as part of Amazon Cognito advanced security.
Removes the specified user from the specified group.
Resets the specified user's password in a user pool as an administrator. Works on any user.
Responds to an authentication challenge, as an administrator.
Sets the user's multi-factor authentication (MFA) preference, including which MFA options are enabled and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are enabled. If multiple options are enabled and no preference is set, a challenge to choose an MFA option will be returned during sign in.
Sets the specified user's password in a user pool as an administrator. Works on any user.
This action is no longer supported. You can use it to configure only SMS
MFA. You can't use it to configure TOTP software token MFA. To configure
either type of MFA, use the AdminSetUserMFAPreference action instead.
Provides feedback for an authentication event as to whether it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Updates the device status as an administrator.
Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user.
Signs out users from all devices, as an administrator. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.
Returns a unique generated shared secret key code for the user account. The request takes an access token or a session string, but not both.
Changes the password for a specified user in a user pool.
Confirms tracking of the device. This API call is the call that begins device tracking.
Allows a user to enter a confirmation code to reset a forgotten password.
Confirms registration of a user and handles the existing alias from a previous user.
Creates a new group in the specified user pool.
Creates an identity provider for a user pool.
Creates a new OAuth2.0 resource server and defines custom scopes in it.
Creates the user import job.
Creates a new Amazon Cognito user pool and sets the password policy for the pool.
Creates the user pool client.
Creates a new domain for a user pool.
Deletes a group. Currently only groups with no members can be deleted.
Deletes an identity provider for a user pool.
Deletes a resource server.
Allows a user to delete himself or herself.
Deletes the attributes for a user.
Deletes the specified Amazon Cognito user pool.
Allows the developer to delete the user pool client.
Deletes a domain for a user pool.
Gets information about a specific identity provider.
Describes a resource server.
Describes the risk configuration.
Describes the user import job.
Returns the configuration information and metadata of the specified user pool.
Client method for returning the configuration information and metadata of the specified user pool app client.
Gets information about a domain.
Forgets the specified device.
Calling this API causes a message to be sent to the end user with a
confirmation code that is required to change the user's password. For the
Username parameter, you can use the username or user alias. The method
used to send the confirmation code is sent according to the specified
AccountRecoverySetting. For more information, see Recovering
User Accountsin the *Amazon Cognito Developer Guide*. If neither a verified phone number nor a verified email exists, anInvalidParameterException` is thrown. To use the confirmation code for
resetting the password, call .
Gets the device.
Gets a group.
Gets the specified identity provider.
This method takes a user pool ID, and returns the signing certificate.
Gets the UI Customization information for a particular app client's app UI,
if there is something set. If nothing is set for the particular client, but
there is an existing pool level customization (app clientId will be
ALL), then that is returned. If nothing is present, then an empty shape
is returned.
Gets the user attributes and metadata for a user.
Gets the user attribute verification code for the specified attribute name.
Gets the user pool multi-factor authentication (MFA) configuration.
Signs out users from all devices. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.
Initiates the authentication flow.
Lists the devices.
Lists the groups associated with a user pool.
Lists information about all identity providers for a user pool.
Lists the resource servers for a user pool.
Lists the tags that are assigned to an Amazon Cognito user pool.
Lists the user import jobs.
Lists the clients that have been created for the specified user pool.
Lists the user pools associated with an AWS account.
Lists the users in the Amazon Cognito user pool.
Lists the users in the specified group.
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
Responds to the authentication challenge.
Configures actions on detected risks. To delete the risk configuration for
UserPoolId or ClientId, pass null values for all four configuration
types.
Sets the UI customization information for a user pool's built-in app UI.
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are enabled and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are enabled. If multiple options are enabled and no preference is set, a challenge to choose an MFA option will be returned during sign in.
Set the user pool multi-factor authentication (MFA) configuration.
This action is no longer supported. You can use it to configure only SMS
MFA. You can't use it to configure TOTP software token MFA. To configure
either type of MFA, use the SetUserMFAPreference action instead.
Registers the user in the specified user pool and creates a user name, password, and user attributes.
Starts the user import.
Stops the user import job.
Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Removes the specified tags from an Amazon Cognito user pool. You can use this action up to 5 times per second, per account
Provides the feedback for an authentication event whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Updates the device status.
Updates the specified group with the specified attributes.
Updates identity provider information for a user pool.
Updates the name and scopes of resource server. All other fields are read-only.
Allows a user to update a specific attribute (one at a time).
Updates the specified user pool with the specified attributes. You can get a list of the current user pool settings with .
Updates the specified user pool app client with the specified attributes. You can get a list of the current user pool app client settings with .
Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.
Use this API to register a user's entered TOTP code and mark the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.
Verifies the specified user attributes in the user pool.
Link to this section Functions
Adds additional user attributes to the user pool schema.
Adds the specified user to the specified group.
Calling this action requires developer credentials.
Confirms user registration as an admin without using a confirmation code. Works on any user.
Calling this action requires developer credentials.
Creates a new user in the specified user pool.
If MessageAction is not set, the default is to send a welcome message via
email or phone (SMS).
MessageAction parameter, and Amazon Cognito will not send any email.
In either case, the user will be in the FORCE_CHANGE_PASSWORD state until
they sign in and change their password.
AdminCreateUser requires developer credentials.
Deletes a user as an administrator. Works on any user.
Calling this action requires developer credentials.
Deletes the user attributes in a user pool as an administrator. Works on any user.
Calling this action requires developer credentials.
Disables the user from signing in with the specified external (SAML or
social) identity provider. If the user to disable is a Cognito User Pools
native username + password user, they are not permitted to use their
password to sign-in. If the user to disable is a linked external IdP user,
any link between that user and an existing user is removed. The next time
the external user (no longer attached to the previously linked
DestinationUser) signs in, they must create a new user account. See .
This action is enabled only for admin access and requires developer credentials.
The ProviderName must match the value specified when creating an IdP for
the pool.
To disable a native username + password user, the ProviderName value must
be Cognito and the ProviderAttributeName must be Cognito_Subject,
with the ProviderAttributeValue being the name that is used in the user
pool for the user.
The ProviderAttributeName must always be Cognito_Subject for social
identity providers. The ProviderAttributeValue must always be the exact
subject that was used when the user was originally linked as a source user.
For de-linking a SAML identity, there are two scenarios. If the linked
identity has not yet been used to sign-in, the ProviderAttributeName and
ProviderAttributeValue must be the same values that were used for the
SourceUser when the identities were originally linked in the call. (If
the linking was done with ProviderAttributeName set to Cognito_Subject,
the same applies here). However, if the user has already signed in, the
ProviderAttributeName must be Cognito_Subject and
ProviderAttributeValue must be the subject of the SAML assertion.
Disables the specified user.
Calling this action requires developer credentials.
Enables the specified user as an administrator. Works on any user.
Calling this action requires developer credentials.
Forgets the device, as an administrator.
Calling this action requires developer credentials.
Gets the device, as an administrator.
Calling this action requires developer credentials.
Gets the specified user by user name in a user pool as an administrator. Works on any user.
Calling this action requires developer credentials.
Initiates the authentication flow, as an administrator.
Calling this action requires developer credentials.
Links an existing user account in a user pool (DestinationUser) to an
identity from an external identity provider (SourceUser) based on a
specified attribute name and value from the external identity provider.
This allows you to create a link from the existing user account to an
external federated user identity that has not yet been used to sign in, so
that the federated user identity can be used to sign in as the existing
user account.
For example, if there is an existing user with a username and password, this API links that user to a federated user identity, so that when the federated user identity is used, the user signs in as the existing user account.
This action is enabled only for admin access and requires developer credentials.
Lists devices, as an administrator.
Calling this action requires developer credentials.
Lists the groups that the user belongs to.
Calling this action requires developer credentials.
Lists a history of user activity and any risks detected as part of Amazon Cognito advanced security.
Removes the specified user from the specified group.
Calling this action requires developer credentials.
Resets the specified user's password in a user pool as an administrator. Works on any user.
When a developer calls this API, the current password is invalidated, so it must be changed. If a user tries to sign in after the API is called, the app will get a PasswordResetRequiredException exception back and should direct the user down the flow to reset the password, which is the same as the forgot password flow. In addition, if the user pool has phone verification selected and a verified phone number exists for the user, or if email verification is selected and a verified email exists for the user, calling this API will also result in sending a message to the end user with the code to change their password.
Calling this action requires developer credentials.
Responds to an authentication challenge, as an administrator.
Calling this action requires developer credentials.
Sets the user's multi-factor authentication (MFA) preference, including which MFA options are enabled and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are enabled. If multiple options are enabled and no preference is set, a challenge to choose an MFA option will be returned during sign in.
Sets the specified user's password in a user pool as an administrator. Works on any user.
The password can be temporary or permanent. If it is temporary, the user
status will be placed into the FORCE_CHANGE_PASSWORD state. When the user
next tries to sign in, the InitiateAuth/AdminInitiateAuth response will
contain the NEW_PASSWORD_REQUIRED challenge. If the user does not sign in
before it expires, the user will not be able to sign in and their password
will need to be reset by an administrator.
Once the user has set a new password, or the password is permanent, the
user status will be set to Confirmed.
This action is no longer supported. You can use it to configure only SMS
MFA. You can't use it to configure TOTP software token MFA. To configure
either type of MFA, use the AdminSetUserMFAPreference action instead.
Provides feedback for an authentication event as to whether it was from a valid user. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Updates the device status as an administrator.
Calling this action requires developer credentials.
Updates the specified user's attributes, including developer attributes, as an administrator. Works on any user.
For custom attributes, you must prepend the custom: prefix to the
attribute name.
In addition to updating user attributes, this API can also be used to mark phone and email as verified.
Calling this action requires developer credentials.
Signs out users from all devices, as an administrator. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.
Calling this action requires developer credentials.
Returns a unique generated shared secret key code for the user account. The request takes an access token or a session string, but not both.
Changes the password for a specified user in a user pool.
Confirms tracking of the device. This API call is the call that begins device tracking.
Allows a user to enter a confirmation code to reset a forgotten password.
Confirms registration of a user and handles the existing alias from a previous user.
Creates a new group in the specified user pool.
Calling this action requires developer credentials.
Creates an identity provider for a user pool.
Creates a new OAuth2.0 resource server and defines custom scopes in it.
Creates the user import job.
Creates a new Amazon Cognito user pool and sets the password policy for the pool.
Creates the user pool client.
Creates a new domain for a user pool.
Deletes a group. Currently only groups with no members can be deleted.
Calling this action requires developer credentials.
Deletes an identity provider for a user pool.
Deletes a resource server.
Allows a user to delete himself or herself.
Deletes the attributes for a user.
Deletes the specified Amazon Cognito user pool.
Allows the developer to delete the user pool client.
Deletes a domain for a user pool.
Gets information about a specific identity provider.
Describes a resource server.
Describes the risk configuration.
Describes the user import job.
Returns the configuration information and metadata of the specified user pool.
Client method for returning the configuration information and metadata of the specified user pool app client.
Gets information about a domain.
Forgets the specified device.
Calling this API causes a message to be sent to the end user with a
confirmation code that is required to change the user's password. For the
Username parameter, you can use the username or user alias. The method
used to send the confirmation code is sent according to the specified
AccountRecoverySetting. For more information, see Recovering
User Accountsin the *Amazon Cognito Developer Guide*. If neither a verified phone number nor a verified email exists, anInvalidParameterException` is thrown. To use the confirmation code for
resetting the password, call .
Gets the header information for the .csv file to be used as input for the user import job.
Gets the device.
Gets a group.
Calling this action requires developer credentials.
Gets the specified identity provider.
This method takes a user pool ID, and returns the signing certificate.
Gets the UI Customization information for a particular app client's app UI,
if there is something set. If nothing is set for the particular client, but
there is an existing pool level customization (app clientId will be
ALL), then that is returned. If nothing is present, then an empty shape
is returned.
Gets the user attributes and metadata for a user.
get_user_attribute_verification_code(client, input, options \\ [])
View SourceGets the user attribute verification code for the specified attribute name.
Gets the user pool multi-factor authentication (MFA) configuration.
Signs out users from all devices. It also invalidates all refresh tokens issued to a user. The user's current access and Id tokens remain valid until their expiry. Access and Id tokens expire one hour after they are issued.
Initiates the authentication flow.
Lists the devices.
Lists the groups associated with a user pool.
Calling this action requires developer credentials.
Lists information about all identity providers for a user pool.
Lists the resource servers for a user pool.
Lists the tags that are assigned to an Amazon Cognito user pool.
A tag is a label that you can apply to user pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
You can use this action up to 10 times per second, per account.
Lists the user import jobs.
Lists the clients that have been created for the specified user pool.
Lists the user pools associated with an AWS account.
Lists the users in the Amazon Cognito user pool.
Lists the users in the specified group.
Calling this action requires developer credentials.
Resends the confirmation (for confirmation of registration) to a specific user in the user pool.
Responds to the authentication challenge.
Configures actions on detected risks. To delete the risk configuration for
UserPoolId or ClientId, pass null values for all four configuration
types.
To enable Amazon Cognito advanced security features, update the user pool
to include the UserPoolAddOns keyAdvancedSecurityMode.
See .
Sets the UI customization information for a user pool's built-in app UI.
You can specify app UI customization settings for a single client (with a
specific clientId) or for all clients (by setting the clientId to
ALL). If you specify ALL, the default configuration will be used for
every client that has no UI customization set previously. If you specify UI
customization settings for a particular client, it will no longer fall back
to the ALL configuration.
Set the user's multi-factor authentication (MFA) method preference, including which MFA factors are enabled and if any are preferred. Only one factor can be set as preferred. The preferred MFA factor will be used to authenticate a user if multiple factors are enabled. If multiple options are enabled and no preference is set, a challenge to choose an MFA option will be returned during sign in.
Set the user pool multi-factor authentication (MFA) configuration.
This action is no longer supported. You can use it to configure only SMS
MFA. You can't use it to configure TOTP software token MFA. To configure
either type of MFA, use the SetUserMFAPreference action instead.
Registers the user in the specified user pool and creates a user name, password, and user attributes.
Starts the user import.
Stops the user import job.
Assigns a set of tags to an Amazon Cognito user pool. A tag is a label that you can use to categorize and manage user pools in different ways, such as by purpose, owner, environment, or other criteria.
Each tag consists of a key and value, both of which you define. A key is a
general category for more specific values. For example, if you have two
versions of a user pool, one for testing and another for production, you
might assign an Environment tag key to both user pools. The value of this
key might be Test for one user pool and Production for the other.
Tags are useful for cost tracking and access control. You can activate your tags so that they appear on the Billing and Cost Management console, where you can track the costs associated with your user pools. In an IAM policy, you can constrain permissions for user pools based on specific tags or tag values.
You can use this action up to 5 times per second, per account. A user pool can have as many as 50 tags.
Removes the specified tags from an Amazon Cognito user pool. You can use this action up to 5 times per second, per account
Provides the feedback for an authentication event whether it was from a valid user or not. This feedback is used for improving the risk evaluation decision for the user pool as part of Amazon Cognito advanced security.
Updates the device status.
Updates the specified group with the specified attributes.
Calling this action requires developer credentials.
Updates identity provider information for a user pool.
Updates the name and scopes of resource server. All other fields are read-only.
Allows a user to update a specific attribute (one at a time).
Updates the specified user pool with the specified attributes. You can get a list of the current user pool settings with .
Updates the specified user pool app client with the specified attributes. You can get a list of the current user pool app client settings with .
Updates the Secure Sockets Layer (SSL) certificate for the custom domain for your user pool.
You can use this operation to provide the Amazon Resource Name (ARN) of a new certificate to Amazon Cognito. You cannot use it to change the domain for a user pool.
A custom domain is used to host the Amazon Cognito hosted UI, which provides sign-up and sign-in pages for your application. When you set up a custom domain, you provide a certificate that you manage with AWS Certificate Manager (ACM). When necessary, you can use this operation to change the certificate that you applied to your custom domain.
Usually, this is unnecessary following routine certificate renewal with ACM. When you renew your existing certificate in ACM, the ARN for your certificate remains the same, and your custom domain uses the new certificate automatically.
However, if you replace your existing certificate with a new one, ACM gives the new certificate a new ARN. To apply the new certificate to your custom domain, you must provide this ARN to Amazon Cognito.
When you add your new certificate in ACM, you must choose US East (N. Virginia) as the AWS Region.
After you submit your request, Amazon Cognito requires up to 1 hour to distribute your new certificate to your custom domain.
For more information about adding a custom domain to your user pool, see Using Your Own Domain for the Hosted UI.
Use this API to register a user's entered TOTP code and mark the user's software token MFA status as "verified" if successful. The request takes an access token or a session string, but not both.
Verifies the specified user attributes in the user pool.