Class: Aws::CognitoIdentityProvider::Types::ChallengeResponseType

Inherits:

Struct

• Object
• Struct
• Aws::CognitoIdentityProvider::Types::ChallengeResponseType

Includes:

Structure

Defined in:

lib/aws-sdk-cognitoidentityprovider/types.rb

Overview

The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.

You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret. Include a ‘DEVICE_KEY` for device authentication.

SELECT_CHALLENGE

: ‘“ChallengeName”: “SELECT_CHALLENGE”, “ChallengeResponses”:

"USERNAME": "[username]", "ANSWER": "[Challenge name]"`

Available challenges are `PASSWORD`, `PASSWORD_SRP`, `EMAIL_OTP`,
`SMS_OTP`, and `WEB_AUTHN`.

Complete authentication in the `SELECT_CHALLENGE` response for
`PASSWORD`, `PASSWORD_SRP`, and `WEB_AUTHN`:

* `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": {
  "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL":
  "[AuthenticationResponseJSON]"}`

  See [ AuthenticationResponseJSON][1].

* `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": {
  "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD":
  "[password]"}`

* `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": {
  "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A":
  "[SRP_A]"}`

For `SMS_OTP` and `EMAIL_OTP`, respond with the username and answer.
Your user pool will send a code for the user to submit in the next
challenge response.

* `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": {
  "ANSWER": "SMS_OTP", "USERNAME": "[username]"}`

* `"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": {
  "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}`

SMS_OTP

: ‘“ChallengeName”: “SMS_OTP”, “ChallengeResponses”: {“SMS_OTP_CODE”:

"[code]", "USERNAME": "[username]"}`

EMAIL_OTP

: ‘“ChallengeName”: “EMAIL_OTP”, “ChallengeResponses”:

{"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}`

SMS_MFA

: ‘“ChallengeName”: “SMS_MFA”, “ChallengeResponses”: {“SMS_MFA_CODE”:

"[code]", "USERNAME": "[username]"}`

PASSWORD_VERIFIER

: This challenge response is part of the SRP flow. Amazon Cognito

requires that your application respond to this challenge within a
few seconds. When the response time exceeds this period, your user
pool returns a `NotAuthorizedException` error.

`"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses":
{"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]",
"PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP":
[timestamp], "USERNAME": "[username]"}`

Add `"DEVICE_KEY"` when you sign in with a remembered device.

CUSTOM_CHALLENGE

: ‘“ChallengeName”: “CUSTOM_CHALLENGE”, “ChallengeResponses”:

{"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}`

Add `"DEVICE_KEY"` when you sign in with a remembered device.

NEW_PASSWORD_REQUIRED

: ‘“ChallengeName”: “NEW_PASSWORD_REQUIRED”, “ChallengeResponses”:

{"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}`

To set any required attributes that `InitiateAuth` returned in an
`requiredAttributes` parameter, add
`"userAttributes.[attribute_name]": "[attribute_value]"`. This
parameter can also set values for writable attributes that aren't
required by your user pool.

<note markdown="1"> In a `NEW_PASSWORD_REQUIRED` challenge response, you can't modify a
required attribute that already has a value. In
`RespondToAuthChallenge`, set a value for any keys that Amazon
Cognito returned in the `requiredAttributes` parameter, then use the
`UpdateUserAttributes` API operation to modify the value of any
additional attributes.

 </note>

SOFTWARE_TOKEN_MFA

: ‘“ChallengeName”: “SOFTWARE_TOKEN_MFA”, “ChallengeResponses”:

{"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE":
[authenticator_code]}`

DEVICE_SRP_AUTH

: ‘“ChallengeName”: “DEVICE_SRP_AUTH”, “ChallengeResponses”:

{"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A":
"[srp_a]"}`

DEVICE_PASSWORD_VERIFIER

: ‘“ChallengeName”: “DEVICE_PASSWORD_VERIFIER”, “ChallengeResponses”:

{"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE":
"[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK":
"[secret_block]", "TIMESTAMP": [timestamp], "USERNAME":
"[username]"}`

MFA_SETUP

: ‘“ChallengeName”: “MFA_SETUP”, “ChallengeResponses”: {“USERNAME”:

"[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"`

SELECT_MFA_TYPE

: ‘“ChallengeName”: “SELECT_MFA_TYPE”, “ChallengeResponses”:

{"USERNAME": "[username]", "ANSWER": "[SMS_MFA or
SOFTWARE_TOKEN_MFA]"}`

For more information about ‘SECRET_HASH`, see [Computing secret hash values]. For information about `DEVICE_KEY`, see [Working with user devices in your user pool].

This data type is a request parameter of [RespondToAuthChallenge] and [AdminRespondToAuthChallenge].

[1]: www.w3.org/TR/webauthn-3/#dictdef-authenticationresponsejson [2]: docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash [3]: docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html [4]: docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html [5]: docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html

See Also:

• AWS API Documentation

Constant Summary

SENSITIVE =

[]

Instance Attribute Summary

• #challenge_name ⇒ String

  The type of challenge that your previous authentication request returned in the parameter ‘ChallengeName`, for example `SMS_MFA`.

• #challenge_response ⇒ String

  The set of key-value pairs that provides a response to the requested challenge.

Instance Attribute Details

#challenge_name ⇒ String

The type of challenge that your previous authentication request returned in the parameter ‘ChallengeName`, for example `SMS_MFA`.

Returns:

• (String)

# File 'lib/aws-sdk-cognitoidentityprovider/types.rb', line 2889

class ChallengeResponseType < Struct.new(
  :challenge_name,
  :challenge_response)
  SENSITIVE = []
  include Aws::Structure
end

#challenge_response ⇒ String

The set of key-value pairs that provides a response to the requested challenge.

Returns:

• (String)

# File 'lib/aws-sdk-cognitoidentityprovider/types.rb', line 2889

class ChallengeResponseType < Struct.new(
  :challenge_name,
  :challenge_response)
  SENSITIVE = []
  include Aws::Structure
end