AWS code-library documentation change
Summary
Added two new MFA challenge response examples (SELECT_MFA_TYPE and SOFTWARE_TOKEN_MFA), updated CLI command formatting with placeholder values, and added documentation links
Security assessment
The changes add documentation about MFA authentication flows which are security features, but there's no evidence of addressing a specific security vulnerability
Diff
diff --git a/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md index fe98ed2c0..71ad25bd5 100644 --- a/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md +++ b/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md @@ -24 +24 @@ CLI -**To respond to an authorization challenge** +**Example 1: To respond to a NEW_PASSWORD_REQUIRED challenge** @@ -26 +26 @@ CLI -This example responds to an authorization challenge initiated with initiate-auth. It is a response to the NEW_PASSWORD_REQUIRED challenge. It sets a password for user [email protected]. +The following `respond-to-auth-challenge` example responds to a NEW_PASSWORD_REQUIRED challenge that initiate-auth returned. It sets a password for the user `[email protected]`. @@ -28 +27,0 @@ This example responds to an authorization challenge initiated with initiate-auth -Command: @@ -30,2 +29,5 @@ Command: - - aws cognito-idp respond-to-auth-challenge --client-id 3n4b5urk1ft4fl3mg5e62d9ado --challenge-name NEW_PASSWORD_REQUIRED --challenge-responses [email protected],NEW_PASSWORD="password" --session "SESSION_TOKEN" + aws cognito-idp respond-to-auth-challenge \ + --client-id 1example23456789 \ + --challenge-name NEW_PASSWORD_REQUIRED \ + --challenge-responses [email protected],NEW_PASSWORD=[Password] \ + --session AYABeEv5HklEXAMPLE @@ -46 +48 @@ Output: - "DeviceKey": "us-west-2_fec070d2-fa88-424a-8ec8-b26d7198eb23", + "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", @@ -51,0 +54,58 @@ Output: +For more information, see [Authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html) in the _Amazon Cognito Developer Guide_. + +**Example 2: To respond to a SELECT_MFA_TYPE challenge** + +The following `respond-to-auth-challenge` example chooses TOTP MFA as the MFA option for the current user. The user was prompted to select an MFA type and will next be prompted to enter their MFA code. + + + aws cognito-idp respond-to-auth-challenge \ + --client-id 1example23456789 + --session AYABeEv5HklEXAMPLE + --challenge-name SELECT_MFA_TYPE + --challenge-responses USERNAME=testuser,ANSWER=SOFTWARE_TOKEN_MFA + + +Output: + + + { + "ChallengeName": "SOFTWARE_TOKEN_MFA", + "Session": "AYABeEv5HklEXAMPLE", + "ChallengeParameters": { + "FRIENDLY_DEVICE_NAME": "transparent" + } + } + +For more information, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the _Amazon Cognito Developer Guide_. + +**Example 3: To respond to a SOFTWARE_TOKEN_MFA challenge** + +The following `respond-to-auth-challenge` example provides a TOTP MFA code and completes sign-in. + + + aws cognito-idp respond-to-auth-challenge \ + --client-id 1example23456789 \ + --session AYABeEv5HklEXAMPLE \ + --challenge-name SOFTWARE_TOKEN_MFA \ + --challenge-responses USERNAME=testuser,SOFTWARE_TOKEN_MFA_CODE=123456 + + +Output: + + + { + "AuthenticationResult": { + "AccessToken": "eyJra456defEXAMPLE", + "ExpiresIn": 3600, + "TokenType": "Bearer", + "RefreshToken": "eyJra123abcEXAMPLE", + "IdToken": "eyJra789ghiEXAMPLE", + "NewDeviceMetadata": { + "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", + "DeviceGroupKey": "-v7w9UcY6" + } + } + } + +For more information, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the _Amazon Cognito Developer Guide_. +