AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-04-23 · Documentation low

File: cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md

Summary

Added Swift SDK code example for AdminRespondToAuthChallenge API with MFA handling

Security assessment

The change documents MFA challenge response implementation, which is a security feature. However, it simply demonstrates existing MFA functionality rather than addressing a specific vulnerability or introducing new security controls.

Diff

diff --git a/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md b/cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md
index 97205af82..6141cfc1f 100644
--- a//cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md
+++ b//cognito/latest/developerguide/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md
@@ -372,0 +373,79 @@ Respond to an MFA challenge by providing a code generated by an associated MFA a
+Swift
+    
+
+**SDK for Swift**
+    
+
+###### Note
+
+There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples). 
+    
+    
+    import AWSCognitoIdentityProvider
+    
+        /// Respond to the authentication challenge received from Cognito after
+        /// initiating an authentication session. This involves sending a current
+        /// MFA code to the service.
+        /// 
+        /// - Parameters:
+        ///   - cipClient: The `CognitoIdentityProviderClient` to use.
+        ///   - userName: The user's username.
+        ///   - clientId: The app client ID.
+        ///   - userPoolId: The user pool to sign into.
+        ///   - mfaCode: The 6-digit MFA code currently displayed by the user's
+        ///     authenticator.
+        ///   - session: The authentication session to continue processing.
+        func adminRespondToAuthChallenge(cipClient: CognitoIdentityProviderClient, userName: String,
+                                         clientId: String, userPoolId: String, mfaCode: String,
+                                         session: String) async {
+            print("=====> SOFTWARE_TOKEN_MFA challenge is generated...")
+    
+            var challengeResponsesOb: [String: String] = [:]
+            challengeResponsesOb["USERNAME"] = userName
+            challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode
+    
+            do {
+                let output = try await cipClient.adminRespondToAuthChallenge(
+                    input: AdminRespondToAuthChallengeInput(
+                        challengeName: CognitoIdentityProviderClientTypes.ChallengeNameType.softwareTokenMfa,
+                        challengeResponses: challengeResponsesOb,
+                        clientId: clientId,
+                        session: session,
+                        userPoolId: userPoolId
+                    )
+                )
+    
+                guard let authenticationResult = output.authenticationResult else {
+                    print("*** Unable to get authentication result.")
+                    return
+                }
+    
+                print("=====> Authentication result (JWTs are redacted):")
+                print(authenticationResult)
+            } catch _ as SoftwareTokenMFANotFoundException {
+                print("*** The specified user pool isn't configured for MFA.")
+                return
+            } catch _ as CodeMismatchException {
+                print("*** The specified MFA code doesn't match the expected value.")
+                return
+            } catch _ as UserNotFoundException {
+                print("*** The specified username, \(userName), doesn't exist.")
+                return
+            } catch _ as UserNotConfirmedException {
+                print("*** The user \(userName) has not been confirmed.")
+                return
+            } catch let error as NotAuthorizedException {
+                print("*** Unauthorized access. Reason: \(error.properties.message ?? "<unknown>")")
+            } catch {
+                print("*** Error responding to the MFA challenge.")
+                return
+            }
+        }
+    
+    
+
+  * For API details, see [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/adminrespondtoauthchallenge\(input:\)) in _AWS SDK for Swift API reference_. 
+
+
+
+