AWS cli documentation change
Summary
Updated authentication parameters documentation with restructured flow-specific requirements, added DEVICE_KEY guidance for MFA bypass, and expanded challenge response details
Security assessment
The changes clarify security-related parameters like SECRET_HASH usage for client authentication and DEVICE_KEY for MFA bypass capabilities. While these updates improve security documentation, there's no evidence they address a specific vulnerability. The additions help users properly implement authentication flows with security features like client secrets and device tracking.
Diff
diff --git a/cli/latest/reference/cognito-idp/admin-initiate-auth.md b/cli/latest/reference/cognito-idp/admin-initiate-auth.md index 25462bd58..56d2d56c0 100644 --- a//cli/latest/reference/cognito-idp/admin-initiate-auth.md +++ b//cli/latest/reference/cognito-idp/admin-initiate-auth.md @@ -15 +15 @@ - * [AWS CLI 2.28.12 Command Reference](../../index.html) » + * [AWS CLI 2.28.15 Command Reference](../../index.html) » @@ -164 +164,33 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> The authentication parameters. These are inputs corresponding to the `AuthFlow` that you’re invoking. The required values depend on the value of `AuthFlow` for example: +> The authentication parameters. These are inputs corresponding to the `AuthFlow` that you’re invoking. +> +> The following are some authentication flows and their parameters. Add a `SECRET_HASH` parameter if your app client has a client secret. Add `DEVICE_KEY` if you want to bypass multi-factor authentication with a remembered device. +> +>> USER_AUTH +> +> * `USERNAME` (required) +> +> * `PREFERRED_CHALLENGE` . If you don’t provide a value for `PREFERRED_CHALLENGE` , Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods. +> +> USER_SRP_AUTH +> +> * `USERNAME` (required) +> +> * `SRP_A` (required) +> +> ADMIN_USER_PASSWORD_AUTH +> +> * `USERNAME` (required) +> +> * `PASSWORD` (required) +> +> REFRESH_TOKEN_AUTH/REFRESH_TOKEN +> +> * `REFRESH_TOKEN` (required) +> +> CUSTOM_AUTH +> +> * `USERNAME` (required) +> +> * `ChallengeName: SRP_A` (when preceding custom authentication with SRP authentication) +> +> * `SRP_A: (An SRP_A value)` (when preceding custom authentication with SRP authentication) @@ -166,5 +197,0 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> * For `USER_AUTH` : `USERNAME` (required), `PREFERRED_CHALLENGE` . If you don’t provide a value for `PREFERRED_CHALLENGE` , Amazon Cognito responds with the `AvailableChallenges` parameter that specifies the available sign-in methods. -> * For `USER_SRP_AUTH` : `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * For `ADMIN_USER_PASSWORD_AUTH` : `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN` : `REFRESH_TOKEN` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * For `CUSTOM_AUTH` : `USERNAME` (required), `SECRET_HASH` (if app client is configured with client secret), `DEVICE_KEY` . To start the authentication flow with password verification, include `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)` . @@ -480,10 +507,12 @@ ChallengeName -> (string) -> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. -> -> * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. -> * `PASSWORD` : Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * `PASSWORD_SRP` : Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * `SELECT_CHALLENGE` : Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge types in the `AvailableChallenges` response parameter. -> * `SMS_MFA` : Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. -> * `EMAIL_OTP` : Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. -> * `PASSWORD_VERIFIER` : Respond with `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` after client-side SRP calculations. -> * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. +> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication. +> +> * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL` . Examples of WebAuthn authenticators include biometric devices and security keys. +> * `PASSWORD` : Respond with the user’s password as `PASSWORD` . +> * `PASSWORD_SRP` : Respond with the initial SRP secret as `SRP_A` . +> * `SELECT_CHALLENGE` : Respond with a challenge selection as `ANSWER` . It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP` . +> * `SMS_MFA` : Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` +> * `EMAIL_MFA` : Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` +> * `EMAIL_OTP` : Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . +> * `SMS_OTP` : Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE` . +> * `PASSWORD_VERIFIER` : Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` . +> * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response. @@ -572 +601 @@ AvailableChallenges -> (list) - * [AWS CLI 2.28.12 Command Reference](../../index.html) » + * [AWS CLI 2.28.15 Command Reference](../../index.html) »