AWS cli documentation change
Summary
Updated challenge response documentation with new parameters, added WEB_AUTHN/EMAIL_MFA/SMS_OTP details, clarified device authentication requirements
Security assessment
Changes add documentation for WebAuthn authentication (security feature), expand MFA options (EMAIL_MFA/SMS_OTP), and emphasize DEVICE_KEY usage for device authentication. While these are security-related features, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/cli/latest/reference/cognito-idp/admin-respond-to-auth-challenge.md b/cli/latest/reference/cognito-idp/admin-respond-to-auth-challenge.md index ebebd34d5..d88ffbd06 100644 --- a//cli/latest/reference/cognito-idp/admin-respond-to-auth-challenge.md +++ b//cli/latest/reference/cognito-idp/admin-respond-to-auth-challenge.md @@ -15 +15 @@ - * [AWS CLI 2.28.12 Command Reference](../../index.html) » + * [AWS CLI 2.28.15 Command Reference](../../index.html) » @@ -135,10 +135,12 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. -> -> * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. -> * `PASSWORD` : Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * `PASSWORD_SRP` : Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * `SELECT_CHALLENGE` : Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge types in the `AvailableChallenges` response parameter. -> * `SMS_MFA` : Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. -> * `EMAIL_OTP` : Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. -> * `PASSWORD_VERIFIER` : Respond with `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` after client-side SRP calculations. -> * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. +> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication. +> +> * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL` . Examples of WebAuthn authenticators include biometric devices and security keys. +> * `PASSWORD` : Respond with the user’s password as `PASSWORD` . +> * `PASSWORD_SRP` : Respond with the initial SRP secret as `SRP_A` . +> * `SELECT_CHALLENGE` : Respond with a challenge selection as `ANSWER` . It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP` . +> * `SMS_MFA` : Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` +> * `EMAIL_MFA` : Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` +> * `EMAIL_OTP` : Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . +> * `SMS_OTP` : Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE` . +> * `PASSWORD_VERIFIER` : Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` . +> * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response. @@ -208 +210 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> SMS_OTP +> WEB_AUTHN @@ -212,0 +215,14 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit +>> `"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}` +> +> See [AuthenticationResponseJSON](https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson) . +> +>> > PASSWORD +>> +>> `"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}` +>> +>>> PASSWORD_SRP +>> +>> `"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}` +>> +>>> SMS_OTP +>> @@ -228,3 +244 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> -> Add `"DEVICE_KEY"` when you sign in with a remembered device. -> +>> @@ -234,3 +248 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> -> Add `"DEVICE_KEY"` when you sign in with a remembered device. -> +>> @@ -265 +277 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/cognit -> `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"}` +> `"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}` @@ -571,10 +583,12 @@ ChallengeName -> (string) -> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. -> -> * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey. Examples of WebAuthn authenticators include biometric devices and security keys. -> * `PASSWORD` : Respond with `USER_PASSWORD_AUTH` parameters: `USERNAME` (required), `PASSWORD` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * `PASSWORD_SRP` : Respond with `USER_SRP_AUTH` parameters: `USERNAME` (required), `SRP_A` (required), `SECRET_HASH` (required if the app client is configured with a client secret), `DEVICE_KEY` . -> * `SELECT_CHALLENGE` : Respond to the challenge with `USERNAME` and an `ANSWER` that matches one of the challenge types in the `AvailableChallenges` response parameter. -> * `SMS_MFA` : Respond with an `SMS_MFA_CODE` that your user pool delivered in an SMS message. -> * `EMAIL_OTP` : Respond with an `EMAIL_OTP_CODE` that your user pool delivered in an email message. -> * `PASSWORD_VERIFIER` : Respond with `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` after client-side SRP calculations. -> * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function. +> All of the following challenges require `USERNAME` and, when the app client has a client secret, `SECRET_HASH` in the parameters. Include a `DEVICE_KEY` for device authentication. +> +> * `WEB_AUTHN` : Respond to the challenge with the results of a successful authentication with a WebAuthn authenticator, or passkey, as `CREDENTIAL` . Examples of WebAuthn authenticators include biometric devices and security keys. +> * `PASSWORD` : Respond with the user’s password as `PASSWORD` . +> * `PASSWORD_SRP` : Respond with the initial SRP secret as `SRP_A` . +> * `SELECT_CHALLENGE` : Respond with a challenge selection as `ANSWER` . It must be one of the challenge types in the `AvailableChallenges` response parameter. Add the parameters of the selected challenge, for example `USERNAME` and `SMS_OTP` . +> * `SMS_MFA` : Respond with the code that your user pool delivered in an SMS message, as `SMS_MFA_CODE` +> * `EMAIL_MFA` : Respond with the code that your user pool delivered in an email message, as `EMAIL_MFA_CODE` +> * `EMAIL_OTP` : Respond with the code that your user pool delivered in an email message, as `EMAIL_OTP_CODE` . +> * `SMS_OTP` : Respond with the code that your user pool delivered in an SMS message, as `SMS_OTP_CODE` . +> * `PASSWORD_VERIFIER` : Respond with the second stage of SRP secrets as `PASSWORD_CLAIM_SIGNATURE` , `PASSWORD_CLAIM_SECRET_BLOCK` , and `TIMESTAMP` . +> * `CUSTOM_CHALLENGE` : This is returned if your custom authentication flow determines that the user should pass another challenge before tokens are issued. The parameters of the challenge are determined by your Lambda function and issued in the `ChallengeParameters` of a challenge response. @@ -653 +667 @@ AuthenticationResult -> (structure) - * [AWS CLI 2.28.12 Command Reference](../../index.html) » + * [AWS CLI 2.28.15 Command Reference](../../index.html) »