AWS Security ChangesHomeSearch

AWS code-library documentation change

Service: code-library · 2026-01-25 · Documentation low

File: code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md

Summary

Added SAP ABAP code example for AdminRespondToAuthChallenge operation with MFA challenge handling

Security assessment

Documents secure implementation of MFA challenge response flow including SECRET_HASH handling, but doesn't address a specific security vulnerability

Diff

diff --git a/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md b/code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md
index 10c64e21e..b21add520 100644
--- a//code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md
+++ b//code-library/latest/ug/cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md
@@ -374,0 +375,65 @@ Respond to an MFA challenge by providing a code generated by an associated MFA a
+SAP ABAP
+    
+
+**SDK for SAP ABAP**
+    
+
+###### Note
+
+There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples). 
+    
+    
+        TRY.
+            " Build challenge responses
+            DATA(lt_challenge_responses) = VALUE /aws1/cl_cgpchallengerspstyp00=>tt_challengeresponsestype(
+              ( VALUE /aws1/cl_cgpchallengerspstyp00=>ts_challengerspstype_maprow(
+                  key = 'USERNAME'
+                  value = NEW /aws1/cl_cgpchallengerspstyp00( iv_user_name ) ) )
+              ( VALUE /aws1/cl_cgpchallengerspstyp00=>ts_challengerspstype_maprow(
+                  key = 'SOFTWARE_TOKEN_MFA_CODE'
+                  value = NEW /aws1/cl_cgpchallengerspstyp00( iv_mfa_code ) ) )
+            ).
+    
+            " Add SECRET_HASH if provided
+            IF iv_secret_hash IS NOT INITIAL.
+              INSERT VALUE #(
+                key = 'SECRET_HASH'
+                value = NEW /aws1/cl_cgpchallengerspstyp00( iv_secret_hash )
+              ) INTO TABLE lt_challenge_responses.
+            ENDIF.
+    
+            DATA(lo_result) = lo_cgp->adminrespondtoauthchallenge(
+              iv_userpoolid = iv_user_pool_id
+              iv_clientid = iv_client_id
+              iv_challengename = 'SOFTWARE_TOKEN_MFA'
+              it_challengeresponses = lt_challenge_responses
+              iv_session = iv_session
+            ).
+    
+            oo_auth_result = lo_result->get_authenticationresult( ).
+    
+            IF oo_auth_result IS BOUND.
+              MESSAGE 'MFA challenge completed successfully.' TYPE 'I'.
+            ELSE.
+              " Another challenge might be required
+              DATA(lv_next_challenge) = lo_result->get_challengename( ).
+              MESSAGE |Additional challenge required: { lv_next_challenge }.| TYPE 'I'.
+            ENDIF.
+    
+          CATCH /aws1/cx_cgpcodemismatchex INTO DATA(lo_code_ex).
+            MESSAGE 'Invalid MFA code provided.' TYPE 'E'.
+    
+          CATCH /aws1/cx_cgpexpiredcodeex INTO DATA(lo_expired_ex).
+            MESSAGE 'MFA code has expired.' TYPE 'E'.
+    
+          CATCH /aws1/cx_cgpnotauthorizedex INTO DATA(lo_auth_ex).
+            MESSAGE 'Not authorized. Check MFA configuration.' TYPE 'E'.
+        ENDTRY.
+    
+    
+
+  * For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in _AWS SDK for SAP ABAP API reference_. 
+
+
+
+