class Aws::CognitoIdentityProvider::Types::InitiateAuthRequest

Initiates the authentication request.

@note When making an API call, you may pass InitiateAuthRequest data as a hash:

    {
      auth_flow: "USER_SRP_AUTH", # required, accepts USER_SRP_AUTH, REFRESH_TOKEN_AUTH, REFRESH_TOKEN, CUSTOM_AUTH, ADMIN_NO_SRP_AUTH, USER_PASSWORD_AUTH, ADMIN_USER_PASSWORD_AUTH
      auth_parameters: {
        "StringType" => "StringType",
      },
      client_metadata: {
        "StringType" => "StringType",
      },
      client_id: "ClientIdType", # required
      analytics_metadata: {
        analytics_endpoint_id: "StringType",
      },
      user_context_data: {
        encoded_data: "StringType",
      },
    }

@!attribute [rw] auth_flow

The authentication flow for this call to execute. The API action
will depend on this value. For example:

* `REFRESH_TOKEN_AUTH` will take in a valid refresh token and return
  new tokens.

* `USER_SRP_AUTH` will take in `USERNAME` and `SRP_A` and return the
  SRP variables to be used for next challenge execution.

* `USER_PASSWORD_AUTH` will take in `USERNAME` and `PASSWORD` and
  return the next challenge or tokens.

Valid values include:

* `USER_SRP_AUTH`\: Authentication flow for the Secure Remote
  Password (SRP) protocol.

* `REFRESH_TOKEN_AUTH`/`REFRESH_TOKEN`\: Authentication flow for
  refreshing the access token and ID token by supplying a valid
  refresh token.

* `CUSTOM_AUTH`\: Custom authentication flow.

* `USER_PASSWORD_AUTH`\: Non-SRP authentication flow; USERNAME and
  PASSWORD are passed directly. If a user migration Lambda trigger
  is set, this flow will invoke the user migration Lambda if the
  USERNAME is not found in the user pool.

* `ADMIN_USER_PASSWORD_AUTH`\: Admin-based user password
  authentication. This replaces the `ADMIN_NO_SRP_AUTH`
  authentication flow. In this flow, Cognito receives the password
  in the request instead of using the SRP process to verify
  passwords.

`ADMIN_NO_SRP_AUTH` is not a valid value.
@return [String]

@!attribute [rw] auth_parameters

The authentication parameters. These are inputs corresponding to the
`AuthFlow` that you are invoking. The required values depend on the
value of `AuthFlow`\:

* For `USER_SRP_AUTH`\: `USERNAME` (required), `SRP_A` (required),
  `SECRET_HASH` (required if the app client is configured with a
  client secret), `DEVICE_KEY`.

* For `REFRESH_TOKEN_AUTH/REFRESH_TOKEN`\: `REFRESH_TOKEN`
  (required), `SECRET_HASH` (required if the app client is
  configured with a client secret), `DEVICE_KEY`.

* For `CUSTOM_AUTH`\: `USERNAME` (required), `SECRET_HASH` (if app
  client is configured with client secret), `DEVICE_KEY`. To start
  the authentication flow with password verification, include
  `ChallengeName: SRP_A` and `SRP_A: (The SRP_A Value)`.
@return [Hash<String,String>]

@!attribute [rw] client_metadata

A map of custom key-value pairs that you can provide as input for
certain custom workflows that this action triggers.

You create custom workflows by assigning Lambda functions to user
pool triggers. When you use the InitiateAuth API action, Amazon
Cognito invokes the Lambda functions that are specified for various
triggers. The ClientMetadata value is passed as input to the
functions for only the following triggers:

* Pre signup

* Pre authentication

* User migration

When Amazon Cognito invokes the functions for these triggers, it
passes a JSON payload, which the function receives as input. This
payload contains a `validationData` attribute, which provides the
data that you assigned to the ClientMetadata parameter in your
InitiateAuth request. In your function code in Lambda, you can
process the `validationData` value to enhance your workflow for your
specific needs.

When you use the InitiateAuth API action, Amazon Cognito also
invokes the functions for the following triggers, but it does not
provide the ClientMetadata value as input:

* Post authentication

* Custom message

* Pre token generation

* Create auth challenge

* Define auth challenge

* Verify auth challenge

For more information, see [Customizing User Pool Workflows with
Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.

<note markdown="1"> Take the following limitations into consideration when you use the
ClientMetadata parameter:

* Amazon Cognito does not store the ClientMetadata value. This data
  is available only to Lambda triggers that are assigned to a user
  pool to support custom workflows. If your user pool configuration
  does not include triggers, the ClientMetadata parameter serves no
  purpose.

* Amazon Cognito does not validate the ClientMetadata value.

* Amazon Cognito does not encrypt the ClientMetadata value, so
  don't use it to provide sensitive information.

</note>

[1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
@return [Hash<String,String>]
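
The following added example (not part of the AWS SDK or its documentation) builds an `InitiateAuthRequest` hash offline, enforcing the per-flow required `auth_parameters` listed above and refusing `client_metadata` keys that look sensitive, since that value is not encrypted. Assumptions: the helper names, the `hash_username` keyword and the `SENSITIVE_KEY` pattern are hypothetical; the `SECRET_HASH` formula (Base64 of HMAC-SHA256 over username plus client ID, keyed with the client secret) comes from the Amazon Cognito Developer Guide, not from this page.

```ruby
require "openssl"
require "base64"

# Required AuthParameters for each flow, as listed in the documentation above.
REQUIRED_AUTH_PARAMS = {
  "USER_SRP_AUTH"      => %w[USERNAME SRP_A],
  "REFRESH_TOKEN_AUTH" => %w[REFRESH_TOKEN],
  "REFRESH_TOKEN"      => %w[REFRESH_TOKEN],
  "CUSTOM_AUTH"        => %w[USERNAME],
  "USER_PASSWORD_AUTH" => %w[USERNAME PASSWORD],
}.freeze

# Hypothetical heuristic: key names that suggest secrets in ClientMetadata.
SENSITIVE_KEY = /pass|secret|token|ssn/i

# SECRET_HASH = Base64(HMAC-SHA256(key: client secret, msg: username + client ID)).
def secret_hash(username, client_id, client_secret)
  mac = OpenSSL::HMAC.digest("SHA256", client_secret, username + client_id)
  Base64.strict_encode64(mac)
end

# Returns a hash shaped like InitiateAuthRequest; raises ArgumentError on
# a flow outside the table, a missing parameter, or sensitive metadata keys.
def build_initiate_auth(auth_flow:, client_id:, auth_parameters:,
                        client_secret: nil, hash_username: nil,
                        client_metadata: {})
  required = REQUIRED_AUTH_PARAMS.fetch(auth_flow) do
    raise ArgumentError, "#{auth_flow}: not accepted by this helper"
  end
  missing = required - auth_parameters.keys
  raise ArgumentError, "missing #{missing.join(', ')}" unless missing.empty?

  params = auth_parameters.dup # never mutate the caller's hash
  if client_secret
    # Refresh flows carry no USERNAME, so the caller supplies hash_username.
    username = hash_username || params["USERNAME"]
    raise ArgumentError, "username needed for SECRET_HASH" unless username
    params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
  end

  leaked = client_metadata.keys.grep(SENSITIVE_KEY)
  unless leaked.empty?
    raise ArgumentError, "sensitive ClientMetadata keys: #{leaked.join(', ')}"
  end

  { auth_flow: auth_flow, client_id: client_id,
    auth_parameters: params, client_metadata: client_metadata }
end
```

The returned hash can be passed to `Aws::CognitoIdentityProvider::Client#initiate_auth`; the key-name check is only a guard against obvious mistakes and does not inspect metadata values.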

@!attribute [rw] client_id

The app client ID.
@return [String]

@!attribute [rw] analytics_metadata

The Amazon Pinpoint analytics metadata for collecting metrics for
`InitiateAuth` calls.
@return [Types::AnalyticsMetadataType]

@!attribute [rw] user_context_data

Contextual data such as the user's device fingerprint, IP address,
or location used for evaluating the risk of an unexpected event by
Amazon Cognito advanced security.
@return [Types::UserContextDataType]

@see docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/InitiateAuthRequest AWS API Documentation

Constants

SENSITIVE