


# Code examples for Amazon Cognito using AWS SDKs
<a name="service_code_examples"></a>

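The following code examples show how to use Amazon Cognito with an AWS software development kit (SDK).

For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.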

**Contents**
+ [Amazon Cognito Identity](service_code_examples_cognito-identity.md)
  + [Basics](service_code_examples_cognito-identity_basics.md)
    + [Actions](service_code_examples_cognito-identity_actions.md)
      + [`CreateIdentityPool`](cognito-identity_example_cognito-identity_CreateIdentityPool_section.md)
      + [`DeleteIdentityPool`](cognito-identity_example_cognito-identity_DeleteIdentityPool_section.md)
      + [`DescribeIdentityPool`](cognito-identity_example_cognito-identity_DescribeIdentityPool_section.md)
      + [`GetCredentialsForIdentity`](cognito-identity_example_cognito-identity_GetCredentialsForIdentity_section.md)
      + [`GetIdentityPoolRoles`](cognito-identity_example_cognito-identity_GetIdentityPoolRoles_section.md)
      + [`ListIdentityPools`](cognito-identity_example_cognito-identity_ListIdentityPools_section.md)
      + [`SetIdentityPoolRoles`](cognito-identity_example_cognito-identity_SetIdentityPoolRoles_section.md)
      + [`UpdateIdentityPool`](cognito-identity_example_cognito-identity_UpdateIdentityPool_section.md)
  + [Scenarios](service_code_examples_cognito-identity_scenarios.md)
    + [Create an Amazon Textract explorer application](cognito-identity_example_cross_TextractExplorer_section.md)
+ [Amazon Cognito Identity Provider](service_code_examples_cognito-identity-provider.md)
  + [Basics](service_code_examples_cognito-identity-provider_basics.md)
    + [Hello Amazon Cognito](cognito-identity-provider_example_cognito-identity-provider_Hello_section.md)
    + [Actions](service_code_examples_cognito-identity-provider_actions.md)
      + [`AdminCreateUser`](cognito-identity-provider_example_cognito-identity-provider_AdminCreateUser_section.md)
      + [`AdminGetUser`](cognito-identity-provider_example_cognito-identity-provider_AdminGetUser_section.md)
      + [`AdminInitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_AdminInitiateAuth_section.md)
      + [`AdminRespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md)
      + [`AdminSetUserPassword`](cognito-identity-provider_example_cognito-identity-provider_AdminSetUserPassword_section.md)
      + [`AssociateSoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_AssociateSoftwareToken_section.md)
      + [`ConfirmDevice`](cognito-identity-provider_example_cognito-identity-provider_ConfirmDevice_section.md)
      + [`ConfirmForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ConfirmForgotPassword_section.md)
      + [`ConfirmSignUp`](cognito-identity-provider_example_cognito-identity-provider_ConfirmSignUp_section.md)
      + [`CreateUserPool`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPool_section.md)
      + [`CreateUserPoolClient`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPoolClient_section.md)
      + [`DeleteUser`](cognito-identity-provider_example_cognito-identity-provider_DeleteUser_section.md)
      + [`ForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ForgotPassword_section.md)
      + [`InitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_InitiateAuth_section.md)
      + [`ListUserPools`](cognito-identity-provider_example_cognito-identity-provider_ListUserPools_section.md)
      + [`ListUsers`](cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md)
      + [`ResendConfirmationCode`](cognito-identity-provider_example_cognito-identity-provider_ResendConfirmationCode_section.md)
      + [`RespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md)
      + [`SignUp`](cognito-identity-provider_example_cognito-identity-provider_SignUp_section.md)
      + [`UpdateUserPool`](cognito-identity-provider_example_cognito-identity-provider_UpdateUserPool_section.md)
      + [`VerifySoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_VerifySoftwareToken_section.md)
  + [Scenarios](service_code_examples_cognito-identity-provider_scenarios.md)
    + [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md)
    + [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md)
    + [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md)
    + [Use Amazon Cognito identity pools](cognito-identity-provider_example_cross_CognitoFlows_section.md)
    + [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md)
+ [Amazon Cognito Sync](service_code_examples_cognito-sync.md)
  + [Basics](service_code_examples_cognito-sync_basics.md)
    + [Actions](service_code_examples_cognito-sync_actions.md)
      + [`ListIdentityPoolUsage`](cognito-sync_example_cognito-sync_ListIdentityPoolUsage_section.md)

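# Code examples for Amazon Cognito Identity using AWS SDKs
<a name="service_code_examples_cognito-identity"></a>

The following code examples show how to use Amazon Cognito Identity with an AWS software development kit (SDK).

*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

*Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or combined with other AWS services.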


**Contents**
+ [Basics](service_code_examples_cognito-identity_basics.md)
  + [Actions](service_code_examples_cognito-identity_actions.md)
    + [`CreateIdentityPool`](cognito-identity_example_cognito-identity_CreateIdentityPool_section.md)
    + [`DeleteIdentityPool`](cognito-identity_example_cognito-identity_DeleteIdentityPool_section.md)
    + [`DescribeIdentityPool`](cognito-identity_example_cognito-identity_DescribeIdentityPool_section.md)
    + [`GetCredentialsForIdentity`](cognito-identity_example_cognito-identity_GetCredentialsForIdentity_section.md)
    + [`GetIdentityPoolRoles`](cognito-identity_example_cognito-identity_GetIdentityPoolRoles_section.md)
    + [`ListIdentityPools`](cognito-identity_example_cognito-identity_ListIdentityPools_section.md)
    + [`SetIdentityPoolRoles`](cognito-identity_example_cognito-identity_SetIdentityPoolRoles_section.md)
    + [`UpdateIdentityPool`](cognito-identity_example_cognito-identity_UpdateIdentityPool_section.md)
+ [Scenarios](service_code_examples_cognito-identity_scenarios.md)
  + [Create an Amazon Textract explorer application](cognito-identity_example_cross_TextractExplorer_section.md)

# Basic examples for Amazon Cognito Identity using AWS SDKs
<a name="service_code_examples_cognito-identity_basics"></a>

The following code examples show how to use the basics of Amazon Cognito Identity with AWS SDKs.

**Contents**
+ [Actions](service_code_examples_cognito-identity_actions.md)
  + [`CreateIdentityPool`](cognito-identity_example_cognito-identity_CreateIdentityPool_section.md)
  + [`DeleteIdentityPool`](cognito-identity_example_cognito-identity_DeleteIdentityPool_section.md)
  + [`DescribeIdentityPool`](cognito-identity_example_cognito-identity_DescribeIdentityPool_section.md)
  + [`GetCredentialsForIdentity`](cognito-identity_example_cognito-identity_GetCredentialsForIdentity_section.md)
  + [`GetIdentityPoolRoles`](cognito-identity_example_cognito-identity_GetIdentityPoolRoles_section.md)
  + [`ListIdentityPools`](cognito-identity_example_cognito-identity_ListIdentityPools_section.md)
  + [`SetIdentityPoolRoles`](cognito-identity_example_cognito-identity_SetIdentityPoolRoles_section.md)
  + [`UpdateIdentityPool`](cognito-identity_example_cognito-identity_UpdateIdentityPool_section.md)

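# Actions for Amazon Cognito Identity using AWS SDKs
<a name="service_code_examples_cognito-identity_actions"></a>

The following code examples demonstrate how to perform individual Amazon Cognito Identity actions with AWS SDKs. Each example includes a link to GitHub, where you can find instructions for setting up and running the code.

These excerpts call the Amazon Cognito Identity API and are code excerpts from larger programs that must be run in context. You can see actions in context in [Scenarios for Amazon Cognito Identity using AWS SDKs](service_code_examples_cognito-identity_scenarios.md).

 The following examples include only the most commonly used actions. For a complete list, see the [Amazon Cognito Identity API Reference](https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/Welcome.html).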

**Topics**
+ [`CreateIdentityPool`](cognito-identity_example_cognito-identity_CreateIdentityPool_section.md)
+ [`DeleteIdentityPool`](cognito-identity_example_cognito-identity_DeleteIdentityPool_section.md)
+ [`DescribeIdentityPool`](cognito-identity_example_cognito-identity_DescribeIdentityPool_section.md)
+ [`GetCredentialsForIdentity`](cognito-identity_example_cognito-identity_GetCredentialsForIdentity_section.md)
+ [`GetIdentityPoolRoles`](cognito-identity_example_cognito-identity_GetIdentityPoolRoles_section.md)
+ [`ListIdentityPools`](cognito-identity_example_cognito-identity_ListIdentityPools_section.md)
+ [`SetIdentityPoolRoles`](cognito-identity_example_cognito-identity_SetIdentityPoolRoles_section.md)
+ [`UpdateIdentityPool`](cognito-identity_example_cognito-identity_UpdateIdentityPool_section.md)

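# Use `CreateIdentityPool` with an AWS SDK or CLI
<a name="cognito-identity_example_cognito-identity_CreateIdentityPool_section"></a>

The following code examples show how to use `CreateIdentityPool`.

------
#### [ CLI ]

**AWS CLI**  
**To create an identity pool with a Cognito identity pool provider**  
This example creates an identity pool named MyIdentityPool. It has a Cognito identity pool provider. Unauthenticated identities are not allowed.  
Command:  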

```
aws cognito-identity create-identity-pool --identity-pool-name MyIdentityPool --no-allow-unauthenticated-identities --cognito-identity-providers ProviderName="cognito-idp.us-west-2.amazonaws.com/us-west-2_aaaaaaaaa",ClientId="3n4b5urk1ft4fl3mg5e62d9ado",ServerSideTokenCheck=false
```
Output:  

```
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "IdentityPoolName": "MyIdentityPool",
  "AllowUnauthenticatedIdentities": false,
  "CognitoIdentityProviders": [
      {
          "ProviderName": "cognito-idp.us-west-2.amazonaws.com/us-west-2_111111111",
          "ClientId": "3n4b5urk1ft4fl3mg5e62d9ado",
          "ServerSideTokenCheck": false
      }
  ]
}
```
+  For API details, see [CreateIdentityPool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/create-identity-pool.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.CreateIdentityPoolRequest;
import software.amazon.awssdk.services.cognitoidentity.model.CreateIdentityPoolResponse;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateIdentityPool {
    public static void main(String[] args) {
        final String usage = """
                Usage:
                    <identityPoolName>\s

                Where:
                    identityPoolName - The name to give your identity pool.
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String identityPoolName = args[0];
        CognitoIdentityClient cognitoClient = CognitoIdentityClient.builder()
                .region(Region.US_EAST_1)
                .build();

        String identityPoolId = createIdPool(cognitoClient, identityPoolName);
        System.out.println("Identity pool ID " + identityPoolId);
        cognitoClient.close();
    }

    public static String createIdPool(CognitoIdentityClient cognitoClient, String identityPoolName) {
        try {
            // Guest (unauthenticated) identities are disabled for the new pool.
            CreateIdentityPoolRequest poolRequest = CreateIdentityPoolRequest.builder()
                    .allowUnauthenticatedIdentities(false)
                    .identityPoolName(identityPoolName)
                    .build();

            CreateIdentityPoolResponse response = cognitoClient.createIdentityPool(poolRequest);
            return response.identityPoolId();

        // The identity pool client throws CognitoIdentityException,
        // not the user pool (identity provider) exception type.
        } catch (CognitoIdentityException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
        return "";
    }
}
```
+  For API details, see [CreateIdentityPool](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-identity-2014-06-30/CreateIdentityPool) in *AWS SDK for Java 2.x API Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Creates a new identity pool that allows unauthenticated identities.**  

```
New-CGIIdentityPool -AllowUnauthenticatedIdentities $true -IdentityPoolName CommonTests13
```
**Output:**  

```
LoggedAt                       : 8/12/2015 4:56:07 PM
AllowUnauthenticatedIdentities : True
DeveloperProviderName          :
IdentityPoolId                 : us-east-1:15d49393-ab16-431a-b26e-EXAMPLEGUID3
IdentityPoolName               : CommonTests13
OpenIdConnectProviderARNs      : {}
SupportedLoginProviders        : {}
ResponseMetadata               : Amazon.Runtime.ResponseMetadata
ContentLength                  : 136
HttpStatusCode                 : OK
```
+  For API details, see [CreateIdentityPool](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Creates a new identity pool that allows unauthenticated identities.**  

```
New-CGIIdentityPool -AllowUnauthenticatedIdentities $true -IdentityPoolName CommonTests13
```
**Output:**  

```
LoggedAt                       : 8/12/2015 4:56:07 PM
AllowUnauthenticatedIdentities : True
DeveloperProviderName          :
IdentityPoolId                 : us-east-1:15d49393-ab16-431a-b26e-EXAMPLEGUID3
IdentityPoolName               : CommonTests13
OpenIdConnectProviderARNs      : {}
SupportedLoginProviders        : {}
ResponseMetadata               : Amazon.Runtime.ResponseMetadata
ContentLength                  : 136
HttpStatusCode                 : OK
```
+  For API details, see [CreateIdentityPool](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity/FindOrCreateIdentityPool#code-examples).

```
import AWSCognitoIdentity


    /// Create a new identity pool and return its ID.
    ///
    /// - Parameters:
    ///     - name: The name to give the new identity pool.
    ///
    /// - Returns: A string containing the newly created pool's ID, or `nil`
    ///   if an error occurred.
    ///
    func createIdentityPool(name: String) async throws -> String? {
        do {
            let cognitoInputCall = CreateIdentityPoolInput(developerProviderName: "com.exampleco.CognitoIdentityDemo",
                                                           identityPoolName: name)
            
            let result = try await cognitoIdentityClient.createIdentityPool(input: cognitoInputCall)
            guard let poolId = result.identityPoolId else {
                return nil
            }
            
            return poolId
        } catch {
            print("ERROR: createIdentityPool:", dump(error))
            throw error
        }
    }
```
+  For more information, see [AWS SDK for Swift developer guide](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/getting-started.html).
+  For API details, see [CreateIdentityPool](https://sdk.amazonaws.com/swift/api/awscognitoidentity/latest/documentation/awscognitoidentity/cognitoidentityclient/createidentitypool(input:)) in *AWS SDK for Swift API reference*.

------


# Use `DeleteIdentityPool` with an AWS SDK or CLI
<a name="cognito-identity_example_cognito-identity_DeleteIdentityPool_section"></a>

The following code examples show how to use `DeleteIdentityPool`.

------
#### [ CLI ]

**AWS CLI**  
**To delete an identity pool**  
The following `delete-identity-pool` example deletes the specified identity pool.  
Command:  

```
aws cognito-identity delete-identity-pool \
    --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111"
```
This command produces no output.  
+  For API details, see [DeleteIdentityPool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/delete-identity-pool.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.awscore.exception.AwsServiceException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.DeleteIdentityPoolRequest;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class DeleteIdentityPool {

    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <identityPoolId>\s

                Where:
                    identityPoolId - The Id value of your identity pool.
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String identityPoolId = args[0];
        CognitoIdentityClient cognitoIdClient = CognitoIdentityClient.builder()
                .region(Region.US_EAST_1)
                .credentialsProvider(ProfileCredentialsProvider.create())
                .build();

        deleteIdPool(cognitoIdClient, identityPoolId);
        cognitoIdClient.close();
    }

    public static void deleteIdPool(CognitoIdentityClient cognitoIdClient, String identityPoolId) {
        try {

            DeleteIdentityPoolRequest identityPoolRequest = DeleteIdentityPoolRequest.builder()
                    .identityPoolId(identityPoolId)
                    .build();

            cognitoIdClient.deleteIdentityPool(identityPoolRequest);
            System.out.println("Done");

        } catch (AwsServiceException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [DeleteIdentityPool](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-identity-2014-06-30/DeleteIdentityPool) in *AWS SDK for Java 2.x API Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Deletes a specific identity pool.**  

```
Remove-CGIIdentityPool -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
```
+  For API details, see [DeleteIdentityPool](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Deletes a specific identity pool.**  

```
Remove-CGIIdentityPool -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
```
+  For API details, see [DeleteIdentityPool](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity/FindOrCreateIdentityPool#code-examples).

```
import AWSCognitoIdentity


    /// Delete the specified identity pool.
    ///
    /// - Parameters:
    ///   - id: The ID of the identity pool to delete.
    ///
    func deleteIdentityPool(id: String) async throws {
        do {
            let input = DeleteIdentityPoolInput(
                identityPoolId: id
            )
            
            _ = try await cognitoIdentityClient.deleteIdentityPool(input: input)
        } catch {
            print("ERROR: deleteIdentityPool:", dump(error))
            throw error
        }
    }
```
+  For more information, see [AWS SDK for Swift developer guide](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/getting-started.html).
+  For API details, see [DeleteIdentityPool](https://sdk.amazonaws.com/swift/api/awscognitoidentity/latest/documentation/awscognitoidentity/cognitoidentityclient/deleteidentitypool(input:)) in *AWS SDK for Swift API reference*.

------


# Use `DescribeIdentityPool` with a CLI
<a name="cognito-identity_example_cognito-identity_DescribeIdentityPool_section"></a>

The following code examples show how to use `DescribeIdentityPool`.

------
#### [ CLI ]

**AWS CLI**  
**To describe an identity pool**  
This example describes an identity pool.  
Command:  

```
aws cognito-identity describe-identity-pool --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111"
```
Output:  

```
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "IdentityPoolName": "MyIdentityPool",
  "AllowUnauthenticatedIdentities": false,
  "CognitoIdentityProviders": [
      {
          "ProviderName": "cognito-idp.us-west-2.amazonaws.com/us-west-2_111111111",
          "ClientId": "3n4b5urk1ft4fl3mg5e62d9ado",
          "ServerSideTokenCheck": false
      }
  ]
}
```
+  For API details, see [DescribeIdentityPool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/describe-identity-pool.html) in *AWS CLI Command Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Retrieves information about a specific identity pool by its ID.**  

```
Get-CGIIdentityPool -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
```
**Output:**  

```
LoggedAt                       : 8/12/2015 4:29:40 PM
AllowUnauthenticatedIdentities : True
DeveloperProviderName          :
IdentityPoolId                 : us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
IdentityPoolName               : CommonTests1
OpenIdConnectProviderARNs      : {}
SupportedLoginProviders        : {}
ResponseMetadata               : Amazon.Runtime.ResponseMetadata
ContentLength                  : 142
HttpStatusCode                 : OK
```
+  For API details, see [DescribeIdentityPool](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Retrieves information about a specific identity pool by its ID.**  

```
Get-CGIIdentityPool -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
```
**Output:**  

```
LoggedAt                       : 8/12/2015 4:29:40 PM
AllowUnauthenticatedIdentities : True
DeveloperProviderName          :
IdentityPoolId                 : us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
IdentityPoolName               : CommonTests1
OpenIdConnectProviderARNs      : {}
SupportedLoginProviders        : {}
ResponseMetadata               : Amazon.Runtime.ResponseMetadata
ContentLength                  : 142
HttpStatusCode                 : OK
```
+  For API details, see [DescribeIdentityPool](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------


# Use `GetCredentialsForIdentity` with an AWS SDK
<a name="cognito-identity_example_cognito-identity_GetCredentialsForIdentity_section"></a>

The following code example shows how to use `GetCredentialsForIdentity`.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.GetCredentialsForIdentityRequest;
import software.amazon.awssdk.services.cognitoidentity.model.GetCredentialsForIdentityResponse;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class GetIdentityCredentials {
    public static void main(String[] args) {

        final String usage = """

                Usage:
                    <identityId>\s

                Where:
                    identityId - The Id of an existing identity in the format REGION:GUID.
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String identityId = args[0];
        CognitoIdentityClient cognitoClient = CognitoIdentityClient.builder()
                .region(Region.US_EAST_1)
                .build();

        getCredsForIdentity(cognitoClient, identityId);
        cognitoClient.close();
    }

    public static void getCredsForIdentity(CognitoIdentityClient cognitoClient, String identityId) {
        try {
            GetCredentialsForIdentityRequest getCredentialsForIdentityRequest = GetCredentialsForIdentityRequest
                    .builder()
                    .identityId(identityId)
                    .build();

            GetCredentialsForIdentityResponse response = cognitoClient
                    .getCredentialsForIdentity(getCredentialsForIdentityRequest);
            // Only the access key ID is printed; the secret key and session token are not logged.
            System.out.println(
                    "Identity ID " + response.identityId() + ", Access key ID " + response.credentials().accessKeyId());

        // The identity pool client throws CognitoIdentityException,
        // not the user pool (identity provider) exception type.
        } catch (CognitoIdentityException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [GetCredentialsForIdentity](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-identity-2014-06-30/GetCredentialsForIdentity) in *AWS SDK for Java 2.x API Reference*.

------


# Use `GetIdentityPoolRoles` with a CLI
<a name="cognito-identity_example_cognito-identity_GetIdentityPoolRoles_section"></a>

The following code examples show how to use `GetIdentityPoolRoles`.

------
#### [ CLI ]

**AWS CLI**  
**To get identity pool roles**  
This example gets identity pool roles.  
Command:  

```
aws cognito-identity get-identity-pool-roles --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111"
```
Output:  

```
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "Roles": {
      "authenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role",
      "unauthenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolUnauth_Role"
  }
}
```
+  For API details, see [GetIdentityPoolRoles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/get-identity-pool-roles.html) in *AWS CLI Command Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Gets the information about roles for a specific identity pool.**  

```
Get-CGIIdentityPoolRole -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
```
**Output:**  

```
LoggedAt         : 8/12/2015 4:33:51 PM
IdentityPoolId   : us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
Roles            : {[unauthenticated, arn:aws:iam::123456789012:role/CommonTests1Role]}
ResponseMetadata : Amazon.Runtime.ResponseMetadata
ContentLength    : 165
HttpStatusCode   : OK
```
+  For API details, see [GetIdentityPoolRoles](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Gets the information about roles for a specific identity pool.**  

```
Get-CGIIdentityPoolRole -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
```
**Output:**  

```
LoggedAt         : 8/12/2015 4:33:51 PM
IdentityPoolId   : us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
Roles            : {[unauthenticated, arn:aws:iam::123456789012:role/CommonTests1Role]}
ResponseMetadata : Amazon.Runtime.ResponseMetadata
ContentLength    : 165
HttpStatusCode   : OK
```
+  For API details, see [GetIdentityPoolRoles](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------
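
A configuration review built on the `describe-identity-pool` and `get-identity-pool-roles` outputs shown above, as an added example that is not part of the AWS sample code. The function names and finding codes are invented for this example, and the inputs are the page's placeholder outputs embedded as constructed sample data.

```python
import json

# Constructed inputs: the describe-identity-pool and get-identity-pool-roles
# sample outputs from this page (placeholder IDs, not real resources).
DESCRIBE_POOL_JSON = """
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "IdentityPoolName": "MyIdentityPool",
  "AllowUnauthenticatedIdentities": false,
  "CognitoIdentityProviders": [
      {
          "ProviderName": "cognito-idp.us-west-2.amazonaws.com/us-west-2_111111111",
          "ClientId": "3n4b5urk1ft4fl3mg5e62d9ado",
          "ServerSideTokenCheck": false
      }
  ]
}
"""
POOL_ROLES_JSON = """
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "Roles": {
      "authenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role",
      "unauthenticated": "arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolUnauth_Role"
  }
}
"""


def review_identity_pool(pool, roles):
    """Return a list of (code, detail) findings for one identity pool.

    `pool` is a parsed DescribeIdentityPool response and `roles` a parsed
    GetIdentityPoolRoles response for the same pool. The finding codes are
    hypothetical names used only in this example.
    """
    if pool.get("IdentityPoolId") != roles.get("IdentityPoolId"):
        raise ValueError("pool description and role mapping are for different pools")

    findings = []
    guest_allowed = bool(pool.get("AllowUnauthenticatedIdentities", False))
    unauth_role = (roles.get("Roles") or {}).get("unauthenticated")

    if guest_allowed:
        # Callers that present no login token receive credentials for the
        # unauthenticated role, so that role's policy needs a close look.
        findings.append(("guest-access-enabled",
                         "unauthenticated role to review: "
                         + (unauth_role or "none attached")))
    elif unauth_role:
        # Guest access is off, but the role mapping is still in place and
        # would take effect as soon as guest access is switched on.
        findings.append(("unused-unauthenticated-role", unauth_role))

    for provider in pool.get("CognitoIdentityProviders") or []:
        # With ServerSideTokenCheck false, the identity pool does not ask the
        # user pool whether the user was deleted or globally signed out
        # before it issues credentials.
        if not provider.get("ServerSideTokenCheck", False):
            findings.append(("server-side-token-check-disabled",
                             provider.get("ProviderName", "<unnamed>")))
    return findings


def review_from_json(pool_json, roles_json):
    """Parse the two CLI outputs and run the review."""
    return review_identity_pool(json.loads(pool_json), json.loads(roles_json))


if __name__ == "__main__":
    for code, detail in review_from_json(DESCRIBE_POOL_JSON, POOL_ROLES_JSON):
        print(f"{code}: {detail}")
```
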


# Use `ListIdentityPools` with an AWS SDK or CLI
<a name="cognito-identity_example_cognito-identity_ListIdentityPools_section"></a>

The following code examples show how to use `ListIdentityPools`.

------
#### [ CLI ]

**AWS CLI**  
**To list identity pools**  
This example lists identity pools. At most 20 identities are listed.  
Command:  

```
aws cognito-identity list-identity-pools --max-results 20
```
Output:  

```
{
  "IdentityPools": [
      {
          "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
          "IdentityPoolName": "MyIdentityPool"
      },
      {
          "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
          "IdentityPoolName": "AnotherIdentityPool"
      },
      {
          "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
          "IdentityPoolName": "IdentityPoolRegionA"
      }
  ]
}
```
+  For API details, see [ListIdentityPools](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/list-identity-pools.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentity.CognitoIdentityClient;
import software.amazon.awssdk.services.cognitoidentity.model.ListIdentityPoolsRequest;
import software.amazon.awssdk.services.cognitoidentity.model.ListIdentityPoolsResponse;
import software.amazon.awssdk.services.cognitoidentity.model.CognitoIdentityException;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListIdentityPools {
    public static void main(String[] args) {
        CognitoIdentityClient cognitoClient = CognitoIdentityClient.builder()
                .region(Region.US_EAST_1)
                .build();

        listIdPools(cognitoClient);
        cognitoClient.close();
    }

    public static void listIdPools(CognitoIdentityClient cognitoClient) {
        try {
            // Only the first page of results (up to 15 pools) is requested.
            ListIdentityPoolsRequest poolsRequest = ListIdentityPoolsRequest.builder()
                    .maxResults(15)
                    .build();

            ListIdentityPoolsResponse response = cognitoClient.listIdentityPools(poolsRequest);
            response.identityPools().forEach(pool -> {
                System.out.println("Pool ID: " + pool.identityPoolId());
                System.out.println("Pool name: " + pool.identityPoolName());
            });

        // The identity pool client throws CognitoIdentityException,
        // not the user pool (identity provider) exception type.
        } catch (CognitoIdentityException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [ListIdentityPools](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-identity-2014-06-30/ListIdentityPools) in *AWS SDK for Java 2.x API Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Retrieves a list of existing identity pools.**  

```
Get-CGIIdentityPoolList
```
**Output:**  

```
IdentityPoolId                                                     IdentityPoolName
--------------                                                     ----------------
us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1                     CommonTests1
us-east-1:118d242d-204e-4b88-b803-EXAMPLEGUID2                     Tests2
us-east-1:15d49393-ab16-431a-b26e-EXAMPLEGUID3                     CommonTests13
```
+  For API details, see [ListIdentityPools](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Retrieves a list of your existing identity pools.**  

```
Get-CGIIdentityPoolList
```
**Output:**  

```
IdentityPoolId                                                     IdentityPoolName
--------------                                                     ----------------
us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1                     CommonTests1
us-east-1:118d242d-204e-4b88-b803-EXAMPLEGUID2                     Tests2
us-east-1:15d49393-ab16-431a-b26e-EXAMPLEGUID3                     CommonTests13
```
+  For API details, see [ListIdentityPools](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity/FindOrCreateIdentityPool#code-examples).

```
import AWSCognitoIdentity


    /// Return the ID of the identity pool with the specified name.
    ///
    /// - Parameters:
    ///   - name: The name of the identity pool whose ID should be returned.
    ///
    /// - Returns: A string containing the ID of the specified identity pool
    ///   or `nil` on error or if not found.
    ///
    func getIdentityPoolID(name: String) async throws -> String? {
        let listPoolsInput = ListIdentityPoolsInput(maxResults: 25)
        // Use "Paginated" to get all the objects.
        // This lets the SDK handle the 'nextToken' field in "ListIdentityPoolsOutput".
        let pages = cognitoIdentityClient.listIdentityPoolsPaginated(input: listPoolsInput)

        do {
            for try await page in pages {
                guard let identityPools = page.identityPools else {
                    print("ERROR: listIdentityPoolsPaginated returned nil contents.")
                    continue
                }
                
                /// Read pages of identity pools from Cognito until one is found
                /// whose name matches the one specified in the `name` parameter.
                /// Return the matching pool's ID.

                for pool in identityPools {
                    if pool.identityPoolName == name {
                        return pool.identityPoolId!
                    }
                }
            }
        } catch {
            print("ERROR: getIdentityPoolID:", dump(error))
            throw error
        }
        
        return nil
    }
```
Get the ID of an existing identity pool, or create the pool if it doesn't already exist.  

```
import AWSCognitoIdentity


    /// Return the ID of the identity pool with the specified name.
    ///
    /// - Parameters:
    ///   - name: The name of the identity pool whose ID should be returned
    ///
    /// - Returns: A string containing the ID of the specified identity pool.
    ///   Returns `nil` if there's an error or if the pool isn't found.
    ///
    public func getOrCreateIdentityPoolID(name: String) async throws -> String? {
        // See if the pool already exists. If it doesn't, create it.
        
        do {
            guard let poolId = try await getIdentityPoolID(name: name) else {
                return try await createIdentityPool(name: name)
            }
            
            return poolId
        } catch {
            print("ERROR: getOrCreateIdentityPoolID:", dump(error))
            throw error
        }
    }
```
+  For more information, see the [AWS SDK for Swift developer guide](https://docs.aws.amazon.com/sdk-for-swift/latest/developer-guide/getting-started.html).
+  For API details, see [ListIdentityPools](https://sdk.amazonaws.com/swift/api/awscognitoidentity/latest/documentation/awscognitoidentity/cognitoidentityclient/listidentitypools(input:)) in *AWS SDK for Swift API reference*.

------

# Use `SetIdentityPoolRoles` with a CLI
<a name="cognito-identity_example_cognito-identity_SetIdentityPoolRoles_section"></a>

The following code examples show how to use `SetIdentityPoolRoles`.

------
#### [ CLI ]

**AWS CLI**  
**To set identity pool roles**  
The following `set-identity-pool-roles` example sets the roles for an identity pool.  

```
aws cognito-identity set-identity-pool-roles \
    --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111" \
    --roles authenticated="arn:aws:iam::111111111111:role/Cognito_MyIdentityPoolAuth_Role"
```
+  For API details, see [SetIdentityPoolRoles](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/set-identity-pool-roles.html) in *AWS CLI Command Reference*.

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Configures the specific identity pool to have an unauthenticated IAM role.**  

```
Set-CGIIdentityPoolRole -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1 -Role @{ "unauthenticated" = "arn:aws:iam::123456789012:role/CommonTests1Role" }
```
+  For API details, see [SetIdentityPoolRoles](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Configures the specific identity pool to have an unauthenticated IAM role.**  

```
Set-CGIIdentityPoolRole -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1 -Role @{ "unauthenticated" = "arn:aws:iam::123456789012:role/CommonTests1Role" }
```
+  For API details, see [SetIdentityPoolRoles](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------

# Use `UpdateIdentityPool` with a CLI
<a name="cognito-identity_example_cognito-identity_UpdateIdentityPool_section"></a>

The following code examples show how to use `UpdateIdentityPool`.

------
#### [ CLI ]

**AWS CLI**  
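**To update an identity pool**  
This example updates an identity pool. It sets the name to MyIdentityPool and adds Cognito as an identity provider. It does not allow unauthenticated identities.  
Command:  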

```
aws cognito-identity update-identity-pool --identity-pool-id "us-west-2:11111111-1111-1111-1111-111111111111" --identity-pool-name "MyIdentityPool" --no-allow-unauthenticated-identities --cognito-identity-providers ProviderName="cognito-idp.us-west-2.amazonaws.com/us-west-2_111111111",ClientId="3n4b5urk1ft4fl3mg5e62d9ado",ServerSideTokenCheck=false
```
Output:  

```
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "IdentityPoolName": "MyIdentityPool",
  "AllowUnauthenticatedIdentities": false,
  "CognitoIdentityProviders": [
      {
          "ProviderName": "cognito-idp.us-west-2.amazonaws.com/us-west-2_111111111",
          "ClientId": "3n4b5urk1ft4fl3mg5e62d9ado",
          "ServerSideTokenCheck": false
      }
  ]
}
```
+  For API details, see [UpdateIdentityPool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-identity/update-identity-pool.html) in *AWS CLI Command Reference*.
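
An offline review of the settings that `update-identity-pool` and `set-identity-pool-roles` control, added here as an example (it is not AWS's code). `audit_identity_pool`, `Finding`, `CLI_POOL` and `GUEST_ROLES` are hypothetical names; the input is the JSON output shown above plus a role map built from the `Set-CGIIdentityPoolRole` example earlier on this page.

```python
import json
from typing import NamedTuple, Optional


class Finding(NamedTuple):
    severity: str
    field: str
    message: str


# The update-identity-pool output shown above, embedded so the example runs offline.
CLI_POOL = json.loads("""
{
  "IdentityPoolId": "us-west-2:11111111-1111-1111-1111-111111111111",
  "IdentityPoolName": "MyIdentityPool",
  "AllowUnauthenticatedIdentities": false,
  "CognitoIdentityProviders": [
      {
          "ProviderName": "cognito-idp.us-west-2.amazonaws.com/us-west-2_111111111",
          "ClientId": "3n4b5urk1ft4fl3mg5e62d9ado",
          "ServerSideTokenCheck": false
      }
  ]
}
""")

# Constructed input: the role map from the Set-CGIIdentityPoolRole example, in the
# {"authenticated": arn, "unauthenticated": arn} shape SetIdentityPoolRoles takes.
GUEST_ROLES = {"unauthenticated": "arn:aws:iam::123456789012:role/CommonTests1Role"}


def audit_identity_pool(pool: dict, roles: Optional[dict] = None) -> list:
    """Return Finding tuples for guest access and token-check settings of one pool."""
    roles = roles or {}
    findings = []
    guest_allowed = bool(pool.get("AllowUnauthenticatedIdentities", False))
    guest_role = roles.get("unauthenticated")

    if guest_allowed and guest_role:
        # Anyone who can reach the pool gets AWS credentials for this role.
        findings.append(Finding(
            "HIGH", "AllowUnauthenticatedIdentities",
            f"Callers with no login receive credentials for {guest_role}; "
            "review that role's policy as if it were public."))
    elif guest_allowed:
        findings.append(Finding(
            "MEDIUM", "AllowUnauthenticatedIdentities",
            "Guest identities are enabled but no unauthenticated role is set."))
    elif guest_role:
        # Harmless today, but one flag change away from being reachable.
        findings.append(Finding(
            "LOW", "Roles.unauthenticated",
            f"{guest_role} is attached while guest access is disabled; "
            "it becomes reachable as soon as the flag is turned on."))

    providers = pool.get("CognitoIdentityProviders") or []
    for index, provider in enumerate(providers):
        if not provider.get("ServerSideTokenCheck", False):
            findings.append(Finding(
                "MEDIUM", f"CognitoIdentityProviders[{index}].ServerSideTokenCheck",
                f"{provider.get('ProviderName')}: the pool does not ask the user pool "
                "whether the user was globally signed out or deleted before "
                "issuing credentials."))
    return findings


if __name__ == "__main__":
    for finding in audit_identity_pool(CLI_POOL, GUEST_ROLES):
        print(f"[{finding.severity}] {finding.field}: {finding.message}")
```

In practice the two arguments would come from `describe-identity-pool` and `get-identity-pool-roles` for each pool that `list-identity-pools` returns.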

------
#### [ PowerShell ]

**Tools for PowerShell V4**  
**Example 1: Updates some of the identity pool properties, in this case the name of the identity pool.**  

```
Update-CGIIdentityPool -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1 -IdentityPoolName NewPoolName
```
**Output:**  

```
LoggedAt                       : 8/12/2015 4:53:33 PM
AllowUnauthenticatedIdentities : False
DeveloperProviderName          :
IdentityPoolId                 : us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
IdentityPoolName               : NewPoolName
OpenIdConnectProviderARNs      : {}
SupportedLoginProviders        : {}
ResponseMetadata               : Amazon.Runtime.ResponseMetadata
ContentLength                  : 135
HttpStatusCode                 : OK
```
+  For API details, see [UpdateIdentityPool](https://docs.aws.amazon.com/powershell/v4/reference) in *AWS Tools for PowerShell Cmdlet Reference (V4)*.

**Tools for PowerShell V5**  
**Example 1: Updates some of the identity pool properties, in this case the name of the identity pool.**  

```
Update-CGIIdentityPool -IdentityPoolId us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1 -IdentityPoolName NewPoolName
```
**Output:**  

```
LoggedAt                       : 8/12/2015 4:53:33 PM
AllowUnauthenticatedIdentities : False
DeveloperProviderName          :
IdentityPoolId                 : us-east-1:0de2af35-2988-4d0b-b22d-EXAMPLEGUID1
IdentityPoolName               : NewPoolName
OpenIdConnectProviderARNs      : {}
SupportedLoginProviders        : {}
ResponseMetadata               : Amazon.Runtime.ResponseMetadata
ContentLength                  : 135
HttpStatusCode                 : OK
```
+  For API details, see [UpdateIdentityPool](https://docs.aws.amazon.com/powershell/v5/reference) in *AWS Tools for PowerShell Cmdlet Reference (V5)*.

------

# Scenarios for Amazon Cognito Identity using AWS SDKs
<a name="service_code_examples_cognito-identity_scenarios"></a>

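The following code examples show you how to implement common scenarios in Amazon Cognito Identity with AWS SDKs. These scenarios show you how to accomplish specific tasks by calling multiple functions within Amazon Cognito Identity or by combining it with other AWS services. Each scenario includes a link to the complete source code, where you can find instructions on how to set up and run the code.

Scenarios target an intermediate level of experience to help you understand service actions in context.

**Topics**
+ [Create an Amazon Textract explorer application](cognito-identity_example_cross_TextractExplorer_section.md)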

# Create an Amazon Textract explorer application
<a name="cognito-identity_example_cross_TextractExplorer_section"></a>

The following code examples show how to explore Amazon Textract output through an interactive application.

------
#### [ JavaScript ]

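**SDK for JavaScript (v3)**  
 Shows how to use the AWS SDK for JavaScript to build a React application that uses Amazon Textract to extract data from a document image and display it in an interactive web page. This example runs in a web browser and requires an authenticated Amazon Cognito identity for credentials. It uses Amazon Simple Storage Service (Amazon S3) for storage, and for notifications it polls an Amazon Simple Queue Service (Amazon SQS) queue that is subscribed to an Amazon Simple Notification Service (Amazon SNS) topic.  
 For complete source code and instructions on how to set up and run, see the full example on [GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/textract-react).  

**Services used in this example**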
+ Amazon Cognito Identity
+ Amazon S3
+ Amazon SNS
+ Amazon SQS
+ Amazon Textract

------
#### [ Python ]

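**SDK for Python (Boto3)**  
 Shows how to use the AWS SDK for Python (Boto3) with Amazon Textract to detect text, form, and table elements in a document image. The input image and Amazon Textract output are shown in a Tkinter application that lets you explore the detected elements.  
+ Submit a document image to Amazon Textract and explore the output of detected elements.
+ Submit images directly to Amazon Textract or through an Amazon Simple Storage Service (Amazon S3) bucket.
+ Use asynchronous APIs to start a job that publishes a notification to an Amazon Simple Notification Service (Amazon SNS) topic when the job completes.
+ Poll an Amazon Simple Queue Service (Amazon SQS) queue for a job completion message and display the results.
 For complete source code and instructions on how to set up and run, see the full example on [GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/cross_service/textract_explorer).  

**Services used in this example**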
+ Amazon Cognito Identity
+ Amazon S3
+ Amazon SNS
+ Amazon SQS
+ Amazon Textract

------

# Code examples for Amazon Cognito Identity Provider using AWS SDKs
<a name="service_code_examples_cognito-identity-provider"></a>

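The following code examples show how to use Amazon Cognito Identity Provider with an AWS software development kit (SDK).

*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.

*Scenarios* are code examples that show you how to accomplish specific tasks by calling multiple functions within a service or by combining it with other AWS services.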

**Contents**
+ [Basics](service_code_examples_cognito-identity-provider_basics.md)
  + [Hello Amazon Cognito](cognito-identity-provider_example_cognito-identity-provider_Hello_section.md)
  + [Actions](service_code_examples_cognito-identity-provider_actions.md)
    + [`AdminCreateUser`](cognito-identity-provider_example_cognito-identity-provider_AdminCreateUser_section.md)
    + [`AdminGetUser`](cognito-identity-provider_example_cognito-identity-provider_AdminGetUser_section.md)
    + [`AdminInitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_AdminInitiateAuth_section.md)
    + [`AdminRespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md)
    + [`AdminSetUserPassword`](cognito-identity-provider_example_cognito-identity-provider_AdminSetUserPassword_section.md)
    + [`AssociateSoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_AssociateSoftwareToken_section.md)
    + [`ConfirmDevice`](cognito-identity-provider_example_cognito-identity-provider_ConfirmDevice_section.md)
    + [`ConfirmForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ConfirmForgotPassword_section.md)
    + [`ConfirmSignUp`](cognito-identity-provider_example_cognito-identity-provider_ConfirmSignUp_section.md)
    + [`CreateUserPool`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPool_section.md)
    + [`CreateUserPoolClient`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPoolClient_section.md)
    + [`DeleteUser`](cognito-identity-provider_example_cognito-identity-provider_DeleteUser_section.md)
    + [`ForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ForgotPassword_section.md)
    + [`InitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_InitiateAuth_section.md)
    + [`ListUserPools`](cognito-identity-provider_example_cognito-identity-provider_ListUserPools_section.md)
    + [`ListUsers`](cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md)
    + [`ResendConfirmationCode`](cognito-identity-provider_example_cognito-identity-provider_ResendConfirmationCode_section.md)
    + [`RespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md)
    + [`SignUp`](cognito-identity-provider_example_cognito-identity-provider_SignUp_section.md)
    + [`UpdateUserPool`](cognito-identity-provider_example_cognito-identity-provider_UpdateUserPool_section.md)
    + [`VerifySoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_VerifySoftwareToken_section.md)
+ [Scenarios](service_code_examples_cognito-identity-provider_scenarios.md)
  + [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md)
  + [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md)
  + [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md)
  + [Use Amazon Cognito identity pools](cognito-identity-provider_example_cross_CognitoFlows_section.md)
  + [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md)

# Basic examples for Amazon Cognito Identity Provider using AWS SDKs
<a name="service_code_examples_cognito-identity-provider_basics"></a>

The following code examples show how to use the basics of Amazon Cognito Identity Provider with AWS SDKs.

**Contents**
+ [Hello Amazon Cognito](cognito-identity-provider_example_cognito-identity-provider_Hello_section.md)
+ [Actions](service_code_examples_cognito-identity-provider_actions.md)
  + [`AdminCreateUser`](cognito-identity-provider_example_cognito-identity-provider_AdminCreateUser_section.md)
  + [`AdminGetUser`](cognito-identity-provider_example_cognito-identity-provider_AdminGetUser_section.md)
  + [`AdminInitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_AdminInitiateAuth_section.md)
  + [`AdminRespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md)
  + [`AdminSetUserPassword`](cognito-identity-provider_example_cognito-identity-provider_AdminSetUserPassword_section.md)
  + [`AssociateSoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_AssociateSoftwareToken_section.md)
  + [`ConfirmDevice`](cognito-identity-provider_example_cognito-identity-provider_ConfirmDevice_section.md)
  + [`ConfirmForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ConfirmForgotPassword_section.md)
  + [`ConfirmSignUp`](cognito-identity-provider_example_cognito-identity-provider_ConfirmSignUp_section.md)
  + [`CreateUserPool`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPool_section.md)
  + [`CreateUserPoolClient`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPoolClient_section.md)
  + [`DeleteUser`](cognito-identity-provider_example_cognito-identity-provider_DeleteUser_section.md)
  + [`ForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ForgotPassword_section.md)
  + [`InitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_InitiateAuth_section.md)
  + [`ListUserPools`](cognito-identity-provider_example_cognito-identity-provider_ListUserPools_section.md)
  + [`ListUsers`](cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md)
  + [`ResendConfirmationCode`](cognito-identity-provider_example_cognito-identity-provider_ResendConfirmationCode_section.md)
  + [`RespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md)
  + [`SignUp`](cognito-identity-provider_example_cognito-identity-provider_SignUp_section.md)
  + [`UpdateUserPool`](cognito-identity-provider_example_cognito-identity-provider_UpdateUserPool_section.md)
  + [`VerifySoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_VerifySoftwareToken_section.md)

# Hello Amazon Cognito
<a name="cognito-identity-provider_example_cognito-identity-provider_Hello_section"></a>

The following code examples show how to get started using Amazon Cognito.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito/hello_cognito#code-examples).  
Code for the CMakeLists.txt CMake file.  

```
# Set the minimum required version of CMake for this project.
cmake_minimum_required(VERSION 3.13)

# Set the AWS service components used by this project.
set(SERVICE_COMPONENTS cognito-idp)

# Set this project's name.
project("hello_cognito")

# Set the C++ standard to use to build this target.
# At least C++ 11 is required for the AWS SDK for C++.
set(CMAKE_CXX_STANDARD 11)

# Use the MSVC variable to determine if this is a Windows build.
set(WINDOWS_BUILD ${MSVC})

if (WINDOWS_BUILD) # Set the location where CMake can find the installed libraries for the AWS SDK.
    string(REPLACE ";" "/aws-cpp-sdk-all;" SYSTEM_MODULE_PATH "${CMAKE_SYSTEM_PREFIX_PATH}/aws-cpp-sdk-all")
    list(APPEND CMAKE_PREFIX_PATH ${SYSTEM_MODULE_PATH})
endif ()

# Find the AWS SDK for C++ package.
find_package(AWSSDK REQUIRED COMPONENTS ${SERVICE_COMPONENTS})

if (WINDOWS_BUILD AND AWSSDK_INSTALL_AS_SHARED_LIBS)
     # Copy relevant AWS SDK for C++ libraries into the current binary directory for running and debugging.

     # set(BIN_SUB_DIR "/Debug") # If you are building from the command line, you may need to uncomment this 
                                    # and set the proper subdirectory to the executables' location.

     AWSSDK_CPY_DYN_LIBS(SERVICE_COMPONENTS "" ${CMAKE_CURRENT_BINARY_DIR}${BIN_SUB_DIR})
endif ()

add_executable(${PROJECT_NAME}
        hello_cognito.cpp)

target_link_libraries(${PROJECT_NAME}
        ${AWSSDK_LINK_LIBRARIES})
```
Code for the hello_cognito.cpp source file.  

```
#include <aws/core/Aws.h>
#include <aws/cognito-idp/CognitoIdentityProviderClient.h>
#include <aws/cognito-idp/model/ListUserPoolsRequest.h>
#include <iostream>
#include <vector>

/*
 *  A "Hello Cognito" starter application which initializes an Amazon Cognito client and lists the Amazon Cognito
 *  user pools.
 *
 *  main function
 *
 *  Usage: 'hello_cognito'
 *
 */

int main(int argc, char **argv) {
    Aws::SDKOptions options;
    // Optionally change the log level for debugging.
//   options.loggingOptions.logLevel = Utils::Logging::LogLevel::Debug;
    Aws::InitAPI(options); // Should only be called once.
    int result = 0;
    {
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient cognitoClient(clientConfig);

        Aws::String nextToken; // Used for pagination.
        std::vector<Aws::String> userPools;

        do {
            Aws::CognitoIdentityProvider::Model::ListUserPoolsRequest listUserPoolsRequest;
            if (!nextToken.empty()) {
                listUserPoolsRequest.SetNextToken(nextToken);
            }

            Aws::CognitoIdentityProvider::Model::ListUserPoolsOutcome listUserPoolsOutcome =
                    cognitoClient.ListUserPools(listUserPoolsRequest);

            if (listUserPoolsOutcome.IsSuccess()) {
                for (auto &userPool: listUserPoolsOutcome.GetResult().GetUserPools()) {

                    userPools.push_back(userPool.GetName());
                }

                nextToken = listUserPoolsOutcome.GetResult().GetNextToken();
            } else {
                std::cerr << "ListUserPools error: " << listUserPoolsOutcome.GetError().GetMessage() << std::endl;
                result = 1;
                break;
            }


        } while (!nextToken.empty());
        std::cout << userPools.size() << " user pools found." << std::endl;
        for (auto &userPool: userPools) {
            std::cout << "   user pool: " << userPool << std::endl;
        }
    }

    Aws::ShutdownAPI(options); // Should only be called once.
    return result;
}
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUserPools) in *AWS SDK for C++ API Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

// main uses the AWS SDK for Go V2 to create an Amazon Cognito Identity Provider
// client and list the user pools in your account.
// This example uses the default settings specified in your shared credentials
// and config files.
func main() {
	ctx := context.Background()
	sdkConfig, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		fmt.Println("Couldn't load default configuration. Have you set up your AWS account?")
		fmt.Println(err)
		return
	}
	cognitoClient := cognitoidentityprovider.NewFromConfig(sdkConfig)
	fmt.Println("Let's list the user pools for your account.")
	var pools []types.UserPoolDescriptionType
	paginator := cognitoidentityprovider.NewListUserPoolsPaginator(
		cognitoClient, &cognitoidentityprovider.ListUserPoolsInput{MaxResults: aws.Int32(10)})
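	for paginator.HasMorePages() {
		output, err := paginator.NextPage(ctx)
		if err != nil {
			log.Printf("Couldn't get user pools. Here's why: %v\n", err)
			// Stop on error: HasMorePages stays true after a failed call,
			// so continuing would retry the same page indefinitely.
			break
		}
		pools = append(pools, output.UserPools...)
	}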
	if len(pools) == 0 {
		fmt.Println("You don't have any user pools!")
	} else {
		for _, pool := range pools {
			fmt.Printf("\t%v: %v\n", *pool.Name, *pool.Id)
		}
	}
}
```
+  For API details, see [ListUserPools](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ListUserPools) in *AWS SDK for Go API Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUserPoolsResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUserPoolsRequest;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListUserPools {
    public static void main(String[] args) {
        CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1)
                .build();

        listAllUserPools(cognitoClient);
        cognitoClient.close();
    }

    public static void listAllUserPools(CognitoIdentityProviderClient cognitoClient) {
        try {
            ListUserPoolsRequest request = ListUserPoolsRequest.builder()
                    .maxResults(10)
                    .build();

            ListUserPoolsResponse response = cognitoClient.listUserPools(request);
            response.userPools().forEach(userpool -> {
                System.out.println("User pool " + userpool.name() + ", User pool ID " + userpool.id());
            });

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUserPools) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
import {
  paginateListUserPools,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const client = new CognitoIdentityProviderClient({});

export const helloCognito = async () => {
  const paginator = paginateListUserPools({ client }, {});

  const userPoolNames = [];

  for await (const page of paginator) {
    const names = page.UserPools.map((pool) => pool.Name);
    userPoolNames.push(...names);
  }

  console.log("User pool names: ");
  console.log(userPoolNames.join("\n"));
  return userPoolNames;
};
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ListUserPoolsCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import boto3

# Create a Cognito Identity Provider client
cognitoidp = boto3.client("cognito-idp")

# Initialize a paginator for the list_user_pools operation
paginator = cognitoidp.get_paginator("list_user_pools")

# Create a PageIterator from the paginator
page_iterator = paginator.paginate(MaxResults=10)

# Initialize variables for pagination
user_pools = []

# Handle pagination
for page in page_iterator:
    user_pools.extend(page.get("UserPools", []))

# Print the list of user pools
print("User Pools for the account:")
if user_pools:
    for pool in user_pools:
        print(f"Name: {pool['Name']}, ID: {pool['Id']}")
else:
    print("No user pools found.")
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUserPools) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ Ruby ]

**SDK for Ruby**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/cognito#code-examples).

```
require 'aws-sdk-cognitoidentityprovider'
require 'logger'

# CognitoManager is a class responsible for managing AWS Cognito operations
# such as listing all user pools in the current AWS account.
class CognitoManager
  def initialize(client)
    @client = client
    @logger = Logger.new($stdout)
  end

  # Lists and prints all user pools associated with the AWS account.
  def list_user_pools
    paginator = @client.list_user_pools(max_results: 10)
    user_pools = []
    paginator.each_page do |page|
      user_pools.concat(page.user_pools)
    end

    if user_pools.empty?
      @logger.info('No Cognito user pools found.')
    else
      user_pools.each do |user_pool|
        @logger.info("User pool ID: #{user_pool.id}")
        @logger.info("User pool name: #{user_pool.name}")
        @logger.info("User pool status: #{user_pool.status}")
        @logger.info('---')
      end
    end
  end
end

if $PROGRAM_NAME == __FILE__
  cognito_client = Aws::CognitoIdentityProvider::Client.new
  manager = CognitoManager.new(cognito_client)
  manager.list_user_pools
end
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/goto/SdkForRubyV3/cognito-idp-2016-04-18/ListUserPools) in *AWS SDK for Ruby API Reference*.

------

# Actions for Amazon Cognito Identity Provider using AWS SDKs
<a name="service_code_examples_cognito-identity-provider_actions"></a>

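The following code examples demonstrate how to perform individual Amazon Cognito Identity Provider actions with AWS SDKs. Each example includes a link to GitHub, where you can find instructions for setting up and running the code.

These excerpts call the Amazon Cognito Identity Provider API and are code excerpts from larger programs that must be run in context. You can see actions in context in [Scenarios for Amazon Cognito Identity Provider using AWS SDKs](service_code_examples_cognito-identity-provider_scenarios.md).

 The following examples include only the most commonly used actions. For a complete list, see the [Amazon Cognito Identity Provider API Reference](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/Welcome.html).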

**Topics**
+ [`AdminCreateUser`](cognito-identity-provider_example_cognito-identity-provider_AdminCreateUser_section.md)
+ [`AdminGetUser`](cognito-identity-provider_example_cognito-identity-provider_AdminGetUser_section.md)
+ [`AdminInitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_AdminInitiateAuth_section.md)
+ [`AdminRespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section.md)
+ [`AdminSetUserPassword`](cognito-identity-provider_example_cognito-identity-provider_AdminSetUserPassword_section.md)
+ [`AssociateSoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_AssociateSoftwareToken_section.md)
+ [`ConfirmDevice`](cognito-identity-provider_example_cognito-identity-provider_ConfirmDevice_section.md)
+ [`ConfirmForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ConfirmForgotPassword_section.md)
+ [`ConfirmSignUp`](cognito-identity-provider_example_cognito-identity-provider_ConfirmSignUp_section.md)
+ [`CreateUserPool`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPool_section.md)
+ [`CreateUserPoolClient`](cognito-identity-provider_example_cognito-identity-provider_CreateUserPoolClient_section.md)
+ [`DeleteUser`](cognito-identity-provider_example_cognito-identity-provider_DeleteUser_section.md)
+ [`ForgotPassword`](cognito-identity-provider_example_cognito-identity-provider_ForgotPassword_section.md)
+ [`InitiateAuth`](cognito-identity-provider_example_cognito-identity-provider_InitiateAuth_section.md)
+ [`ListUserPools`](cognito-identity-provider_example_cognito-identity-provider_ListUserPools_section.md)
+ [`ListUsers`](cognito-identity-provider_example_cognito-identity-provider_ListUsers_section.md)
+ [`ResendConfirmationCode`](cognito-identity-provider_example_cognito-identity-provider_ResendConfirmationCode_section.md)
+ [`RespondToAuthChallenge`](cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section.md)
+ [`SignUp`](cognito-identity-provider_example_cognito-identity-provider_SignUp_section.md)
+ [`UpdateUserPool`](cognito-identity-provider_example_cognito-identity-provider_UpdateUserPool_section.md)
+ [`VerifySoftwareToken`](cognito-identity-provider_example_cognito-identity-provider_VerifySoftwareToken_section.md)

# Use `AdminCreateUser` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_AdminCreateUser_section"></a>

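The following code examples show how to use `AdminCreateUser`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md) 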

------
#### [ CLI ]

**AWS CLI**  
**To create a user**  
The following `admin-create-user` example creates a user with the specified email address and phone number.  

```
aws cognito-idp admin-create-user \
    --user-pool-id us-west-2_aaaaaaaaa \
    --username diego \
    --user-attributes Name=email,Value=diego@example.com Name=phone_number,Value="+15555551212" \
    --message-action SUPPRESS
```
Output:  

```
{
    "User": {
        "Username": "diego",
        "Attributes": [
            {
                "Name": "sub",
                "Value": "7325c1de-b05b-4f84-b321-9adc6e61f4a2"
            },
            {
                "Name": "phone_number",
                "Value": "+15555551212"
            },
            {
                "Name": "email",
                "Value": "diego@example.com"
            }
        ],
        "UserCreateDate": 1548099495.428,
        "UserLastModifiedDate": 1548099495.428,
        "Enabled": true,
        "UserStatus": "FORCE_CHANGE_PASSWORD"
    }
}
```
+  For API details, see [AdminCreateUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/admin-create-user.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user
// in a state that requires they enter a new password next time they sign in.
func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error {
	_, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{
		UserPoolId:     aws.String(userPoolId),
		Username:       aws.String(userName),
		MessageAction:  types.MessageActionTypeSuppress,
		UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}},
	})
	if err != nil {
		var userExists *types.UsernameExistsException
		if errors.As(err, &userExists) {
			log.Printf("User %v already exists in the user pool.", userName)
			err = nil
		} else {
			log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}
```
+  For API details, see [AdminCreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.AdminCreateUser) in *AWS SDK for Go API Reference*.

------

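For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.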

# Use `AdminGetUser` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_AdminGetUser_section"></a>

The following code examples show how to use `AdminGetUser`.

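Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 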

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Get the specified user from an Amazon Cognito user pool with administrator access.
    /// </summary>
    /// <param name="userName">The name of the user.</param>
    /// <param name="poolId">The Id of the Amazon Cognito user pool.</param>
    /// <returns>Async task.</returns>
    public async Task<UserStatusType> GetAdminUserAsync(string userName, string poolId)
    {
        AdminGetUserRequest userRequest = new AdminGetUserRequest
        {
            Username = userName,
            UserPoolId = poolId,
        };

        var response = await _cognitoService.AdminGetUserAsync(userRequest);

        Console.WriteLine($"User status {response.UserStatus}");
        return response.UserStatus;
    }
```
+  For API details, see [AdminGetUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminGetUser) in *AWS SDK for .NET API Reference*.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
    Aws::Client::ClientConfiguration clientConfig;
    // Optional: Set to the AWS Region (overrides config file).
    // clientConfig.region = "us-east-1";

    Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

    Aws::CognitoIdentityProvider::Model::AdminGetUserRequest request;
    request.SetUsername(userName);
    request.SetUserPoolId(userPoolID);

    Aws::CognitoIdentityProvider::Model::AdminGetUserOutcome outcome =
            client.AdminGetUser(request);

    if (outcome.IsSuccess()) {
        std::cout << "The status for " << userName << " is " <<
                  Aws::CognitoIdentityProvider::Model::UserStatusTypeMapper::GetNameForUserStatusType(
                          outcome.GetResult().GetUserStatus()) << std::endl;
        std::cout << "Enabled is " << outcome.GetResult().GetEnabled() << std::endl;
    }
    else {
        std::cerr << "Error with CognitoIdentityProvider::AdminGetUser. "
                  << outcome.GetError().GetMessage()
                  << std::endl;
    }
```
+  For API details, see [AdminGetUser](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminGetUser) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To get a user**  
This example gets information about the user with the username jane@example.com.  
Command:  

```
aws cognito-idp admin-get-user --user-pool-id us-west-2_aaaaaaaaa --username jane@example.com
```
Output:  

```
{
  "Username": "4320de44-2322-4620-999b-5e2e1c8df013",
  "Enabled": true,
  "UserStatus": "FORCE_CHANGE_PASSWORD",
  "UserCreateDate": 1548108509.537,
  "UserAttributes": [
      {
          "Name": "sub",
          "Value": "4320de44-2322-4620-999b-5e2e1c8df013"
      },
      {
          "Name": "email_verified",
          "Value": "true"
      },
      {
          "Name": "phone_number_verified",
          "Value": "true"
      },
      {
          "Name": "phone_number",
          "Value": "+01115551212"
      },
      {
          "Name": "email",
          "Value": "jane@example.com"
      }
  ],
  "UserLastModifiedDate": 1548108509.537
}
```
+  For API details, see [AdminGetUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/admin-get-user.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    public static void getAdminUser(CognitoIdentityProviderClient identityProviderClient, String userName,
            String poolId) {
        try {
            AdminGetUserRequest userRequest = AdminGetUserRequest.builder()
                    .username(userName)
                    .userPoolId(poolId)
                    .build();

            AdminGetUserResponse response = identityProviderClient.adminGetUser(userRequest);
            System.out.println("User status " + response.userStatusAsString());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
```
+  For API details, see [AdminGetUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminGetUser) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider/#code-examples).

```
const adminGetUser = ({ userPoolId, username }) => {
  const client = new CognitoIdentityProviderClient({});

  const command = new AdminGetUserCommand({
    UserPoolId: userPoolId,
    Username: username,
  });

  return client.send(command);
};
```
+  For API details, see [AdminGetUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminGetUserCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun getAdminUser(
    userNameVal: String?,
    poolIdVal: String?,
) {
    val userRequest =
        AdminGetUserRequest {
            username = userNameVal
            userPoolId = poolIdVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val response = identityProviderClient.adminGetUser(userRequest)
        println("User status ${response.userStatus}")
    }
}
```
+  For API details, see [AdminGetUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
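import logging

from botocore.exceptions import ClientError

# Module-level logger used by the wrapper methods below.
logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper: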
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def sign_up_user(self, user_name, password, user_email):
        """
        Signs up a new user with Amazon Cognito. This action prompts Amazon Cognito
        to send an email to the specified email address. The email contains a code that
        can be used to confirm the user.

        When the user already exists, the user status is checked to determine whether
        the user has been confirmed.

        :param user_name: The user name that identifies the new user.
        :param password: The password for the new user.
        :param user_email: The email address for the new user.
        :return: True when the user is already confirmed with Amazon Cognito.
                 Otherwise, false.
        """
        try:
            kwargs = {
                "ClientId": self.client_id,
                "Username": user_name,
                "Password": password,
                "UserAttributes": [{"Name": "email", "Value": user_email}],
            }
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.sign_up(**kwargs)
            confirmed = response["UserConfirmed"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "UsernameExistsException":
                response = self.cognito_idp_client.admin_get_user(
                    UserPoolId=self.user_pool_id, Username=user_name
                )
                logger.warning(
                    "User %s exists and is %s.", user_name, response["UserStatus"]
                )
                confirmed = response["UserStatus"] == "CONFIRMED"
            else:
                logger.error(
                    "Couldn't sign up %s. Here's why: %s: %s",
                    user_name,
                    err.response["Error"]["Code"],
                    err.response["Error"]["Message"],
                )
                raise
        return confirmed
```
+  For API details, see [AdminGetUser](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminGetUser) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Get information about a specific user in a user pool.
    /// 
    /// - Parameters:
    ///   - cipClient: The Amazon Cognito Identity Provider client to use.
    ///   - userName: The user to retrieve information about.
    ///   - userPoolId: The user pool to search for the specified user.
    ///
    /// - Returns: `true` if the user's information was successfully
    ///   retrieved. Otherwise returns `false`.
    func adminGetUser(cipClient: CognitoIdentityProviderClient, userName: String,
                      userPoolId: String) async -> Bool {
        do {
            let output = try await cipClient.adminGetUser(
                input: AdminGetUserInput(
                    userPoolId: userPoolId,
                    username: userName
                )
            )

            guard let userStatus = output.userStatus else {
                print("*** Unable to get the user's status.")
                return false
            }

            print("User status: \(userStatus)")
            return true
        } catch {
            return false
        }
    }
```
+  For API details, see [AdminGetUser](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/admingetuser(input:)) in *AWS SDK for Swift API reference*.

------
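
The `admin-create-user` and `admin-get-user` outputs above both report `UserStatus` `FORCE_CHANGE_PASSWORD`, but they carry attributes under different keys (`Attributes` nested in `User` versus top-level `UserAttributes`). The following is an added example, not code from the AWS code example repository: it normalizes both shapes and flags accounts with a stale temporary password or unverified contact attributes. The function names, finding labels, 7-day threshold and `now` values are assumptions; the sample records are constructed from the outputs shown above.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, copied from the CLI outputs shown above.
CREATED_USER = {  # shape returned by admin-create-user
    "User": {
        "Username": "diego",
        "Attributes": [
            {"Name": "sub", "Value": "7325c1de-b05b-4f84-b321-9adc6e61f4a2"},
            {"Name": "phone_number", "Value": "+15555551212"},
            {"Name": "email", "Value": "diego@example.com"},
        ],
        "UserCreateDate": 1548099495.428,
        "UserLastModifiedDate": 1548099495.428,
        "Enabled": True,
        "UserStatus": "FORCE_CHANGE_PASSWORD",
    }
}
FETCHED_USER = {  # shape returned by admin-get-user
    "Username": "4320de44-2322-4620-999b-5e2e1c8df013",
    "Enabled": True,
    "UserStatus": "FORCE_CHANGE_PASSWORD",
    "UserCreateDate": 1548108509.537,
    "UserAttributes": [
        {"Name": "sub", "Value": "4320de44-2322-4620-999b-5e2e1c8df013"},
        {"Name": "email_verified", "Value": "true"},
        {"Name": "phone_number_verified", "Value": "true"},
        {"Name": "phone_number", "Value": "+01115551212"},
        {"Name": "email", "Value": "jane@example.com"},
    ],
    "UserLastModifiedDate": 1548108509.537,
}


def _user(record):
    """admin-create-user nests the user under 'User'; admin-get-user does not."""
    return record.get("User", record)


def attributes_of(record):
    """Return the user's attributes as a dict, whichever key the API used."""
    user = _user(record)
    pairs = user.get("UserAttributes") or user.get("Attributes") or []
    return {pair["Name"]: pair.get("Value") for pair in pairs}


def _as_datetime(value):
    """CLI JSON prints epoch seconds; boto3 returns datetime objects."""
    if isinstance(value, datetime):
        return value if value.tzinfo else value.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(value, tz=timezone.utc)


def audit_user(record, now, temp_password_days=7):
    """Return a list of finding labels for one user record.

    temp_password_days is an assumed threshold; set it to the temporary
    password validity configured on your user pool.
    """
    user = _user(record)
    attrs = attributes_of(record)
    findings = []
    if not user.get("Enabled", False):
        findings.append("DISABLED")
    # Approximation: the last-modified time stands in for the time the
    # temporary password was issued (any later profile edit also moves it).
    changed = user.get("UserLastModifiedDate", user["UserCreateDate"])
    age = now - _as_datetime(changed)
    if (user.get("UserStatus") == "FORCE_CHANGE_PASSWORD"
            and age > timedelta(days=temp_password_days)):
        findings.append("STALE_TEMP_PASSWORD")
    # Attribute values are strings, so the verified flag is "true", not True.
    if "email" in attrs and attrs.get("email_verified") != "true":
        findings.append("EMAIL_UNVERIFIED")
    if "phone_number" in attrs and attrs.get("phone_number_verified") != "true":
        findings.append("PHONE_UNVERIFIED")
    return findings


if __name__ == "__main__":
    later = datetime(2019, 2, 1, tzinfo=timezone.utc)  # constructed audit time
    for rec in (CREATED_USER, FETCHED_USER):
        print(_user(rec)["Username"], audit_user(rec, later))
```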

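For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.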

# Use `AdminInitiateAuth` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_AdminInitiateAuth_section"></a>

The following code examples show how to use `AdminInitiateAuth`.

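Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 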

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Initiate an admin auth request.
    /// </summary>
    /// <param name="clientId">The client ID to use.</param>
    /// <param name="userPoolId">The ID of the user pool.</param>
    /// <param name="userName">The username to authenticate.</param>
    /// <param name="password">The user's password.</param>
    /// <returns>The session to use in challenge-response.</returns>
    public async Task<string> AdminInitiateAuthAsync(string clientId, string userPoolId, string userName, string password)
    {
        var authParameters = new Dictionary<string, string>();
        authParameters.Add("USERNAME", userName);
        authParameters.Add("PASSWORD", password);

        var request = new AdminInitiateAuthRequest
        {
            ClientId = clientId,
            UserPoolId = userPoolId,
            AuthParameters = authParameters,
            AuthFlow = AuthFlowType.ADMIN_USER_PASSWORD_AUTH,
        };

        var response = await _cognitoService.AdminInitiateAuthAsync(request);
        return response.Session;
    }
```
+  For API details, see [AdminInitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminInitiateAuth) in *AWS SDK for .NET API Reference*.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
    Aws::Client::ClientConfiguration clientConfig;
    // Optional: Set to the AWS Region (overrides config file).
    // clientConfig.region = "us-east-1";

    Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

    Aws::CognitoIdentityProvider::Model::AdminInitiateAuthRequest request;
    request.SetClientId(clientID);
    request.SetUserPoolId(userPoolID);
    request.AddAuthParameters("USERNAME", userName);
    request.AddAuthParameters("PASSWORD", password);
    request.SetAuthFlow(
            Aws::CognitoIdentityProvider::Model::AuthFlowType::ADMIN_USER_PASSWORD_AUTH);


    Aws::CognitoIdentityProvider::Model::AdminInitiateAuthOutcome outcome =
            client.AdminInitiateAuth(request);

    if (outcome.IsSuccess()) {
        std::cout << "Call to AdminInitiateAuth was successful." << std::endl;
        sessionResult = outcome.GetResult().GetSession();
    }
    else {
        std::cerr << "Error with CognitoIdentityProvider::AdminInitiateAuth. "
                  << outcome.GetError().GetMessage()
                  << std::endl;
    }
```
+  For API details, see [AdminInitiateAuth](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminInitiateAuth) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
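**To sign in a user as an admin**  
The following `admin-initiate-auth` example signs in the user diego@example.com. This example also includes metadata for threat protection and ClientMetadata for Lambda triggers. The user is configured for TOTP MFA and receives a challenge to provide a code from their authenticator app before they can complete authentication.  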

```
aws cognito-idp admin-initiate-auth \
    --user-pool-id us-west-2_EXAMPLE \
    --client-id 1example23456789 \
    --auth-flow ADMIN_USER_PASSWORD_AUTH \
    --auth-parameters USERNAME=diego@example.com,PASSWORD='My@Example$Password3!',SECRET_HASH=ExampleEncodedClientIdSecretAndUsername= \
    --context-data="{\"EncodedData\":\"abc123example\",\"HttpHeaders\":[{\"headerName\":\"UserAgent\",\"headerValue\":\"Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:47.0) Gecko/20100101 Firefox/47.0\"}],\"IpAddress\":\"192.0.2.1\",\"ServerName\":\"example.com\",\"ServerPath\":\"/login\"}" \
    --client-metadata="{\"MyExampleKey\": \"MyExampleValue\"}"
```
Output:  

```
{
    "ChallengeName": "SOFTWARE_TOKEN_MFA",
    "Session": "AYABeExample...",
    "ChallengeParameters": {
        "FRIENDLY_DEVICE_NAME": "MyAuthenticatorApp",
        "USER_ID_FOR_SRP": "diego@example.com"
    }
}
```
For more information, see [Admin authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-admin-authentication-flow) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [AdminInitiateAuth](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/admin-initiate-auth.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    public static AdminInitiateAuthResponse initiateAuth(CognitoIdentityProviderClient identityProviderClient,
            String clientId, String userName, String password, String userPoolId) {
        try {
            Map<String, String> authParameters = new HashMap<>();
            authParameters.put("USERNAME", userName);
            authParameters.put("PASSWORD", password);

            AdminInitiateAuthRequest authRequest = AdminInitiateAuthRequest.builder()
                    .clientId(clientId)
                    .userPoolId(userPoolId)
                    .authParameters(authParameters)
                    .authFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                    .build();

            AdminInitiateAuthResponse response = identityProviderClient.adminInitiateAuth(authRequest);
            System.out.println("Result Challenge is : " + response.challengeName());
            return response;

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }

        return null;
    }
```
+  For API details, see [AdminInitiateAuth](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminInitiateAuth) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider/#code-examples).

```
const adminInitiateAuth = ({ clientId, userPoolId, username, password }) => {
  const client = new CognitoIdentityProviderClient({});

  const command = new AdminInitiateAuthCommand({
    ClientId: clientId,
    UserPoolId: userPoolId,
    AuthFlow: AuthFlowType.ADMIN_USER_PASSWORD_AUTH,
    AuthParameters: { USERNAME: username, PASSWORD: password },
  });

  return client.send(command);
};
```
+  For API details, see [AdminInitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminInitiateAuthCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun checkAuthMethod(
    clientIdVal: String,
    userNameVal: String,
    passwordVal: String,
    userPoolIdVal: String,
): AdminInitiateAuthResponse {
    val authParas = mutableMapOf<String, String>()
    authParas["USERNAME"] = userNameVal
    authParas["PASSWORD"] = passwordVal

    val authRequest =
        AdminInitiateAuthRequest {
            clientId = clientIdVal
            userPoolId = userPoolIdVal
            authParameters = authParas
            authFlow = AuthFlowType.AdminUserPasswordAuth
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val response = identityProviderClient.adminInitiateAuth(authRequest)
        println("Result Challenge is ${response.challengeName}")
        return response
    }
}
```
+  For API details, see [AdminInitiateAuth](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
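import logging

from botocore.exceptions import ClientError

# Module-level logger used by the wrapper methods below.
logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper: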
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def start_sign_in(self, user_name, password):
        """
        Starts the sign-in process for a user by using administrator credentials.
        This method of signing in is appropriate for code running on a secure server.

        If the user pool is configured to require MFA and this is the first sign-in
        for the user, Amazon Cognito returns a challenge response to set up an
        MFA application. When this occurs, this function gets an MFA secret from
        Amazon Cognito and returns it to the caller.

        :param user_name: The name of the user to sign in.
        :param password: The user's password.
        :return: The result of the sign-in attempt. When sign-in is successful, this
                 returns an access token that can be used to get AWS credentials. Otherwise,
                 Amazon Cognito returns a challenge to set up an MFA application,
                 or a challenge to enter an MFA code from a registered MFA application.
        """
        try:
            kwargs = {
                "UserPoolId": self.user_pool_id,
                "ClientId": self.client_id,
                "AuthFlow": "ADMIN_USER_PASSWORD_AUTH",
                "AuthParameters": {"USERNAME": user_name, "PASSWORD": password},
            }
            if self.client_secret is not None:
                kwargs["AuthParameters"]["SECRET_HASH"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.admin_initiate_auth(**kwargs)
            challenge_name = response.get("ChallengeName", None)
            if challenge_name == "MFA_SETUP":
                if (
                    "SOFTWARE_TOKEN_MFA"
                    in response["ChallengeParameters"]["MFAS_CAN_SETUP"]
                ):
                    response.update(self.get_mfa_secret(response["Session"]))
                else:
                    raise RuntimeError(
                        "The user pool requires MFA setup, but the user pool is not "
                        "configured for TOTP MFA. This example requires TOTP MFA."
                    )
        except ClientError as err:
            logger.error(
                "Couldn't start sign in for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            response.pop("ResponseMetadata", None)
            return response
```
+  For API details, see [AdminInitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminInitiateAuth) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples).

```
    TRY.
        " Set up authentication parameters
        DATA(lt_auth_params) = VALUE /aws1/cl_cgpauthparamstype_w=>tt_authparameterstype(
          ( VALUE /aws1/cl_cgpauthparamstype_w=>ts_authparameterstype_maprow(
              key = 'USERNAME'
              value = NEW /aws1/cl_cgpauthparamstype_w( iv_user_name ) ) )
          ( VALUE /aws1/cl_cgpauthparamstype_w=>ts_authparameterstype_maprow(
              key = 'PASSWORD'
              value = NEW /aws1/cl_cgpauthparamstype_w( iv_password ) ) )
        ).

        " Add SECRET_HASH if provided
        IF iv_secret_hash IS NOT INITIAL.
          INSERT VALUE #(
            key = 'SECRET_HASH'
            value = NEW /aws1/cl_cgpauthparamstype_w( iv_secret_hash )
          ) INTO TABLE lt_auth_params.
        ENDIF.

        oo_result = lo_cgp->admininitiateauth(
          iv_userpoolid = iv_user_pool_id
          iv_clientid = iv_client_id
          iv_authflow = 'ADMIN_USER_PASSWORD_AUTH'
          it_authparameters = lt_auth_params
        ).

        DATA(lv_challenge) = oo_result->get_challengename( ).

        IF lv_challenge IS INITIAL.
          MESSAGE 'User successfully signed in.' TYPE 'I'.
        ELSE.
          MESSAGE |Authentication challenge required: { lv_challenge }.| TYPE 'I'.
        ENDIF.

      CATCH /aws1/cx_cgpusernotfoundex INTO DATA(lo_user_ex).
        MESSAGE |User { iv_user_name } not found.| TYPE 'E'.

      CATCH /aws1/cx_cgpnotauthorizedex INTO DATA(lo_auth_ex).
        MESSAGE 'Not authorized. Check credentials.' TYPE 'E'.
    ENDTRY.
```
+  For API details, see [AdminInitiateAuth](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Begin an authentication session.
    ///
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The app client ID to use.
    ///   - userName: The username to check.
    ///   - password: The user's password.
    ///   - userPoolId: The user pool to use.
    ///
    /// - Returns: The session token associated with this authentication
    ///   session.
    func initiateAuth(cipClient: CognitoIdentityProviderClient, clientId: String,
                         userName: String, password: String,
                         userPoolId: String) async -> String? {
        var authParams: [String: String] = [:]

        authParams["USERNAME"] = userName
        authParams["PASSWORD"] = password

        do {
            let output = try await cipClient.adminInitiateAuth(
                input: AdminInitiateAuthInput(
                    authFlow: CognitoIdentityProviderClientTypes.AuthFlowType.adminUserPasswordAuth,
                    authParameters: authParams,
                    clientId: clientId,
                    userPoolId: userPoolId
                )
            )

            guard let challengeName = output.challengeName else {
                print("*** Invalid response from the auth service.")
                return nil
            }

            print("=====> Response challenge is \(challengeName)")

            return output.session
        } catch _ as UserNotFoundException {
            print("*** The specified username, \(userName), doesn't exist.")
            return nil
        } catch _ as UserNotConfirmedException {
            print("*** The user \(userName) has not been confirmed.")
            return nil
        } catch {
            print("*** An unexpected error occurred.")
            return nil
        }
    }
```
+  For API details, see [AdminInitiateAuth](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/admininitiateauth(input:)) in *AWS SDK for Swift API reference*.

------
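
The CLI example above passes a `SECRET_HASH` and receives a `SOFTWARE_TOKEN_MFA` challenge, and the Python wrapper calls a `_secret_hash` helper that the excerpt does not show. The following is an added example, not code from the AWS code example repository: it computes the secret hash (Base64 of HMAC-SHA256 over the username followed by the app client ID, keyed with the app client secret) and builds the `AdminRespondToAuthChallenge` parameters from an `AdminInitiateAuth` result. The function names and the client secret value are assumptions; the sample response is constructed from the CLI output above.

```python
import base64
import hashlib
import hmac

# Constructed sample: the admin-initiate-auth output shown above.
SAMPLE_INIT_RESPONSE = {
    "ChallengeName": "SOFTWARE_TOKEN_MFA",
    "Session": "AYABeExample...",
    "ChallengeParameters": {
        "FRIENDLY_DEVICE_NAME": "MyAuthenticatorApp",
        "USER_ID_FOR_SRP": "diego@example.com",
    },
}


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def build_mfa_response(init_response, user_pool_id, client_id, mfa_code,
                       client_secret=None):
    """Build AdminRespondToAuthChallenge keyword arguments.

    Returns None when AdminInitiateAuth already returned tokens, and raises
    ValueError for any challenge other than SOFTWARE_TOKEN_MFA so an
    unexpected flow is never answered with the wrong parameters.
    """
    if "AuthenticationResult" in init_response:
        return None  # no challenge: sign-in is complete
    challenge = init_response.get("ChallengeName")
    if challenge != "SOFTWARE_TOKEN_MFA":
        raise ValueError(f"unhandled challenge: {challenge!r}")
    # USER_ID_FOR_SRP is the user's actual username. Use it, not the alias
    # typed at sign-in, for both USERNAME and the hash input.
    username = init_response["ChallengeParameters"]["USER_ID_FOR_SRP"]
    responses = {"USERNAME": username, "SOFTWARE_TOKEN_MFA_CODE": mfa_code}
    if client_secret is not None:
        # Only app clients created with a secret need SECRET_HASH.
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "ChallengeName": challenge,
        "Session": init_response["Session"],
        "ChallengeResponses": responses,
    }


if __name__ == "__main__":
    kwargs = build_mfa_response(
        SAMPLE_INIT_RESPONSE,
        user_pool_id="us-west-2_EXAMPLE",
        client_id="1example23456789",
        mfa_code="123456",                    # constructed TOTP code
        client_secret="constructed-secret",   # assumption: not a real secret
    )
    # With boto3: client.admin_respond_to_auth_challenge(**kwargs)
    print(sorted(kwargs["ChallengeResponses"]))
```

The session string and the hash are credentials in transit, so keep both out of application logs.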

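For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.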

# Use `AdminRespondToAuthChallenge` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_AdminRespondToAuthChallenge_section"></a>

The following code examples show how to use `AdminRespondToAuthChallenge`.

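Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 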

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Respond to an admin authentication challenge.
    /// </summary>
    /// <param name="userName">The name of the user.</param>
    /// <param name="clientId">The client ID.</param>
    /// <param name="mfaCode">The multi-factor authentication code.</param>
    /// <param name="session">The current application session.</param>
    /// <param name="userPoolId">The user pool ID.</param>
    /// <returns>The result of the authentication response.</returns>
    public async Task<AuthenticationResultType> AdminRespondToAuthChallengeAsync(
        string userName,
        string clientId,
        string mfaCode,
        string session,
        string userPoolId)
    {
        Console.WriteLine("SOFTWARE_TOKEN_MFA challenge is generated");

        var challengeResponses = new Dictionary<string, string>();
        challengeResponses.Add("USERNAME", userName);
        challengeResponses.Add("SOFTWARE_TOKEN_MFA_CODE", mfaCode);

        var respondToAuthChallengeRequest = new AdminRespondToAuthChallengeRequest
        {
            ChallengeName = ChallengeNameType.SOFTWARE_TOKEN_MFA,
            ClientId = clientId,
            ChallengeResponses = challengeResponses,
            Session = session,
            UserPoolId = userPoolId,
        };

        var response = await _cognitoService.AdminRespondToAuthChallengeAsync(respondToAuthChallengeRequest);
        Console.WriteLine($"Response to Authentication {response.AuthenticationResult.TokenType}");
        return response.AuthenticationResult;
    }
```
+  For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) in *AWS SDK for .NET API Reference*.

------
#### [ C\+\+ ]

**SDK for C\+\+**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::AdminRespondToAuthChallengeRequest request;
        request.AddChallengeResponses("USERNAME", userName);
        request.AddChallengeResponses("SOFTWARE_TOKEN_MFA_CODE", mfaCode);
        request.SetChallengeName(
                Aws::CognitoIdentityProvider::Model::ChallengeNameType::SOFTWARE_TOKEN_MFA);
        request.SetClientId(clientID);
        request.SetUserPoolId(userPoolID);
        request.SetSession(session);

        Aws::CognitoIdentityProvider::Model::AdminRespondToAuthChallengeOutcome outcome =
                client.AdminRespondToAuthChallenge(request);

        if (outcome.IsSuccess()) {
            std::cout << "Here is the response to the challenge.\n" <<
                      outcome.GetResult().GetAuthenticationResult().Jsonize().View().WriteReadable()
                      << std::endl;

            accessToken = outcome.GetResult().GetAuthenticationResult().GetAccessToken();
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::AdminRespondToAuthChallenge. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
```
+  For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) in *AWS SDK for C\+\+ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
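**To respond to an authentication challenge**  
There are many ways to respond to different authentication challenges, depending on your authentication flow, user pool configuration, and user settings. The following `admin-respond-to-auth-challenge` example provides a TOTP MFA code for diego@example.com and completes sign-in. This user pool has device remembering turned on, so the authentication result also returns a new device key.  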

```
aws cognito-idp admin-respond-to-auth-challenge \
    --user-pool-id us-west-2_EXAMPLE \
    --client-id 1example23456789 \
    --challenge-name SOFTWARE_TOKEN_MFA \
    --challenge-responses USERNAME=diego@example.com,SOFTWARE_TOKEN_MFA_CODE=000000 \
    --session AYABeExample...
```
Output:  

```
{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "eyJra456defEXAMPLE",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "eyJra123abcEXAMPLE",
        "IdToken": "eyJra789ghiEXAMPLE",
        "NewDeviceMetadata": {
            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "DeviceGroupKey": "-ExAmPlE1"
        }
    }
}
```
For more information, see [Admin authentication flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-admin-authentication-flow) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [AdminRespondToAuthChallenge](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/admin-respond-to-auth-challenge.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    // Respond to an authentication challenge.
    public static void adminRespondToAuthChallenge(CognitoIdentityProviderClient identityProviderClient,
            String userName, String clientId, String userPoolId, String mfaCode, String session) {
        System.out.println("SOFTWARE_TOKEN_MFA challenge is generated");
        Map<String, String> challengeResponses = new HashMap<>();

        challengeResponses.put("USERNAME", userName);
        challengeResponses.put("SOFTWARE_TOKEN_MFA_CODE", mfaCode);

        // UserPoolId is a required parameter of AdminRespondToAuthChallenge.
        AdminRespondToAuthChallengeRequest respondToAuthChallengeRequest = AdminRespondToAuthChallengeRequest.builder()
                .challengeName(ChallengeNameType.SOFTWARE_TOKEN_MFA)
                .clientId(clientId)
                .userPoolId(userPoolId)
                .challengeResponses(challengeResponses)
                .session(session)
                .build();

        AdminRespondToAuthChallengeResponse respondToAuthChallengeResult = identityProviderClient
                .adminRespondToAuthChallenge(respondToAuthChallengeRequest);
        System.out.println("respondToAuthChallengeResult.getAuthenticationResult()"
                + respondToAuthChallengeResult.authenticationResult());
    }
```
+  For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
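import {
  AdminRespondToAuthChallengeCommand,
  ChallengeNameType,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const adminRespondToAuthChallenge = ({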
  userPoolId,
  clientId,
  username,
  totp,
  session,
}) => {
  const client = new CognitoIdentityProviderClient({});
  const command = new AdminRespondToAuthChallengeCommand({
    ChallengeName: ChallengeNameType.SOFTWARE_TOKEN_MFA,
    ChallengeResponses: {
      SOFTWARE_TOKEN_MFA_CODE: totp,
      USERNAME: username,
    },
    ClientId: clientId,
    UserPoolId: userPoolId,
    Session: session,
  });

  return client.send(command);
};
```
+  For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminRespondToAuthChallengeCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
// Respond to an authentication challenge.
suspend fun adminRespondToAuthChallenge(
    userName: String,
    clientIdVal: String?,
    userPoolIdVal: String?,
    mfaCode: String,
    sessionVal: String?,
) {
    println("SOFTWARE_TOKEN_MFA challenge is generated")
    val challengeResponsesOb = mutableMapOf<String, String>()
    challengeResponsesOb["USERNAME"] = userName
    challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode

    // UserPoolId is a required parameter of AdminRespondToAuthChallenge.
    val adminRespondToAuthChallengeRequest =
        AdminRespondToAuthChallengeRequest {
            challengeName = ChallengeNameType.SoftwareTokenMfa
            clientId = clientIdVal
            userPoolId = userPoolIdVal
            challengeResponses = challengeResponsesOb
            session = sessionVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val respondToAuthChallengeResult = identityProviderClient.adminRespondToAuthChallenge(adminRespondToAuthChallengeRequest)
        println("respondToAuthChallengeResult.getAuthenticationResult() ${respondToAuthChallengeResult.authenticationResult}")
    }
}
```
+  For API details, see [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

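**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).
Respond to an MFA challenge by providing a code generated by an associated MFA application.  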

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def respond_to_mfa_challenge(self, user_name, session, mfa_code):
        """
        Responds to a challenge for an MFA code. This completes the second step of
        a two-factor sign-in. When sign-in is successful, it returns an access token
        that can be used to get AWS credentials from Amazon Cognito.

        :param user_name: The name of the user who is signing in.
        :param session: Session information returned from a previous call to initiate
                        authentication.
        :param mfa_code: A code generated by the associated MFA application.
        :return: The result of the authentication. When successful, this contains an
                 access token for the user.
        """
        try:
            kwargs = {
                "UserPoolId": self.user_pool_id,
                "ClientId": self.client_id,
                "ChallengeName": "SOFTWARE_TOKEN_MFA",
                "Session": session,
                "ChallengeResponses": {
                    "USERNAME": user_name,
                    "SOFTWARE_TOKEN_MFA_CODE": mfa_code,
                },
            }
            if self.client_secret is not None:
                kwargs["ChallengeResponses"]["SECRET_HASH"] = self._secret_hash(
                    user_name
                )
            response = self.cognito_idp_client.admin_respond_to_auth_challenge(**kwargs)
            auth_result = response["AuthenticationResult"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "ExpiredCodeException":
                logger.warning(
                    "Your MFA code has expired or has been used already. You might have "
                    "to wait a few seconds until your app shows you a new code."
                )
            else:
                logger.error(
                    "Couldn't respond to mfa challenge for %s. Here's why: %s: %s",
                    user_name,
                    err.response["Error"]["Code"],
                    err.response["Error"]["Message"],
                )
                raise
        else:
            return auth_result
```
+  For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples).

```
    TRY.
        " Build challenge responses
        DATA(lt_challenge_responses) = VALUE /aws1/cl_cgpchallengerspstyp00=>tt_challengeresponsestype(
          ( VALUE /aws1/cl_cgpchallengerspstyp00=>ts_challengerspstype_maprow(
              key = 'USERNAME'
              value = NEW /aws1/cl_cgpchallengerspstyp00( iv_user_name ) ) )
          ( VALUE /aws1/cl_cgpchallengerspstyp00=>ts_challengerspstype_maprow(
              key = 'SOFTWARE_TOKEN_MFA_CODE'
              value = NEW /aws1/cl_cgpchallengerspstyp00( iv_mfa_code ) ) )
        ).

        " Add SECRET_HASH if provided
        IF iv_secret_hash IS NOT INITIAL.
          INSERT VALUE #(
            key = 'SECRET_HASH'
            value = NEW /aws1/cl_cgpchallengerspstyp00( iv_secret_hash )
          ) INTO TABLE lt_challenge_responses.
        ENDIF.

        DATA(lo_result) = lo_cgp->adminrespondtoauthchallenge(
          iv_userpoolid = iv_user_pool_id
          iv_clientid = iv_client_id
          iv_challengename = 'SOFTWARE_TOKEN_MFA'
          it_challengeresponses = lt_challenge_responses
          iv_session = iv_session
        ).

        oo_auth_result = lo_result->get_authenticationresult( ).

        IF oo_auth_result IS BOUND.
          MESSAGE 'MFA challenge completed successfully.' TYPE 'I'.
        ELSE.
          " Another challenge might be required
          DATA(lv_next_challenge) = lo_result->get_challengename( ).
          MESSAGE |Additional challenge required: { lv_next_challenge }.| TYPE 'I'.
        ENDIF.

      CATCH /aws1/cx_cgpcodemismatchex INTO DATA(lo_code_ex).
        MESSAGE 'Invalid MFA code provided.' TYPE 'E'.

      CATCH /aws1/cx_cgpexpiredcodeex INTO DATA(lo_expired_ex).
        MESSAGE 'MFA code has expired.' TYPE 'E'.

      CATCH /aws1/cx_cgpnotauthorizedex INTO DATA(lo_auth_ex).
        MESSAGE 'Not authorized. Check MFA configuration.' TYPE 'E'.
    ENDTRY.
```
+  For API details, see [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Respond to the authentication challenge received from Cognito after
    /// initiating an authentication session. This involves sending a current
    /// MFA code to the service.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - userName: The user's username.
    ///   - clientId: The app client ID.
    ///   - userPoolId: The user pool to sign into.
    ///   - mfaCode: The 6-digit MFA code currently displayed by the user's
    ///     authenticator.
    ///   - session: The authentication session to continue processing.
    func adminRespondToAuthChallenge(cipClient: CognitoIdentityProviderClient, userName: String,
                                     clientId: String, userPoolId: String, mfaCode: String,
                                     session: String) async {
        print("=====> SOFTWARE_TOKEN_MFA challenge is generated...")

        var challengeResponsesOb: [String: String] = [:]
        challengeResponsesOb["USERNAME"] = userName
        challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode

        do {
            let output = try await cipClient.adminRespondToAuthChallenge(
                input: AdminRespondToAuthChallengeInput(
                    challengeName: CognitoIdentityProviderClientTypes.ChallengeNameType.softwareTokenMfa,
                    challengeResponses: challengeResponsesOb,
                    clientId: clientId,
                    session: session,
                    userPoolId: userPoolId
                )
            )

            guard let authenticationResult = output.authenticationResult else {
                print("*** Unable to get authentication result.")
                return
            }

            print("=====> Authentication result (JWTs are redacted):")
            print(authenticationResult)
        } catch _ as SoftwareTokenMFANotFoundException {
            print("*** The specified user pool isn't configured for MFA.")
            return
        } catch _ as CodeMismatchException {
            print("*** The specified MFA code doesn't match the expected value.")
            return
        } catch _ as UserNotFoundException {
            print("*** The specified username, \(userName), doesn't exist.")
            return
        } catch _ as UserNotConfirmedException {
            print("*** The user \(userName) has not been confirmed.")
            return
        } catch let error as NotAuthorizedException {
            print("*** Unauthorized access. Reason: \(error.properties.message ?? "<unknown>")")
        } catch {
            print("*** Error responding to the MFA challenge.")
            return
        }
    }
```
+  For API details, see [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/adminrespondtoauthchallenge(input:)) in *AWS SDK for Swift API reference*.

------
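
The Python and SAP ABAP tabs above add a `SECRET_HASH` entry when the app client has a secret, and several tabs print the authentication result after sign-in. The following added example (not part of the AWS samples) builds the request arguments, including the hash, and makes a copy of the result with the tokens redacted for logging; the function names and the client secret value are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import re

# Token-bearing fields of AuthenticationResult, as shown in the CLI output above.
TOKEN_FIELDS = ("AccessToken", "IdToken", "RefreshToken")


def secret_hash(username, client_id, client_secret):
    """Return Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    )
    return base64.b64encode(mac.digest()).decode("ascii")


def build_mfa_response(user_pool_id, client_id, username, session, mfa_code,
                       client_secret=None):
    """Build keyword arguments for admin_respond_to_auth_challenge (hypothetical helper)."""
    # Reject anything that is not a six-digit code before it reaches the API.
    if not re.fullmatch(r"[0-9]{6}", mfa_code):
        raise ValueError("TOTP code must be exactly six digits")
    responses = {"USERNAME": username, "SOFTWARE_TOKEN_MFA_CODE": mfa_code}
    if client_secret is not None:
        # The hash is bound to this exact username and client ID.
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {
        "UserPoolId": user_pool_id,
        "ClientId": client_id,
        "ChallengeName": "SOFTWARE_TOKEN_MFA",
        "Session": session,
        "ChallengeResponses": responses,
    }


def redact_auth_result(auth_result):
    """Return a copy of AuthenticationResult that is safe to write to a log."""
    safe = dict(auth_result)
    for field in TOKEN_FIELDS:
        if field in safe:
            safe[field] = "<redacted>"
    return safe


if __name__ == "__main__":
    # Constructed sample values; the client secret is made up for this example.
    kwargs = build_mfa_response(
        "us-west-2_EXAMPLE", "1example23456789", "diego@example.com",
        "AYABeExample", "000000", client_secret="constructed-client-secret",
    )
    print(sorted(kwargs["ChallengeResponses"]))
    print(redact_auth_result({"AccessToken": "eyJra456defEXAMPLE", "ExpiresIn": 3600}))
```

Pass the returned dictionary to the Boto3 client as `admin_respond_to_auth_challenge(**kwargs)`.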

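For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `AdminSetUserPassword` with an AWS SDK or CLI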
<a name="cognito-identity-provider_example_cognito-identity-provider_AdminSetUserPassword_section"></a>

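The following code examples show how to use `AdminSetUserPassword`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md) 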

------
#### [ CLI ]

**AWS CLI**  
**To set a user password as an admin**  
The following `admin-set-user-password` example permanently sets the password for diego@example.com.  

```
aws cognito-idp admin-set-user-password \
    --user-pool-id us-west-2_EXAMPLE \
    --username diego@example.com \
    --password MyExamplePassword1! \
    --permanent
```
This command produces no output.  
For more information, see [Passwords, password recovery, and password policies](https://docs.aws.amazon.com/cognito/latest/developerguide/managing-users-passwords.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [AdminSetUserPassword](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/admin-set-user-password.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a
// temporary password.
func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error {
	_, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{
		Password:   aws.String(password),
		UserPoolId: aws.String(userPoolId),
		Username:   aws.String(userName),
		Permanent:  true,
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}
```
+  For API details, see [AdminSetUserPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.AdminSetUserPassword) in *AWS SDK for Go API Reference*.

------

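For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `AssociateSoftwareToken` with an AWS SDK or CLI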
<a name="cognito-identity-provider_example_cognito-identity-provider_AssociateSoftwareToken_section"></a>

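The following code examples show how to use `AssociateSoftwareToken`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 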

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Get an MFA token to authenticate the user with the authenticator.
    /// </summary>
    /// <param name="session">The session name.</param>
    /// <returns>The session name.</returns>
    public async Task<string> AssociateSoftwareTokenAsync(string session)
    {
        var softwareTokenRequest = new AssociateSoftwareTokenRequest
        {
            Session = session,
        };

        var tokenResponse = await _cognitoService.AssociateSoftwareTokenAsync(softwareTokenRequest);
        var secretCode = tokenResponse.SecretCode;

        Console.WriteLine($"Use the following secret code to set up the authenticator: {secretCode}");

        return tokenResponse.Session;
    }
```
+  For API details, see [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AssociateSoftwareToken) in *AWS SDK for .NET API Reference*.

------
#### [ C\+\+ ]

**SDK for C\+\+**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::AssociateSoftwareTokenRequest request;
        request.SetSession(session);

        Aws::CognitoIdentityProvider::Model::AssociateSoftwareTokenOutcome outcome =
                client.AssociateSoftwareToken(request);

        if (outcome.IsSuccess()) {
            std::cout
                    << "Enter this setup key into an authenticator app, for example Google Authenticator."
                    << std::endl;
            std::cout << "Setup key: " << outcome.GetResult().GetSecretCode()
                      << std::endl;
#ifdef USING_QR
            printAsterisksLine();
            std::cout << "\nOr scan the QR code in the file '" << QR_CODE_PATH << "'."
                      << std::endl;

            saveQRCode(std::string("otpauth://totp/") + userName + "?secret=" +
                       outcome.GetResult().GetSecretCode());
#endif // USING_QR
            session = outcome.GetResult().GetSession();
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::AssociateSoftwareToken. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
```
+  For API details, see [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AssociateSoftwareToken) in *AWS SDK for C\+\+ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
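**To generate a secret key for an MFA authenticator app**  
The following `associate-software-token` example generates a TOTP private key for a user who has signed in and received an access token. The resulting private key can be manually entered into an authenticator app, or applications can render it as a QR code that the user can scan.  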

```
aws cognito-idp associate-software-token \
    --access-token eyJra456defEXAMPLE
```
Output:  

```
{
    "SecretCode": "QWERTYUIOP123456EXAMPLE"
}
```
For more information, see [TOTP software token MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa-totp.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [AssociateSoftwareToken](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/associate-software-token.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    public static String getSecretForAppMFA(CognitoIdentityProviderClient identityProviderClient, String session) {
        AssociateSoftwareTokenRequest softwareTokenRequest = AssociateSoftwareTokenRequest.builder()
                .session(session)
                .build();

        AssociateSoftwareTokenResponse tokenResponse = identityProviderClient
                .associateSoftwareToken(softwareTokenRequest);
        String secretCode = tokenResponse.secretCode();
        System.out.println("Enter this token into Google Authenticator");
        System.out.println(secretCode);
        return tokenResponse.session();
    }
```
+  For API details, see [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AssociateSoftwareToken) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
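import {
  AssociateSoftwareTokenCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const associateSoftwareToken = (session) => {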
  const client = new CognitoIdentityProviderClient({});
  const command = new AssociateSoftwareTokenCommand({
    Session: session,
  });

  return client.send(command);
};
```
+  For API details, see [AssociateSoftwareToken](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AssociateSoftwareTokenCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun getSecretForAppMFA(sessionVal: String?): String? {
    val softwareTokenRequest =
        AssociateSoftwareTokenRequest {
            session = sessionVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val tokenResponse = identityProviderClient.associateSoftwareToken(softwareTokenRequest)
        val secretCode = tokenResponse.secretCode
        println("Enter this token into Google Authenticator")
        println(secretCode)
        return tokenResponse.session
    }
}
```
+  For API details, see [AssociateSoftwareToken](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def get_mfa_secret(self, session):
        """
        Gets a token that can be used to associate an MFA application with the user.

        :param session: Session information returned from a previous call to initiate
                        authentication.
        :return: An MFA token that can be used to set up an MFA application.
        """
        try:
            response = self.cognito_idp_client.associate_software_token(Session=session)
        except ClientError as err:
            logger.error(
                "Couldn't get MFA secret. Here's why: %s: %s",
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            response.pop("ResponseMetadata", None)
            return response
```
+  For API details, see [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AssociateSoftwareToken) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples).

```
    TRY.
        DATA(lo_result) = lo_cgp->associatesoftwaretoken(
          iv_session = iv_session
        ).

        ov_secret_code = lo_result->get_secretcode( ).

        MESSAGE 'MFA secret code generated successfully.' TYPE 'I'.

      CATCH /aws1/cx_cgpresourcenotfoundex INTO DATA(lo_ex).
        MESSAGE 'Session not found or expired.' TYPE 'E'.

      CATCH /aws1/cx_cgpnotauthorizedex INTO DATA(lo_auth_ex).
        MESSAGE 'Not authorized to associate software token.' TYPE 'E'.
    ENDTRY.
```
+  For API details, see [AssociateSoftwareToken](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Request and display an MFA secret token that the user should enter
    /// into their authenticator to set it up for the user account.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - authSession: The authentication session to request an MFA secret
    ///     for.
    ///
    /// - Returns: The session string to use in the next step of the sign-in
    ///   flow, or `nil` on failure. The MFA secret token is printed so that
    ///   the user can enter it into the authenticator software.
    func getSecretForAppMFA(cipClient: CognitoIdentityProviderClient, authSession: String?) async -> String? {
        do {
            let output = try await cipClient.associateSoftwareToken(
                input: AssociateSoftwareTokenInput(
                    session: authSession
                )
            )

            guard let secretCode = output.secretCode else {
                print("*** Unable to get the secret code")
                return nil
            }

            print("=====> Enter this token into Google Authenticator: \(secretCode)")
            return output.session
        } catch _ as SoftwareTokenMFANotFoundException {
            print("*** The specified user pool isn't configured for MFA.")
            return nil
        } catch {
            print("*** An unexpected error occurred getting the secret for the app's MFA.")
            return nil
        }
    }
```
+  For API details, see [AssociateSoftwareToken](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/associatesoftwaretoken(input:)) in *AWS SDK for Swift API reference*.

------
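
The `SecretCode` returned above is the shared key that an authenticator app turns into one-time codes, and the C\+\+ tab concatenates it into an `otpauth://` URI for a QR code. The following added example (not part of the AWS samples) builds that URI with a URL-encoded label and computes the code an authenticator would display, assuming a base32 secret and the common authenticator defaults of HMAC-SHA1, six digits and a 30-second step; the function names and the issuer name are assumptions, and the sample secret is the RFC 6238 test key because the placeholder in the CLI output is not valid base32.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode


def _clean(secret_code):
    """Normalise a typed-in secret: drop spaces and padding, upper-case it."""
    return secret_code.replace(" ", "").rstrip("=").upper()


def decode_secret(secret_code):
    """Decode the base32 secret to raw key bytes; raises ValueError if malformed."""
    cleaned = _clean(secret_code)
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def totp(secret_code, at=None, step=30, digits=6):
    """RFC 6238 time-based one-time password using HMAC-SHA1."""
    counter = int(time.time() if at is None else at) // step
    mac = hmac.new(decode_secret(secret_code), struct.pack(">Q", counter),
                   hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks an offset.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def otpauth_uri(secret_code, account, issuer):
    """Build the URI that is rendered as a QR code, with every component encoded."""
    decode_secret(secret_code)  # fail early on a secret the app could not import
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    query = urlencode({"secret": _clean(secret_code), "issuer": issuer},
                      quote_via=quote)
    return "otpauth://totp/" + label + "?" + query


if __name__ == "__main__":
    # Constructed sample: base32 of the RFC 6238 test key "12345678901234567890".
    sample_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(totp(sample_secret, at=59))
    print(otpauth_uri(sample_secret, "diego@example.com", "ExampleApp"))
```

Treat the secret and the URI like a password: anyone who reads them can generate valid codes for the account.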

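For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `ConfirmDevice` with an AWS SDK or CLI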
<a name="cognito-identity-provider_example_cognito-identity-provider_ConfirmDevice_section"></a>

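The following code examples show how to use `ConfirmDevice`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 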

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Initiates and confirms tracking of the device.
    /// </summary>
    /// <param name="accessToken">The user's access token.</param>
    /// <param name="deviceKey">The key of the device from Amazon Cognito.</param>
    /// <param name="deviceName">The device name.</param>
    /// <returns></returns>
    public async Task<bool> ConfirmDeviceAsync(string accessToken, string deviceKey, string deviceName)
    {
        var request = new ConfirmDeviceRequest
        {
            AccessToken = accessToken,
            DeviceKey = deviceKey,
            DeviceName = deviceName
        };

        var response = await _cognitoService.ConfirmDeviceAsync(request);
        return response.UserConfirmationNecessary;
    }
```
+  For API details, see [ConfirmDevice](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ConfirmDevice) in *AWS SDK for .NET API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To confirm a user device**  
The following `confirm-device` example adds a new remembered device for the current user.  

```
aws cognito-idp confirm-device \
   --access-token eyJra456defEXAMPLE \
   --device-key us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
   --device-secret-verifier-config PasswordVerifier=TXlWZXJpZmllclN0cmluZw,Salt=TXlTUlBTYWx0
```
Output:  

```
{
     "UserConfirmationNecessary": false
}
```
For more information, see [Working with user devices in your user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [ConfirmDevice](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/confirm-device.html) in *AWS CLI Command Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
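import {
  ConfirmDeviceCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const confirmDevice = ({ deviceKey, accessToken, passwordVerifier, salt }) => {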
  const client = new CognitoIdentityProviderClient({});

  const command = new ConfirmDeviceCommand({
    DeviceKey: deviceKey,
    AccessToken: accessToken,
    DeviceSecretVerifierConfig: {
      PasswordVerifier: passwordVerifier,
      Salt: salt,
    },
  });

  return client.send(command);
};
```
+  For API details, see [ConfirmDevice](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ConfirmDeviceCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
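import base64
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper: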
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def confirm_mfa_device(
        self,
        user_name,
        device_key,
        device_group_key,
        device_password,
        access_token,
        aws_srp,
    ):
        """
        Confirms an MFA device to be tracked by Amazon Cognito. When a device is
        tracked, its key and password can be used to sign in without requiring a new
        MFA code from the MFA application.

        :param user_name: The user that is associated with the device.
        :param device_key: The key of the device, returned by Amazon Cognito.
        :param device_group_key: The group key of the device, returned by Amazon Cognito.
        :param device_password: The password that is associated with the device.
        :param access_token: The user's access token.
        :param aws_srp: A class that helps with Secure Remote Password (SRP)
                        calculations. The scenario associated with this example uses
                        the warrant package.
        :return: True when the user must confirm the device. Otherwise, False. When
                 False, the device is automatically confirmed and tracked.
        """
        srp_helper = aws_srp.AWSSRP(
            username=user_name,
            password=device_password,
            pool_id="_",
            client_id=self.client_id,
            client_secret=None,
            client=self.cognito_idp_client,
        )
        device_and_pw = f"{device_group_key}{device_key}:{device_password}"
        device_and_pw_hash = aws_srp.hash_sha256(device_and_pw.encode("utf-8"))
        salt = aws_srp.pad_hex(aws_srp.get_random(16))
        x_value = aws_srp.hex_to_long(aws_srp.hex_hash(salt + device_and_pw_hash))
        verifier = aws_srp.pad_hex(pow(srp_helper.val_g, x_value, srp_helper.big_n))
        device_secret_verifier_config = {
            "PasswordVerifier": base64.standard_b64encode(
                bytearray.fromhex(verifier)
            ).decode("utf-8"),
            "Salt": base64.standard_b64encode(bytearray.fromhex(salt)).decode("utf-8"),
        }
        try:
            response = self.cognito_idp_client.confirm_device(
                AccessToken=access_token,
                DeviceKey=device_key,
                DeviceSecretVerifierConfig=device_secret_verifier_config,
            )
            user_confirm = response["UserConfirmationNecessary"]
        except ClientError as err:
            logger.error(
                "Couldn't confirm mfa device %s. Here's why: %s: %s",
                device_key,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return user_confirm
```
+  For API details, see [ConfirmDevice](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmDevice) in *AWS SDK for Python (Boto3) API Reference*.

------


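# Use `ConfirmForgotPassword` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_ConfirmForgotPassword_section"></a>

The following code examples show how to use `ConfirmForgotPassword`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) 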

------
#### [ CLI ]

**AWS CLI**  
**To confirm a forgotten password**  
This example confirms a forgotten password for the username diego@example.com.  
Command:  

```
aws cognito-idp confirm-forgot-password --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username=diego@example.com --password PASSWORD --confirmation-code CONF_CODE
```
+  For API details, see [ConfirmForgotPassword](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/confirm-forgot-password.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// ConfirmForgotPassword confirms a user with a confirmation code and a new password.
func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error {
	_, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{
		ClientId:         aws.String(clientId),
		ConfirmationCode: aws.String(code),
		Password:         aws.String(password),
		Username:         aws.String(userName),
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err)
		}
	}
	return err
}
```
+  For API details, see [ConfirmForgotPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ConfirmForgotPassword) in *AWS SDK for Go API Reference*.

------


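# Use `ConfirmSignUp` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_ConfirmSignUp_section"></a>

The following code examples show how to use `ConfirmSignUp`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 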

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Confirm that the user has signed up.
    /// </summary>
    /// <param name="clientId">The Id of this application.</param>
    /// <param name="code">The confirmation code sent to the user.</param>
    /// <param name="userName">The username.</param>
    /// <returns>True if successful.</returns>
    public async Task<bool> ConfirmSignupAsync(string clientId, string code, string userName)
    {
        var signUpRequest = new ConfirmSignUpRequest
        {
            ClientId = clientId,
            ConfirmationCode = code,
            Username = userName,
        };

        var response = await _cognitoService.ConfirmSignUpAsync(signUpRequest);
        if (response.HttpStatusCode == HttpStatusCode.OK)
        {
            Console.WriteLine($"{userName} was confirmed");
            return true;
        }
        return false;
    }
```
+  For API details, see [ConfirmSignUp](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ConfirmSignUp) in *AWS SDK for .NET API Reference*.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::ConfirmSignUpRequest request;
        request.SetClientId(clientID);
        request.SetConfirmationCode(confirmationCode);
        request.SetUsername(userName);

        Aws::CognitoIdentityProvider::Model::ConfirmSignUpOutcome outcome =
                client.ConfirmSignUp(request);

        if (outcome.IsSuccess()) {
            std::cout << "ConfirmSignup was Successful."
                      << std::endl;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::ConfirmSignUp. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
```
+  For API details, see [ConfirmSignUp](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmSignUp) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To confirm sign-up**  
This example confirms sign-up for the username diego@example.com.  
Command:  

```
aws cognito-idp confirm-sign-up --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username=diego@example.com --confirmation-code CONF_CODE
```
+  For API details, see [ConfirmSignUp](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/confirm-sign-up.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    public static void confirmSignUp(CognitoIdentityProviderClient identityProviderClient, String clientId, String code,
            String userName) {
        try {
            ConfirmSignUpRequest signUpRequest = ConfirmSignUpRequest.builder()
                    .clientId(clientId)
                    .confirmationCode(code)
                    .username(userName)
                    .build();

            identityProviderClient.confirmSignUp(signUpRequest);
            System.out.println(userName + " was confirmed");

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
```
+  For API details, see [ConfirmSignUp](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmSignUp) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
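import {
  ConfirmSignUpCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const confirmSignUp = ({ clientId, username, code }) => {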
  const client = new CognitoIdentityProviderClient({});

  const command = new ConfirmSignUpCommand({
    ClientId: clientId,
    Username: username,
    ConfirmationCode: code,
  });

  return client.send(command);
};
```
+  For API details, see [ConfirmSignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ConfirmSignUpCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun confirmSignUp(
    clientIdVal: String?,
    codeVal: String?,
    userNameVal: String?,
) {
    val signUpRequest =
        ConfirmSignUpRequest {
            clientId = clientIdVal
            confirmationCode = codeVal
            username = userNameVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        identityProviderClient.confirmSignUp(signUpRequest)
        println("$userNameVal  was confirmed")
    }
}
```
+  For API details, see [ConfirmSignUp](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def confirm_user_sign_up(self, user_name, confirmation_code):
        """
        Confirms a previously created user. A user must be confirmed before they
        can sign in to Amazon Cognito.

        :param user_name: The name of the user to confirm.
        :param confirmation_code: The confirmation code sent to the user's registered
                                  email address.
        :return: True when the confirmation succeeds.
        """
        try:
            kwargs = {
                "ClientId": self.client_id,
                "Username": user_name,
                "ConfirmationCode": confirmation_code,
            }
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            self.cognito_idp_client.confirm_sign_up(**kwargs)
        except ClientError as err:
            logger.error(
                "Couldn't confirm sign up for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return True
```
+  For API details, see [ConfirmSignUp](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmSignUp) in *AWS SDK for Python (Boto3) API Reference*.
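
The Python excerpt above calls `self._secret_hash(user_name)` without showing it. The following added example (not taken from the AWS code examples repository) computes the `SecretHash` value that Amazon Cognito expects from app clients that have a secret, Base64(HMAC-SHA256(client secret, username + client ID)), and builds the `ConfirmSignUp` parameters. The function names, the `RecordingClient` stand-in and the client secret are constructed for illustration.

```python
import base64
import hashlib
import hmac


def secret_hash(user_name, client_id, client_secret):
    """Return Base64(HMAC-SHA256(key=client_secret, msg=user_name + client_id))."""
    mac = hmac.new(
        client_secret.encode("utf-8"),
        (user_name + client_id).encode("utf-8"),
        hashlib.sha256,
    )
    return base64.b64encode(mac.digest()).decode("ascii")


def confirm_sign_up_params(user_name, confirmation_code, client_id, client_secret=None):
    """Build keyword arguments for confirm_sign_up.

    SecretHash is added only when the app client has a secret, mirroring the
    `if self.client_secret is not None` branch in the excerpt above.
    """
    params = {
        "ClientId": client_id,
        "Username": user_name,
        "ConfirmationCode": confirmation_code,
    }
    if client_secret is not None:
        params["SecretHash"] = secret_hash(user_name, client_id, client_secret)
    return params


class RecordingClient:
    """Constructed stand-in for a Boto3 cognito-idp client: records calls, sends nothing."""

    def __init__(self):
        self.calls = []

    def confirm_sign_up(self, **kwargs):
        self.calls.append(kwargs)
        return {}


def demo():
    """Run one confirmation against the stand-in client and return the recorded call."""
    # The client ID and username are the ones used in the CLI example on this page;
    # the client secret is a constructed value.
    client_id = "3n4b5urk1ft4fl3mg5e62d9ado"
    client_secret = "constructed-client-secret"
    client = RecordingClient()
    client.confirm_sign_up(
        **confirm_sign_up_params("diego@example.com", "CONF_CODE", client_id, client_secret)
    )
    return client.calls[0]


if __name__ == "__main__":
    print(demo())
```

The username is part of the HMAC input, so the hash has to be recomputed for every user and with the exact username string sent in the request.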

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Submit a confirmation code for the specified user. This is the code as
    /// entered by the user after they've received it by email or text
    /// message.
    ///
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The app client ID the user is signing up for.
    ///   - userName: The username of the user whose code is being sent.
    ///   - code: The user's confirmation code.
    /// 
    /// - Returns: `true` if the code was successfully confirmed; otherwise `false`.
    func confirmSignUp(cipClient: CognitoIdentityProviderClient, clientId: String,
                       userName: String, code: String) async -> Bool {
        do {
            _ = try await cipClient.confirmSignUp(
                input: ConfirmSignUpInput(
                    clientId: clientId,
                    confirmationCode: code,
                    username: userName
                )
            )

            print("=====> \(userName) has been confirmed.")
            return true
        } catch {
            print("=====> \(userName)'s code was entered incorrectly.")
            return false
        }
    }
```
+  For API details, see [ConfirmSignUp](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/confirmsignup(input:)) in *AWS SDK for Swift API reference*.

------


# Use `CreateUserPool` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_CreateUserPool_section"></a>

The following code examples show how to use `CreateUserPool`.

------
#### [ CLI ]

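**AWS CLI**  
**To create a minimally configured user pool**  
This example creates a user pool named MyUserPool using default values. There are no required attributes and no application clients. MFA and advanced security are disabled.  
Command:  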

```
aws cognito-idp create-user-pool --pool-name MyUserPool
```
Output:  

```
{
  "UserPool": {
      "SchemaAttributes": [
          {
              "Name": "sub",
              "StringAttributeConstraints": {
                  "MinLength": "1",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": true,
              "AttributeDataType": "String",
              "Mutable": false
          },
          {
              "Name": "name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "given_name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "family_name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "middle_name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "nickname",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "preferred_username",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "profile",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "picture",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "website",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "email",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "AttributeDataType": "Boolean",
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "Name": "email_verified",
              "Mutable": true
          },
          {
              "Name": "gender",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "birthdate",
              "StringAttributeConstraints": {
                  "MinLength": "10",
                  "MaxLength": "10"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "zoneinfo",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "locale",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "phone_number",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "AttributeDataType": "Boolean",
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "Name": "phone_number_verified",
              "Mutable": true
          },
          {
              "Name": "address",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "updated_at",
              "NumberAttributeConstraints": {
                  "MinValue": "0"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "Number",
              "Mutable": true
          }
      ],
      "MfaConfiguration": "OFF",
      "Name": "MyUserPool",
      "LastModifiedDate": 1547833345.777,
      "AdminCreateUserConfig": {
          "UnusedAccountValidityDays": 7,
          "AllowAdminCreateUserOnly": false
      },
      "EmailConfiguration": {},
      "Policies": {
          "PasswordPolicy": {
              "RequireLowercase": true,
              "RequireSymbols": true,
              "RequireNumbers": true,
              "MinimumLength": 8,
              "RequireUppercase": true
          }
      },
      "CreationDate": 1547833345.777,
      "EstimatedNumberOfUsers": 0,
      "Id": "us-west-2_aaaaaaaaa",
      "LambdaConfig": {}
  }
}
```
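**To create a user pool with two required attributes**  
This example creates the user pool MyUserPool. The pool is configured to accept email as a username attribute. It also sets the email source address to a validated address using Amazon Simple Email Service.  
Command:  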

```
aws cognito-idp create-user-pool --pool-name MyUserPool --username-attributes "email" --email-configuration=SourceArn="arn:aws:ses:us-east-1:111111111111:identity/jane@example.com",ReplyToEmailAddress="jane@example.com"
```
Output:  

```
{
  "UserPool": {
      "SchemaAttributes": [
          {
              "Name": "sub",
              "StringAttributeConstraints": {
                  "MinLength": "1",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": true,
              "AttributeDataType": "String",
              "Mutable": false
          },
          {
              "Name": "name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "given_name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "family_name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "middle_name",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "nickname",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "preferred_username",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "profile",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "picture",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "website",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "email",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "AttributeDataType": "Boolean",
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "Name": "email_verified",
              "Mutable": true
          },
          {
              "Name": "gender",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "birthdate",
              "StringAttributeConstraints": {
                  "MinLength": "10",
                  "MaxLength": "10"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "zoneinfo",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "locale",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "phone_number",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "AttributeDataType": "Boolean",
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "Name": "phone_number_verified",
              "Mutable": true
          },
          {
              "Name": "address",
              "StringAttributeConstraints": {
                  "MinLength": "0",
                  "MaxLength": "2048"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "String",
              "Mutable": true
          },
          {
              "Name": "updated_at",
              "NumberAttributeConstraints": {
                  "MinValue": "0"
              },
              "DeveloperOnlyAttribute": false,
              "Required": false,
              "AttributeDataType": "Number",
              "Mutable": true
          }
      ],
      "MfaConfiguration": "OFF",
      "Name": "MyUserPool",
      "LastModifiedDate": 1547837788.189,
      "AdminCreateUserConfig": {
          "UnusedAccountValidityDays": 7,
          "AllowAdminCreateUserOnly": false
      },
      "EmailConfiguration": {
          "ReplyToEmailAddress": "jane@example.com",
          "SourceArn": "arn:aws:ses:us-east-1:111111111111:identity/jane@example.com"
      },
      "Policies": {
          "PasswordPolicy": {
              "RequireLowercase": true,
              "RequireSymbols": true,
              "RequireNumbers": true,
              "MinimumLength": 8,
              "RequireUppercase": true
          }
      },
      "UsernameAttributes": [
          "email"
      ],
      "CreationDate": 1547837788.189,
      "EstimatedNumberOfUsers": 0,
      "Id": "us-west-2_aaaaaaaaa",
      "LambdaConfig": {}
  }
}
```
+  For API details, see [CreateUserPool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/create-user-pool.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolResponse;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateUserPool {
    public static void main(String[] args) {

        final String usage = """

                Usage:
                    <userPoolName>\s

                Where:
                    userPoolName - The name to give your user pool when it's created.
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String userPoolName = args[0];
        CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1)
                .build();

        String id = createPool(cognitoClient, userPoolName);
        System.out.println("User pool ID: " + id);
        cognitoClient.close();
    }

    public static String createPool(CognitoIdentityProviderClient cognitoClient, String userPoolName) {
        try {
            CreateUserPoolRequest request = CreateUserPoolRequest.builder()
                    .poolName(userPoolName)
                    .build();

            CreateUserPoolResponse response = cognitoClient.createUserPool(request);
            return response.userPool().id();

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
        return "";
    }
}
```
+  For API details, see [CreateUserPool](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateUserPool) in *AWS SDK for Java 2.x API Reference*.

------

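For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `CreateUserPoolClient` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_CreateUserPoolClient_section"></a>

The following code examples show how to use `CreateUserPoolClient`.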

------
#### [ CLI ]

**AWS CLI**  
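**To create a user pool client**  
The following `create-user-pool-client` example creates a new user pool client with a client secret, explicit read and write attributes, sign-in with username-password and SRP flows, sign-in with three IdPs, access to a subset of OAuth scopes, PinPoint analytics, and an extended authentication session validity.  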

```
aws cognito-idp create-user-pool-client \
    --user-pool-id us-west-2_EXAMPLE \
    --client-name MyTestClient \
    --generate-secret \
    --refresh-token-validity 10 \
    --access-token-validity 60 \
    --id-token-validity 60 \
    --token-validity-units AccessToken=minutes,IdToken=minutes,RefreshToken=days \
    --read-attributes email phone_number email_verified phone_number_verified \
    --write-attributes email phone_number \
    --explicit-auth-flows ALLOW_USER_PASSWORD_AUTH ALLOW_USER_SRP_AUTH ALLOW_REFRESH_TOKEN_AUTH \
    --supported-identity-providers Google Facebook MyOIDC \
    --callback-urls https://www.amazon.com https://example.com http://localhost:8001 myapp://example \
    --allowed-o-auth-flows code implicit \
    --allowed-o-auth-scopes openid profile aws.cognito.signin.user.admin solar-system-data/asteroids.add \
    --allowed-o-auth-flows-user-pool-client \
    --analytics-configuration ApplicationArn=arn:aws:mobiletargeting:us-west-2:767671399759:apps/thisisanexamplepinpointapplicationid,UserDataShared=TRUE \
    --prevent-user-existence-errors ENABLED \
    --enable-token-revocation \
    --enable-propagate-additional-user-context-data \
    --auth-session-validity 4
```
Output:  

```
{
    "UserPoolClient": {
        "UserPoolId": "us-west-2_EXAMPLE",
        "ClientName": "MyTestClient",
        "ClientId": "123abc456defEXAMPLE",
        "ClientSecret": "this1234is5678my91011example1213client1415secret",
        "LastModifiedDate": 1726788459.464,
        "CreationDate": 1726788459.464,
        "RefreshTokenValidity": 10,
        "AccessTokenValidity": 60,
        "IdTokenValidity": 60,
        "TokenValidityUnits": {
            "AccessToken": "minutes",
            "IdToken": "minutes",
            "RefreshToken": "days"
        },
        "ReadAttributes": [
            "email_verified",
            "phone_number_verified",
            "phone_number",
            "email"
        ],
        "WriteAttributes": [
            "phone_number",
            "email"
        ],
        "ExplicitAuthFlows": [
            "ALLOW_USER_PASSWORD_AUTH",
            "ALLOW_USER_SRP_AUTH",
            "ALLOW_REFRESH_TOKEN_AUTH"
        ],
        "SupportedIdentityProviders": [
            "Google",
            "MyOIDC",
            "Facebook"
        ],
        "CallbackURLs": [
            "https://example.com",
            "https://www.amazon.com",
            "myapp://example",
            "http://localhost:8001"
        ],
        "AllowedOAuthFlows": [
            "implicit",
            "code"
        ],
        "AllowedOAuthScopes": [
            "aws.cognito.signin.user.admin",
            "openid",
            "profile",
            "solar-system-data/asteroids.add"
        ],
        "AllowedOAuthFlowsUserPoolClient": true,
        "AnalyticsConfiguration": {
            "ApplicationArn": "arn:aws:mobiletargeting:us-west-2:123456789012:apps/thisisanexamplepinpointapplicationid",
            "RoleArn": "arn:aws:iam::123456789012:role/aws-service-role/cognito-idp.amazonaws.com/AWSServiceRoleForAmazonCognitoIdp",
            "UserDataShared": true
        },
        "PreventUserExistenceErrors": "ENABLED",
        "EnableTokenRevocation": true,
        "EnablePropagateAdditionalUserContextData": true,
        "AuthSessionValidity": 4
    }
}
```
For more information, see [Application-specific settings with app clients](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [CreateUserPoolClient](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/create-user-pool-client.html) in *AWS CLI Command Reference*.
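
The app client created above enables several settings worth reviewing before production use (implicit grant, `ALLOW_USER_PASSWORD_AUTH`, an `http://localhost` callback, a client secret on a client with a native-app callback). The following Python check over the `UserPoolClient` response is an added example, not part of the AWS documentation or SDK samples; the function names, finding codes and lifetime limits are assumptions of this example, and the sample input is constructed from the output shown above.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the CLI output shown above.
SAMPLE_RESPONSE = json.loads("""
{
  "UserPoolClient": {
    "ClientId": "123abc456defEXAMPLE",
    "ClientSecret": "this1234is5678my91011example1213client1415secret",
    "RefreshTokenValidity": 10,
    "AccessTokenValidity": 60,
    "TokenValidityUnits": {"AccessToken": "minutes", "IdToken": "minutes", "RefreshToken": "days"},
    "ExplicitAuthFlows": ["ALLOW_USER_PASSWORD_AUTH", "ALLOW_USER_SRP_AUTH", "ALLOW_REFRESH_TOKEN_AUTH"],
    "CallbackURLs": ["https://example.com", "https://www.amazon.com", "myapp://example", "http://localhost:8001"],
    "AllowedOAuthFlows": ["implicit", "code"],
    "PreventUserExistenceErrors": "ENABLED",
    "EnableTokenRevocation": true
  }
}
""")

SECONDS_PER_UNIT = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

# Assumed review policy for this example, not AWS limits or defaults.
MAX_ACCESS_TOKEN_SECONDS = 60 * 60
MAX_REFRESH_TOKEN_SECONDS = 30 * 86400


def lifetime_seconds(client, field, unit_key, default_unit):
    """Convert a *Validity value to seconds using TokenValidityUnits.

    Returns None when the field is absent or 0, where the service default
    applies and there is nothing in the response to evaluate.
    """
    value = client.get(field)
    if not value:
        return None
    unit = (client.get("TokenValidityUnits") or {}).get(unit_key, default_unit)
    return value * SECONDS_PER_UNIT[unit]


def audit_user_pool_client(response):
    """Return a list of (code, detail) findings for one app client response."""
    client = response["UserPoolClient"]
    findings = []
    oauth_flows = client.get("AllowedOAuthFlows") or []
    auth_flows = client.get("ExplicitAuthFlows") or []

    if "implicit" in oauth_flows:
        findings.append(("IMPLICIT_GRANT", "tokens come back in the redirect URL; prefer 'code'"))
    if "ALLOW_USER_PASSWORD_AUTH" in auth_flows:
        findings.append(("PASSWORD_AUTH", "the password itself is sent in the API request; SRP avoids that"))

    native_callback = False
    for url in client.get("CallbackURLs") or []:
        parsed = urlparse(url)
        if parsed.scheme == "http":
            findings.append(("HTTP_CALLBACK", f"{url} is not HTTPS; acceptable for local testing only"))
        elif parsed.scheme != "https":
            native_callback = True  # custom scheme such as myapp:// means a native app

    # Heuristic: a browser or native app cannot keep a client secret confidential.
    if client.get("ClientSecret") and ("implicit" in oauth_flows or native_callback):
        findings.append(("SECRET_ON_PUBLIC_CLIENT", "client secret issued to a client that runs on user devices"))

    if client.get("PreventUserExistenceErrors") != "ENABLED":
        findings.append(("USER_ENUMERATION", "error responses reveal whether a username exists"))
    if not client.get("EnableTokenRevocation"):
        findings.append(("NO_TOKEN_REVOCATION", "token revocation is not enabled for this client"))

    # Default units when TokenValidityUnits is absent: hours for access tokens, days for refresh tokens.
    access = lifetime_seconds(client, "AccessTokenValidity", "AccessToken", "hours")
    if access is not None and access > MAX_ACCESS_TOKEN_SECONDS:
        findings.append(("LONG_ACCESS_TOKEN", f"{access} s exceeds the assumed {MAX_ACCESS_TOKEN_SECONDS} s limit"))
    refresh = lifetime_seconds(client, "RefreshTokenValidity", "RefreshToken", "days")
    if refresh is not None and refresh > MAX_REFRESH_TOKEN_SECONDS:
        findings.append(("LONG_REFRESH_TOKEN", f"{refresh} s exceeds the assumed {MAX_REFRESH_TOKEN_SECONDS} s limit"))
    return findings


def finding_codes(response):
    """Convenience wrapper: only the finding codes, in report order."""
    return [code for code, _ in audit_user_pool_client(response)]


if __name__ == "__main__":
    for code, detail in audit_user_pool_client(SAMPLE_RESPONSE):
        print(f"{code}: {detail}")
```

The same function can be fed the JSON printed by `aws cognito-idp describe-user-pool-client` for an existing client.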

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CreateUserPoolClientResponse;

/**
 * A user pool client app is an application that authenticates with Amazon
 * Cognito user pools.
 * When you create a user pool, you can configure app clients that allow mobile
 * or web applications
 * to call API operations to authenticate users, manage user attributes and
 * profiles,
 * and implement sign-up and sign-in flows.
 *
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class CreateUserPoolClient {
    public static void main(String[] args) {
        final String usage = """

                Usage:
                    <clientName> <userPoolId>\s

                Where:
                    clientName - The name for the user pool client to create.
                    userPoolId - The ID for the user pool.
                """;

        if (args.length != 2) {
            System.out.println(usage);
            System.exit(1);
        }

        String clientName = args[0];
        String userPoolId = args[1];
        CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1)
                .build();

        createPoolClient(cognitoClient, clientName, userPoolId);
        cognitoClient.close();
    }

    public static void createPoolClient(CognitoIdentityProviderClient cognitoClient, String clientName,
            String userPoolId) {
        try {
            CreateUserPoolClientRequest request = CreateUserPoolClientRequest.builder()
                    .clientName(clientName)
                    .userPoolId(userPoolId)
                    .build();

            CreateUserPoolClientResponse response = cognitoClient.createUserPoolClient(request);
            System.out.println("User pool client " + response.userPoolClient().clientName() + " created. ID: "
                    + response.userPoolClient().clientId());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [CreateUserPoolClient](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/CreateUserPoolClient) in *AWS SDK for Java 2.x API Reference*.

------

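For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `DeleteUser` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_DeleteUser_section"></a>

The following code examples show how to use `DeleteUser`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples:
+  [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md) 
+  [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) 
+  [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md) 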

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::DeleteUserRequest request;
        request.SetAccessToken(accessToken);

        Aws::CognitoIdentityProvider::Model::DeleteUserOutcome outcome =
                client.DeleteUser(request);

        if (outcome.IsSuccess()) {
            std::cout << "The user " << userName << " was deleted."
                      << std::endl;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::DeleteUser. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
        }
```
+  For API details, see [DeleteUser](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/DeleteUser) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To delete a user**  
This example deletes a user.  
Command:  

```
aws cognito-idp delete-user --access-token ACCESS_TOKEN
```
+  For API details, see [DeleteUser](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/delete-user.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// DeleteUser removes a user from the user pool.
func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error {
	_, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{
		AccessToken: aws.String(userAccessToken),
	})
	if err != nil {
		log.Printf("Couldn't delete user. Here's why: %v\n", err)
	}
	return err
}
```
+  For API details, see [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser) in *AWS SDK for Go API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-pools-triggers#code-examples).

```
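import {
  CognitoIdentityProviderClient,
  DeleteUserCommand,
} from "@aws-sdk/client-cognito-identity-provider";

/**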
 * Delete the signed-in user. Useful for allowing a user to delete their
 * own profile.
 * @param {{ region: string, accessToken: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").DeleteUserCommandOutput | null, unknown]>}
 */
export const deleteUser = async ({ region, accessToken }) => {
  try {
    const client = new CognitoIdentityProviderClient({ region });
    const response = await client.send(
      new DeleteUserCommand({ AccessToken: accessToken }),
    );
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};
```
+  For API details, see [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteUserCommand) in *AWS SDK for JavaScript API Reference*.

------

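For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `ForgotPassword` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_ForgotPassword_section"></a>

The following code examples show how to use `ForgotPassword`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) 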

------
#### [ CLI ]

**AWS CLI**  
**To force a password change**  
The following `forgot-password` example sends a message to jane@example.com to change their password.  

```
aws cognito-idp forgot-password --client-id 38fjsnc484p94kpqsnet7mpld0 --username jane@example.com
```
Output:  

```
{
    "CodeDeliveryDetails": {
        "Destination": "j***@e***.com",
        "DeliveryMedium": "EMAIL",
        "AttributeName": "email"
    }
}
```
+  For API details, see [ForgotPassword](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/forgot-password.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code
// to the user's configured notification destination, such as email.
func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) {
	output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{
		ClientId: aws.String(clientId),
		Username: aws.String(userName),
	})
	if err != nil {
		log.Printf("Couldn't start password reset for user '%v'. Here's why: %v\n", userName, err)
		// output is nil when the call fails, so return before dereferencing it.
		return nil, err
	}
	return output.CodeDeliveryDetails, nil
}
```
+  For API details, see [ForgotPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ForgotPassword) in *AWS SDK for Go API Reference*.

------

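For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `InitiateAuth` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_InitiateAuth_section"></a>

The following code examples show how to use `InitiateAuth`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples:
+  [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md) 
+  [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) 
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 
+  [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md) 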

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Initiate authentication.
    /// </summary>
    /// <param name="clientId">The client Id of the application.</param>
    /// <param name="userName">The name of the user who is authenticating.</param>
    /// <param name="password">The password for the user who is authenticating.</param>
    /// <returns>The response from the initiate auth request.</returns>
    public async Task<InitiateAuthResponse> InitiateAuthAsync(string clientId, string userName, string password)
    {
        var authParameters = new Dictionary<string, string>();
        authParameters.Add("USERNAME", userName);
        authParameters.Add("PASSWORD", password);

        var authRequest = new InitiateAuthRequest
        {
            ClientId = clientId,
            AuthParameters = authParameters,
            AuthFlow = AuthFlowType.USER_PASSWORD_AUTH,
        };

        var response = await _cognitoService.InitiateAuthAsync(authRequest);
        Console.WriteLine($"Result Challenge is : {response.ChallengeName}");

        return response;
    }
```
+  For API details, see [InitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/InitiateAuth) in *AWS SDK for .NET API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To sign in a user**  
The following `initiate-auth` example signs in a user with the basic username-password flow and no additional challenges.  

```
aws cognito-idp initiate-auth \
    --auth-flow USER_PASSWORD_AUTH \
    --client-id 1example23456789 \
    --analytics-metadata AnalyticsEndpointId=d70b2ba36a8c4dc5a04a0451aEXAMPLE \
    --auth-parameters USERNAME=testuser,PASSWORD=[Password] \
    --user-context-data EncodedData=mycontextdata \
    --client-metadata MyTestKey=MyTestValue
```
Output:  

```
{
    "AuthenticationResult": {
        "AccessToken": "eyJra456defEXAMPLE",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "eyJra123abcEXAMPLE",
        "IdToken": "eyJra789ghiEXAMPLE",
        "NewDeviceMetadata": {
            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "DeviceGroupKey": "-v7w9UcY6"
        }
    }
}
```
For more information, see [Authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [InitiateAuth](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/initiate-auth.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// SignIn signs in a user to Amazon Cognito using a username and password authentication flow.
func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) {
	var authResult *types.AuthenticationResultType
	output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{
		AuthFlow:       "USER_PASSWORD_AUTH",
		ClientId:       aws.String(clientId),
		AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password},
	})
	if err != nil {
		var resetRequired *types.PasswordResetRequiredException
		if errors.As(err, &resetRequired) {
			log.Println(*resetRequired.Message)
		} else {
			log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err)
		}
	} else {
		authResult = output.AuthenticationResult
	}
	return authResult, err
}
```
+  For API details, see [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth) in *AWS SDK for Go API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
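import {
  AuthFlowType,
  CognitoIdentityProviderClient,
  InitiateAuthCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const initiateAuth = ({ username, password, clientId }) => {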
  const client = new CognitoIdentityProviderClient({});

  const command = new InitiateAuthCommand({
    AuthFlow: AuthFlowType.USER_PASSWORD_AUTH,
    AuthParameters: {
      USERNAME: username,
      PASSWORD: password,
    },
    ClientId: clientId,
  });

  return client.send(command);
};
```
+  For API details, see [InitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/InitiateAuthCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Python ]

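**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).
This example shows you how to start authentication with a tracked device. To complete sign-in, the client must correctly respond to Secure Remote Password (SRP) challenges.  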

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def sign_in_with_tracked_device(
        self,
        user_name,
        password,
        device_key,
        device_group_key,
        device_password,
        aws_srp,
    ):
        """
        Signs in to Amazon Cognito as a user who has a tracked device. Signing in
        with a tracked device lets a user sign in without entering a new MFA code.

        Signing in with a tracked device requires that the client respond to the SRP
        protocol. The scenario associated with this example uses the warrant package
        to help with SRP calculations.

        For more information on SRP, see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol.

        :param user_name: The user that is associated with the device.
        :param password: The user's password.
        :param device_key: The key of a tracked device.
        :param device_group_key: The group key of a tracked device.
        :param device_password: The password that is associated with the device.
        :param aws_srp: A class that helps with SRP calculations. The scenario
                        associated with this example uses the warrant package.
        :return: The result of the authentication. When successful, this contains an
                 access token for the user.
        """
        try:
            srp_helper = aws_srp.AWSSRP(
                username=user_name,
                password=device_password,
                pool_id="_",
                client_id=self.client_id,
                client_secret=None,
                client=self.cognito_idp_client,
            )

            response_init = self.cognito_idp_client.initiate_auth(
                ClientId=self.client_id,
                AuthFlow="USER_PASSWORD_AUTH",
                AuthParameters={
                    "USERNAME": user_name,
                    "PASSWORD": password,
                    "DEVICE_KEY": device_key,
                },
            )
            if response_init["ChallengeName"] != "DEVICE_SRP_AUTH":
                raise RuntimeError(
                    f"Expected DEVICE_SRP_AUTH challenge but got {response_init['ChallengeName']}."
                )

            auth_params = srp_helper.get_auth_params()
            auth_params["DEVICE_KEY"] = device_key
            response_auth = self.cognito_idp_client.respond_to_auth_challenge(
                ClientId=self.client_id,
                ChallengeName="DEVICE_SRP_AUTH",
                ChallengeResponses=auth_params,
            )
            if response_auth["ChallengeName"] != "DEVICE_PASSWORD_VERIFIER":
                raise RuntimeError(
                    f"Expected DEVICE_PASSWORD_VERIFIER challenge but got "
                    f"{response_auth['ChallengeName']}."
                )

            challenge_params = response_auth["ChallengeParameters"]
            challenge_params["USER_ID_FOR_SRP"] = device_group_key + device_key
            cr = srp_helper.process_challenge(challenge_params, {"USERNAME": user_name})
            cr["USERNAME"] = user_name
            cr["DEVICE_KEY"] = device_key
            response_verifier = self.cognito_idp_client.respond_to_auth_challenge(
                ClientId=self.client_id,
                ChallengeName="DEVICE_PASSWORD_VERIFIER",
                ChallengeResponses=cr,
            )
            auth_tokens = response_verifier["AuthenticationResult"]
        except ClientError as err:
            logger.error(
                "Couldn't start client sign in for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return auth_tokens
```
+  For API details, see [InitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/InitiateAuth) in *AWS SDK for Python (Boto3) API Reference*.

------

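For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Use `ListUserPools` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_ListUserPools_section"></a>

The following code examples show how to use `ListUserPools`.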

------
#### [ .NET ]

**SDK for .NET (v4)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv4/Cognito#code-examples).

```
    /// <summary>
    /// List the Amazon Cognito user pools for an account.
    /// </summary>
    /// <returns>A list of UserPoolDescriptionType objects.</returns>
    public async Task<List<UserPoolDescriptionType>> ListUserPoolsAsync()
    {
        var userPools = new List<UserPoolDescriptionType>();

        var userPoolsPaginator = _cognitoService.Paginators.ListUserPools(new ListUserPoolsRequest());

        await foreach (var response in userPoolsPaginator.Responses)
        {
            userPools.AddRange(response.UserPools);
        }

        return userPools;
    }
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/goto/DotNetSDKV4/cognito-idp-2016-04-18/ListUserPools) in *AWS SDK for .NET API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To list user pools**  
The following `list-user-pools` example lists 3 of the available user pools in the AWS account of the current CLI credentials.  

```
aws cognito-idp list-user-pools \
    --max-results 3
```
Output:  

```
{
    "NextToken": "[Pagination token]",
    "UserPools": [
        {
            "CreationDate": 1681502497.741,
            "Id": "us-west-2_EXAMPLE1",
            "LambdaConfig": {
                "CustomMessage": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "PreTokenGeneration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                "PreTokenGenerationConfig": {
                    "LambdaArn": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction",
                    "LambdaVersion": "V1_0"
                }
            },
            "LastModifiedDate": 1681502497.741,
            "Name": "user pool 1"
        },
        {
            "CreationDate": 1686064178.717,
            "Id": "us-west-2_EXAMPLE2",
            "LambdaConfig": {
            },
            "LastModifiedDate": 1686064178.873,
            "Name": "user pool 2"
        },
        {
            "CreationDate": 1627681712.237,
            "Id": "us-west-2_EXAMPLE3",
            "LambdaConfig": {
                "UserMigration": "arn:aws:lambda:us-east-1:123456789012:function:MyFunction"
            },
            "LastModifiedDate": 1678486942.479,
            "Name": "user pool 3"
        }
    ]
}
```
For more information, see [Amazon Cognito user pools](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [ListUserPools](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/list-user-pools.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

// main uses the AWS SDK for Go V2 to create an Amazon Cognito Identity Provider
// client and list the user pools in your account.
// This example uses the default settings specified in your shared credentials
// and config files.
func main() {
	ctx := context.Background()
	sdkConfig, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		fmt.Println("Couldn't load default configuration. Have you set up your AWS account?")
		fmt.Println(err)
		return
	}
	cognitoClient := cognitoidentityprovider.NewFromConfig(sdkConfig)
	fmt.Println("Let's list the user pools for your account.")
	var pools []types.UserPoolDescriptionType
	paginator := cognitoidentityprovider.NewListUserPoolsPaginator(
		cognitoClient, &cognitoidentityprovider.ListUserPoolsInput{MaxResults: aws.Int32(10)})
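	for paginator.HasMorePages() {
		output, err := paginator.NextPage(ctx)
		if err != nil {
			log.Printf("Couldn't get user pools. Here's why: %v\n", err)
			// Stop paging: after a failed call the paginator still reports more
			// pages, so continuing would repeat the same request indefinitely.
			break
		}
		pools = append(pools, output.UserPools...)
	}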
	if len(pools) == 0 {
		fmt.Println("You don't have any user pools!")
	} else {
		for _, pool := range pools {
			fmt.Printf("\t%v: %v\n", *pool.Name, *pool.Id)
		}
	}
}
```
+  For API details, see [ListUserPools](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ListUserPools) in *AWS SDK for Go API Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUserPoolsResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUserPoolsRequest;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListUserPools {
    public static void main(String[] args) {
        CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1)
                .build();

        listAllUserPools(cognitoClient);
        cognitoClient.close();
    }

    public static void listAllUserPools(CognitoIdentityProviderClient cognitoClient) {
        try {
            ListUserPoolsRequest request = ListUserPoolsRequest.builder()
                    .maxResults(10)
                    .build();

            ListUserPoolsResponse response = cognitoClient.listUserPools(request);
            response.userPools().forEach(userpool -> {
                System.out.println("User pool " + userpool.name() + ", Pool ID " + userpool.id());
            });

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [ListUserPools](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUserPools) in *AWS SDK for Java 2.x API Reference*.

------
#### [ Rust ]

**SDK for Rust**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/cognitoidentityprovider#code-examples).

```
async fn show_pools(client: &Client) -> Result<(), Error> {
    let response = client.list_user_pools().max_results(10).send().await?;
    let pools = response.user_pools();
    println!("User pools:");
    for pool in pools {
        println!("  ID:              {}", pool.id().unwrap_or_default());
        println!("  Name:            {}", pool.name().unwrap_or_default());
        println!("  Lambda Config:   {:?}", pool.lambda_config().unwrap());
        println!(
            "  Last modified:   {}",
            pool.last_modified_date().unwrap().to_chrono_utc()?
        );
        println!(
            "  Creation date:   {:?}",
            pool.creation_date().unwrap().to_chrono_utc()
        );
        println!();
    }
    println!("Next token: {}", response.next_token().unwrap_or_default());

    Ok(())
}
```
+  For API details, see [ListUserPools](https://docs.rs/aws-sdk-cognitoidentityprovider/latest/aws_sdk_cognitoidentityprovider/client/struct.Client.html#method.list_user_pools) in *AWS SDK for Rust API reference*.

------

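For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.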

# Use `ListUsers` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_ListUsers_section"></a>

The following code examples show how to use `ListUsers`.

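Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 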

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Get a list of users for the Amazon Cognito user pool.
    /// </summary>
    /// <param name="userPoolId">The user pool ID.</param>
    /// <returns>A list of users.</returns>
    public async Task<List<UserType>> ListUsersAsync(string userPoolId)
    {
        var request = new ListUsersRequest
        {
            UserPoolId = userPoolId
        };

        var users = new List<UserType>();

        var usersPaginator = _cognitoService.Paginators.ListUsers(request);
        await foreach (var response in usersPaginator.Responses)
        {
            users.AddRange(response.Users);
        }

        return users;
    }
```
+  For API details, see [ListUsers](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ListUsers) in *AWS SDK for .NET API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**Example 1: To list users with a server-side filter**  
The following `list-users` example lists 3 users in the requested user pool whose email addresses begin with `testuser`.  

```
aws cognito-idp list-users \
    --user-pool-id us-west-2_EXAMPLE \
    --filter email^=\"testuser\" \
    --max-items 3
```
Output:  

```
{
    "PaginationToken": "efgh5678EXAMPLE",
    "Users": [
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "eaad0219-2117-439f-8d46-4db20e59268f"
                },
                {
                    "Name": "email",
                    "Value": "testuser@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1682955829.578,
            "UserLastModifiedDate": 1689030181.63,
            "UserStatus": "CONFIRMED",
            "Username": "testuser"
        },
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "3b994cfd-0b07-4581-be46-3c82f9a70c90"
                },
                {
                    "Name": "email",
                    "Value": "testuser2@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1684427979.201,
            "UserLastModifiedDate": 1684427979.201,
            "UserStatus": "UNCONFIRMED",
            "Username": "testuser2"
        },
        {
            "Attributes": [
                {
                    "Name": "sub",
                    "Value": "5929e0d1-4c34-42d1-9b79-a5ecacfe66f7"
                },
                {
                    "Name": "email",
                    "Value": "testuser3@example.com"
                }
            ],
            "Enabled": true,
            "UserCreateDate": 1684427823.641,
            "UserLastModifiedDate": 1684427823.641,
            "UserStatus": "UNCONFIRMED",
            "Username": "testuser3@example.com"
        }
    ]
}
```
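For more information, see [Managing and searching for users](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html) in the *Amazon Cognito Developer Guide*.  
**Example 2: To list users with a client-side filter**  
The following `list-users` example lists the attributes of three users who have an attribute, in this case their email address, that contains the email domain "@example.com". If other attributes contained this string, they would also be displayed. The second user has no attributes that match the query and is excluded from the displayed output, but not from the server response.  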

```
aws cognito-idp list-users \
    --user-pool-id us-west-2_EXAMPLE \
    --max-items 3 \
    --query Users\[\*\].Attributes\[\?Value\.contains\(\@\,\'@example.com\'\)\]
```
Output:  

```
[
    [
        {
            "Name": "email",
            "Value": "admin@example.com"
        }
    ],
    [],
    [
        {
            "Name": "email",
            "Value": "operator@example.com"
        }
    ]
]
```
For more information, see [Managing and searching for users](https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [ListUsers](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/list-users.html) in *AWS CLI Command Reference*.
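
The two CLI examples above differ in where filtering happens, and the output of Example 1 carries a `PaginationToken`. The following added example (Python, not part of the AWS code examples) builds a server-side `Filter` from untrusted input and follows `PaginationToken` until the listing is complete, so an account review does not stop at the first page. `build_filter`, `list_all_users`, `needs_review`, `StubCognitoClient` and the sample users are constructed for illustration; the attribute allowlist and the rejection of backslashes are choices made for this example.

```python
import re

# Allowlist chosen for this example; extend it to the attributes your app searches on.
ALLOWED_ATTRIBUTES = {"username", "email", "phone_number", "sub", "cognito:user_status"}
ALLOWED_OPERATORS = {"=", "^="}  # exact match, and "starts with" as in Example 1


def build_filter(attribute, operator, value):
    """Build a ListUsers Filter string of the form: attribute operator "value"."""
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not allowed: {attribute!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"operator not allowed: {operator!r}")
    # Choice made for this example: refuse backslashes and control characters
    # instead of guessing how they are parsed.
    if "\\" in value or any(ord(ch) < 0x20 for ch in value):
        raise ValueError("value contains a backslash or control character")
    # Double quotes inside the value must be backslash-escaped.
    return '{} {} "{}"'.format(attribute, operator, value.replace('"', '\\"'))


def list_all_users(client, user_pool_id, filter_expr=None, page_size=60):
    """Collect every page of ListUsers by following PaginationToken."""
    kwargs = {"UserPoolId": user_pool_id, "Limit": page_size}
    if filter_expr:
        kwargs["Filter"] = filter_expr
    users = []
    while True:
        page = client.list_users(**kwargs)
        users.extend(page.get("Users", []))
        token = page.get("PaginationToken")
        if not token:
            return users
        kwargs["PaginationToken"] = token


def needs_review(users):
    """Usernames that are disabled or not in the CONFIRMED state."""
    return sorted(
        u["Username"] for u in users
        if not u["Enabled"] or u["UserStatus"] != "CONFIRMED"
    )


FILTER_RE = re.compile(r'^(\S+) (\^?=) "(.*)"$')


class StubCognitoClient:
    """Constructed stand-in for a Boto3 client; returns at most two users per page."""

    def __init__(self, users, stub_page_size=2):
        self.users = users
        self.stub_page_size = stub_page_size
        self.calls = []

    def list_users(self, **kwargs):
        self.calls.append(dict(kwargs))
        matched = [u for u in self.users if self.matches(u, kwargs.get("Filter"))]
        start = int(kwargs.get("PaginationToken", "0"))
        end = start + min(kwargs.get("Limit", 60), self.stub_page_size)
        page = {"Users": matched[start:end]}
        if end < len(matched):
            page["PaginationToken"] = str(end)
        return page

    @staticmethod
    def matches(user, filter_expr):
        if not filter_expr:
            return True
        name, operator, wanted = FILTER_RE.match(filter_expr).groups()
        wanted = wanted.replace('\\"', '"')
        attrs = {a["Name"]: a["Value"] for a in user["Attributes"]}
        actual = attrs.get(name, "")
        return actual.startswith(wanted) if operator == "^=" else actual == wanted


def sample_user(name, email, status, enabled=True):
    return {"Username": name, "Enabled": enabled, "UserStatus": status,
            "Attributes": [{"Name": "email", "Value": email}]}


# Constructed sample data, modelled on the CLI output above.
SAMPLE_USERS = [
    sample_user("testuser", "testuser@example.com", "CONFIRMED"),
    sample_user("testuser2", "testuser2@example.com", "UNCONFIRMED"),
    sample_user("admin", "admin@example.com", "CONFIRMED"),
    sample_user("testuser3@example.com", "testuser3@example.com", "UNCONFIRMED"),
]

if __name__ == "__main__":
    stub = StubCognitoClient(SAMPLE_USERS)
    found = list_all_users(stub, "us-west-2_EXAMPLE", build_filter("email", "^=", "testuser"))
    print(len(found), "users in", len(stub.calls), "calls; review:", needs_review(found))
```

With a real Boto3 client, pass `boto3.client("cognito-idp")` in place of the stub; the `Filter`, `Limit` and `PaginationToken` parameters are the same ones the stub reads.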

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ListUsersResponse;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation topic:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 */
public class ListUsers {
    public static void main(String[] args) {

        final String usage = """

                Usage:
                    <userPoolId>\s

                Where:
                    userPoolId - The ID given to your user pool when it's created.
                """;

        if (args.length != 1) {
            System.out.println(usage);
            System.exit(1);
        }

        String userPoolId = args[0];
        CognitoIdentityProviderClient cognitoClient = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1)
                .build();

        listAllUsers(cognitoClient, userPoolId);
        listUsersFilter(cognitoClient, userPoolId);
        cognitoClient.close();
    }

    public static void listAllUsers(CognitoIdentityProviderClient cognitoClient, String userPoolId) {
        try {
            ListUsersRequest usersRequest = ListUsersRequest.builder()
                    .userPoolId(userPoolId)
                    .build();

            ListUsersResponse response = cognitoClient.listUsers(usersRequest);
            response.users().forEach(user -> {
                System.out.println("User " + user.username() + " Status " + user.userStatus() + " Created "
                        + user.userCreateDate());
            });

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }

    // Shows how to list users by using a filter.
    public static void listUsersFilter(CognitoIdentityProviderClient cognitoClient, String userPoolId) {

        try {
            String filter = "email = \"tblue@noserver.com\"";
            ListUsersRequest usersRequest = ListUsersRequest.builder()
                    .userPoolId(userPoolId)
                    .filter(filter)
                    .build();

            ListUsersResponse response = cognitoClient.listUsers(usersRequest);
            response.users().forEach(user -> {
                System.out.println("User with filter applied " + user.username() + " Status " + user.userStatus()
                        + " Created " + user.userCreateDate());
            });

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+  For API details, see [ListUsers](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUsers) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
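import {
  CognitoIdentityProviderClient,
  ListUsersCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const listUsers = ({ userPoolId }) => {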
  const client = new CognitoIdentityProviderClient({});

  const command = new ListUsersCommand({
    UserPoolId: userPoolId,
  });

  return client.send(command);
};
```
+  For API details, see [ListUsers](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ListUsersCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun listAllUsers(userPoolId: String) {
    val request =
        ListUsersRequest {
            this.userPoolId = userPoolId
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { cognitoClient ->
        val response = cognitoClient.listUsers(request)
        response.users?.forEach { user ->
            println("The user name is ${user.username}")
        }
    }
}
```
+  For API details, see [ListUsers](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def list_users(self):
        """
        Returns a list of the users in the current user pool.

        :return: The list of users.
        """
        try:
            response = self.cognito_idp_client.list_users(UserPoolId=self.user_pool_id)
            users = response["Users"]
        except ClientError as err:
            logger.error(
                "Couldn't list users for %s. Here's why: %s: %s",
                self.user_pool_id,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return users
```
+  For API details, see [ListUsers](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUsers) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples).

```
    TRY.
        DATA(lo_result) = lo_cgp->listusers(
          iv_userpoolid = iv_user_pool_id
        ).

        ot_users = lo_result->get_users( ).

        MESSAGE |Found { lines( ot_users ) } users in the pool.| TYPE 'I'.

      CATCH /aws1/cx_cgpresourcenotfoundex INTO DATA(lo_ex).
        MESSAGE |User pool { iv_user_pool_id } not found.| TYPE 'E'.

      CATCH /aws1/cx_cgpnotauthorizedex INTO DATA(lo_auth_ex).
        MESSAGE 'Not authorized to list users.' TYPE 'E'.
    ENDTRY.
```
+  For API details, see [ListUsers](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
        do {
            let output = try await cognitoClient.listUsers(
                input: ListUsersInput(
                    userPoolId: poolId
                )
            )
            
            guard let users = output.users else {
                print("No users found.")
                return
            }

            print("\(users.count) user(s) found.")
            for user in users {
                print("  \(user.username ?? "<unknown>")")
            }
        } catch _ as NotAuthorizedException {
            print("*** Please authenticate with AWS before using this command.")
            return
        } catch _ as ResourceNotFoundException {
            print("*** The specified User Pool was not found.")
            return
        } catch {
            print("*** An unexpected type of error occurred.")
            return
        }
```
+  For API details, see [ListUsers](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/listusers(input:)) in *AWS SDK for Swift API reference*.

------

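For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.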

# Use `ResendConfirmationCode` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_ResendConfirmationCode_section"></a>

The following code examples show how to use `ResendConfirmationCode`.

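Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 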

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Send a new confirmation code to a user.
    /// </summary>
    /// <param name="clientId">The Id of the client application.</param>
    /// <param name="userName">The username of user who will receive the code.</param>
    /// <returns>The delivery details.</returns>
    public async Task<CodeDeliveryDetailsType> ResendConfirmationCodeAsync(string clientId, string userName)
    {
        var codeRequest = new ResendConfirmationCodeRequest
        {
            ClientId = clientId,
            Username = userName,
        };

        var response = await _cognitoService.ResendConfirmationCodeAsync(codeRequest);

        Console.WriteLine($"Method of delivery is {response.CodeDeliveryDetails.DeliveryMedium}");

        return response.CodeDeliveryDetails;
    }
```
+  For API details, see [ResendConfirmationCode](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ResendConfirmationCode) in *AWS SDK for .NET API Reference*.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::ResendConfirmationCodeRequest request;
        request.SetUsername(userName);
        request.SetClientId(clientID);

        Aws::CognitoIdentityProvider::Model::ResendConfirmationCodeOutcome outcome =
                client.ResendConfirmationCode(request);

        if (outcome.IsSuccess()) {
            std::cout
                    << "CognitoIdentityProvider::ResendConfirmationCode was successful."
                    << std::endl;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::ResendConfirmationCode. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
```
+  For API details, see [ResendConfirmationCode](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ResendConfirmationCode) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To resend a confirmation code**  
The following `resend-confirmation-code` example sends a confirmation code to the user `jane`.  

```
aws cognito-idp resend-confirmation-code \
    --client-id 12a3b456c7de890f11g123hijk \
    --username jane
```
Output:  

```
{
    "CodeDeliveryDetails": {
        "Destination": "j***@e***.com",
        "DeliveryMedium": "EMAIL",
        "AttributeName": "email"
    }
}
```
For more information, see [Signing up and confirming user accounts](https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [ResendConfirmationCode](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/resend-confirmation-code.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    public static void resendConfirmationCode(CognitoIdentityProviderClient identityProviderClient, String clientId,
            String userName) {
        try {
            ResendConfirmationCodeRequest codeRequest = ResendConfirmationCodeRequest.builder()
                    .clientId(clientId)
                    .username(userName)
                    .build();

            ResendConfirmationCodeResponse response = identityProviderClient.resendConfirmationCode(codeRequest);
            System.out.println("Method of delivery is " + response.codeDeliveryDetails().deliveryMediumAsString());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
```
+  For API details, see [ResendConfirmationCode](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ResendConfirmationCode) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
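import {
  CognitoIdentityProviderClient,
  ResendConfirmationCodeCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const resendConfirmationCode = ({ clientId, username }) => {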
  const client = new CognitoIdentityProviderClient({});

  const command = new ResendConfirmationCodeCommand({
    ClientId: clientId,
    Username: username,
  });

  return client.send(command);
};
```
+  For API details, see [ResendConfirmationCode](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ResendConfirmationCodeCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun resendConfirmationCode(
    clientIdVal: String?,
    userNameVal: String?,
) {
    val codeRequest =
        ResendConfirmationCodeRequest {
            clientId = clientIdVal
            username = userNameVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val response = identityProviderClient.resendConfirmationCode(codeRequest)
        println("Method of delivery is " + (response.codeDeliveryDetails?.deliveryMedium))
    }
}
```
+  For API details, see [ResendConfirmationCode](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def resend_confirmation(self, user_name):
        """
        Prompts Amazon Cognito to resend an email with a new confirmation code.

        :param user_name: The name of the user who will receive the email.
        :return: Delivery information about where the email is sent.
        """
        try:
            kwargs = {"ClientId": self.client_id, "Username": user_name}
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.resend_confirmation_code(**kwargs)
            delivery = response["CodeDeliveryDetails"]
        except ClientError as err:
            logger.error(
                "Couldn't resend confirmation to %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return delivery
```
+  For API details, see [ResendConfirmationCode](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ResendConfirmationCode) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Requests a new confirmation code be sent to the given user's contact
    /// method.
    ///
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The application client ID.
    ///   - userName: The user to resend a code for.
    ///
    /// - Returns: `true` if a new code was sent successfully, otherwise
    ///   `false`.
    func resendConfirmationCode(cipClient: CognitoIdentityProviderClient, clientId: String,
                                userName: String) async -> Bool {
        do {
            let output = try await cipClient.resendConfirmationCode(
                input: ResendConfirmationCodeInput(
                    clientId: clientId,
                    username: userName
                )
            )

            guard let deliveryMedium = output.codeDeliveryDetails?.deliveryMedium else {
                print("*** Unable to get the delivery method for the resent code.")
                return false
            }

            print("=====> A new code has been sent by \(deliveryMedium)")
            return true
        } catch {
            print("*** Unable to resend the confirmation code to user \(userName).")
            return false
        }
    }
```
+  For API details, see [ResendConfirmationCode](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/resendconfirmationcode(input:)) in *AWS SDK for Swift API reference*.

------

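For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.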

# Use `RespondToAuthChallenge` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_RespondToAuthChallenge_section"></a>

The following code examples show how to use `RespondToAuthChallenge`.

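Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 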

------
#### [ CLI ]

**AWS CLI**  
**Example 1: To respond to a NEW_PASSWORD_REQUIRED challenge**  
The following `respond-to-auth-challenge` example responds to a NEW_PASSWORD_REQUIRED challenge that initiate-auth returned. It sets a password for the user `jane@example.com`.  

```
aws cognito-idp respond-to-auth-challenge \
    --client-id 1example23456789 \
    --challenge-name NEW_PASSWORD_REQUIRED \
    --challenge-responses USERNAME=jane@example.com,NEW_PASSWORD=[Password] \
    --session AYABeEv5HklEXAMPLE
```
Output:  

```
{
    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "ACCESS_TOKEN",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "REFRESH_TOKEN",
        "IdToken": "ID_TOKEN",
        "NewDeviceMetadata": {
            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "DeviceGroupKey": "-wt2ha1Zd"
        }
    }
}
```
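For more information, see [Authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html) in the *Amazon Cognito Developer Guide*.  
**Example 2: To respond to a SELECT_MFA_TYPE challenge**  
The following `respond-to-auth-challenge` example chooses TOTP MFA as the MFA option for the current user. The user was prompted to select an MFA type and will next be prompted to enter their MFA code.  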

```
aws cognito-idp respond-to-auth-challenge \
    --client-id 1example23456789 \
    --session AYABeEv5HklEXAMPLE \
    --challenge-name SELECT_MFA_TYPE \
    --challenge-responses USERNAME=testuser,ANSWER=SOFTWARE_TOKEN_MFA
```
Output:  

```
{
    "ChallengeName": "SOFTWARE_TOKEN_MFA",
    "Session": "AYABeEv5HklEXAMPLE",
    "ChallengeParameters": {
        "FRIENDLY_DEVICE_NAME": "transparent"
    }
}
```
For more information, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the *Amazon Cognito Developer Guide*.  
**Example 3: To respond to a SOFTWARE_TOKEN_MFA challenge**  
The following `respond-to-auth-challenge` example provides a TOTP MFA code and completes sign-in.  

```
aws cognito-idp respond-to-auth-challenge \
    --client-id 1example23456789 \
    --session AYABeEv5HklEXAMPLE \
    --challenge-name SOFTWARE_TOKEN_MFA \
    --challenge-responses USERNAME=testuser,SOFTWARE_TOKEN_MFA_CODE=123456
```
Output:  

```
{
    "AuthenticationResult": {
        "AccessToken": "eyJra456defEXAMPLE",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "eyJra123abcEXAMPLE",
        "IdToken": "eyJra789ghiEXAMPLE",
        "NewDeviceMetadata": {
            "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "DeviceGroupKey": "-v7w9UcY6"
        }
    }
}
```
For more information, see [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [RespondToAuthChallenge](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/respond-to-auth-challenge.html) in *AWS CLI Command Reference*.
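
The three CLI examples above are steps of one exchange: each response either names the next challenge and returns a `Session`, or carries `AuthenticationResult`. The following added example (Python, not part of the AWS code examples) drives that loop against a constructed stub and adds `SECRET_HASH`, which an app client that has a client secret requires in its challenge responses; it is the Base64-encoded HMAC-SHA256 of the username concatenated with the client ID, keyed with the client secret, and is the value the `_secret_hash` call in the Python `ResendConfirmationCode` excerpt supplies. `secret_hash`, `challenge_responses`, `complete_sign_in`, `StubChallengeClient`, the session strings and the client secret are hypothetical names and constructed values.

```python
import base64
import hashlib
import hmac


def secret_hash(username, client_id, client_secret):
    """Base64(HMAC-SHA256(key=client secret, message=username + client ID))."""
    digest = hmac.new(
        client_secret.encode("utf-8"),
        (username + client_id).encode("utf-8"),
        hashlib.sha256,
    ).digest()
    return base64.b64encode(digest).decode("ascii")


def challenge_responses(challenge_name, username, answers, client_id, client_secret=None):
    """Build ChallengeResponses for the three challenges shown in the CLI examples."""
    if challenge_name == "NEW_PASSWORD_REQUIRED":
        responses = {"USERNAME": username, "NEW_PASSWORD": answers["new_password"]}
    elif challenge_name == "SELECT_MFA_TYPE":
        responses = {"USERNAME": username, "ANSWER": answers["mfa_type"]}
    elif challenge_name == "SOFTWARE_TOKEN_MFA":
        responses = {"USERNAME": username, "SOFTWARE_TOKEN_MFA_CODE": answers["totp_code"]}
    else:
        # Fail closed on challenges this example does not know how to answer.
        raise ValueError(f"unsupported challenge: {challenge_name}")
    if client_secret is not None:
        responses["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return responses


def complete_sign_in(client, client_id, username, response, answers,
                     client_secret=None, max_rounds=5):
    """Answer challenges until tokens are issued; always send the latest Session."""
    for _ in range(max_rounds):
        if response.get("AuthenticationResult"):
            return response["AuthenticationResult"]
        response = client.respond_to_auth_challenge(
            ClientId=client_id,
            ChallengeName=response["ChallengeName"],
            Session=response["Session"],
            ChallengeResponses=challenge_responses(
                response["ChallengeName"], username, answers, client_id, client_secret
            ),
        )
    if response.get("AuthenticationResult"):
        return response["AuthenticationResult"]
    raise RuntimeError("sign-in did not complete within max_rounds")


class StubChallengeClient:
    """Constructed stand-in for the service side: SELECT_MFA_TYPE, then TOTP."""

    def __init__(self, client_id, client_secret, totp_code):
        self.client_id = client_id
        self.client_secret = client_secret
        self.totp_code = totp_code
        self.expected = "SELECT_MFA_TYPE"
        self.session = "session-1"
        self.requests = []

    def first_challenge(self):
        return {"ChallengeName": self.expected, "Session": self.session,
                "ChallengeParameters": {}}

    def respond_to_auth_challenge(self, **kwargs):
        self.requests.append(kwargs)
        answers = kwargs["ChallengeResponses"]
        wanted = secret_hash(answers["USERNAME"], self.client_id, self.client_secret)
        if (kwargs["Session"] != self.session
                or kwargs["ChallengeName"] != self.expected
                or not hmac.compare_digest(answers.get("SECRET_HASH", ""), wanted)):
            raise PermissionError("NotAuthorizedException (stub)")
        if self.expected == "SELECT_MFA_TYPE":
            # A new Session is issued per round; the old one is no longer accepted.
            self.expected, self.session = answers["ANSWER"], "session-2"
            return {"ChallengeName": self.expected, "Session": self.session,
                    "ChallengeParameters": {}}
        if answers["SOFTWARE_TOKEN_MFA_CODE"] != self.totp_code:
            raise PermissionError("CodeMismatchException (stub)")
        return {"AuthenticationResult": {"AccessToken": "ACCESS_TOKEN",
                                         "TokenType": "Bearer", "ExpiresIn": 3600}}


if __name__ == "__main__":
    stub = StubChallengeClient("1example23456789", "constructed-secret", "123456")
    tokens = complete_sign_in(
        stub, "1example23456789", "testuser", stub.first_challenge(),
        {"mfa_type": "SOFTWARE_TOKEN_MFA", "totp_code": "123456"},
        client_secret="constructed-secret",
    )
    print(tokens["TokenType"], [r["ChallengeName"] for r in stub.requests])
```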

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
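import {
  ChallengeNameType,
  CognitoIdentityProviderClient,
  RespondToAuthChallengeCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const respondToAuthChallenge = ({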
  clientId,
  username,
  session,
  userPoolId,
  code,
}) => {
  const client = new CognitoIdentityProviderClient({});

  const command = new RespondToAuthChallengeCommand({
    ChallengeName: ChallengeNameType.SOFTWARE_TOKEN_MFA,
    ChallengeResponses: {
      SOFTWARE_TOKEN_MFA_CODE: code,
      USERNAME: username,
    },
    ClientId: clientId,
    UserPoolId: userPoolId,
    Session: session,
  });

  return client.send(command);
};
```
+  For API details, see [RespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/RespondToAuthChallengeCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Python ]

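**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).
Sign in with a tracked device. To complete sign-in, the client must respond correctly to Secure Remote Password (SRP) challenges.  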

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def sign_in_with_tracked_device(
        self,
        user_name,
        password,
        device_key,
        device_group_key,
        device_password,
        aws_srp,
    ):
        """
        Signs in to Amazon Cognito as a user who has a tracked device. Signing in
        with a tracked device lets a user sign in without entering a new MFA code.

        Signing in with a tracked device requires that the client respond to the SRP
        protocol. The scenario associated with this example uses the warrant package
        to help with SRP calculations.

        For more information on SRP, see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol.

        :param user_name: The user that is associated with the device.
        :param password: The user's password.
        :param device_key: The key of a tracked device.
        :param device_group_key: The group key of a tracked device.
        :param device_password: The password that is associated with the device.
        :param aws_srp: A class that helps with SRP calculations. The scenario
                        associated with this example uses the warrant package.
        :return: The result of the authentication. When successful, this contains an
                 access token for the user.
        """
        try:
            srp_helper = aws_srp.AWSSRP(
                username=user_name,
                password=device_password,
                pool_id="_",
                client_id=self.client_id,
                client_secret=None,
                client=self.cognito_idp_client,
            )

            response_init = self.cognito_idp_client.initiate_auth(
                ClientId=self.client_id,
                AuthFlow="USER_PASSWORD_AUTH",
                AuthParameters={
                    "USERNAME": user_name,
                    "PASSWORD": password,
                    "DEVICE_KEY": device_key,
                },
            )
            if response_init["ChallengeName"] != "DEVICE_SRP_AUTH":
                raise RuntimeError(
                    f"Expected DEVICE_SRP_AUTH challenge but got {response_init['ChallengeName']}."
                )

            auth_params = srp_helper.get_auth_params()
            auth_params["DEVICE_KEY"] = device_key
            response_auth = self.cognito_idp_client.respond_to_auth_challenge(
                ClientId=self.client_id,
                ChallengeName="DEVICE_SRP_AUTH",
                ChallengeResponses=auth_params,
            )
            if response_auth["ChallengeName"] != "DEVICE_PASSWORD_VERIFIER":
                # Report the challenge returned by this step, not the initial one.
                raise RuntimeError(
                    f"Expected DEVICE_PASSWORD_VERIFIER challenge but got "
                    f"{response_auth['ChallengeName']}."
                )

            challenge_params = response_auth["ChallengeParameters"]
            challenge_params["USER_ID_FOR_SRP"] = device_group_key + device_key
            cr = srp_helper.process_challenge(challenge_params, {"USERNAME": user_name})
            cr["USERNAME"] = user_name
            cr["DEVICE_KEY"] = device_key
            response_verifier = self.cognito_idp_client.respond_to_auth_challenge(
                ClientId=self.client_id,
                ChallengeName="DEVICE_PASSWORD_VERIFIER",
                ChallengeResponses=cr,
            )
            auth_tokens = response_verifier["AuthenticationResult"]
        except ClientError as err:
            logger.error(
                "Couldn't start client sign in for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return auth_tokens
```
+  For API details, see [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/RespondToAuthChallenge) in *AWS SDK for Python (Boto3) API Reference*.

------

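For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.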

# Use `SignUp` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_SignUp_section"></a>

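The following code examples show how to use `SignUp`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples:
+  [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md) 
+  [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) 
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 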

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Sign up a new user.
    /// </summary>
    /// <param name="clientId">The client Id of the application.</param>
    /// <param name="userName">The username to use.</param>
    /// <param name="password">The user's password.</param>
    /// <param name="email">The email address of the user.</param>
    /// <returns>A Boolean value indicating whether the sign-up request succeeded.</returns>
    public async Task<bool> SignUpAsync(string clientId, string userName, string password, string email)
    {
        var userAttrs = new AttributeType
        {
            Name = "email",
            Value = email,
        };

        var userAttrsList = new List<AttributeType>();

        userAttrsList.Add(userAttrs);

        var signUpRequest = new SignUpRequest
        {
            UserAttributes = userAttrsList,
            Username = userName,
            ClientId = clientId,
            Password = password
        };

        var response = await _cognitoService.SignUpAsync(signUpRequest);
        return response.HttpStatusCode == HttpStatusCode.OK;
    }
```
+  For API details, see [SignUp](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/SignUp) in *AWS SDK for .NET API Reference*.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::SignUpRequest request;
        request.AddUserAttributes(
                Aws::CognitoIdentityProvider::Model::AttributeType().WithName(
                        "email").WithValue(email));
        request.SetUsername(userName);
        request.SetPassword(password);
        request.SetClientId(clientID);
        Aws::CognitoIdentityProvider::Model::SignUpOutcome outcome =
                client.SignUp(request);

        if (outcome.IsSuccess()) {
            std::cout << "The signup request for " << userName << " was successful."
                      << std::endl;
        }
        else if (outcome.GetError().GetErrorType() ==
                 Aws::CognitoIdentityProvider::CognitoIdentityProviderErrors::USERNAME_EXISTS) {
            std::cout
                    << "The username already exists. Please enter a different username."
                    << std::endl;
            userExists = true;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::SignUpRequest. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
```
+  For API details, see [SignUp](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SignUp) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To sign up a user**  
This example signs up jane@example.com.  
Command:  

```
aws cognito-idp sign-up --client-id 3n4b5urk1ft4fl3mg5e62d9ado --username jane@example.com --password PASSWORD --user-attributes Name="email",Value="jane@example.com" Name="name",Value="Jane"
```
Output:  

```
{
  "UserConfirmed": false,
  "UserSub": "e04d60a6-45dc-441c-a40b-e25a787d4862"
}
```
+  For API details, see [SignUp](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/sign-up.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// SignUp signs up a user with Amazon Cognito.
func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) {
	confirmed := false
	output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{
		ClientId: aws.String(clientId),
		Password: aws.String(password),
		Username: aws.String(userName),
		UserAttributes: []types.AttributeType{
			{Name: aws.String("email"), Value: aws.String(userEmail)},
		},
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err)
		}
	} else {
		confirmed = output.UserConfirmed
	}
	return confirmed, err
}
```
+  For API details, see [SignUp](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.SignUp) in *AWS SDK for Go API Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    public static void signUp(CognitoIdentityProviderClient identityProviderClient, String clientId, String userName,
            String password, String email) {
        AttributeType userAttrs = AttributeType.builder()
                .name("email")
                .value(email)
                .build();

        List<AttributeType> userAttrsList = new ArrayList<>();
        userAttrsList.add(userAttrs);
        try {
            SignUpRequest signUpRequest = SignUpRequest.builder()
                    .userAttributes(userAttrsList)
                    .username(userName)
                    .clientId(clientId)
                    .password(password)
                    .build();

            identityProviderClient.signUp(signUpRequest);
            System.out.println("User has been signed up ");

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
```
+  For API details, see [SignUp](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SignUp) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
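import {
  CognitoIdentityProviderClient,
  SignUpCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const signUp = ({ clientId, username, password, email }) => {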
  const client = new CognitoIdentityProviderClient({});

  const command = new SignUpCommand({
    ClientId: clientId,
    Username: username,
    Password: password,
    UserAttributes: [{ Name: "email", Value: email }],
  });

  return client.send(command);
};
```
+  For API details, see [SignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/SignUpCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
suspend fun signUp(
    clientIdVal: String?,
    userNameVal: String?,
    passwordVal: String?,
    emailVal: String?,
) {
    val userAttrs =
        AttributeType {
            name = "email"
            value = emailVal
        }

    val userAttrsList = mutableListOf<AttributeType>()
    userAttrsList.add(userAttrs)
    val signUpRequest =
        SignUpRequest {
            userAttributes = userAttrsList
            username = userNameVal
            clientId = clientIdVal
            password = passwordVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        identityProviderClient.signUp(signUpRequest)
        println("User has been signed up")
    }
}
```
+  For API details, see [SignUp](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def sign_up_user(self, user_name, password, user_email):
        """
        Signs up a new user with Amazon Cognito. This action prompts Amazon Cognito
        to send an email to the specified email address. The email contains a code that
        can be used to confirm the user.

        When the user already exists, the user status is checked to determine whether
        the user has been confirmed.

        :param user_name: The user name that identifies the new user.
        :param password: The password for the new user.
        :param user_email: The email address for the new user.
        :return: True when the user is already confirmed with Amazon Cognito.
                 Otherwise, false.
        """
        try:
            kwargs = {
                "ClientId": self.client_id,
                "Username": user_name,
                "Password": password,
                "UserAttributes": [{"Name": "email", "Value": user_email}],
            }
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.sign_up(**kwargs)
            confirmed = response["UserConfirmed"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "UsernameExistsException":
                response = self.cognito_idp_client.admin_get_user(
                    UserPoolId=self.user_pool_id, Username=user_name
                )
                logger.warning(
                    "User %s exists and is %s.", user_name, response["UserStatus"]
                )
                confirmed = response["UserStatus"] == "CONFIRMED"
            else:
                logger.error(
                    "Couldn't sign up %s. Here's why: %s: %s",
                    user_name,
                    err.response["Error"]["Code"],
                    err.response["Error"]["Message"],
                )
                raise
        return confirmed
```
+  For API details, see [SignUp](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SignUp) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Create a new user in a user pool.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The ID of the app client to create a user for.
    ///   - userName: The username for the new user.
    ///   - password: The new user's password.
    ///   - email: The new user's email address.
    ///
    /// - Returns: `true` if successful; otherwise `false`.
    func signUp(cipClient: CognitoIdentityProviderClient, clientId: String, userName: String, password: String, email: String) async -> Bool {
        let emailAttr = CognitoIdentityProviderClientTypes.AttributeType(
            name: "email",
            value: email
        )

        let userAttrsList = [emailAttr]

        do {
            _ = try await cipClient.signUp(
                input: SignUpInput(
                    clientId: clientId,
                    password: password,
                    userAttributes: userAttrsList,
                    username: userName
                )

            )

            print("=====> User \(userName) signed up.")
        } catch _ as AWSCognitoIdentityProvider.UsernameExistsException {
            print("*** The username \(userName) already exists. Please use a different one.")
            return false
        } catch let error as AWSCognitoIdentityProvider.InvalidPasswordException {
            print("*** Error: The specified password is invalid. Reason: \(error.properties.message ?? "<none available>").")
            return false
        } catch _ as AWSCognitoIdentityProvider.ResourceNotFoundException {
            print("*** Error: The specified client ID (\(clientId)) doesn't exist.")
            return false
        } catch {
            print("*** Unexpected error: \(error)")
            return false
        }

        return true
    }
```
+  For API details, see [SignUp](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/signup(input:)) in *AWS SDK for Swift API reference*.

------

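For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.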

# Use `UpdateUserPool` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_UpdateUserPool_section"></a>

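The following code examples show how to use `UpdateUserPool`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code examples:
+  [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md) 
+  [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md) 
+  [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md) 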

------
#### [ CLI ]

**AWS CLI**  
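**To update a user pool**  
The following `update-user-pool` example modifies a user pool with example syntax for each of the available configuration options. To update a user pool, you must specify all previously configured options; otherwise, they are reset to their default values.  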

```
aws cognito-idp update-user-pool --user-pool-id us-west-2_EXAMPLE \
    --policies PasswordPolicy=\{MinimumLength=6,RequireUppercase=true,RequireLowercase=true,RequireNumbers=true,RequireSymbols=true,TemporaryPasswordValidityDays=7\} \
    --deletion-protection ACTIVE \
    --lambda-config PreSignUp="arn:aws:lambda:us-west-2:123456789012:function:cognito-test-presignup-function",PreTokenGeneration="arn:aws:lambda:us-west-2:123456789012:function:cognito-test-pretoken-function" \
    --auto-verified-attributes "phone_number" "email" \
    --verification-message-template \{\"SmsMessage\":\""Your code is {####}"\",\"EmailMessage\":\""Your code is {####}"\",\"EmailSubject\":\""Your verification code"\",\"EmailMessageByLink\":\""Click {##here##} to verify your email address."\",\"EmailSubjectByLink\":\""Your verification link"\",\"DefaultEmailOption\":\"CONFIRM_WITH_LINK\"\} \
    --sms-authentication-message "Your code is {####}" \
    --user-attribute-update-settings AttributesRequireVerificationBeforeUpdate="email","phone_number" \
    --mfa-configuration "OPTIONAL" \
    --device-configuration ChallengeRequiredOnNewDevice=true,DeviceOnlyRememberedOnUserPrompt=true \
    --email-configuration SourceArn="arn:aws:ses:us-west-2:123456789012:identity/admin@example.com",ReplyToEmailAddress="admin+noreply@example.com",EmailSendingAccount=DEVELOPER,From="admin@amazon.com",ConfigurationSet="test-configuration-set" \
    --sms-configuration SnsCallerArn="arn:aws:iam::123456789012:role/service-role/SNS-SMS-Role",ExternalId="12345",SnsRegion="us-west-2" \
    --admin-create-user-config AllowAdminCreateUserOnly=false,InviteMessageTemplate=\{SMSMessage=\""Welcome {username}. Your confirmation code is {####}"\",EmailMessage=\""Welcome {username}. Your confirmation code is {####}"\",EmailSubject=\""Welcome to MyMobileGame"\"\} \
    --user-pool-tags "Function"="MyMobileGame","Developers"="Berlin" \
    --user-pool-add-ons AdvancedSecurityMode="AUDIT" \
    --account-recovery-setting RecoveryMechanisms=\[\{Priority=1,Name="verified_email"\},\{Priority=2,Name="verified_phone_number"\}\]
```
This command produces no output.  
For more information, see [Updating user pool configuration](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-updating.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [UpdateUserPool](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/update-user-pool.html) in *AWS CLI Command Reference*.

------
#### [ Go ]

**SDK for Go V2**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples).

```
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger.
type Trigger int

const (
	PreSignUp Trigger = iota
	UserMigration
	PostAuthentication
)

type TriggerInfo struct {
	Trigger    Trigger
	HandlerArn *string
}

// UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value,
// it is removed from the user pool.
func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error {
	output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{
		UserPoolId: aws.String(userPoolId),
	})
	if err != nil {
		log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err)
		return err
	}
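	lambdaConfig := output.UserPool.LambdaConfig
	if lambdaConfig == nil {
		// No Lambda configuration was returned; start from an empty one.
		lambdaConfig = &types.LambdaConfigType{}
	}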
	for _, trigger := range triggers {
		switch trigger.Trigger {
		case PreSignUp:
			lambdaConfig.PreSignUp = trigger.HandlerArn
		case UserMigration:
			lambdaConfig.UserMigration = trigger.HandlerArn
		case PostAuthentication:
			lambdaConfig.PostAuthentication = trigger.HandlerArn
		}
	}
	_, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{
		UserPoolId:   aws.String(userPoolId),
		LambdaConfig: lambdaConfig,
	})
	if err != nil {
		log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err)
	}
	return err
}
```
+  For API details, see [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool) in *AWS SDK for Go API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-pools-triggers#code-examples).

```
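import {
  CognitoIdentityProviderClient,
  UpdateUserPoolCommand,
} from "@aws-sdk/client-cognito-identity-provider";

/**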
 * Connect a Lambda function to the PreSignUp trigger for a Cognito user pool
 * @param {{ region: string, userPoolId: string, handlerArn: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").UpdateUserPoolCommandOutput | null, unknown]>}
 */
export const addPreSignUpHandler = async ({
  region,
  userPoolId,
  handlerArn,
}) => {
  try {
    const cognitoClient = new CognitoIdentityProviderClient({
      region,
    });

    const command = new UpdateUserPoolCommand({
      UserPoolId: userPoolId,
      LambdaConfig: {
        PreSignUp: handlerArn,
      },
    });

    const response = await cognitoClient.send(command);
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};
```
+  For API details, see [UpdateUserPool](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/UpdateUserPoolCommand) in *AWS SDK for JavaScript API Reference*.

------
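The CLI description above states that `UpdateUserPool` resets every previously configured option that the request omits, which is the case for a request that carries only `LambdaConfig`, as in the Go and JavaScript examples. The following Python code is an added example, not part of the AWS samples: it rebuilds a full request from `DescribeUserPool` output and lists what a partial request would reset. The function names, the key list (taken from the options shown in the CLI example; check it against your SDK version) and the sample response are assumptions.

```python
import copy

# Options from the CLI example above that DescribeUserPool returns under the
# same name UpdateUserPool accepts (assumption: verify against your SDK version).
UPDATABLE_KEYS = (
    "Policies", "DeletionProtection", "LambdaConfig", "AutoVerifiedAttributes",
    "SmsVerificationMessage", "EmailVerificationMessage",
    "EmailVerificationSubject", "VerificationMessageTemplate",
    "SmsAuthenticationMessage", "UserAttributeUpdateSettings",
    "MfaConfiguration", "DeviceConfiguration", "EmailConfiguration",
    "SmsConfiguration", "UserPoolTags", "AdminCreateUserConfig",
    "UserPoolAddOns", "AccountRecoverySetting",
)

# Constructed, trimmed DescribeUserPool response; IDs and ARNs are placeholders.
SAMPLE_DESCRIBE = {
    "UserPool": {
        "Id": "us-west-2_EXAMPLE",
        "Name": "example-pool",
        "MfaConfiguration": "ON",
        "DeletionProtection": "ACTIVE",
        "Policies": {
            "PasswordPolicy": {"MinimumLength": 12, "TemporaryPasswordValidityDays": 7}
        },
        "LambdaConfig": {
            "PreTokenGeneration": "arn:aws:lambda:us-west-2:123456789012:function:pretoken"
        },
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": False,
            "UnusedAccountValidityDays": 7,
        },
        "EstimatedNumberOfUsers": 3,  # read-only, must not be sent back
    }
}


def current_settings(describe_response):
    """Deep-copy every updatable setting that is configured on the pool."""
    pool = describe_response["UserPool"]
    settings = {k: copy.deepcopy(pool[k]) for k in UPDATABLE_KEYS if pool.get(k)}
    # Round-trip pitfall (assumption: the service rejects a request carrying
    # both values): drop the legacy UnusedAccountValidityDays when the password
    # policy already sets TemporaryPasswordValidityDays.
    policy = settings.get("Policies", {}).get("PasswordPolicy", {})
    if "TemporaryPasswordValidityDays" in policy:
        settings.get("AdminCreateUserConfig", {}).pop("UnusedAccountValidityDays", None)
    return settings


def build_update_request(describe_response, lambda_triggers=None, **overrides):
    """Return UpdateUserPool kwargs that keep existing settings and apply changes.

    lambda_triggers maps a trigger name to an ARN, or to None to remove it.
    """
    request = current_settings(describe_response)
    request.update(copy.deepcopy(overrides))
    if lambda_triggers:
        merged = dict(request.get("LambdaConfig", {}))
        for name, arn in lambda_triggers.items():
            if arn is None:
                merged.pop(name, None)
            else:
                merged[name] = arn
        request["LambdaConfig"] = merged
    request["UserPoolId"] = describe_response["UserPool"]["Id"]
    return request


def settings_dropped_by(partial_request, describe_response):
    """List configured settings that a request omits and would therefore reset."""
    configured = current_settings(describe_response)
    return sorted(k for k in configured if k not in partial_request)


def update_triggers_preserving_settings(client, user_pool_id, lambda_triggers):
    """Read-modify-write with a Boto3 cognito-idp client (or a test double)."""
    described = client.describe_user_pool(UserPoolId=user_pool_id)
    request = build_update_request(described, lambda_triggers=lambda_triggers)
    client.update_user_pool(**request)
    return request
```

Running `settings_dropped_by` in review or CI against a planned request shows which security-relevant settings (for example `MfaConfiguration` or `DeletionProtection`) it would silently reset.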

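For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.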

# Use `VerifySoftwareToken` with an AWS SDK or CLI
<a name="cognito-identity-provider_example_cognito-identity-provider_VerifySoftwareToken_section"></a>

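The following code examples show how to use `VerifySoftwareToken`.

Action examples are code excerpts from larger programs and must be run in context. You can see this action in context in the following code example:
+  [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) 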

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
    /// <summary>
    /// Verify the TOTP and register for MFA.
    /// </summary>
    /// <param name="session">The name of the session.</param>
    /// <param name="code">The MFA code.</param>
    /// <returns>The status of the software token.</returns>
    public async Task<VerifySoftwareTokenResponseType> VerifySoftwareTokenAsync(string session, string code)
    {
        var tokenRequest = new VerifySoftwareTokenRequest
        {
            UserCode = code,
            Session = session,
        };

        var verifyResponse = await _cognitoService.VerifySoftwareTokenAsync(tokenRequest);

        return verifyResponse.Status;
    }
```
+  For API details, see [VerifySoftwareToken](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/VerifySoftwareToken) in *AWS SDK for .NET API Reference*.

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

        Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);

        Aws::CognitoIdentityProvider::Model::VerifySoftwareTokenRequest request;
        request.SetUserCode(userCode);
        request.SetSession(session);

        Aws::CognitoIdentityProvider::Model::VerifySoftwareTokenOutcome outcome =
                client.VerifySoftwareToken(request);

        if (outcome.IsSuccess()) {
            std::cout << "Verification of the code was successful."
                      << std::endl;
            session = outcome.GetResult().GetSession();
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::VerifySoftwareToken. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
```
+  For API details, see [VerifySoftwareToken](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/VerifySoftwareToken) in *AWS SDK for C++ API Reference*.

------
#### [ CLI ]

**AWS CLI**  
**To confirm registration of a TOTP authenticator**  
The following `verify-software-token` example completes TOTP registration for the current user.  

```
aws cognito-idp verify-software-token \
    --access-token eyJra456defEXAMPLE \
    --user-code 123456
```
Output:  

```
{
    "Status": "SUCCESS"
}
```
For more information, see [Adding MFA to a user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html) in the *Amazon Cognito Developer Guide*.  
+  For API details, see [VerifySoftwareToken](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/verify-software-token.html) in *AWS CLI Command Reference*.

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
    // Verify the TOTP and register for MFA.
    public static void verifyTOTP(CognitoIdentityProviderClient identityProviderClient, String session, String code) {
        try {
            VerifySoftwareTokenRequest tokenRequest = VerifySoftwareTokenRequest.builder()
                    .userCode(code)
                    .session(session)
                    .build();

            VerifySoftwareTokenResponse verifyResponse = identityProviderClient.verifySoftwareToken(tokenRequest);
            System.out.println("The status of the token is " + verifyResponse.statusAsString());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
```
+  For API details, see [VerifySoftwareToken](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/VerifySoftwareToken) in *AWS SDK for Java 2.x API Reference*.

------
#### [ JavaScript ]

**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples).

```
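import {
  CognitoIdentityProviderClient,
  VerifySoftwareTokenCommand,
} from "@aws-sdk/client-cognito-identity-provider";

const verifySoftwareToken = (totp) => {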
  const client = new CognitoIdentityProviderClient({});

  // The 'Session' is provided in the response to 'AssociateSoftwareToken'.
  const session = process.env.SESSION;

  if (!session) {
    throw new Error(
      "Missing a valid Session. Did you run 'admin-initiate-auth'?",
    );
  }

  const command = new VerifySoftwareTokenCommand({
    Session: session,
    UserCode: totp,
  });

  return client.send(command);
};
```
+  For API details, see [VerifySoftwareToken](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/VerifySoftwareTokenCommand) in *AWS SDK for JavaScript API Reference*.

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
// Verify the TOTP and register for MFA.
suspend fun verifyTOTP(
    sessionVal: String?,
    codeVal: String?,
) {
    val tokenRequest =
        VerifySoftwareTokenRequest {
            userCode = codeVal
            session = sessionVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val verifyResponse = identityProviderClient.verifySoftwareToken(tokenRequest)
        println("The status of the token is ${verifyResponse.status}")
    }
}
```
+  For API details, see [VerifySoftwareToken](https://sdk.amazonaws.com/kotlin/api/latest/index.html) in *AWS SDK for Kotlin API reference*.

------
#### [ Python ]

**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).

```
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper:
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def verify_mfa(self, session, user_code):
        """
        Verify a new MFA application that is associated with a user.

        :param session: Session information returned from a previous call to initiate
                        authentication.
        :param user_code: A code generated by the associated MFA application.
        :return: Status that indicates whether the MFA application is verified.
        """
        try:
            response = self.cognito_idp_client.verify_software_token(
                Session=session, UserCode=user_code
            )
        except ClientError as err:
            logger.error(
                "Couldn't verify MFA. Here's why: %s: %s",
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            response.pop("ResponseMetadata", None)
            return response
```
+  For API details, see [VerifySoftwareToken](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/VerifySoftwareToken) in *AWS SDK for Python (Boto3) API Reference*.

------
#### [ SAP ABAP ]

**SDK for SAP ABAP**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/sap-abap/services/cgp#code-examples).

```
    TRY.
        DATA(lo_result) = lo_cgp->verifysoftwaretoken(
          iv_session = iv_session
          iv_usercode = iv_user_code
        ).

        ov_status = lo_result->get_status( ).

        IF ov_status = 'SUCCESS'.
          MESSAGE 'MFA token verified successfully.' TYPE 'I'.
        ELSE.
          MESSAGE |MFA verification status: { ov_status }.| TYPE 'I'.
        ENDIF.

      CATCH /aws1/cx_cgpcodemismatchex INTO DATA(lo_code_ex).
        MESSAGE 'Invalid MFA code provided.' TYPE 'E'.

      CATCH /aws1/cx_cgpenbsoftwaretokmf00 INTO DATA(lo_enabled_ex).
        MESSAGE 'Software token MFA is already enabled.' TYPE 'E'.
    ENDTRY.
```
+  For API details, see [VerifySoftwareToken](https://docs.aws.amazon.com/sdk-for-sap-abap/v1/api/latest/index.html) in *AWS SDK for SAP ABAP API reference*.

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).

```
import AWSClientRuntime
import AWSCognitoIdentityProvider

    /// Confirm that the user's TOTP authenticator is configured correctly by
    /// sending a code to it to check that it matches successfully.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - session: An authentication session previously returned by an
    ///     `associateSoftwareToken()` call.
    ///   - mfaCode: The 6-digit code currently displayed by the user's
    ///     authenticator, as provided by the user.
    func verifyTOTP(cipClient: CognitoIdentityProviderClient, session: String?, mfaCode: String?) async {
        do {
            let output = try await cipClient.verifySoftwareToken(
                input: VerifySoftwareTokenInput(
                    session: session,
                    userCode: mfaCode
                )
            )

            guard let tokenStatus = output.status else {
                print("*** Unable to get the token's status.")
                return
            }
            print("=====> The token's status is: \(tokenStatus)")
        } catch _ as SoftwareTokenMFANotFoundException {
            print("*** The specified user pool isn't configured for MFA.")
            return
        } catch _ as CodeMismatchException {
            print("*** The specified MFA code doesn't match the expected value.")
            return
        } catch _ as UserNotFoundException {
            print("*** The specified username doesn't exist.")
            return
        } catch _ as UserNotConfirmedException {
            print("*** The user has not been confirmed.")
            return
        } catch {
            print("*** Error verifying the MFA token!")
            return
        }
    }
```
+  For API details, see [VerifySoftwareToken](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/verifysoftwaretoken(input:)) in *AWS SDK for Swift API reference*.

------

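For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.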

# Scenarios for Amazon Cognito Identity Provider using AWS SDKs
<a name="service_code_examples_cognito-identity-provider_scenarios"></a>

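The following code examples show how to implement common scenarios in Amazon Cognito Identity Provider with AWS SDKs. These scenarios show how to accomplish specific tasks by calling multiple functions within Amazon Cognito Identity Provider or by combining it with other AWS services. Each scenario includes a link to the complete source code, where you can find instructions on how to set up and run the code.

Scenarios target an intermediate level of experience to help you understand service actions in context.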

**Topics**
+ [Automatically confirm known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md)
+ [Automatically migrate known users with a Lambda function](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md)
+ [Sign up a user with a user pool that requires MFA](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md)
+ [Use Amazon Cognito identity pools](cognito-identity-provider_example_cross_CognitoFlows_section.md)
+ [Write custom activity data with a Lambda function after Amazon Cognito user authentication](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md)

# Automatically confirm known Amazon Cognito users with a Lambda function using an AWS SDK
<a name="cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section"></a>

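The following code example shows how to automatically confirm known Amazon Cognito users with a Lambda function.
+ Configure a user pool to call a Lambda function for the `PreSignUp` trigger.
+ Sign up a user with Amazon Cognito.
+ The Lambda function scans a DynamoDB table and automatically confirms known users.
+ Sign in as the new user, then clean up resources.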

------
#### [ Go ]

**SDK for Go V2**  
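 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/workflows/user_pools_and_lambda_triggers#code-examples).
Run an interactive scenario at a command prompt.  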

```
import (
	"context"
	"errors"
	"log"
	"strings"
	"user_pools_and_lambda_triggers/actions"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// AutoConfirm separates the steps of this scenario into individual functions so that
// they are simpler to read and understand.
type AutoConfirm struct {
	helper       IScenarioHelper
	questioner   demotools.IQuestioner
	resources    Resources
	cognitoActor *actions.CognitoActions
}

// NewAutoConfirm constructs a new auto confirm runner.
func NewAutoConfirm(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) AutoConfirm {
	scenario := AutoConfirm{
		helper:       helper,
		questioner:   questioner,
		resources:    Resources{},
		cognitoActor: &actions.CognitoActions{CognitoClient: cognitoidentityprovider.NewFromConfig(sdkConfig)},
	}
	scenario.resources.init(scenario.cognitoActor, questioner)
	return scenario
}

// AddPreSignUpTrigger adds a Lambda handler as an invocation target for the PreSignUp trigger.
func (runner *AutoConfirm) AddPreSignUpTrigger(ctx context.Context, userPoolId string, functionArn string) {
	log.Printf("Let's add a Lambda function to handle the PreSignUp trigger from Cognito.\n" +
		"This trigger happens when a user signs up, and lets your function take action before the main Cognito\n" +
		"sign up processing occurs.\n")
	err := runner.cognitoActor.UpdateTriggers(
		ctx, userPoolId,
		actions.TriggerInfo{Trigger: actions.PreSignUp, HandlerArn: aws.String(functionArn)})
	if err != nil {
		panic(err)
	}
	log.Printf("Lambda function %v added to user pool %v to handle the PreSignUp trigger.\n",
		functionArn, userPoolId)
}

// SignUpUser signs up a user from the known user table with a password you specify.
func (runner *AutoConfirm) SignUpUser(ctx context.Context, clientId string, usersTable string) (string, string) {
	log.Println("Let's sign up a user to your Cognito user pool. When the user's email matches an email in the\n" +
		"DynamoDB known users table, it is automatically verified and the user is confirmed.")

	knownUsers, err := runner.helper.GetKnownUsers(ctx, usersTable)
	if err != nil {
		panic(err)
	}
	userChoice := runner.questioner.AskChoice("Which user do you want to use?\n", knownUsers.UserNameList())
	user := knownUsers.Users[userChoice]

	var signedUp bool
	var userConfirmed bool
	password := runner.questioner.AskPassword("Enter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.\n"+
		"(the password will not display as you type):", 8)
	for !signedUp {
		log.Printf("Signing up user '%v' with email '%v' to Cognito.\n", user.UserName, user.UserEmail)
		userConfirmed, err = runner.cognitoActor.SignUp(ctx, clientId, user.UserName, password, user.UserEmail)
		if err != nil {
			var invalidPassword *types.InvalidPasswordException
			if errors.As(err, &invalidPassword) {
				password = runner.questioner.AskPassword("Enter another password:", 8)
			} else {
				panic(err)
			}
		} else {
			signedUp = true
		}
	}
	log.Printf("User %v signed up, confirmed = %v.\n", user.UserName, userConfirmed)

	log.Println(strings.Repeat("-", 88))

	return user.UserName, password
}

// SignInUser signs in a user.
func (runner *AutoConfirm) SignInUser(ctx context.Context, clientId string, userName string, password string) string {
	runner.questioner.Ask("Press Enter when you're ready to continue.")
	log.Printf("Let's sign in as %v...\n", userName)
	authResult, err := runner.cognitoActor.SignIn(ctx, clientId, userName, password)
	if err != nil {
		panic(err)
	}
	log.Printf("Successfully signed in. Your access token starts with: %v...\n", (*authResult.AccessToken)[:10])
	log.Println(strings.Repeat("-", 88))
	return *authResult.AccessToken
}

// Run runs the scenario.
func (runner *AutoConfirm) Run(ctx context.Context, stackName string) {
	defer func() {
		if r := recover(); r != nil {
			log.Println("Something went wrong with the demo.")
			runner.resources.Cleanup(ctx)
		}
	}()

	log.Println(strings.Repeat("-", 88))
	log.Printf("Welcome\n")

	log.Println(strings.Repeat("-", 88))

	stackOutputs, err := runner.helper.GetStackOutputs(ctx, stackName)
	if err != nil {
		panic(err)
	}
	runner.resources.userPoolId = stackOutputs["UserPoolId"]
	runner.helper.PopulateUserTable(ctx, stackOutputs["TableName"])

	runner.AddPreSignUpTrigger(ctx, stackOutputs["UserPoolId"], stackOutputs["AutoConfirmFunctionArn"])
	runner.resources.triggers = append(runner.resources.triggers, actions.PreSignUp)
	userName, password := runner.SignUpUser(ctx, stackOutputs["UserPoolClientId"], stackOutputs["TableName"])
	runner.helper.ListRecentLogEvents(ctx, stackOutputs["AutoConfirmFunction"])
	runner.resources.userAccessTokens = append(runner.resources.userAccessTokens,
		runner.SignInUser(ctx, stackOutputs["UserPoolClientId"], userName, password))

	runner.resources.Cleanup(ctx)

	log.Println(strings.Repeat("-", 88))
	log.Println("Thanks for watching!")
	log.Println(strings.Repeat("-", 88))
}
```
Handle the `PreSignUp` trigger with a Lambda function.  

```
import (
	"context"
	"log"
	"os"

	"github.com/aws/aws-lambda-go/events"
	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	dynamodbtypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
)

const TABLE_NAME = "TABLE_NAME"

// UserInfo defines structured user data that can be marshalled to a DynamoDB format.
type UserInfo struct {
	UserName  string `dynamodbav:"UserName"`
	UserEmail string `dynamodbav:"UserEmail"`
}

// GetKey marshals the user email value to a DynamoDB key format.
func (user UserInfo) GetKey() map[string]dynamodbtypes.AttributeValue {
	userEmail, err := attributevalue.Marshal(user.UserEmail)
	if err != nil {
		panic(err)
	}
	return map[string]dynamodbtypes.AttributeValue{"UserEmail": userEmail}
}

type handler struct {
	dynamoClient *dynamodb.Client
}

// HandleRequest handles the PreSignUp event by looking up a user in an Amazon DynamoDB table and
// specifying whether they should be confirmed and verified.
func (h *handler) HandleRequest(ctx context.Context, event events.CognitoEventUserPoolsPreSignup) (events.CognitoEventUserPoolsPreSignup, error) {
	log.Printf("Received presignup from %v for user '%v'", event.TriggerSource, event.UserName)
	if event.TriggerSource != "PreSignUp_SignUp" {
		// Other trigger sources, such as PreSignUp_AdminInitiateAuth, ignore the response from this handler.
		return event, nil
	}
	tableName := os.Getenv(TABLE_NAME)
	user := UserInfo{
		UserEmail: event.Request.UserAttributes["email"],
	}
	log.Printf("Looking up email %v in table %v.\n", user.UserEmail, tableName)
	output, err := h.dynamoClient.GetItem(ctx, &dynamodb.GetItemInput{
		Key:       user.GetKey(),
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Error looking up email %v.\n", user.UserEmail)
		return event, err
	}
	if output.Item == nil {
		log.Printf("Email %v not found. Email verification is required.\n", user.UserEmail)
		return event, err
	}

	err = attributevalue.UnmarshalMap(output.Item, &user)
	if err != nil {
		log.Printf("Couldn't unmarshal DynamoDB item. Here's why: %v\n", err)
		return event, err
	}

	if user.UserName != event.UserName {
		log.Printf("UserEmail %v found, but stored UserName '%v' does not match supplied UserName '%v'. Verification is required.\n",
			user.UserEmail, user.UserName, event.UserName)
	} else {
		log.Printf("UserEmail %v found with matching UserName %v. User is confirmed.\n", user.UserEmail, user.UserName)
		event.Response.AutoConfirmUser = true
		event.Response.AutoVerifyEmail = true
	}

	return event, err
}

func main() {
	ctx := context.Background()
	sdkConfig, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		log.Panicln(err)
	}
	h := handler{
		dynamoClient: dynamodb.NewFromConfig(sdkConfig),
	}
	lambda.Start(h.HandleRequest)
}
```
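The decision made by `HandleRequest` above, isolated from DynamoDB so that every path can be exercised offline. This is an added example, not part of the AWS sample: the `preSignUpEvent`, `decision` and `knownUserLookup` names are hypothetical, the table rows are constructed to mirror what this sample's `PopulateTable` writes, and skipping the lookup when no email is supplied is an assumption of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// preSignUpEvent holds the three event fields the page's handler reads.
// Hypothetical type for this example; the handler itself receives
// events.CognitoEventUserPoolsPreSignup.
type preSignUpEvent struct {
	TriggerSource string
	UserName      string
	Email         string // event.Request.UserAttributes["email"]
}

// decision carries the two response flags the handler can set.
type decision struct {
	AutoConfirmUser bool
	AutoVerifyEmail bool
	Reason          string
}

// knownUserLookup stands in for the DynamoDB GetItem call keyed on UserEmail.
type knownUserLookup func(email string) (storedUserName string, found bool, err error)

// decidePreSignUp applies the same checks as HandleRequest, in the same order.
// Every path except the full match leaves both flags false.
func decidePreSignUp(ev preSignUpEvent, lookup knownUserLookup) (decision, error) {
	if ev.TriggerSource != "PreSignUp_SignUp" {
		return decision{Reason: "trigger source not handled"}, nil
	}
	if ev.Email == "" {
		// Assumption of this example: skip the lookup when no email was supplied.
		return decision{Reason: "no email attribute"}, nil
	}
	stored, found, err := lookup(ev.Email)
	if err != nil {
		// Fail closed: returning the error makes the sign-up fail instead of
		// confirming a user the table could not vouch for.
		return decision{Reason: "lookup failed"}, err
	}
	if !found {
		return decision{Reason: "email not in known users table"}, nil
	}
	if stored != ev.UserName {
		return decision{Reason: "user name does not match stored record"}, nil
	}
	return decision{AutoConfirmUser: true, AutoVerifyEmail: true, Reason: "known user"}, nil
}

// constructedTable returns a lookup over constructed rows test_user_1..3.
func constructedTable() knownUserLookup {
	rows := map[string]string{}
	for i := 1; i < 4; i++ {
		rows[fmt.Sprintf("test_email_%v@example.com", i)] = fmt.Sprintf("test_user_%v", i)
	}
	return func(email string) (string, bool, error) {
		name, ok := rows[email] // exact, case-sensitive match, like a DynamoDB key
		return name, ok, nil
	}
}

// errLookup and failingTable simulate a failed table read (constructed).
var errLookup = errors.New("constructed lookup failure")

func failingTable(string) (string, bool, error) { return "", false, errLookup }

func main() {
	table := constructedTable()
	cases := []preSignUpEvent{
		{TriggerSource: "PreSignUp_SignUp", UserName: "test_user_1", Email: "test_email_1@example.com"},
		{TriggerSource: "PreSignUp_SignUp", UserName: "test_user_2", Email: "test_email_1@example.com"},
		{TriggerSource: "PreSignUp_SignUp", UserName: "test_user_1", Email: "Test_Email_1@example.com"},
		{TriggerSource: "PreSignUp_SignUp", UserName: "someone", Email: "nobody@example.com"},
		{TriggerSource: "PreSignUp_AdminCreateUser", UserName: "test_user_1", Email: "test_email_1@example.com"},
	}
	for _, ev := range cases {
		d, _ := decidePreSignUp(ev, table)
		fmt.Printf("%-26s %-12s %-26s confirm=%v (%s)\n",
			ev.TriggerSource, ev.UserName, ev.Email, d.AutoConfirmUser, d.Reason)
	}
	d, err := decidePreSignUp(cases[0], failingTable)
	fmt.Printf("lookup failure: confirm=%v err=%v\n", d.AutoConfirmUser, err)
}
```

Both flags are set only when the email and the user name match the stored record exactly, so a case-variant email or a borrowed email with a different user name falls back to normal verification.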
Create a struct that performs common tasks.  

```
import (
	"context"
	"log"
	"strings"
	"time"
	"user_pools_and_lambda_triggers/actions"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// IScenarioHelper defines common functions used by the workflows in this example.
type IScenarioHelper interface {
	Pause(secs int)
	GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error)
	PopulateUserTable(ctx context.Context, tableName string)
	GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error)
	AddKnownUser(ctx context.Context, tableName string, user actions.User)
	ListRecentLogEvents(ctx context.Context, functionName string)
}

// ScenarioHelper contains AWS wrapper structs used by the workflows in this example.
type ScenarioHelper struct {
	questioner  demotools.IQuestioner
	dynamoActor *actions.DynamoActions
	cfnActor    *actions.CloudFormationActions
	cwlActor    *actions.CloudWatchLogsActions
	isTestRun   bool
}

// NewScenarioHelper constructs a new scenario helper.
func NewScenarioHelper(sdkConfig aws.Config, questioner demotools.IQuestioner) ScenarioHelper {
	scenario := ScenarioHelper{
		questioner:  questioner,
		dynamoActor: &actions.DynamoActions{DynamoClient: dynamodb.NewFromConfig(sdkConfig)},
		cfnActor:    &actions.CloudFormationActions{CfnClient: cloudformation.NewFromConfig(sdkConfig)},
		cwlActor:    &actions.CloudWatchLogsActions{CwlClient: cloudwatchlogs.NewFromConfig(sdkConfig)},
	}
	return scenario
}

// Pause waits for the specified number of seconds.
func (helper ScenarioHelper) Pause(secs int) {
	if !helper.isTestRun {
		time.Sleep(time.Duration(secs) * time.Second)
	}
}

// GetStackOutputs gets the outputs from the specified CloudFormation stack in a structured format.
func (helper ScenarioHelper) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) {
	return helper.cfnActor.GetOutputs(ctx, stackName), nil
}

// PopulateUserTable fills the known user table with example data.
func (helper ScenarioHelper) PopulateUserTable(ctx context.Context, tableName string) {
	log.Printf("First, let's add some users to the DynamoDB %v table we'll use for this example.\n", tableName)
	err := helper.dynamoActor.PopulateTable(ctx, tableName)
	if err != nil {
		panic(err)
	}
}

// GetKnownUsers gets the users from the known users table in a structured format.
func (helper ScenarioHelper) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) {
	knownUsers, err := helper.dynamoActor.Scan(ctx, tableName)
	if err != nil {
		log.Printf("Couldn't get known users from table %v. Here's why: %v\n", tableName, err)
	}
	return knownUsers, err
}

// AddKnownUser adds a user to the known users table.
func (helper ScenarioHelper) AddKnownUser(ctx context.Context, tableName string, user actions.User) {
	log.Printf("Adding user '%v' with email '%v' to the DynamoDB known users table...\n",
		user.UserName, user.UserEmail)
	err := helper.dynamoActor.AddUser(ctx, tableName, user)
	if err != nil {
		panic(err)
	}
}

// ListRecentLogEvents gets the most recent log stream and events for the specified Lambda function and displays them.
func (helper ScenarioHelper) ListRecentLogEvents(ctx context.Context, functionName string) {
	log.Println("Waiting a few seconds to let Lambda write to CloudWatch Logs...")
	helper.Pause(10)
	log.Println("Okay, let's check the logs to find what's happened recently with your Lambda function.")
	logStream, err := helper.cwlActor.GetLatestLogStream(ctx, functionName)
	if err != nil {
		panic(err)
	}
	log.Printf("Getting some recent events from log stream %v\n", *logStream.LogStreamName)
	events, err := helper.cwlActor.GetLogEvents(ctx, functionName, *logStream.LogStreamName, 10)
	if err != nil {
		panic(err)
	}
	for _, event := range events {
		log.Printf("\t%v", *event.Message)
	}
	log.Println(strings.Repeat("-", 88))
}
```
Create a struct that wraps Amazon Cognito actions.  

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger.
type Trigger int

const (
	PreSignUp Trigger = iota
	UserMigration
	PostAuthentication
)

type TriggerInfo struct {
	Trigger    Trigger
	HandlerArn *string
}

// UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value,
// it is removed from the user pool.
func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error {
	output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{
		UserPoolId: aws.String(userPoolId),
	})
	if err != nil {
		log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err)
		return err
	}
	lambdaConfig := output.UserPool.LambdaConfig
	for _, trigger := range triggers {
		switch trigger.Trigger {
		case PreSignUp:
			lambdaConfig.PreSignUp = trigger.HandlerArn
		case UserMigration:
			lambdaConfig.UserMigration = trigger.HandlerArn
		case PostAuthentication:
			lambdaConfig.PostAuthentication = trigger.HandlerArn
		}
	}
	_, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{
		UserPoolId:   aws.String(userPoolId),
		LambdaConfig: lambdaConfig,
	})
	if err != nil {
		log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err)
	}
	return err
}



// SignUp signs up a user with Amazon Cognito.
func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) {
	confirmed := false
	output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{
		ClientId: aws.String(clientId),
		Password: aws.String(password),
		Username: aws.String(userName),
		UserAttributes: []types.AttributeType{
			{Name: aws.String("email"), Value: aws.String(userEmail)},
		},
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err)
		}
	} else {
		confirmed = output.UserConfirmed
	}
	return confirmed, err
}



// SignIn signs in a user to Amazon Cognito using a username and password authentication flow.
func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) {
	var authResult *types.AuthenticationResultType
	output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{
		AuthFlow:       "USER_PASSWORD_AUTH",
		ClientId:       aws.String(clientId),
		AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password},
	})
	if err != nil {
		var resetRequired *types.PasswordResetRequiredException
		if errors.As(err, &resetRequired) {
			log.Println(*resetRequired.Message)
		} else {
			log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err)
		}
	} else {
		authResult = output.AuthenticationResult
	}
	return authResult, err
}



// ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code
// to the user's configured notification destination, such as email.
func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) {
	output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{
		ClientId: aws.String(clientId),
		Username: aws.String(userName),
	})
	if err != nil {
		log.Printf("Couldn't start password reset for user '%v'. Here's why: %v\n", userName, err)
		// output is nil when the call fails, so return before dereferencing it.
		return nil, err
	}
	return output.CodeDeliveryDetails, err
}



// ConfirmForgotPassword confirms a user with a confirmation code and a new password.
func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error {
	_, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{
		ClientId:         aws.String(clientId),
		ConfirmationCode: aws.String(code),
		Password:         aws.String(password),
		Username:         aws.String(userName),
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err)
		}
	}
	return err
}



// DeleteUser removes a user from the user pool.
func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error {
	_, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{
		AccessToken: aws.String(userAccessToken),
	})
	if err != nil {
		log.Printf("Couldn't delete user. Here's why: %v\n", err)
	}
	return err
}



// AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user
// in a state that requires they enter a new password next time they sign in.
func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error {
	_, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{
		UserPoolId:     aws.String(userPoolId),
		Username:       aws.String(userName),
		MessageAction:  types.MessageActionTypeSuppress,
		UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}},
	})
	if err != nil {
		var userExists *types.UsernameExistsException
		if errors.As(err, &userExists) {
			log.Printf("User %v already exists in the user pool.", userName)
			err = nil
		} else {
			log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}



// AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a
// temporary password.
func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error {
	_, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{
		Password:   aws.String(password),
		UserPoolId: aws.String(userPoolId),
		Username:   aws.String(userName),
		Permanent:  true,
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}
```
Create a struct that wraps DynamoDB actions.  

```
import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
)

// DynamoActions encapsulates the Amazon DynamoDB actions
// used in the examples.
type DynamoActions struct {
	DynamoClient *dynamodb.Client
}

// User defines structured user data.
type User struct {
	UserName  string
	UserEmail string
	LastLogin *LoginInfo `dynamodbav:",omitempty"`
}

// LoginInfo defines structured custom login data.
type LoginInfo struct {
	UserPoolId string
	ClientId   string
	Time       string
}

// UserList defines a list of users.
type UserList struct {
	Users []User
}

// UserNameList returns the usernames contained in a UserList as a list of strings.
func (users *UserList) UserNameList() []string {
	names := make([]string, len(users.Users))
	for i := 0; i < len(users.Users); i++ {
		names[i] = users.Users[i].UserName
	}
	return names
}

// PopulateTable adds a set of test users to the table.
func (actor DynamoActions) PopulateTable(ctx context.Context, tableName string) error {
	var err error
	var item map[string]types.AttributeValue
	var writeReqs []types.WriteRequest
	for i := 1; i < 4; i++ {
		item, err = attributevalue.MarshalMap(User{UserName: fmt.Sprintf("test_user_%v", i), UserEmail: fmt.Sprintf("test_email_%v@example.com", i)})
		if err != nil {
			log.Printf("Couldn't marshal user into DynamoDB format. Here's why: %v\n", err)
			return err
		}
		writeReqs = append(writeReqs, types.WriteRequest{PutRequest: &types.PutRequest{Item: item}})
	}
	_, err = actor.DynamoClient.BatchWriteItem(ctx, &dynamodb.BatchWriteItemInput{
		RequestItems: map[string][]types.WriteRequest{tableName: writeReqs},
	})
	if err != nil {
		log.Printf("Couldn't populate table %v with users. Here's why: %v\n", tableName, err)
	}
	return err
}

// Scan scans the table for all items.
func (actor DynamoActions) Scan(ctx context.Context, tableName string) (UserList, error) {
	var userList UserList
	output, err := actor.DynamoClient.Scan(ctx, &dynamodb.ScanInput{
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Couldn't scan table %v for items. Here's why: %v\n", tableName, err)
	} else {
		err = attributevalue.UnmarshalListOfMaps(output.Items, &userList.Users)
		if err != nil {
			log.Printf("Couldn't unmarshal items into users. Here's why: %v\n", err)
		}
	}
	return userList, err
}

// AddUser adds a user item to a table.
func (actor DynamoActions) AddUser(ctx context.Context, tableName string, user User) error {
	userItem, err := attributevalue.MarshalMap(user)
	if err != nil {
		log.Printf("Couldn't marshal user to item. Here's why: %v\n", err)
		// Don't write a nil item to the table when marshalling fails.
		return err
	}
	_, err = actor.DynamoClient.PutItem(ctx, &dynamodb.PutItemInput{
		Item:      userItem,
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Couldn't put item in table %v. Here's why: %v", tableName, err)
	}
	return err
}
```
Create a struct that wraps CloudWatch Logs actions.  

```
import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
)

type CloudWatchLogsActions struct {
	CwlClient *cloudwatchlogs.Client
}

// GetLatestLogStream gets the most recent log stream for a Lambda function.
func (actor CloudWatchLogsActions) GetLatestLogStream(ctx context.Context, functionName string) (types.LogStream, error) {
	var logStream types.LogStream
	logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName)
	output, err := actor.CwlClient.DescribeLogStreams(ctx, &cloudwatchlogs.DescribeLogStreamsInput{
		Descending:   aws.Bool(true),
		Limit:        aws.Int32(1),
		LogGroupName: aws.String(logGroupName),
		OrderBy:      types.OrderByLastEventTime,
	})
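	if err != nil {
		log.Printf("Couldn't get log streams for log group %v. Here's why: %v\n", logGroupName, err)
	} else if len(output.LogStreams) == 0 {
		// The function may not have written any logs yet; avoid indexing an empty slice.
		err = fmt.Errorf("no log streams found in log group %v", logGroupName)
		log.Println(err)
	} else {
		logStream = output.LogStreams[0]
	}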
	return logStream, err
}

// GetLogEvents gets the most recent eventCount events from the specified log stream.
func (actor CloudWatchLogsActions) GetLogEvents(ctx context.Context, functionName string, logStreamName string, eventCount int32) (
	[]types.OutputLogEvent, error) {
	var events []types.OutputLogEvent
	logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName)
	output, err := actor.CwlClient.GetLogEvents(ctx, &cloudwatchlogs.GetLogEventsInput{
		LogStreamName: aws.String(logStreamName),
		Limit:         aws.Int32(eventCount),
		LogGroupName:  aws.String(logGroupName),
	})
	if err != nil {
		log.Printf("Couldn't get log event for log stream %v. Here's why: %v\n", logStreamName, err)
	} else {
		events = output.Events
	}
	return events, err
}
```
Create a struct that wraps CloudFormation actions.  

```
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
)

// StackOutputs defines a map of outputs from a specific stack.
type StackOutputs map[string]string

type CloudFormationActions struct {
	CfnClient *cloudformation.Client
}

// GetOutputs gets the outputs from a CloudFormation stack and puts them into a structured format.
func (actor CloudFormationActions) GetOutputs(ctx context.Context, stackName string) StackOutputs {
	output, err := actor.CfnClient.DescribeStacks(ctx, &cloudformation.DescribeStacksInput{
		StackName: aws.String(stackName),
	})
	if err != nil || len(output.Stacks) == 0 {
		log.Panicf("Couldn't find a CloudFormation stack named %v. Here's why: %v\n", stackName, err)
	}
	stackOutputs := StackOutputs{}
	for _, out := range output.Stacks[0].Outputs {
		stackOutputs[*out.OutputKey] = *out.OutputValue
	}
	return stackOutputs
}
```
Clean up resources.  

```
import (
	"context"
	"log"
	"user_pools_and_lambda_triggers/actions"

	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// Resources keeps track of AWS resources created during an example and handles
// cleanup when the example finishes.
type Resources struct {
	userPoolId       string
	userAccessTokens []string
	triggers         []actions.Trigger

	cognitoActor *actions.CognitoActions
	questioner   demotools.IQuestioner
}

func (resources *Resources) init(cognitoActor *actions.CognitoActions, questioner demotools.IQuestioner) {
	resources.userAccessTokens = []string{}
	resources.triggers = []actions.Trigger{}
	resources.cognitoActor = cognitoActor
	resources.questioner = questioner
}

// Cleanup deletes all AWS resources created during an example.
func (resources *Resources) Cleanup(ctx context.Context) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("Something went wrong during cleanup.\n%v\n", r)
			log.Println("Use the AWS Management Console to remove any remaining resources \n" +
				"that were created for this scenario.")
		}
	}()

	wantDelete := resources.questioner.AskBool("Do you want to remove all of the AWS resources that were created "+
		"during this demo (y/n)?", "y")
	if wantDelete {
		for _, accessToken := range resources.userAccessTokens {
			err := resources.cognitoActor.DeleteUser(ctx, accessToken)
			if err != nil {
				log.Println("Couldn't delete user during cleanup.")
				panic(err)
			}
			log.Println("Deleted user.")
		}
		triggerList := make([]actions.TriggerInfo, len(resources.triggers))
		for i := 0; i < len(resources.triggers); i++ {
			triggerList[i] = actions.TriggerInfo{Trigger: resources.triggers[i], HandlerArn: nil}
		}
		err := resources.cognitoActor.UpdateTriggers(ctx, resources.userPoolId, triggerList...)
		if err != nil {
			log.Println("Couldn't update Cognito triggers during cleanup.")
			panic(err)
		}
		log.Println("Removed Cognito triggers from user pool.")
	} else {
		log.Println("Be sure to remove resources when you're done with them to avoid unexpected charges!")
	}
}
```
+ For API details, see the following topics in *AWS SDK for Go API Reference*.
  + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser)
  + [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth)
  + [SignUp](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.SignUp)
  + [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool)

------
#### [ JavaScript ]

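**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cross-services/wkflw-pools-triggers#code-examples).
Configure an interactive "Scenario" run. The JavaScript (v3) examples share a Scenario runner to streamline complex examples. The complete source code is on GitHub.  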

```
import { AutoConfirm } from "./scenario-auto-confirm.js";

/**
 * The context is passed to every scenario. Scenario steps
 * will modify the context.
 */
const context = {
  errors: [],
  users: [
    {
      UserName: "test_user_1",
      UserEmail: "test_email_1@example.com",
    },
    {
      UserName: "test_user_2",
      UserEmail: "test_email_2@example.com",
    },
    {
      UserName: "test_user_3",
      UserEmail: "test_email_3@example.com",
    },
  ],
};

/**
 * Three Scenarios are created for the workflow. A Scenario is an orchestration class
 * that simplifies running a series of steps.
 */
export const scenarios = {
  // Demonstrate automatically confirming known users in a database.
  "auto-confirm": AutoConfirm(context),
};

// Call function if run directly
import { fileURLToPath } from "node:url";
import { parseScenarioArgs } from "@aws-doc-sdk-examples/lib/scenario/index.js";

if (process.argv[1] === fileURLToPath(import.meta.url)) {
  parseScenarioArgs(scenarios, {
    name: "Cognito user pools and triggers",
    description:
      "Demonstrate how to use the AWS SDKs to customize Amazon Cognito authentication behavior.",
  });
}
```
This Scenario demonstrates auto-confirming a known user. It orchestrates the example steps.  

```
import { wait } from "@aws-doc-sdk-examples/lib/utils/util-timers.js";
import {
  Scenario,
  ScenarioAction,
  ScenarioInput,
  ScenarioOutput,
} from "@aws-doc-sdk-examples/lib/scenario/scenario.js";

import {
  getStackOutputs,
  logCleanUpReminder,
  promptForStackName,
  promptForStackRegion,
  skipWhenErrors,
} from "./steps-common.js";
import { populateTable } from "./actions/dynamodb-actions.js";
import {
  addPreSignUpHandler,
  deleteUser,
  getUser,
  signIn,
  signUpUser,
} from "./actions/cognito-actions.js";
import {
  getLatestLogStreamForLambda,
  getLogEvents,
} from "./actions/cloudwatch-logs-actions.js";

/**
 * @typedef {{
 *   errors: Error[],
 *   password: string,
 *   users: { UserName: string, UserEmail: string }[],
 *   selectedUser?: string,
 *   stackName?: string,
 *   stackRegion?: string,
 *   token?: string,
 *   confirmDeleteSignedInUser?: boolean,
 *   TableName?: string,
 *   UserPoolClientId?: string,
 *   UserPoolId?: string,
 *   UserPoolArn?: string,
 *   AutoConfirmHandlerArn?: string,
 *   AutoConfirmHandlerName?: string
 * }} State
 */

const greeting = new ScenarioOutput(
  "greeting",
  (/** @type {State} */ state) => `This demo will populate some users into the \
database created as part of the "${state.stackName}" stack. \
Then the AutoConfirmHandler will be linked to the PreSignUp \
trigger from Cognito. Finally, you will choose a user to sign up.`,
  { skipWhen: skipWhenErrors },
);

const logPopulatingUsers = new ScenarioOutput(
  "logPopulatingUsers",
  "Populating the DynamoDB table with some users.",
  { skipWhen: skipWhenErrors },
);

const logPopulatingUsersComplete = new ScenarioOutput(
  "logPopulatingUsersComplete",
  "Done populating users.",
  { skipWhen: skipWhenErrors },
);

const populateUsers = new ScenarioAction(
  "populateUsers",
  async (/** @type {State} */ state) => {
    const [_, err] = await populateTable({
      region: state.stackRegion,
      tableName: state.TableName,
      items: state.users,
    });
    if (err) {
      state.errors.push(err);
    }
  },
  {
    skipWhen: skipWhenErrors,
  },
);

const logSetupSignUpTrigger = new ScenarioOutput(
  "logSetupSignUpTrigger",
  "Setting up the PreSignUp trigger for the Cognito User Pool.",
  { skipWhen: skipWhenErrors },
);

const setupSignUpTrigger = new ScenarioAction(
  "setupSignUpTrigger",
  async (/** @type {State} */ state) => {
    const [_, err] = await addPreSignUpHandler({
      region: state.stackRegion,
      userPoolId: state.UserPoolId,
      handlerArn: state.AutoConfirmHandlerArn,
    });
    if (err) {
      state.errors.push(err);
    }
  },
  {
    skipWhen: skipWhenErrors,
  },
);

const logSetupSignUpTriggerComplete = new ScenarioOutput(
  "logSetupSignUpTriggerComplete",
  (
    /** @type {State} */ state,
  ) => `The lambda function "${state.AutoConfirmHandlerName}" \
has been configured as the PreSignUp trigger handler for the user pool "${state.UserPoolId}".`,
  { skipWhen: skipWhenErrors },
);

const selectUser = new ScenarioInput(
  "selectedUser",
  "Select a user to sign up.",
  {
    type: "select",
    choices: (/** @type {State} */ state) => state.users.map((u) => u.UserName),
    skipWhen: skipWhenErrors,
    default: (/** @type {State} */ state) => state.users[0].UserName,
  },
);

const checkIfUserAlreadyExists = new ScenarioAction(
  "checkIfUserAlreadyExists",
  async (/** @type {State} */ state) => {
    const [user, err] = await getUser({
      region: state.stackRegion,
      userPoolId: state.UserPoolId,
      username: state.selectedUser,
    });

    if (err?.name === "UserNotFoundException") {
      // Do nothing. We're not expecting the user to exist before
      // sign up is complete.
      return;
    }

    if (err) {
      state.errors.push(err);
      return;
    }

    if (user) {
      state.errors.push(
        new Error(
          `The user "${state.selectedUser}" already exists in the user pool "${state.UserPoolId}".`,
        ),
      );
    }
  },
  {
    skipWhen: skipWhenErrors,
  },
);

const createPassword = new ScenarioInput(
  "password",
  "Enter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.",
  { type: "password", skipWhen: skipWhenErrors, default: "Abcd1234!" },
);

const logSignUpExistingUser = new ScenarioOutput(
  "logSignUpExistingUser",
  (/** @type {State} */ state) => `Signing up user "${state.selectedUser}".`,
  { skipWhen: skipWhenErrors },
);

const signUpExistingUser = new ScenarioAction(
  "signUpExistingUser",
  async (/** @type {State} */ state) => {
    const signUp = (password) =>
      signUpUser({
        region: state.stackRegion,
        userPoolClientId: state.UserPoolClientId,
        username: state.selectedUser,
        email: state.users.find((u) => u.UserName === state.selectedUser)
          .UserEmail,
        password,
      });

    let [_, err] = await signUp(state.password);

    while (err?.name === "InvalidPasswordException") {
      console.warn("The password you entered was invalid.");
      await createPassword.handle(state);
      [_, err] = await signUp(state.password);
    }

    if (err) {
      state.errors.push(err);
    }
  },
  { skipWhen: skipWhenErrors },
);

const logSignUpExistingUserComplete = new ScenarioOutput(
  "logSignUpExistingUserComplete",
  (/** @type {State} */ state) =>
    `"${state.selectedUser}" was signed up successfully.`,
  { skipWhen: skipWhenErrors },
);

const logLambdaLogs = new ScenarioAction(
  "logLambdaLogs",
  async (/** @type {State} */ state) => {
    console.log(
      "Waiting a few seconds to let Lambda write to CloudWatch Logs...\n",
    );
    await wait(10);

    const [logStream, logStreamErr] = await getLatestLogStreamForLambda({
      functionName: state.AutoConfirmHandlerName,
      region: state.stackRegion,
    });
    if (logStreamErr) {
      state.errors.push(logStreamErr);
      return;
    }

    console.log(
      `Getting some recent events from log stream "${logStream.logStreamName}"`,
    );
    const [logEvents, logEventsErr] = await getLogEvents({
      functionName: state.AutoConfirmHandlerName,
      region: state.stackRegion,
      eventCount: 10,
      logStreamName: logStream.logStreamName,
    });
    if (logEventsErr) {
      state.errors.push(logEventsErr);
      return;
    }

    console.log(logEvents.map((ev) => `\t${ev.message}`).join(""));
  },
  { skipWhen: skipWhenErrors },
);

const logSignInUser = new ScenarioOutput(
  "logSignInUser",
  (/** @type {State} */ state) => `Let's sign in as ${state.selectedUser}`,
  { skipWhen: skipWhenErrors },
);

const signInUser = new ScenarioAction(
  "signInUser",
  async (/** @type {State} */ state) => {
    const [response, err] = await signIn({
      region: state.stackRegion,
      clientId: state.UserPoolClientId,
      username: state.selectedUser,
      password: state.password,
    });

    if (err?.name === "PasswordResetRequiredException") {
      state.errors.push(new Error("Please reset your password."));
      return;
    }

    if (err) {
      state.errors.push(err);
      return;
    }

    state.token = response?.AuthenticationResult?.AccessToken;
  },
  { skipWhen: skipWhenErrors },
);

const logSignInUserComplete = new ScenarioOutput(
  "logSignInUserComplete",
  (/** @type {State} */ state) =>
    `Successfully signed in. Your access token starts with: ${state.token.slice(0, 11)}`,
  { skipWhen: skipWhenErrors },
);

const confirmDeleteSignedInUser = new ScenarioInput(
  "confirmDeleteSignedInUser",
  "Do you want to delete the currently signed in user?",
  { type: "confirm", skipWhen: skipWhenErrors },
);

const deleteSignedInUser = new ScenarioAction(
  "deleteSignedInUser",
  async (/** @type {State} */ state) => {
    const [_, err] = await deleteUser({
      region: state.stackRegion,
      accessToken: state.token,
    });

    if (err) {
      state.errors.push(err);
    }
  },
  {
    skipWhen: (/** @type {State} */ state) =>
      skipWhenErrors(state) || !state.confirmDeleteSignedInUser,
  },
);

const logErrors = new ScenarioOutput(
  "logErrors",
  (/** @type {State}*/ state) => {
    const errorList = state.errors
      .map((err) => ` - ${err.name}: ${err.message}`)
      .join("\n");
    return `Scenario errors found:\n${errorList}`;
  },
  {
    // Don't log errors when there aren't any!
    skipWhen: (/** @type {State} */ state) => state.errors.length === 0,
  },
);

export const AutoConfirm = (context) =>
  new Scenario(
    "AutoConfirm",
    [
      promptForStackName,
      promptForStackRegion,
      getStackOutputs,
      greeting,
      logPopulatingUsers,
      populateUsers,
      logPopulatingUsersComplete,
      logSetupSignUpTrigger,
      setupSignUpTrigger,
      logSetupSignUpTriggerComplete,
      selectUser,
      checkIfUserAlreadyExists,
      createPassword,
      logSignUpExistingUser,
      signUpExistingUser,
      logSignUpExistingUserComplete,
      logLambdaLogs,
      logSignInUser,
      signInUser,
      logSignInUserComplete,
      confirmDeleteSignedInUser,
      deleteSignedInUser,
      logCleanUpReminder,
      logErrors,
    ],
    context,
  );
```
These are steps that are shared with other Scenarios.  

```
import {
  ScenarioAction,
  ScenarioInput,
  ScenarioOutput,
} from "@aws-doc-sdk-examples/lib/scenario/scenario.js";
import { getCfnOutputs } from "@aws-doc-sdk-examples/lib/sdk/cfn-outputs.js";

export const skipWhenErrors = (state) => state.errors.length > 0;

export const getStackOutputs = new ScenarioAction(
  "getStackOutputs",
  async (state) => {
    if (!state.stackName || !state.stackRegion) {
      state.errors.push(
        new Error(
          "No stack name or region provided. The stack name and \
region are required to fetch CFN outputs relevant to this example.",
        ),
      );
      return;
    }

    const outputs = await getCfnOutputs(state.stackName, state.stackRegion);
    Object.assign(state, outputs);
  },
);

export const promptForStackName = new ScenarioInput(
  "stackName",
  "Enter the name of the stack you deployed earlier.",
  { type: "input", default: "PoolsAndTriggersStack" },
);

export const promptForStackRegion = new ScenarioInput(
  "stackRegion",
  "Enter the region of the stack you deployed earlier.",
  { type: "input", default: "us-east-1" },
);

export const logCleanUpReminder = new ScenarioOutput(
  "logCleanUpReminder",
  "All done. Remember to run 'cdk destroy' to teardown the stack.",
  { skipWhen: skipWhenErrors },
);
```
A handler for the `PreSignUp` trigger with a Lambda function.  

```
import type { PreSignUpTriggerEvent, Handler } from "aws-lambda";
import type { UserRepository } from "./user-repository";
import { DynamoDBUserRepository } from "./user-repository";

export class PreSignUpHandler {
  private userRepository: UserRepository;

  constructor(userRepository: UserRepository) {
    this.userRepository = userRepository;
  }

  private isPreSignUpTriggerSource(event: PreSignUpTriggerEvent): boolean {
    return event.triggerSource === "PreSignUp_SignUp";
  }

  private getEventUserEmail(event: PreSignUpTriggerEvent): string {
    return event.request.userAttributes.email;
  }

  async handlePreSignUpTriggerEvent(
    event: PreSignUpTriggerEvent,
  ): Promise<PreSignUpTriggerEvent> {
    console.log(
      `Received presignup from ${event.triggerSource} for user '${event.userName}'`,
    );

    if (!this.isPreSignUpTriggerSource(event)) {
      return event;
    }

    const eventEmail = this.getEventUserEmail(event);
    console.log(`Looking up email ${eventEmail}.`);
    const storedUserInfo =
      await this.userRepository.getUserInfoByEmail(eventEmail);

    if (!storedUserInfo) {
      console.log(
        `Email ${eventEmail} not found. Email verification is required.`,
      );
      return event;
    }

    if (storedUserInfo.UserName !== event.userName) {
      console.log(
        `UserEmail ${eventEmail} found, but stored UserName '${storedUserInfo.UserName}' does not match supplied UserName '${event.userName}'. Verification is required.`,
      );
    } else {
      console.log(
        `UserEmail ${eventEmail} found with matching UserName ${storedUserInfo.UserName}. User is confirmed.`,
      );
      event.response.autoConfirmUser = true;
      event.response.autoVerifyEmail = true;
    }
    return event;
  }
}

const createPreSignUpHandler = (): PreSignUpHandler => {
  const tableName = process.env.TABLE_NAME;
  if (!tableName) {
    throw new Error("TABLE_NAME environment variable is not set");
  }

  const userRepository = new DynamoDBUserRepository(tableName);
  return new PreSignUpHandler(userRepository);
};

export const handler: Handler = async (event: PreSignUpTriggerEvent) => {
  const preSignUpHandler = createPreSignUpHandler();
  return preSignUpHandler.handlePreSignUpTriggerEvent(event);
};
```
Module of CloudWatch Logs actions.  

```
import {
  CloudWatchLogsClient,
  GetLogEventsCommand,
  OrderBy,
  paginateDescribeLogStreams,
} from "@aws-sdk/client-cloudwatch-logs";

/**
 * Get the latest log stream for a Lambda function.
 * @param {{ functionName: string, region: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cloudwatch-logs").LogStream | null, unknown]>}
 */
export const getLatestLogStreamForLambda = async ({ functionName, region }) => {
  try {
    const logGroupName = `/aws/lambda/${functionName}`;
    const cwlClient = new CloudWatchLogsClient({ region });
    const paginator = paginateDescribeLogStreams(
      { client: cwlClient },
      {
        descending: true,
        limit: 1,
        orderBy: OrderBy.LastEventTime,
        logGroupName,
      },
    );

    for await (const page of paginator) {
      return [page.logStreams[0], null];
    }
  } catch (err) {
    return [null, err];
  }
};

/**
 * Get the log events for a Lambda function's log stream.
 * @param {{
 *   functionName: string,
 *   logStreamName: string,
 *   eventCount: number,
 *   region: string
 * }} config
 * @returns {Promise<[import("@aws-sdk/client-cloudwatch-logs").OutputLogEvent[] | null, unknown]>}
 */
export const getLogEvents = async ({
  functionName,
  logStreamName,
  eventCount,
  region,
}) => {
  try {
    const cwlClient = new CloudWatchLogsClient({ region });
    const logGroupName = `/aws/lambda/${functionName}`;
    const response = await cwlClient.send(
      new GetLogEventsCommand({
        logStreamName: logStreamName,
        limit: eventCount,
        logGroupName: logGroupName,
      }),
    );

    return [response.events, null];
  } catch (err) {
    return [null, err];
  }
};
```
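The `PreSignUp` handler above logs one line per decision, and `getLogEvents` returns those lines as objects with a `message` field, so the auto-confirm decisions can be audited from the log stream. The following is an added example, not part of the AWS sample code: `classifyPreSignUpLog`, `auditPreSignUp`, the `mismatchThreshold` parameter, and the sample events (including their timestamp and request-id prefix) are constructed for illustration, while the message patterns are taken from the handler's own template strings.

```javascript
// Added example (not AWS sample code). The patterns mirror the template strings
// that the PreSignUp handler above passes to console.log.
const PATTERNS = [
  {
    kind: "received",
    re: /Received presignup from (\S+) for user '([^']*)'/,
    fields: ["triggerSource", "userName"],
  },
  {
    kind: "mismatch",
    re: /UserEmail (\S+) found, but stored UserName '([^']*)' does not match supplied UserName '([^']*)'/,
    fields: ["email", "storedUserName", "suppliedUserName"],
  },
  {
    kind: "confirmed",
    re: /UserEmail (\S+) found with matching UserName (\S+)\. User is confirmed\./,
    fields: ["email", "userName"],
  },
  {
    kind: "unknownEmail",
    re: /Email (\S+) not found\. Email verification is required\./,
    fields: ["email"],
  },
];

// Returns { kind, ...fields } for a handler message, or null for anything else
// (Lambda START/END/REPORT lines, the "Looking up email" line, and so on).
function classifyPreSignUpLog(message) {
  for (const { kind, re, fields } of PATTERNS) {
    const match = re.exec(message);
    if (match) {
      const record = { kind };
      fields.forEach((name, i) => {
        record[name] = match[i + 1];
      });
      return record;
    }
  }
  return null;
}

// Summarizes a batch of log events shaped like the output of getLogEvents.
// mismatchThreshold is a hypothetical tuning knob: known emails that were
// submitted with a non-matching username at least that many times are listed.
function auditPreSignUp(events, mismatchThreshold = 2) {
  const summary = {
    confirmed: [],
    mismatches: [],
    unknownEmails: [],
    otherTriggers: [],
    repeatedMismatchEmails: [],
  };
  const mismatchCounts = new Map();
  for (const event of events) {
    const record = classifyPreSignUpLog(event.message ?? "");
    if (!record) continue;
    if (record.kind === "confirmed") {
      summary.confirmed.push(record);
    } else if (record.kind === "mismatch") {
      summary.mismatches.push(record);
      const key = record.email.toLowerCase();
      mismatchCounts.set(key, (mismatchCounts.get(key) ?? 0) + 1);
    } else if (record.kind === "unknownEmail") {
      summary.unknownEmails.push(record.email);
    } else if (record.kind === "received" && record.triggerSource !== "PreSignUp_SignUp") {
      // The handler returns these events unchanged, so no table lookup was made.
      summary.otherTriggers.push(record);
    }
  }
  for (const [email, count] of mismatchCounts) {
    if (count >= mismatchThreshold) summary.repeatedMismatchEmails.push(email);
  }
  return summary;
}

// Constructed sample events; the tab-separated prefix imitates a Lambda log line.
const prefix = (id) => `2024-05-01T10:00:00.000Z\t${id}\tINFO\t`;
const SAMPLE_EVENTS = [
  { message: "START RequestId: req-1 Version: $LATEST\n" },
  { message: `${prefix("req-1")}Received presignup from PreSignUp_SignUp for user 'test_user_1'\n` },
  { message: `${prefix("req-1")}Looking up email test_email_1@example.com.\n` },
  { message: `${prefix("req-1")}UserEmail test_email_1@example.com found with matching UserName test_user_1. User is confirmed.\n` },
  { message: `${prefix("req-2")}Received presignup from PreSignUp_SignUp for user 'someone_else'\n` },
  { message: `${prefix("req-2")}UserEmail test_email_2@example.com found, but stored UserName 'test_user_2' does not match supplied UserName 'someone_else'. Verification is required.\n` },
  { message: `${prefix("req-3")}UserEmail Test_Email_2@example.com found, but stored UserName 'test_user_2' does not match supplied UserName 'another_name'. Verification is required.\n` },
  { message: `${prefix("req-4")}Email nobody@example.com not found. Email verification is required.\n` },
  { message: `${prefix("req-5")}Received presignup from PreSignUp_AdminCreateUser for user 'test_user_3'\n` },
];

console.log(JSON.stringify(auditPreSignUp(SAMPLE_EVENTS), null, 2));
```

To audit a real run, pass the array returned by `getLogEvents` to `auditPreSignUp`. Every entry in `confirmed` is an account that skipped email verification because of a table match.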
Module of Amazon Cognito actions.  

```
import {
  AdminGetUserCommand,
  CognitoIdentityProviderClient,
  DeleteUserCommand,
  InitiateAuthCommand,
  SignUpCommand,
  UpdateUserPoolCommand,
} from "@aws-sdk/client-cognito-identity-provider";

/**
 * Connect a Lambda function to the PreSignUp trigger for a Cognito user pool
 * @param {{ region: string, userPoolId: string, handlerArn: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").UpdateUserPoolCommandOutput | null, unknown]>}
 */
export const addPreSignUpHandler = async ({
  region,
  userPoolId,
  handlerArn,
}) => {
  try {
    const cognitoClient = new CognitoIdentityProviderClient({
      region,
    });

    const command = new UpdateUserPoolCommand({
      UserPoolId: userPoolId,
      LambdaConfig: {
        PreSignUp: handlerArn,
      },
    });

    const response = await cognitoClient.send(command);
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};

/**
 * Attempt to register a user to a user pool with a given username and password.
 * @param {{
 *   region: string,
 *   userPoolClientId: string,
 *   username: string,
 *   email: string,
 *   password: string
 * }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").SignUpCommandOutput | null, unknown]>}
 */
export const signUpUser = async ({
  region,
  userPoolClientId,
  username,
  email,
  password,
}) => {
  try {
    const cognitoClient = new CognitoIdentityProviderClient({
      region,
    });

    const response = await cognitoClient.send(
      new SignUpCommand({
        ClientId: userPoolClientId,
        Username: username,
        Password: password,
        UserAttributes: [{ Name: "email", Value: email }],
      }),
    );
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};

/**
 * Sign in a user to Amazon Cognito using a username and password authentication flow.
 * @param {{ region: string, clientId: string, username: string, password: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").InitiateAuthCommandOutput | null, unknown]>}
 */
export const signIn = async ({ region, clientId, username, password }) => {
  try {
    const cognitoClient = new CognitoIdentityProviderClient({ region });
    const response = await cognitoClient.send(
      new InitiateAuthCommand({
        AuthFlow: "USER_PASSWORD_AUTH",
        ClientId: clientId,
        AuthParameters: { USERNAME: username, PASSWORD: password },
      }),
    );
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};

/**
 * Retrieve an existing user from a user pool.
 * @param {{ region: string, userPoolId: string, username: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").AdminGetUserCommandOutput | null, unknown]>}
 */
export const getUser = async ({ region, userPoolId, username }) => {
  try {
    const cognitoClient = new CognitoIdentityProviderClient({ region });
    const response = await cognitoClient.send(
      new AdminGetUserCommand({
        UserPoolId: userPoolId,
        Username: username,
      }),
    );
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};

/**
 * Delete the signed-in user. Useful for allowing a user to delete their
 * own profile.
 * @param {{ region: string, accessToken: string }} config
 * @returns {Promise<[import("@aws-sdk/client-cognito-identity-provider").DeleteUserCommandOutput | null, unknown]>}
 */
export const deleteUser = async ({ region, accessToken }) => {
  try {
    const client = new CognitoIdentityProviderClient({ region });
    const response = await client.send(
      new DeleteUserCommand({ AccessToken: accessToken }),
    );
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};
```
Module of DynamoDB actions.  

```
import { DynamoDBClient } from "@aws-sdk/client-dynamodb";
import {
  BatchWriteCommand,
  DynamoDBDocumentClient,
} from "@aws-sdk/lib-dynamodb";

/**
 * Populate a DynamoDB table with the provided items.
 * @param {{ region: string, tableName: string, items: Record<string, unknown>[] }} config
 * @returns {Promise<[import("@aws-sdk/lib-dynamodb").BatchWriteCommandOutput | null, unknown]>}
 */
export const populateTable = async ({ region, tableName, items }) => {
  try {
    const ddbClient = new DynamoDBClient({ region });
    const docClient = DynamoDBDocumentClient.from(ddbClient);
    const response = await docClient.send(
      new BatchWriteCommand({
        RequestItems: {
          [tableName]: items.map((item) => ({
            PutRequest: {
              Item: item,
            },
          })),
        },
      }),
    );
    return [response, null];
  } catch (err) {
    return [null, err];
  }
};
```
+ For API details, see the following topics in *AWS SDK for JavaScript API Reference*.
  + [DeleteUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/DeleteUserCommand)
  + [InitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/InitiateAuthCommand)
  + [SignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/SignUpCommand)
  + [UpdateUserPool](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/UpdateUserPoolCommand)

------

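For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.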

# Automatically migrate known Amazon Cognito users with a Lambda function using an AWS SDK
<a name="cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section"></a>

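The following code example shows how to automatically migrate known Amazon Cognito users with a Lambda function.
+ Configure a user pool to call a Lambda function for the `MigrateUser` trigger.
+ Sign in to Amazon Cognito with a username and email that is not in the user pool.
+ The Lambda function scans a DynamoDB table and automatically migrates known users to the user pool.
+ Perform the forgot password flow to reset the password for the migrated user.
+ Sign in as the new user, then clean up resources.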

------
#### [ Go ]

**SDK for Go V2**  
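 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/workflows/user_pools_and_lambda_triggers#code-examples).
Run an interactive scenario at a command prompt.  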

```
import (
	"context"
	"errors"
	"fmt"
	"log"
	"strings"
	"user_pools_and_lambda_triggers/actions"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// MigrateUser separates the steps of this scenario into individual functions so that
// they are simpler to read and understand.
type MigrateUser struct {
	helper       IScenarioHelper
	questioner   demotools.IQuestioner
	resources    Resources
	cognitoActor *actions.CognitoActions
}

// NewMigrateUser constructs a new migrate user runner.
func NewMigrateUser(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) MigrateUser {
	scenario := MigrateUser{
		helper:       helper,
		questioner:   questioner,
		resources:    Resources{},
		cognitoActor: &actions.CognitoActions{CognitoClient: cognitoidentityprovider.NewFromConfig(sdkConfig)},
	}
	scenario.resources.init(scenario.cognitoActor, questioner)
	return scenario
}

// AddMigrateUserTrigger adds a Lambda handler as an invocation target for the MigrateUser trigger.
func (runner *MigrateUser) AddMigrateUserTrigger(ctx context.Context, userPoolId string, functionArn string) {
	log.Printf("Let's add a Lambda function to handle the MigrateUser trigger from Cognito.\n" +
		"This trigger happens when an unknown user signs in, and lets your function take action before Cognito\n" +
		"rejects the user.\n\n")
	err := runner.cognitoActor.UpdateTriggers(
		ctx, userPoolId,
		actions.TriggerInfo{Trigger: actions.UserMigration, HandlerArn: aws.String(functionArn)})
	if err != nil {
		panic(err)
	}
	log.Printf("Lambda function %v added to user pool %v to handle the MigrateUser trigger.\n",
		functionArn, userPoolId)

	log.Println(strings.Repeat("-", 88))
}

// SignInUser adds a new user to the known users table and signs that user in to Amazon Cognito.
func (runner *MigrateUser) SignInUser(ctx context.Context, usersTable string, clientId string) (bool, actions.User) {
	log.Println("Let's sign in a user to your Cognito user pool. When the username and email matches an entry in the\n" +
		"DynamoDB known users table, the email is automatically verified and the user is migrated to the Cognito user pool.")

	user := actions.User{}
	user.UserName = runner.questioner.Ask("\nEnter a username:")
	user.UserEmail = runner.questioner.Ask("\nEnter an email that you own. This email will be used to confirm user migration\n" +
		"during this example:")

	runner.helper.AddKnownUser(ctx, usersTable, user)

	var err error
	var resetRequired *types.PasswordResetRequiredException
	var authResult *types.AuthenticationResultType
	signedIn := false
	for !signedIn && resetRequired == nil {
		log.Printf("Signing in to Cognito as user '%v'. The expected result is a PasswordResetRequiredException.\n\n", user.UserName)
		authResult, err = runner.cognitoActor.SignIn(ctx, clientId, user.UserName, "_")
		if err != nil {
			if errors.As(err, &resetRequired) {
				log.Printf("\nUser '%v' is not in the Cognito user pool but was found in the DynamoDB known users table.\n"+
					"User migration is started and a password reset is required.", user.UserName)
			} else {
				panic(err)
			}
		} else {
			log.Printf("User '%v' successfully signed in. This is unexpected and probably means you have not\n"+
				"cleaned up a previous run of this scenario, so the user exists in the Cognito user pool.\n"+
				"You can continue this example and select to clean up resources, or manually remove\n"+
				"the user from your user pool and try again.", user.UserName)
			runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, *authResult.AccessToken)
			signedIn = true
		}
	}

	log.Println(strings.Repeat("-", 88))
	return resetRequired != nil, user
}

// ResetPassword starts a password recovery flow.
func (runner *MigrateUser) ResetPassword(ctx context.Context, clientId string, user actions.User) {
	wantCode := runner.questioner.AskBool(fmt.Sprintf("In order to migrate the user to Cognito, you must be able to receive a confirmation\n"+
		"code by email at %v. Do you want to send a code (y/n)?", user.UserEmail), "y")
	if !wantCode {
		log.Println("To complete this example and successfully migrate a user to Cognito, you must enter an email\n" +
			"you own that can receive a confirmation code.")
		return
	}
	codeDelivery, err := runner.cognitoActor.ForgotPassword(ctx, clientId, user.UserName)
	if err != nil {
		panic(err)
	}
	log.Printf("\nA confirmation code has been sent to %v.", *codeDelivery.Destination)
	code := runner.questioner.Ask("Check your email and enter it here:")

	confirmed := false
	password := runner.questioner.AskPassword("\nEnter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.\n"+
		"(the password will not display as you type):", 8)
	for !confirmed {
		log.Printf("\nConfirming password reset for user '%v'.\n", user.UserName)
		err = runner.cognitoActor.ConfirmForgotPassword(ctx, clientId, code, user.UserName, password)
		if err != nil {
			var invalidPassword *types.InvalidPasswordException
			if errors.As(err, &invalidPassword) {
				password = runner.questioner.AskPassword("\nEnter another password:", 8)
			} else {
				panic(err)
			}
		} else {
			confirmed = true
		}
	}
	log.Printf("User '%v' successfully confirmed and migrated.\n", user.UserName)
	log.Println("Signing in with your username and password...")
	authResult, err := runner.cognitoActor.SignIn(ctx, clientId, user.UserName, password)
	if err != nil {
		panic(err)
	}
	log.Printf("Successfully signed in. Your access token starts with: %v...\n", (*authResult.AccessToken)[:10])
	runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, *authResult.AccessToken)

	log.Println(strings.Repeat("-", 88))
}

// Run runs the scenario.
func (runner *MigrateUser) Run(ctx context.Context, stackName string) {
	defer func() {
		if r := recover(); r != nil {
			log.Println("Something went wrong with the demo.")
			runner.resources.Cleanup(ctx)
		}
	}()

	log.Println(strings.Repeat("-", 88))
	log.Printf("Welcome\n")

	log.Println(strings.Repeat("-", 88))

	stackOutputs, err := runner.helper.GetStackOutputs(ctx, stackName)
	if err != nil {
		panic(err)
	}
	runner.resources.userPoolId = stackOutputs["UserPoolId"]

	runner.AddMigrateUserTrigger(ctx, stackOutputs["UserPoolId"], stackOutputs["MigrateUserFunctionArn"])
	runner.resources.triggers = append(runner.resources.triggers, actions.UserMigration)
	resetNeeded, user := runner.SignInUser(ctx, stackOutputs["TableName"], stackOutputs["UserPoolClientId"])
	if resetNeeded {
		runner.helper.ListRecentLogEvents(ctx, stackOutputs["MigrateUserFunction"])
		runner.ResetPassword(ctx, stackOutputs["UserPoolClientId"], user)
	}

	runner.resources.Cleanup(ctx)

	log.Println(strings.Repeat("-", 88))
	log.Println("Thanks for watching!")
	log.Println(strings.Repeat("-", 88))
}
```
Handle the `MigrateUser` trigger with a Lambda function.  

```
import (
	"context"
	"log"
	"os"

	"github.com/aws/aws-lambda-go/events"
	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
)

const TABLE_NAME = "TABLE_NAME"

// UserInfo defines structured user data that can be marshalled to a DynamoDB format.
type UserInfo struct {
	UserName  string `dynamodbav:"UserName"`
	UserEmail string `dynamodbav:"UserEmail"`
}

type handler struct {
	dynamoClient *dynamodb.Client
}

// HandleRequest handles the MigrateUser event by looking up a user in an Amazon DynamoDB table and
// specifying whether they should be migrated to the user pool.
func (h *handler) HandleRequest(ctx context.Context, event events.CognitoEventUserPoolsMigrateUser) (events.CognitoEventUserPoolsMigrateUser, error) {
	log.Printf("Received migrate trigger from %v for user '%v'", event.TriggerSource, event.UserName)
	if event.TriggerSource != "UserMigration_Authentication" {
		return event, nil
	}
	tableName := os.Getenv(TABLE_NAME)
	user := UserInfo{
		UserName: event.UserName,
	}
	log.Printf("Looking up user '%v' in table %v.\n", user.UserName, tableName)
	filterEx := expression.Name("UserName").Equal(expression.Value(user.UserName))
	expr, err := expression.NewBuilder().WithFilter(filterEx).Build()
	if err != nil {
		log.Printf("Error building expression to query for user '%v'.\n", user.UserName)
		return event, err
	}
	output, err := h.dynamoClient.Scan(ctx, &dynamodb.ScanInput{
		TableName:                 aws.String(tableName),
		FilterExpression:          expr.Filter(),
		ExpressionAttributeNames:  expr.Names(),
		ExpressionAttributeValues: expr.Values(),
	})
	if err != nil {
		log.Printf("Error looking up user '%v'.\n", user.UserName)
		return event, err
	}
	if len(output.Items) == 0 {
		log.Printf("User '%v' not found, not migrating user.\n", user.UserName)
		return event, err
	}

	var users []UserInfo
	err = attributevalue.UnmarshalListOfMaps(output.Items, &users)
	if err != nil {
		log.Printf("Couldn't unmarshal DynamoDB items. Here's why: %v\n", err)
		return event, err
	}

	user = users[0]
	log.Printf("UserName '%v' found with email %v. User is migrated and must reset password.\n", user.UserName, user.UserEmail)
	event.CognitoEventUserPoolsMigrateUserResponse.UserAttributes = map[string]string{
		"email":          user.UserEmail,
		"email_verified": "true", // email_verified is required for the forgot password flow.
	}
	event.CognitoEventUserPoolsMigrateUserResponse.FinalUserStatus = "RESET_REQUIRED"
	event.CognitoEventUserPoolsMigrateUserResponse.MessageAction = "SUPPRESS"

	return event, err
}

func main() {
	ctx := context.Background()
	sdkConfig, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		log.Panicln(err)
	}
	h := handler{
		dynamoClient: dynamodb.NewFromConfig(sdkConfig),
	}
	lambda.Start(h.HandleRequest)
}
```
Create a struct that performs common tasks.  

```
import (
	"context"
	"log"
	"strings"
	"time"
	"user_pools_and_lambda_triggers/actions"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// IScenarioHelper defines common functions used by the workflows in this example.
type IScenarioHelper interface {
	Pause(secs int)
	GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error)
	PopulateUserTable(ctx context.Context, tableName string)
	GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error)
	AddKnownUser(ctx context.Context, tableName string, user actions.User)
	ListRecentLogEvents(ctx context.Context, functionName string)
}

// ScenarioHelper contains AWS wrapper structs used by the workflows in this example.
type ScenarioHelper struct {
	questioner  demotools.IQuestioner
	dynamoActor *actions.DynamoActions
	cfnActor    *actions.CloudFormationActions
	cwlActor    *actions.CloudWatchLogsActions
	isTestRun   bool
}

// NewScenarioHelper constructs a new scenario helper.
func NewScenarioHelper(sdkConfig aws.Config, questioner demotools.IQuestioner) ScenarioHelper {
	scenario := ScenarioHelper{
		questioner:  questioner,
		dynamoActor: &actions.DynamoActions{DynamoClient: dynamodb.NewFromConfig(sdkConfig)},
		cfnActor:    &actions.CloudFormationActions{CfnClient: cloudformation.NewFromConfig(sdkConfig)},
		cwlActor:    &actions.CloudWatchLogsActions{CwlClient: cloudwatchlogs.NewFromConfig(sdkConfig)},
	}
	return scenario
}

// Pause waits for the specified number of seconds.
func (helper ScenarioHelper) Pause(secs int) {
	if !helper.isTestRun {
		time.Sleep(time.Duration(secs) * time.Second)
	}
}

// GetStackOutputs gets the outputs from the specified CloudFormation stack in a structured format.
func (helper ScenarioHelper) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) {
	return helper.cfnActor.GetOutputs(ctx, stackName), nil
}

// PopulateUserTable fills the known user table with example data.
func (helper ScenarioHelper) PopulateUserTable(ctx context.Context, tableName string) {
	log.Printf("First, let's add some users to the DynamoDB %v table we'll use for this example.\n", tableName)
	err := helper.dynamoActor.PopulateTable(ctx, tableName)
	if err != nil {
		panic(err)
	}
}

// GetKnownUsers gets the users from the known users table in a structured format.
func (helper ScenarioHelper) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) {
	knownUsers, err := helper.dynamoActor.Scan(ctx, tableName)
	if err != nil {
		log.Printf("Couldn't get known users from table %v. Here's why: %v\n", tableName, err)
	}
	return knownUsers, err
}

// AddKnownUser adds a user to the known users table.
func (helper ScenarioHelper) AddKnownUser(ctx context.Context, tableName string, user actions.User) {
	log.Printf("Adding user '%v' with email '%v' to the DynamoDB known users table...\n",
		user.UserName, user.UserEmail)
	err := helper.dynamoActor.AddUser(ctx, tableName, user)
	if err != nil {
		panic(err)
	}
}

// ListRecentLogEvents gets the most recent log stream and events for the specified Lambda function and displays them.
func (helper ScenarioHelper) ListRecentLogEvents(ctx context.Context, functionName string) {
	log.Println("Waiting a few seconds to let Lambda write to CloudWatch Logs...")
	helper.Pause(10)
	log.Println("Okay, let's check the logs to find what's happened recently with your Lambda function.")
	logStream, err := helper.cwlActor.GetLatestLogStream(ctx, functionName)
	if err != nil {
		panic(err)
	}
	log.Printf("Getting some recent events from log stream %v\n", *logStream.LogStreamName)
	events, err := helper.cwlActor.GetLogEvents(ctx, functionName, *logStream.LogStreamName, 10)
	if err != nil {
		panic(err)
	}
	for _, event := range events {
		log.Printf("\t%v", *event.Message)
	}
	log.Println(strings.Repeat("-", 88))
}
```
Create a struct that wraps Amazon Cognito actions.  

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger.
type Trigger int

const (
	PreSignUp Trigger = iota
	UserMigration
	PostAuthentication
)

type TriggerInfo struct {
	Trigger    Trigger
	HandlerArn *string
}

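// UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value,
// it is removed from the user pool.
// Note: UpdateUserPool sets any setting that is not included in the request to its default value, and this
// call sends only LambdaConfig. Use it on a demo pool, or copy the pool's other settings from the
// DescribeUserPool output into the request.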
func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error {
	output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{
		UserPoolId: aws.String(userPoolId),
	})
	if err != nil {
		log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err)
		return err
	}
	lambdaConfig := output.UserPool.LambdaConfig
	for _, trigger := range triggers {
		switch trigger.Trigger {
		case PreSignUp:
			lambdaConfig.PreSignUp = trigger.HandlerArn
		case UserMigration:
			lambdaConfig.UserMigration = trigger.HandlerArn
		case PostAuthentication:
			lambdaConfig.PostAuthentication = trigger.HandlerArn
		}
	}
	_, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{
		UserPoolId:   aws.String(userPoolId),
		LambdaConfig: lambdaConfig,
	})
	if err != nil {
		log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err)
	}
	return err
}



// SignUp signs up a user with Amazon Cognito.
func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) {
	confirmed := false
	output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{
		ClientId: aws.String(clientId),
		Password: aws.String(password),
		Username: aws.String(userName),
		UserAttributes: []types.AttributeType{
			{Name: aws.String("email"), Value: aws.String(userEmail)},
		},
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err)
		}
	} else {
		confirmed = output.UserConfirmed
	}
	return confirmed, err
}



// SignIn signs in a user to Amazon Cognito using a username and password authentication flow.
func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) {
	var authResult *types.AuthenticationResultType
	output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{
		AuthFlow:       "USER_PASSWORD_AUTH",
		ClientId:       aws.String(clientId),
		AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password},
	})
	if err != nil {
		var resetRequired *types.PasswordResetRequiredException
		if errors.As(err, &resetRequired) {
			log.Println(*resetRequired.Message)
		} else {
			log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err)
		}
	} else {
		authResult = output.AuthenticationResult
	}
	return authResult, err
}



// ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code
// to the user's configured notification destination, such as email.
func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) {
	output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{
		ClientId: aws.String(clientId),
		Username: aws.String(userName),
	})
	if err != nil {
		log.Printf("Couldn't start password reset for user '%v'. Here's why: %v\n", userName, err)
		// output is nil when the call fails, so return before dereferencing it.
		return nil, err
	}
	return output.CodeDeliveryDetails, nil
}



// ConfirmForgotPassword confirms a user with a confirmation code and a new password.
func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error {
	_, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{
		ClientId:         aws.String(clientId),
		ConfirmationCode: aws.String(code),
		Password:         aws.String(password),
		Username:         aws.String(userName),
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err)
		}
	}
	return err
}



// DeleteUser removes a user from the user pool.
func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error {
	_, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{
		AccessToken: aws.String(userAccessToken),
	})
	if err != nil {
		log.Printf("Couldn't delete user. Here's why: %v\n", err)
	}
	return err
}



// AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user
// in a state that requires they enter a new password next time they sign in.
func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error {
	_, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{
		UserPoolId:     aws.String(userPoolId),
		Username:       aws.String(userName),
		MessageAction:  types.MessageActionTypeSuppress,
		UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}},
	})
	if err != nil {
		var userExists *types.UsernameExistsException
		if errors.As(err, &userExists) {
			log.Printf("User %v already exists in the user pool.", userName)
			err = nil
		} else {
			log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}



// AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a
// temporary password.
func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error {
	_, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{
		Password:   aws.String(password),
		UserPoolId: aws.String(userPoolId),
		Username:   aws.String(userName),
		Permanent:  true,
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}
```
Create a struct that wraps DynamoDB actions.  

```
import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
)

// DynamoActions encapsulates the Amazon DynamoDB actions
// used in the examples.
type DynamoActions struct {
	DynamoClient *dynamodb.Client
}

// User defines structured user data.
type User struct {
	UserName  string
	UserEmail string
	LastLogin *LoginInfo `dynamodbav:",omitempty"`
}

// LoginInfo defines structured custom login data.
type LoginInfo struct {
	UserPoolId string
	ClientId   string
	Time       string
}

// UserList defines a list of users.
type UserList struct {
	Users []User
}

// UserNameList returns the usernames contained in a UserList as a list of strings.
func (users *UserList) UserNameList() []string {
	names := make([]string, len(users.Users))
	for i := 0; i < len(users.Users); i++ {
		names[i] = users.Users[i].UserName
	}
	return names
}

// PopulateTable adds a set of test users to the table.
func (actor DynamoActions) PopulateTable(ctx context.Context, tableName string) error {
	var err error
	var item map[string]types.AttributeValue
	var writeReqs []types.WriteRequest
	for i := 1; i < 4; i++ {
		item, err = attributevalue.MarshalMap(User{UserName: fmt.Sprintf("test_user_%v", i), UserEmail: fmt.Sprintf("test_email_%v@example.com", i)})
		if err != nil {
			log.Printf("Couldn't marshal user into DynamoDB format. Here's why: %v\n", err)
			return err
		}
		writeReqs = append(writeReqs, types.WriteRequest{PutRequest: &types.PutRequest{Item: item}})
	}
	_, err = actor.DynamoClient.BatchWriteItem(ctx, &dynamodb.BatchWriteItemInput{
		RequestItems: map[string][]types.WriteRequest{tableName: writeReqs},
	})
	if err != nil {
		log.Printf("Couldn't populate table %v with users. Here's why: %v\n", tableName, err)
	}
	return err
}

// Scan scans the table for all items.
func (actor DynamoActions) Scan(ctx context.Context, tableName string) (UserList, error) {
	var userList UserList
	output, err := actor.DynamoClient.Scan(ctx, &dynamodb.ScanInput{
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Couldn't scan table %v for items. Here's why: %v\n", tableName, err)
	} else {
		err = attributevalue.UnmarshalListOfMaps(output.Items, &userList.Users)
		if err != nil {
			log.Printf("Couldn't unmarshal items into users. Here's why: %v\n", err)
		}
	}
	return userList, err
}

// AddUser adds a user item to a table.
func (actor DynamoActions) AddUser(ctx context.Context, tableName string, user User) error {
	userItem, err := attributevalue.MarshalMap(user)
	if err != nil {
		log.Printf("Couldn't marshal user to item. Here's why: %v\n", err)
		// Stop here so that a marshalling failure is not hidden by the PutItem result.
		return err
	}
	_, err = actor.DynamoClient.PutItem(ctx, &dynamodb.PutItemInput{
		Item:      userItem,
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Couldn't put item in table %v. Here's why: %v", tableName, err)
	}
	return err
}
```
Create a struct that wraps CloudWatch Logs actions.  

```
import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
)

type CloudWatchLogsActions struct {
	CwlClient *cloudwatchlogs.Client
}

// GetLatestLogStream gets the most recent log stream for a Lambda function.
func (actor CloudWatchLogsActions) GetLatestLogStream(ctx context.Context, functionName string) (types.LogStream, error) {
	var logStream types.LogStream
	logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName)
	output, err := actor.CwlClient.DescribeLogStreams(ctx, &cloudwatchlogs.DescribeLogStreamsInput{
		Descending:   aws.Bool(true),
		Limit:        aws.Int32(1),
		LogGroupName: aws.String(logGroupName),
		OrderBy:      types.OrderByLastEventTime,
	})
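	if err != nil {
		log.Printf("Couldn't get log streams for log group %v. Here's why: %v\n", logGroupName, err)
	} else if len(output.LogStreams) == 0 {
		// A function that has not written any logs yet has no log stream to return.
		err = fmt.Errorf("no log streams found in log group %v", logGroupName)
		log.Println(err)
	} else {
		logStream = output.LogStreams[0]
	}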
	return logStream, err
}

// GetLogEvents gets the most recent eventCount events from the specified log stream.
func (actor CloudWatchLogsActions) GetLogEvents(ctx context.Context, functionName string, logStreamName string, eventCount int32) (
	[]types.OutputLogEvent, error) {
	var events []types.OutputLogEvent
	logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName)
	output, err := actor.CwlClient.GetLogEvents(ctx, &cloudwatchlogs.GetLogEventsInput{
		LogStreamName: aws.String(logStreamName),
		Limit:         aws.Int32(eventCount),
		LogGroupName:  aws.String(logGroupName),
	})
	if err != nil {
		log.Printf("Couldn't get log event for log stream %v. Here's why: %v\n", logStreamName, err)
	} else {
		events = output.Events
	}
	return events, err
}
```
Create a struct that wraps CloudFormation actions.  

```
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
)

// StackOutputs defines a map of outputs from a specific stack.
type StackOutputs map[string]string

type CloudFormationActions struct {
	CfnClient *cloudformation.Client
}

// GetOutputs gets the outputs from a CloudFormation stack and puts them into a structured format.
func (actor CloudFormationActions) GetOutputs(ctx context.Context, stackName string) StackOutputs {
	output, err := actor.CfnClient.DescribeStacks(ctx, &cloudformation.DescribeStacksInput{
		StackName: aws.String(stackName),
	})
	if err != nil || len(output.Stacks) == 0 {
		log.Panicf("Couldn't find a CloudFormation stack named %v. Here's why: %v\n", stackName, err)
	}
	stackOutputs := StackOutputs{}
	for _, out := range output.Stacks[0].Outputs {
		stackOutputs[*out.OutputKey] = *out.OutputValue
	}
	return stackOutputs
}
```
Clean up resources.  

```
import (
	"context"
	"log"
	"user_pools_and_lambda_triggers/actions"

	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// Resources keeps track of AWS resources created during an example and handles
// cleanup when the example finishes.
type Resources struct {
	userPoolId       string
	userAccessTokens []string
	triggers         []actions.Trigger

	cognitoActor *actions.CognitoActions
	questioner   demotools.IQuestioner
}

func (resources *Resources) init(cognitoActor *actions.CognitoActions, questioner demotools.IQuestioner) {
	resources.userAccessTokens = []string{}
	resources.triggers = []actions.Trigger{}
	resources.cognitoActor = cognitoActor
	resources.questioner = questioner
}

// Cleanup deletes all AWS resources created during an example.
func (resources *Resources) Cleanup(ctx context.Context) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("Something went wrong during cleanup.\n%v\n", r)
			log.Println("Use the AWS Management Console to remove any remaining resources \n" +
				"that were created for this scenario.")
		}
	}()

	wantDelete := resources.questioner.AskBool("Do you want to remove all of the AWS resources that were created "+
		"during this demo (y/n)?", "y")
	if wantDelete {
		for _, accessToken := range resources.userAccessTokens {
			err := resources.cognitoActor.DeleteUser(ctx, accessToken)
			if err != nil {
				log.Println("Couldn't delete user during cleanup.")
				panic(err)
			}
			log.Println("Deleted user.")
		}
		triggerList := make([]actions.TriggerInfo, len(resources.triggers))
		for i := 0; i < len(resources.triggers); i++ {
			triggerList[i] = actions.TriggerInfo{Trigger: resources.triggers[i], HandlerArn: nil}
		}
		err := resources.cognitoActor.UpdateTriggers(ctx, resources.userPoolId, triggerList...)
		if err != nil {
			log.Println("Couldn't update Cognito triggers during cleanup.")
			panic(err)
		}
		log.Println("Removed Cognito triggers from user pool.")
	} else {
		log.Println("Be sure to remove resources when you're done with them to avoid unexpected charges!")
	}
}
```
+ For API details, see the following topics in *AWS SDK for Go API Reference*.
  + [ConfirmForgotPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ConfirmForgotPassword)
  + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser)
  + [ForgotPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.ForgotPassword)
  + [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth)
  + [SignUp](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.SignUp)
  + [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool)

------

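For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.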

# Sign up a user with an Amazon Cognito user pool that requires MFA using an AWS SDK
<a name="cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section"></a>

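The following code example shows how to:
+ Sign up and confirm a user with a username, password, and email address.
+ Set up multi-factor authentication by associating an MFA application with the user.
+ Sign in by using a password and an MFA code.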
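What the authenticator app and the verifying service compute in the second and third steps, as an added Go example that is not part of the AWS sample code. It assumes the secret code is base32 and that the codes are RFC 6238 TOTP with Google Authenticator's defaults (HMAC-SHA1, 30-second step, 6 digits); the `Verifier` type, its one-step clock-skew window and the constructed secret are illustrative, not Amazon Cognito's implementation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assumed parameters: the RFC 6238 defaults used by Google Authenticator.
const (
	stepSeconds = 30
	digits      = 6
	modulus     = 1000000 // 10^digits
)

var (
	ErrMismatch = errors.New("code does not match")
	ErrReplay   = errors.New("code was already used")
)

// decodeSecret decodes a base32 secret the way a user might type it:
// lower case, grouped with spaces or dashes, with or without padding.
func decodeSecret(secret string) ([]byte, error) {
	clean := strings.NewReplacer(" ", "", "-", "").Replace(secret)
	clean = strings.TrimRight(strings.ToUpper(clean), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(clean)
}

// hotp computes the RFC 4226 one-time password for a single counter value.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects 4 bytes.
	offset := int(sum[len(sum)-1] & 0x0f)
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, bin%modulus)
}

// totp is hotp with the counter derived from the clock.
func totp(key []byte, t time.Time) string {
	return hotp(key, uint64(t.Unix())/stepSeconds)
}

// Verifier checks codes for one user and remembers the last accepted time
// step, so that a code seen once cannot be accepted again (RFC 6238, 5.2).
type Verifier struct {
	key      []byte
	lastStep uint64
	used     bool
}

// Verify accepts a code from the previous, current or next time step.
func (v *Verifier) Verify(code string, now time.Time) error {
	current := uint64(now.Unix()) / stepSeconds
	start := current
	if current > 0 {
		start = current - 1
	}
	for step := start; step <= current+1; step++ {
		want := hotp(v.key, step)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) != 1 {
			continue
		}
		if v.used && step <= v.lastStep {
			return ErrReplay
		}
		v.lastStep, v.used = step, true
		return nil
	}
	return ErrMismatch
}

func main() {
	// Constructed secret: base32 of the RFC 6238 test key "12345678901234567890".
	key, err := decodeSecret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	v := &Verifier{key: key}
	now := time.Now()
	code := totp(key, now)
	fmt.Println("setup code accepted:", v.Verify(code, now) == nil)
	fmt.Println("same code at sign-in:", v.Verify(code, now))
}
```

A verifier of this kind rejects the setup code when it is presented a second time, so the sign-in step needs a code from a later time step.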

------
#### [ .NET ]

**SDK for .NET**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples).

```
namespace CognitoBasics;

public class CognitoBasics
{
    private static ILogger logger = null!;

    static async Task Main(string[] args)
    {
        // Set up dependency injection for Amazon Cognito.
        using var host = Host.CreateDefaultBuilder(args)
            .ConfigureLogging(logging =>
                logging.AddFilter("System", LogLevel.Debug)
                    .AddFilter<DebugLoggerProvider>("Microsoft", LogLevel.Information)
                    .AddFilter<ConsoleLoggerProvider>("Microsoft", LogLevel.Trace))
            .ConfigureServices((_, services) =>
            services.AddAWSService<IAmazonCognitoIdentityProvider>()
            .AddTransient<CognitoWrapper>()
            )
            .Build();

        logger = LoggerFactory.Create(builder => { builder.AddConsole(); })
            .CreateLogger<CognitoBasics>();

        var configuration = new ConfigurationBuilder()
            .SetBasePath(Directory.GetCurrentDirectory())
            .AddJsonFile("settings.json") // Load settings from .json file.
            .AddJsonFile("settings.local.json",
                true) // Optionally load local settings.
            .Build();

        var cognitoWrapper = host.Services.GetRequiredService<CognitoWrapper>();

        Console.WriteLine(new string('-', 80));
        UiMethods.DisplayOverview();
        Console.WriteLine(new string('-', 80));

        // clientId - The app client Id value that you get from the AWS CDK script.
        var clientId = configuration["ClientId"]; // "*** REPLACE WITH CLIENT ID VALUE FROM CDK SCRIPT";

        // poolId - The pool Id that you get from the AWS CDK script.
        var poolId = configuration["PoolId"]!; // "*** REPLACE WITH POOL ID VALUE FROM CDK SCRIPT";
        var userName = configuration["UserName"];
        var password = configuration["Password"];
        var email = configuration["Email"];

        // If the username wasn't set in the configuration file,
        // get it from the user now.
        if (userName is null)
        {
            do
            {
                Console.Write("Username: ");
                userName = Console.ReadLine();
            }
            while (string.IsNullOrEmpty(userName));
        }
        Console.WriteLine($"\nUsername: {userName}");

        // If the password wasn't set in the configuration file,
        // get it from the user now.
        if (password is null)
        {
            do
            {
                Console.Write("Password: ");
                password = Console.ReadLine();
            }
            while (string.IsNullOrEmpty(password));
        }

        // If the email address wasn't set in the configuration file,
        // get it from the user now.
        if (email is null)
        {
            do
            {
                Console.Write("Email: ");
                email = Console.ReadLine();
            } while (string.IsNullOrEmpty(email));
        }

        // Now sign up the user.
        Console.WriteLine($"\nSigning up {userName} with email address: {email}");
        await cognitoWrapper.SignUpAsync(clientId, userName, password, email);

        // Look up the new user's status in the user pool.
        Console.WriteLine($"Adding {userName} to the user pool");
        await cognitoWrapper.GetAdminUserAsync(userName, poolId);

        UiMethods.DisplayTitle("Get confirmation code");
        Console.WriteLine($"Confirmation code sent to {userName}.");
        Console.Write("Would you like to send a new code? (Y/N) ");
        var answer = Console.ReadLine();

        if (answer!.ToLower() == "y")
        {
            await cognitoWrapper.ResendConfirmationCodeAsync(clientId, userName);
            Console.WriteLine("Sending a new confirmation code");
        }

        Console.Write("Enter confirmation code (from Email): ");
        var code = Console.ReadLine();

        await cognitoWrapper.ConfirmSignupAsync(clientId, code, userName);

        UiMethods.DisplayTitle("Checking status");
        Console.WriteLine($"Rechecking the status of {userName} in the user pool");
        await cognitoWrapper.GetAdminUserAsync(userName, poolId);

        Console.WriteLine($"Setting up authenticator for {userName} in the user pool");
        var setupResponse = await cognitoWrapper.InitiateAuthAsync(clientId, userName, password);

        var setupSession = await cognitoWrapper.AssociateSoftwareTokenAsync(setupResponse.Session);
        Console.Write("Enter the 6-digit code displayed in Google Authenticator: ");
        var setupCode = Console.ReadLine();

        var setupResult = await cognitoWrapper.VerifySoftwareTokenAsync(setupSession, setupCode);
        Console.WriteLine($"Setup status: {setupResult}");

        Console.WriteLine($"Now logging in {userName} in the user pool");
        var authSession = await cognitoWrapper.AdminInitiateAuthAsync(clientId, poolId, userName, password);

        Console.Write("Enter a new 6-digit code displayed in Google Authenticator: ");
        var authCode = Console.ReadLine();

        var authResult = await cognitoWrapper.AdminRespondToAuthChallengeAsync(userName, clientId, authCode, authSession, poolId);
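        // The access token is a bearer credential. The demo prints it only to show that sign-in
        // succeeded; keep tokens out of console output and logs in a real application.
        Console.WriteLine($"Authenticated and received access token: {authResult.AccessToken}");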

        Console.WriteLine(new string('-', 80));
        Console.WriteLine("Cognito scenario is complete.");
        Console.WriteLine(new string('-', 80));
    }
}


using System.Net;

namespace CognitoActions;

/// <summary>
/// Methods to perform Amazon Cognito Identity Provider actions.
/// </summary>
public class CognitoWrapper
{
    private readonly IAmazonCognitoIdentityProvider _cognitoService;

    /// <summary>
    /// Constructor for the wrapper class containing Amazon Cognito actions.
    /// </summary>
    /// <param name="cognitoService">The Amazon Cognito client object.</param>
    public CognitoWrapper(IAmazonCognitoIdentityProvider cognitoService)
    {
        _cognitoService = cognitoService;
    }

    /// <summary>
    /// List the Amazon Cognito user pools for an account.
    /// </summary>
    /// <returns>A list of UserPoolDescriptionType objects.</returns>
    public async Task<List<UserPoolDescriptionType>> ListUserPoolsAsync()
    {
        var userPools = new List<UserPoolDescriptionType>();

        var userPoolsPaginator = _cognitoService.Paginators.ListUserPools(new ListUserPoolsRequest());

        await foreach (var response in userPoolsPaginator.Responses)
        {
            userPools.AddRange(response.UserPools);
        }

        return userPools;
    }


    /// <summary>
    /// Get a list of users for the Amazon Cognito user pool.
    /// </summary>
    /// <param name="userPoolId">The user pool ID.</param>
    /// <returns>A list of users.</returns>
    public async Task<List<UserType>> ListUsersAsync(string userPoolId)
    {
        var request = new ListUsersRequest
        {
            UserPoolId = userPoolId
        };

        var users = new List<UserType>();

        var usersPaginator = _cognitoService.Paginators.ListUsers(request);
        await foreach (var response in usersPaginator.Responses)
        {
            users.AddRange(response.Users);
        }

        return users;
    }


    /// <summary>
    /// Respond to an admin authentication challenge.
    /// </summary>
    /// <param name="userName">The name of the user.</param>
    /// <param name="clientId">The client ID.</param>
    /// <param name="mfaCode">The multi-factor authentication code.</param>
    /// <param name="session">The current application session.</param>
    /// <param name="userPoolId">The user pool ID.</param>
    /// <returns>The result of the authentication response.</returns>
    public async Task<AuthenticationResultType> AdminRespondToAuthChallengeAsync(
        string userName,
        string clientId,
        string mfaCode,
        string session,
        string userPoolId)
    {
        Console.WriteLine("SOFTWARE_TOKEN_MFA challenge is generated");

        var challengeResponses = new Dictionary<string, string>();
        challengeResponses.Add("USERNAME", userName);
        challengeResponses.Add("SOFTWARE_TOKEN_MFA_CODE", mfaCode);

        var respondToAuthChallengeRequest = new AdminRespondToAuthChallengeRequest
        {
            ChallengeName = ChallengeNameType.SOFTWARE_TOKEN_MFA,
            ClientId = clientId,
            ChallengeResponses = challengeResponses,
            Session = session,
            UserPoolId = userPoolId,
        };

        var response = await _cognitoService.AdminRespondToAuthChallengeAsync(respondToAuthChallengeRequest);
        Console.WriteLine($"Response to Authentication {response.AuthenticationResult.TokenType}");
        return response.AuthenticationResult;
    }


    /// <summary>
    /// Verify the TOTP and register for MFA.
    /// </summary>
    /// <param name="session">The name of the session.</param>
    /// <param name="code">The MFA code.</param>
    /// <returns>The status of the software token.</returns>
    public async Task<VerifySoftwareTokenResponseType> VerifySoftwareTokenAsync(string session, string code)
    {
        var tokenRequest = new VerifySoftwareTokenRequest
        {
            UserCode = code,
            Session = session,
        };

        var verifyResponse = await _cognitoService.VerifySoftwareTokenAsync(tokenRequest);

        return verifyResponse.Status;
    }


    /// <summary>
    /// Get an MFA token to authenticate the user with the authenticator.
    /// </summary>
    /// <param name="session">The session name.</param>
    /// <returns>The session name.</returns>
    public async Task<string> AssociateSoftwareTokenAsync(string session)
    {
        var softwareTokenRequest = new AssociateSoftwareTokenRequest
        {
            Session = session,
        };

        var tokenResponse = await _cognitoService.AssociateSoftwareTokenAsync(softwareTokenRequest);
        var secretCode = tokenResponse.SecretCode;

        Console.WriteLine($"Use the following secret code to set up the authenticator: {secretCode}");

        return tokenResponse.Session;
    }


    /// <summary>
    /// Initiate an admin auth request.
    /// </summary>
    /// <param name="clientId">The client ID to use.</param>
    /// <param name="userPoolId">The ID of the user pool.</param>
    /// <param name="userName">The username to authenticate.</param>
    /// <param name="password">The user's password.</param>
    /// <returns>The session to use in challenge-response.</returns>
    public async Task<string> AdminInitiateAuthAsync(string clientId, string userPoolId, string userName, string password)
    {
        var authParameters = new Dictionary<string, string>();
        authParameters.Add("USERNAME", userName);
        authParameters.Add("PASSWORD", password);

        var request = new AdminInitiateAuthRequest
        {
            ClientId = clientId,
            UserPoolId = userPoolId,
            AuthParameters = authParameters,
            AuthFlow = AuthFlowType.ADMIN_USER_PASSWORD_AUTH,
        };

        var response = await _cognitoService.AdminInitiateAuthAsync(request);
        return response.Session;
    }

    /// <summary>
    /// Initiate authorization.
    /// </summary>
    /// <param name="clientId">The client Id of the application.</param>
    /// <param name="userName">The name of the user who is authenticating.</param>
    /// <param name="password">The password for the user who is authenticating.</param>
    /// <returns>The response from the initiate auth request.</returns>
    public async Task<InitiateAuthResponse> InitiateAuthAsync(string clientId, string userName, string password)
    {
        var authParameters = new Dictionary<string, string>();
        authParameters.Add("USERNAME", userName);
        authParameters.Add("PASSWORD", password);

        var authRequest = new InitiateAuthRequest
        {
            ClientId = clientId,
            AuthParameters = authParameters,
            AuthFlow = AuthFlowType.USER_PASSWORD_AUTH,
        };

        var response = await _cognitoService.InitiateAuthAsync(authRequest);
        Console.WriteLine($"Result Challenge is : {response.ChallengeName}");

        return response;
    }

    /// <summary>
    /// Confirm that the user has signed up.
    /// </summary>
    /// <param name="clientId">The Id of this application.</param>
    /// <param name="code">The confirmation code sent to the user.</param>
    /// <param name="userName">The username.</param>
    /// <returns>True if successful.</returns>
    public async Task<bool> ConfirmSignupAsync(string clientId, string code, string userName)
    {
        var signUpRequest = new ConfirmSignUpRequest
        {
            ClientId = clientId,
            ConfirmationCode = code,
            Username = userName,
        };

        var response = await _cognitoService.ConfirmSignUpAsync(signUpRequest);
        if (response.HttpStatusCode == HttpStatusCode.OK)
        {
            Console.WriteLine($"{userName} was confirmed");
            return true;
        }
        return false;
    }


    /// <summary>
    /// Initiates and confirms tracking of the device.
    /// </summary>
    /// <param name="accessToken">The user's access token.</param>
    /// <param name="deviceKey">The key of the device from Amazon Cognito.</param>
    /// <param name="deviceName">The device name.</param>
    /// <returns>True if user confirmation is necessary to confirm the device.</returns>
    public async Task<bool> ConfirmDeviceAsync(string accessToken, string deviceKey, string deviceName)
    {
        var request = new ConfirmDeviceRequest
        {
            AccessToken = accessToken,
            DeviceKey = deviceKey,
            DeviceName = deviceName
        };

        var response = await _cognitoService.ConfirmDeviceAsync(request);
        return response.UserConfirmationNecessary;
    }


    /// <summary>
    /// Send a new confirmation code to a user.
    /// </summary>
    /// <param name="clientId">The Id of the client application.</param>
    /// <param name="userName">The username of user who will receive the code.</param>
    /// <returns>The delivery details.</returns>
    public async Task<CodeDeliveryDetailsType> ResendConfirmationCodeAsync(string clientId, string userName)
    {
        var codeRequest = new ResendConfirmationCodeRequest
        {
            ClientId = clientId,
            Username = userName,
        };

        var response = await _cognitoService.ResendConfirmationCodeAsync(codeRequest);

        Console.WriteLine($"Method of delivery is {response.CodeDeliveryDetails.DeliveryMedium}");

        return response.CodeDeliveryDetails;
    }


    /// <summary>
    /// Get the specified user from an Amazon Cognito user pool with administrator access.
    /// </summary>
    /// <param name="userName">The name of the user.</param>
    /// <param name="poolId">The Id of the Amazon Cognito user pool.</param>
    /// <returns>Async task.</returns>
    public async Task<UserStatusType> GetAdminUserAsync(string userName, string poolId)
    {
        AdminGetUserRequest userRequest = new AdminGetUserRequest
        {
            Username = userName,
            UserPoolId = poolId,
        };

        var response = await _cognitoService.AdminGetUserAsync(userRequest);

        Console.WriteLine($"User status {response.UserStatus}");
        return response.UserStatus;
    }


    /// <summary>
    /// Sign up a new user.
    /// </summary>
    /// <param name="clientId">The client Id of the application.</param>
    /// <param name="userName">The username to use.</param>
    /// <param name="password">The user's password.</param>
    /// <param name="email">The email address of the user.</param>
    /// <returns>A Boolean value indicating whether the user was confirmed.</returns>
    public async Task<bool> SignUpAsync(string clientId, string userName, string password, string email)
    {
        var userAttrs = new AttributeType
        {
            Name = "email",
            Value = email,
        };

        var userAttrsList = new List<AttributeType>();

        userAttrsList.Add(userAttrs);

        var signUpRequest = new SignUpRequest
        {
            UserAttributes = userAttrsList,
            Username = userName,
            ClientId = clientId,
            Password = password
        };

        var response = await _cognitoService.SignUpAsync(signUpRequest);
        return response.HttpStatusCode == HttpStatusCode.OK;
    }

}
```
+ For API details, see the following topics in *AWS SDK for .NET API Reference*.
  + [AdminGetUser](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminGetUser)
  + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminInitiateAuth)
  + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge)
  + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/AssociateSoftwareToken)
  + [ConfirmDevice](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ConfirmDevice)
  + [ConfirmSignUp](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ConfirmSignUp)
  + [InitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/InitiateAuth)
  + [ListUsers](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ListUsers)
  + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/ResendConfirmationCode)
  + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/RespondToAuthChallenge)
  + [SignUp](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/SignUp)
  + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/VerifySoftwareToken)

------
#### [ C++ ]

**SDK for C++**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/cognito#code-examples).

```
        Aws::Client::ClientConfiguration clientConfig;
        // Optional: Set to the AWS Region (overrides config file).
        // clientConfig.region = "us-east-1";

//! Scenario that adds a user to an Amazon Cognito user pool.
/*!
  \sa gettingStartedWithUserPools()
  \param clientID: Client ID associated with an Amazon Cognito user pool.
  \param userPoolID: An Amazon Cognito user pool ID.
  \param clientConfig: Aws client configuration.
  \return bool: Successful completion.
 */
bool AwsDoc::Cognito::gettingStartedWithUserPools(const Aws::String &clientID,
                                                  const Aws::String &userPoolID,
                                                  const Aws::Client::ClientConfiguration &clientConfig) {
    printAsterisksLine();
    std::cout
            << "Welcome to the Amazon Cognito example scenario."
            << std::endl;
    printAsterisksLine();

    std::cout
            << "This scenario will add a user to an Amazon Cognito user pool."
            << std::endl;
    Aws::String userName = askQuestion("Enter a new username: ");
    const Aws::String password = askQuestion("Enter a new password: ");
    const Aws::String email = askQuestion("Enter a valid email for the user: ");

    std::cout << "Signing up " << userName << std::endl;

    Aws::CognitoIdentityProvider::CognitoIdentityProviderClient client(clientConfig);
    bool userExists = false;
    do {
        // Reset the flag so that the loop ends once a signup succeeds.
        userExists = false;

        // 1. Add a user with a username, password, and email address.
        Aws::CognitoIdentityProvider::Model::SignUpRequest request;
        request.AddUserAttributes(
                Aws::CognitoIdentityProvider::Model::AttributeType().WithName(
                        "email").WithValue(email));
        request.SetUsername(userName);
        request.SetPassword(password);
        request.SetClientId(clientID);
        Aws::CognitoIdentityProvider::Model::SignUpOutcome outcome =
                client.SignUp(request);

        if (outcome.IsSuccess()) {
            std::cout << "The signup request for " << userName << " was successful."
                      << std::endl;
        }
        else if (outcome.GetError().GetErrorType() ==
                 Aws::CognitoIdentityProvider::CognitoIdentityProviderErrors::USERNAME_EXISTS) {
            std::cout
                    << "The username already exists. Please enter a different username."
                    << std::endl;
            // Ask for a different username before retrying the signup.
            userName = askQuestion("Enter a new username: ");
            userExists = true;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::SignUpRequest. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
    } while (userExists);

    printAsterisksLine();
    std::cout << "Retrieving status of " << userName << " in the user pool."
              << std::endl;
    // 2. Confirm that the user was added to the user pool.
    if (!checkAdminUserStatus(userName, userPoolID, client)) {
        return false;
    }

    std::cout << "A confirmation code was sent to " << email << "." << std::endl;

    bool resend = askYesNoQuestion("Would you like to send a new code? (y/n) ");
    if (resend) {
        // 3. Request a resend of the confirmation code to the email address. (ResendConfirmationCode)
        Aws::CognitoIdentityProvider::Model::ResendConfirmationCodeRequest request;
        request.SetUsername(userName);
        request.SetClientId(clientID);

        Aws::CognitoIdentityProvider::Model::ResendConfirmationCodeOutcome outcome =
                client.ResendConfirmationCode(request);

        if (outcome.IsSuccess()) {
            std::cout
                    << "CognitoIdentityProvider::ResendConfirmationCode was successful."
                    << std::endl;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::ResendConfirmationCode. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
    }

    printAsterisksLine();

    {
        // 4. Send the confirmation code that's received in the email. (ConfirmSignUp)
        const Aws::String confirmationCode = askQuestion(
                "Enter the confirmation code that was emailed: ");
        Aws::CognitoIdentityProvider::Model::ConfirmSignUpRequest request;
        request.SetClientId(clientID);
        request.SetConfirmationCode(confirmationCode);
        request.SetUsername(userName);

        Aws::CognitoIdentityProvider::Model::ConfirmSignUpOutcome outcome =
                client.ConfirmSignUp(request);

        if (outcome.IsSuccess()) {
            std::cout << "ConfirmSignup was Successful."
                      << std::endl;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::ConfirmSignUp. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
    }

    std::cout << "Rechecking the status of " << userName << " in the user pool."
              << std::endl;
    if (!checkAdminUserStatus(userName, userPoolID, client)) {
        return false;
    }

    printAsterisksLine();

    std::cout << "Initiating authorization using the username and password."
              << std::endl;

    Aws::String session;
    // 5. Initiate authorization with username and password. (AdminInitiateAuth)
    if (!adminInitiateAuthorization(clientID, userPoolID,  userName, password, session, client)) {
        return false;
    }

    printAsterisksLine();

    std::cout
            << "Starting setup of time-based one-time password (TOTP) multi-factor authentication (MFA)."
            << std::endl;

    {
        // 6. Request a setup key for one-time password (TOTP)
        //    multi-factor authentication (MFA). (AssociateSoftwareToken)
        Aws::CognitoIdentityProvider::Model::AssociateSoftwareTokenRequest request;
        request.SetSession(session);

        Aws::CognitoIdentityProvider::Model::AssociateSoftwareTokenOutcome outcome =
                client.AssociateSoftwareToken(request);

        if (outcome.IsSuccess()) {
            std::cout
                    << "Enter this setup key into an authenticator app, for example Google Authenticator."
                    << std::endl;
            std::cout << "Setup key: " << outcome.GetResult().GetSecretCode()
                      << std::endl;
#ifdef USING_QR
            printAsterisksLine();
            std::cout << "\nOr scan the QR code in the file '" << QR_CODE_PATH << "'."
                      << std::endl;

            saveQRCode(std::string("otpauth://totp/") + userName + "?secret=" +
                       outcome.GetResult().GetSecretCode());
#endif // USING_QR
            session = outcome.GetResult().GetSession();
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::AssociateSoftwareToken. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
    }
    askQuestion("Type enter to continue...", alwaysTrueTest);

    printAsterisksLine();

    {
        Aws::String userCode = askQuestion(
                "Enter the 6 digit code displayed in the authenticator app: ");

        //  7. Send the MFA code copied from an authenticator app. (VerifySoftwareToken)
        Aws::CognitoIdentityProvider::Model::VerifySoftwareTokenRequest request;
        request.SetUserCode(userCode);
        request.SetSession(session);

        Aws::CognitoIdentityProvider::Model::VerifySoftwareTokenOutcome outcome =
                client.VerifySoftwareToken(request);

        if (outcome.IsSuccess()) {
            std::cout << "Verification of the code was successful."
                      << std::endl;
            session = outcome.GetResult().GetSession();
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::VerifySoftwareToken. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }
    }

    printAsterisksLine();
    std::cout << "You have completed the MFA authentication setup." << std::endl;
    std::cout << "Now, sign in." << std::endl;

    // 8. Initiate authorization again with username and password. (AdminInitiateAuth)
    if (!adminInitiateAuthorization(clientID, userPoolID, userName, password, session, client)) {
        return false;
    }

    Aws::String accessToken;
    {
        Aws::String mfaCode = askQuestion(
                "Re-enter the 6 digit code displayed in the authenticator app: ");

        // 9. Send a new MFA code copied from an authenticator app. (AdminRespondToAuthChallenge)
        Aws::CognitoIdentityProvider::Model::AdminRespondToAuthChallengeRequest request;
        request.AddChallengeResponses("USERNAME", userName);
        request.AddChallengeResponses("SOFTWARE_TOKEN_MFA_CODE", mfaCode);
        request.SetChallengeName(
                Aws::CognitoIdentityProvider::Model::ChallengeNameType::SOFTWARE_TOKEN_MFA);
        request.SetClientId(clientID);
        request.SetUserPoolId(userPoolID);
        request.SetSession(session);

        Aws::CognitoIdentityProvider::Model::AdminRespondToAuthChallengeOutcome outcome =
                client.AdminRespondToAuthChallenge(request);

        if (outcome.IsSuccess()) {
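            // The authentication result holds the access, ID, and refresh tokens,
            // so this output contains live credentials for the user.
            std::cout << "Here is the response to the challenge.\n" <<
                      outcome.GetResult().GetAuthenticationResult().Jsonize().View().WriteReadable()
                      << std::endl;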

            accessToken = outcome.GetResult().GetAuthenticationResult().GetAccessToken();
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::AdminRespondToAuthChallenge. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
            return false;
        }

        std::cout << "You have successfully added a user to Amazon Cognito."
                  << std::endl;
    }

    if (askYesNoQuestion("Would you like to delete the user that you just added? (y/n) ")) {
        // 10. Delete the user that you just added. (DeleteUser)
        Aws::CognitoIdentityProvider::Model::DeleteUserRequest request;
        request.SetAccessToken(accessToken);

        Aws::CognitoIdentityProvider::Model::DeleteUserOutcome outcome =
                client.DeleteUser(request);

        if (outcome.IsSuccess()) {
            std::cout << "The user " << userName << " was deleted."
                      << std::endl;
        }
        else {
            std::cerr << "Error with CognitoIdentityProvider::DeleteUser. "
                      << outcome.GetError().GetMessage()
                      << std::endl;
        }
    }

    return true;
}

//! Routine which checks the user status in an Amazon Cognito user pool.
/*!
 \sa checkAdminUserStatus()
 \param userName: A username.
 \param userPoolID: An Amazon Cognito user pool ID.
 \param client: An Amazon Cognito identity provider client.
 \return bool: Successful completion.
 */
bool AwsDoc::Cognito::checkAdminUserStatus(const Aws::String &userName,
                                           const Aws::String &userPoolID,
                                           const Aws::CognitoIdentityProvider::CognitoIdentityProviderClient &client) {
    Aws::CognitoIdentityProvider::Model::AdminGetUserRequest request;
    request.SetUsername(userName);
    request.SetUserPoolId(userPoolID);

    Aws::CognitoIdentityProvider::Model::AdminGetUserOutcome outcome =
            client.AdminGetUser(request);

    if (outcome.IsSuccess()) {
        std::cout << "The status for " << userName << " is " <<
                  Aws::CognitoIdentityProvider::Model::UserStatusTypeMapper::GetNameForUserStatusType(
                          outcome.GetResult().GetUserStatus()) << std::endl;
        std::cout << "Enabled is " << outcome.GetResult().GetEnabled() << std::endl;
    }
    else {
        std::cerr << "Error with CognitoIdentityProvider::AdminGetUser. "
                  << outcome.GetError().GetMessage()
                  << std::endl;
    }

    return outcome.IsSuccess();
}

//! Routine which starts authorization of an Amazon Cognito user.
//! This routine requires administrator credentials.
/*!
 \sa adminInitiateAuthorization()
 \param clientID: Client ID associated with an Amazon Cognito user pool.
 \param userPoolID: An Amazon Cognito user pool ID.
 \param userName: A username.
 \param password: A password.
 \param sessionResult: String to receive a session token.
 \param client: An Amazon Cognito identity provider client.
 \return bool: Successful completion.
 */
bool AwsDoc::Cognito::adminInitiateAuthorization(const Aws::String &clientID,
                                                 const Aws::String &userPoolID,
                                                 const Aws::String &userName,
                                                 const Aws::String &password,
                                                 Aws::String &sessionResult,
                                                 const Aws::CognitoIdentityProvider::CognitoIdentityProviderClient &client) {
    Aws::CognitoIdentityProvider::Model::AdminInitiateAuthRequest request;
    request.SetClientId(clientID);
    request.SetUserPoolId(userPoolID);
    request.AddAuthParameters("USERNAME", userName);
    request.AddAuthParameters("PASSWORD", password);
    request.SetAuthFlow(
            Aws::CognitoIdentityProvider::Model::AuthFlowType::ADMIN_USER_PASSWORD_AUTH);


    Aws::CognitoIdentityProvider::Model::AdminInitiateAuthOutcome outcome =
            client.AdminInitiateAuth(request);

    if (outcome.IsSuccess()) {
        std::cout << "Call to AdminInitiateAuth was successful." << std::endl;
        sessionResult = outcome.GetResult().GetSession();
    }
    else {
        std::cerr << "Error with CognitoIdentityProvider::AdminInitiateAuth. "
                  << outcome.GetError().GetMessage()
                  << std::endl;
    }

    return outcome.IsSuccess();
}
```
+ For API details, see the following topics in *AWS SDK for C++ API Reference*.
  + [AdminGetUser](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminGetUser)
  + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminInitiateAuth)
  + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AdminRespondToAuthChallenge)
  + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/AssociateSoftwareToken)
  + [ConfirmDevice](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmDevice)
  + [ConfirmSignUp](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ConfirmSignUp)
  + [InitiateAuth](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/InitiateAuth)
  + [ListUsers](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ListUsers)
  + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/ResendConfirmationCode)
  + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/RespondToAuthChallenge)
  + [SignUp](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/SignUp)
  + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/SdkForCpp/cognito-idp-2016-04-18/VerifySoftwareToken)
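
What an authenticator app does with the setup key returned by `AssociateSoftwareToken`, as an added Python example that is not part of the AWS code samples: it builds the `otpauth://` URI with the issuer and account name percent-encoded (the C++ listing above concatenates the username as is) and derives the 6-digit code per RFC 6238. The function names, the issuer `Example App`, and the HMAC-SHA-1 / 30-second / 6-digit defaults are assumptions; the sample key is the RFC 6238 test key, not a value from Amazon Cognito.

```python
"""TOTP helper for the MFA steps of the scenario (added example, not AWS sample code)."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Constructed sample: the RFC 6238 test key "12345678901234567890" in Base32.
# A real setup key comes from the SecretCode field of AssociateSoftwareToken.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_setup_key(secret_code):
    """Return (normalized Base32 text, raw key bytes) or raise ValueError."""
    cleaned = secret_code.replace(" ", "").replace("-", "").upper().rstrip("=")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    try:
        key = base64.b32decode(padded)
    except ValueError:
        # Keep the secret itself out of the error message and any log line.
        raise ValueError("setup key is not valid Base32") from None
    if not key:
        raise ValueError("setup key is empty")
    return cleaned, key


def totp(secret_code, for_time=None, step=30, digits=6):
    """Compute the RFC 6238 code (HMAC-SHA-1) for the given Unix time."""
    _, key = decode_setup_key(secret_code)
    now = time.time() if for_time is None else for_time
    counter = int(now) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte is the offset.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_remaining(for_time=None, step=30):
    """Seconds until the current code is replaced by the next one."""
    now = time.time() if for_time is None else for_time
    return step - int(now) % step


def otpauth_uri(account, secret_code, issuer):
    """Build an otpauth:// URI with the label and parameters percent-encoded."""
    cleaned, _ = decode_setup_key(secret_code)
    # Reserved characters in a username (@, ?, #, space) must not reach the URI raw.
    label = quote(issuer, safe="") + ":" + quote(account, safe="")
    query = urlencode({"secret": cleaned, "issuer": issuer}, quote_via=quote)
    return f"otpauth://totp/{label}?{query}"


if __name__ == "__main__":
    # Hypothetical account and issuer names, used only for this demonstration.
    print(otpauth_uri("alice@example.com", SAMPLE_SECRET, "Example App"))
    print("Current code:", totp(SAMPLE_SECRET),
          "valid for", seconds_remaining(), "more seconds")
```

The code changes every 30 seconds, which is why the scenario asks for a new code when it signs in again after verifying the first one.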

------
#### [ Java ]

**SDK for Java 2.x**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/cognito#code-examples).

```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.cognitoidentityprovider.CognitoIdentityProviderClient;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminGetUserResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminInitiateAuthResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminRespondToAuthChallengeRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AdminRespondToAuthChallengeResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AssociateSoftwareTokenRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AssociateSoftwareTokenResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AttributeType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.AuthFlowType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ChallengeNameType;
import software.amazon.awssdk.services.cognitoidentityprovider.model.CognitoIdentityProviderException;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ConfirmSignUpRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ResendConfirmationCodeRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.ResendConfirmationCodeResponse;
import software.amazon.awssdk.services.cognitoidentityprovider.model.SignUpRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.VerifySoftwareTokenRequest;
import software.amazon.awssdk.services.cognitoidentityprovider.model.VerifySoftwareTokenResponse;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Scanner;

/**
 * Before running this Java V2 code example, set up your development
 * environment, including your credentials.
 *
 * For more information, see the following documentation:
 *
 * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
 *
 * TIP: To set up the required user pool, run the AWS Cloud Development Kit (AWS
 * CDK) script provided in this GitHub repo at
 * resources/cdk/cognito_scenario_user_pool_with_mfa.
 *
 * This code example performs the following operations:
 *
 * 1. Invokes the signUp method to sign up a user.
 * 2. Invokes the adminGetUser method to get the user's confirmation status.
 * 3. Invokes the ResendConfirmationCode method if the user requested another
 * code.
 * 4. Invokes the confirmSignUp method.
 * 5. Invokes the AdminInitiateAuth to sign in. This results in being prompted
 * to set up TOTP (time-based one-time password). (The response is
 * "ChallengeName": "MFA_SETUP").
 * 6. Invokes the AssociateSoftwareToken method to generate a TOTP MFA private
 * key. This can be used with Google Authenticator.
 * 7. Invokes the VerifySoftwareToken method to verify the TOTP and register for
 * MFA.
 * 8. Invokes the AdminInitiateAuth to sign in again. This results in being
 * prompted to submit a TOTP (Response: "ChallengeName": "SOFTWARE_TOKEN_MFA").
 * 9. Invokes the AdminRespondToAuthChallenge to get back a token.
 */

public class CognitoMVP {
    public static final String DASHES = new String(new char[80]).replace("\0", "-");

    public static void main(String[] args) throws NoSuchAlgorithmException, InvalidKeyException {
        final String usage = """

                Usage:
                    <clientId> <poolId>

                Where:
                    clientId - The app client Id value that you can get from the AWS CDK script.
                    poolId - The pool Id that you can get from the AWS CDK script.\s
                """;

        if (args.length != 2) {
            System.out.println(usage);
            System.exit(1);
        }

        String clientId = args[0];
        String poolId = args[1];
        CognitoIdentityProviderClient identityProviderClient = CognitoIdentityProviderClient.builder()
                .region(Region.US_EAST_1)
                .build();

        System.out.println(DASHES);
        System.out.println("Welcome to the Amazon Cognito example scenario.");
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("*** Enter your user name");
        Scanner in = new Scanner(System.in);
        String userName = in.nextLine();

        System.out.println("*** Enter your password");
        String password = in.nextLine();

        System.out.println("*** Enter your email");
        String email = in.nextLine();

        System.out.println("1. Signing up " + userName);
        signUp(identityProviderClient, clientId, userName, password, email);
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("2. Getting " + userName + " in the user pool");
        getAdminUser(identityProviderClient, userName, poolId);

        System.out
                .println("*** Confirmation code sent to " + userName + ". Would you like to send a new code? (Yes/No)");
        System.out.println(DASHES);

        System.out.println(DASHES);
        String ans = in.nextLine();

        if (ans.compareTo("Yes") == 0) {
            System.out.println("3. Sending a new confirmation code");
            resendConfirmationCode(identityProviderClient, clientId, userName);
        }
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("4. Enter confirmation code that was emailed");
        String code = in.nextLine();
        confirmSignUp(identityProviderClient, clientId, code, userName);
        System.out.println("Rechecking the status of " + userName + " in the user pool");
        getAdminUser(identityProviderClient, userName, poolId);
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("5. Invokes the initiateAuth to sign in");
        AdminInitiateAuthResponse authResponse = initiateAuth(identityProviderClient, clientId, userName, password,
                poolId);
        String mySession = authResponse.session();
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("6. Invokes the AssociateSoftwareToken method to generate a TOTP key");
        String newSession = getSecretForAppMFA(identityProviderClient, mySession);
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("*** Enter the 6-digit code displayed in Google Authenticator");
        String myCode = in.nextLine();
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("7. Verify the TOTP and register for MFA");
        verifyTOTP(identityProviderClient, newSession, myCode);
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("8. Re-enter a 6-digit code displayed in Google Authenticator");
        String mfaCode = in.nextLine();
        AdminInitiateAuthResponse authResponse1 = initiateAuth(identityProviderClient, clientId, userName, password,
                poolId);
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("9. Invokes the AdminRespondToAuthChallenge");
        String session2 = authResponse1.session();
        adminRespondToAuthChallenge(identityProviderClient, userName, clientId, poolId, mfaCode, session2);
        System.out.println(DASHES);

        System.out.println(DASHES);
        System.out.println("All Amazon Cognito operations were successfully performed");
        System.out.println(DASHES);
    }

    // Respond to an authentication challenge.
    public static void adminRespondToAuthChallenge(CognitoIdentityProviderClient identityProviderClient,
            String userName, String clientId, String poolId, String mfaCode, String session) {
        System.out.println("SOFTWARE_TOKEN_MFA challenge is generated");
        Map<String, String> challengeResponses = new HashMap<>();

        challengeResponses.put("USERNAME", userName);
        challengeResponses.put("SOFTWARE_TOKEN_MFA_CODE", mfaCode);

        // AdminRespondToAuthChallenge requires the user pool ID as well as the app client ID.
        AdminRespondToAuthChallengeRequest respondToAuthChallengeRequest = AdminRespondToAuthChallengeRequest.builder()
                .challengeName(ChallengeNameType.SOFTWARE_TOKEN_MFA)
                .clientId(clientId)
                .userPoolId(poolId)
                .challengeResponses(challengeResponses)
                .session(session)
                .build();

        AdminRespondToAuthChallengeResponse respondToAuthChallengeResult = identityProviderClient
                .adminRespondToAuthChallenge(respondToAuthChallengeRequest);
        System.out.println("respondToAuthChallengeResult.getAuthenticationResult()"
                + respondToAuthChallengeResult.authenticationResult());
    }

    // Verify the TOTP and register for MFA.
    public static void verifyTOTP(CognitoIdentityProviderClient identityProviderClient, String session, String code) {
        try {
            VerifySoftwareTokenRequest tokenRequest = VerifySoftwareTokenRequest.builder()
                    .userCode(code)
                    .session(session)
                    .build();

            VerifySoftwareTokenResponse verifyResponse = identityProviderClient.verifySoftwareToken(tokenRequest);
            System.out.println("The status of the token is " + verifyResponse.statusAsString());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }

    public static AdminInitiateAuthResponse initiateAuth(CognitoIdentityProviderClient identityProviderClient,
            String clientId, String userName, String password, String userPoolId) {
        try {
            Map<String, String> authParameters = new HashMap<>();
            authParameters.put("USERNAME", userName);
            authParameters.put("PASSWORD", password);

            AdminInitiateAuthRequest authRequest = AdminInitiateAuthRequest.builder()
                    .clientId(clientId)
                    .userPoolId(userPoolId)
                    .authParameters(authParameters)
                    .authFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                    .build();

            AdminInitiateAuthResponse response = identityProviderClient.adminInitiateAuth(authRequest);
            System.out.println("Result Challenge is : " + response.challengeName());
            return response;

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }

        return null;
    }

    public static String getSecretForAppMFA(CognitoIdentityProviderClient identityProviderClient, String session) {
        AssociateSoftwareTokenRequest softwareTokenRequest = AssociateSoftwareTokenRequest.builder()
                .session(session)
                .build();

        AssociateSoftwareTokenResponse tokenResponse = identityProviderClient
                .associateSoftwareToken(softwareTokenRequest);
        String secretCode = tokenResponse.secretCode();
        System.out.println("Enter this token into Google Authenticator");
        System.out.println(secretCode);
        return tokenResponse.session();
    }

    public static void confirmSignUp(CognitoIdentityProviderClient identityProviderClient, String clientId, String code,
            String userName) {
        try {
            ConfirmSignUpRequest signUpRequest = ConfirmSignUpRequest.builder()
                    .clientId(clientId)
                    .confirmationCode(code)
                    .username(userName)
                    .build();

            identityProviderClient.confirmSignUp(signUpRequest);
            System.out.println(userName + " was confirmed");

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }

    public static void resendConfirmationCode(CognitoIdentityProviderClient identityProviderClient, String clientId,
            String userName) {
        try {
            ResendConfirmationCodeRequest codeRequest = ResendConfirmationCodeRequest.builder()
                    .clientId(clientId)
                    .username(userName)
                    .build();

            ResendConfirmationCodeResponse response = identityProviderClient.resendConfirmationCode(codeRequest);
            System.out.println("Method of delivery is " + response.codeDeliveryDetails().deliveryMediumAsString());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }

    public static void signUp(CognitoIdentityProviderClient identityProviderClient, String clientId, String userName,
            String password, String email) {
        AttributeType userAttrs = AttributeType.builder()
                .name("email")
                .value(email)
                .build();

        List<AttributeType> userAttrsList = new ArrayList<>();
        userAttrsList.add(userAttrs);
        try {
            SignUpRequest signUpRequest = SignUpRequest.builder()
                    .userAttributes(userAttrsList)
                    .username(userName)
                    .clientId(clientId)
                    .password(password)
                    .build();

            identityProviderClient.signUp(signUpRequest);
            System.out.println("User has been signed up ");

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }

    public static void getAdminUser(CognitoIdentityProviderClient identityProviderClient, String userName,
            String poolId) {
        try {
            AdminGetUserRequest userRequest = AdminGetUserRequest.builder()
                    .username(userName)
                    .userPoolId(poolId)
                    .build();

            AdminGetUserResponse response = identityProviderClient.adminGetUser(userRequest);
            System.out.println("User status " + response.userStatusAsString());

        } catch (CognitoIdentityProviderException e) {
            System.err.println(e.awsErrorDetails().errorMessage());
            System.exit(1);
        }
    }
}
```
+ For API details, see the following topics in *AWS SDK for Java 2.x API Reference*.
  + [AdminGetUser](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminGetUser)
  + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminInitiateAuth)
  + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AdminRespondToAuthChallenge)
  + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/AssociateSoftwareToken)
  + [ConfirmDevice](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmDevice)
  + [ConfirmSignUp](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ConfirmSignUp)
  + [InitiateAuth](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/InitiateAuth)
  + [ListUsers](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ListUsers)
  + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/ResendConfirmationCode)
  + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/RespondToAuthChallenge)
  + [SignUp](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/SignUp)
  + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/SdkForJavaV2/cognito-idp-2016-04-18/VerifySoftwareToken)

------
#### [ JavaScript ]

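**SDK for JavaScript (v3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider/scenarios/basic#code-examples).
For the best experience, clone the GitHub repository and run this example. The following code represents a sample of the full example application.  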

```
import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js";
import { signUp } from "../../../actions/sign-up.js";
import { FILE_USER_POOLS } from "./constants.js";
import { getSecondValuesFromEntries } from "@aws-doc-sdk-examples/lib/utils/util-csv.js";

const validateClient = (clientId) => {
  if (!clientId) {
    throw new Error(
      `App client id is missing. Did you run 'create-user-pool'?`,
    );
  }
};

const validateUser = (username, password, email) => {
  if (!(username && password && email)) {
    throw new Error(
      `Username, password, and email must be provided as arguments to the 'sign-up' command.`,
    );
  }
};

const signUpHandler = async (commands) => {
  const [_, username, password, email] = commands;

  try {
    validateUser(username, password, email);
    /**
     * @type {string[]}
     */
    const values = getSecondValuesFromEntries(FILE_USER_POOLS);
    const clientId = values[0];
    validateClient(clientId);
    logger.log("Signing up.");
    await signUp({ clientId, username, password, email });
    logger.log(`Signed up. A confirmation email has been sent to: ${email}.`);
    logger.log(
      `Run 'confirm-sign-up ${username} <code>' to confirm your account.`,
    );
  } catch (err) {
    logger.error(err);
  }
};

export { signUpHandler };

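// actions/sign-up.js (the action imported by the handler above)
import {
  SignUpCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const signUp = ({ clientId, username, password, email }) => {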
  const client = new CognitoIdentityProviderClient({});

  const command = new SignUpCommand({
    ClientId: clientId,
    Username: username,
    Password: password,
    UserAttributes: [{ Name: "email", Value: email }],
  });

  return client.send(command);
};

import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js";
import { confirmSignUp } from "../../../actions/confirm-sign-up.js";
import { FILE_USER_POOLS } from "./constants.js";
import { getSecondValuesFromEntries } from "@aws-doc-sdk-examples/lib/utils/util-csv.js";

const validateClient = (clientId) => {
  if (!clientId) {
    throw new Error(
      `App client id is missing. Did you run 'create-user-pool'?`,
    );
  }
};

const validateUser = (username) => {
  if (!username) {
    throw new Error(
      `Username is missing. It must be provided as an argument to the 'confirm-sign-up' command.`,
    );
  }
};

const validateCode = (code) => {
  if (!code) {
    throw new Error(
      `Verification code is missing. It must be provided as an argument to the 'confirm-sign-up' command.`,
    );
  }
};

const confirmSignUpHandler = async (commands) => {
  const [_, username, code] = commands;

  try {
    validateUser(username);
    validateCode(code);
    /**
     * @type {string[]}
     */
    const values = getSecondValuesFromEntries(FILE_USER_POOLS);
    const clientId = values[0];
    validateClient(clientId);
    logger.log("Confirming user.");
    await confirmSignUp({ clientId, username, code });
    logger.log(
      `User confirmed. Run 'admin-initiate-auth ${username} <password>' to sign in.`,
    );
  } catch (err) {
    logger.error(err);
  }
};

export { confirmSignUpHandler };

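// actions/confirm-sign-up.js (the action imported by the handler above)
import {
  ConfirmSignUpCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const confirmSignUp = ({ clientId, username, code }) => {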
  const client = new CognitoIdentityProviderClient({});

  const command = new ConfirmSignUpCommand({
    ClientId: clientId,
    Username: username,
    ConfirmationCode: code,
  });

  return client.send(command);
};

import qrcode from "qrcode-terminal";
import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js";
import { adminInitiateAuth } from "../../../actions/admin-initiate-auth.js";
import { associateSoftwareToken } from "../../../actions/associate-software-token.js";
import { FILE_USER_POOLS } from "./constants.js";
import { getFirstEntry } from "@aws-doc-sdk-examples/lib/utils/util-csv.js";

const handleMfaSetup = async (session, username) => {
  const { SecretCode, Session } = await associateSoftwareToken(session);

  // Store the Session for use with 'VerifySoftwareToken'.
  process.env.SESSION = Session;

  console.log(
    "Scan this code in your preferred authenticator app, then run 'verify-software-token' to finish the setup.",
  );
  qrcode.generate(
    `otpauth://totp/${username}?secret=${SecretCode}`,
    { small: true },
    console.log,
  );
};

const handleSoftwareTokenMfa = (session) => {
  // Store the Session for use with 'AdminRespondToAuthChallenge'.
  process.env.SESSION = session;
};

const validateClient = (id) => {
  if (!id) {
    throw new Error(
      `User pool client id is missing. Did you run 'create-user-pool'?`,
    );
  }
};

const validateId = (id) => {
  if (!id) {
    throw new Error(`User pool id is missing. Did you run 'create-user-pool'?`);
  }
};

const validateUser = (username, password) => {
  if (!(username && password)) {
    throw new Error(
      `Username and password must be provided as arguments to the 'admin-initiate-auth' command.`,
    );
  }
};

const adminInitiateAuthHandler = async (commands) => {
  const [_, username, password] = commands;

  try {
    validateUser(username, password);

    const [userPoolId, clientId] = getFirstEntry(FILE_USER_POOLS);
    validateId(userPoolId);
    validateClient(clientId);

    logger.log("Signing in.");
    const { ChallengeName, Session } = await adminInitiateAuth({
      clientId,
      userPoolId,
      username,
      password,
    });

    if (ChallengeName === "MFA_SETUP") {
      logger.log("MFA setup is required.");
      return handleMfaSetup(Session, username);
    }

    if (ChallengeName === "SOFTWARE_TOKEN_MFA") {
      handleSoftwareTokenMfa(Session);
      logger.log(`Run 'admin-respond-to-auth-challenge ${username} <totp>'`);
    }
  } catch (err) {
    logger.error(err);
  }
};

export { adminInitiateAuthHandler };

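// actions/admin-initiate-auth.js (the action imported by the handler above)
import {
  AdminInitiateAuthCommand,
  AuthFlowType,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const adminInitiateAuth = ({ clientId, userPoolId, username, password }) => {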
  const client = new CognitoIdentityProviderClient({});

  const command = new AdminInitiateAuthCommand({
    ClientId: clientId,
    UserPoolId: userPoolId,
    AuthFlow: AuthFlowType.ADMIN_USER_PASSWORD_AUTH,
    AuthParameters: { USERNAME: username, PASSWORD: password },
  });

  return client.send(command);
};

import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js";
import { adminRespondToAuthChallenge } from "../../../actions/admin-respond-to-auth-challenge.js";
import { getFirstEntry } from "@aws-doc-sdk-examples/lib/utils/util-csv.js";
import { FILE_USER_POOLS } from "./constants.js";

const verifyUsername = (username) => {
  if (!username) {
    throw new Error(
      `Username is missing. It must be provided as an argument to the 'admin-respond-to-auth-challenge' command.`,
    );
  }
};

const verifyTotp = (totp) => {
  if (!totp) {
    throw new Error(
      `Time-based one-time password (TOTP) is missing. It must be provided as an argument to the 'admin-respond-to-auth-challenge' command.`,
    );
  }
};

const storeAccessToken = (token) => {
  process.env.AccessToken = token;
};

const adminRespondToAuthChallengeHandler = async (commands) => {
  const [_, username, totp] = commands;

  try {
    verifyUsername(username);
    verifyTotp(totp);

    const [userPoolId, clientId] = getFirstEntry(FILE_USER_POOLS);
    const session = process.env.SESSION;

    const { AuthenticationResult } = await adminRespondToAuthChallenge({
      clientId,
      userPoolId,
      username,
      totp,
      session,
    });

    storeAccessToken(AuthenticationResult.AccessToken);

    logger.log("Successfully authenticated.");
  } catch (err) {
    logger.error(err);
  }
};

export { adminRespondToAuthChallengeHandler };

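// actions/admin-respond-to-auth-challenge.js (the action imported by the handler above)
import {
  AdminRespondToAuthChallengeCommand,
  ChallengeNameType,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

// The handler calls the admin operation and passes the code as 'totp'.
// UserPoolId is a parameter of the admin operation.
const adminRespondToAuthChallenge = ({
  clientId,
  username,
  session,
  userPoolId,
  totp,
}) => {
  const client = new CognitoIdentityProviderClient({});

  const command = new AdminRespondToAuthChallengeCommand({
    ChallengeName: ChallengeNameType.SOFTWARE_TOKEN_MFA,
    ChallengeResponses: {
      SOFTWARE_TOKEN_MFA_CODE: totp,
      USERNAME: username,
    },
    ClientId: clientId,
    UserPoolId: userPoolId,
    Session: session,
  });

  return client.send(command);
};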

import { logger } from "@aws-doc-sdk-examples/lib/utils/util-log.js";
import { verifySoftwareToken } from "../../../actions/verify-software-token.js";

const validateTotp = (totp) => {
  if (!totp) {
    throw new Error(
      `Time-based one-time password (TOTP) must be provided to the 'verify-software-token' command.`,
    );
  }
};
const verifySoftwareTokenHandler = async (commands) => {
  const [_, totp] = commands;

  try {
    validateTotp(totp);

    logger.log("Verifying TOTP.");
    await verifySoftwareToken(totp);
    logger.log("TOTP Verified. Run 'admin-initiate-auth' again to sign-in.");
  } catch (err) {
    logger.error(err);
  }
};

export { verifySoftwareTokenHandler };

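// actions/verify-software-token.js (the action imported by the handler above)
import {
  VerifySoftwareTokenCommand,
  CognitoIdentityProviderClient,
} from "@aws-sdk/client-cognito-identity-provider";

const verifySoftwareToken = (totp) => {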
  const client = new CognitoIdentityProviderClient({});

  // The 'Session' is provided in the response to 'AssociateSoftwareToken'.
  const session = process.env.SESSION;

  if (!session) {
    throw new Error(
      "Missing a valid Session. Did you run 'admin-initiate-auth'?",
    );
  }

  const command = new VerifySoftwareTokenCommand({
    Session: session,
    UserCode: totp,
  });

  return client.send(command);
};
```
+ For API details, see the following topics in *AWS SDK for JavaScript API Reference*.
  + [AdminGetUser](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminGetUserCommand)
  + [AdminInitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminInitiateAuthCommand)
  + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AdminRespondToAuthChallengeCommand)
  + [AssociateSoftwareToken](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/AssociateSoftwareTokenCommand)
  + [ConfirmDevice](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ConfirmDeviceCommand)
  + [ConfirmSignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ConfirmSignUpCommand)
  + [InitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/InitiateAuthCommand)
  + [ListUsers](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ListUsersCommand)
  + [ResendConfirmationCode](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/ResendConfirmationCodeCommand)
  + [RespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/RespondToAuthChallengeCommand)
  + [SignUp](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/SignUpCommand)
  + [VerifySoftwareToken](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/VerifySoftwareTokenCommand)
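
The MFA setup handler above builds an `otpauth://` URI from the `SecretCode`, and the user then submits a 6-digit code to `VerifySoftwareToken`. The following is an added example, not part of the AWS sample, that derives that code (RFC 6238) and builds the URI with the label URL-encoded. It assumes the authenticator-app defaults (Base32 secret, HMAC-SHA-1, 30-second step, 6 digits); all function names, the issuer and the sample user name are hypothetical, and the secret is the RFC 6238 test key.

```javascript
// Added example, not part of the AWS sample. Sample values are constructed.
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto =
  typeof require === "function"
    ? require("node:crypto")
    : process.getBuiltinModule("node:crypto");

// RFC 6238 Appendix B test key ("12345678901234567890") in Base32.
// It stands in for the SecretCode that AssociateSoftwareToken returns.
const RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ";

const BASE32_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567";

// Authenticator apps accept lower case, spaces and '=' padding in a typed key.
const normalizeSecret = (secret) => secret.toUpperCase().replace(/[\s=]/g, "");

/** Decode an RFC 4648 Base32 secret into raw key bytes. */
const base32Decode = (secret) => {
  const bytes = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of normalizeSecret(secret)) {
    const value = BASE32_ALPHABET.indexOf(ch);
    if (value === -1) {
      throw new Error("Secret is not valid Base32.");
    }
    buffer = (buffer << 5) | value;
    bits += 5;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >>> bits) & 0xff);
      buffer &= (1 << bits) - 1; // keep only the bits not yet emitted
    }
  }
  return Buffer.from(bytes);
};

/** RFC 6238 TOTP: HMAC-SHA-1 over the time-step counter, then RFC 4226 truncation. */
const totp = (secret, timeMs = Date.now(), { period = 30, digits = 6 } = {}) => {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(timeMs / 1000 / period)));
  const mac = nodeCrypto
    .createHmac("sha1", base32Decode(secret))
    .update(counter)
    .digest();
  const offset = mac[mac.length - 1] & 0x0f; // low nibble of the last byte
  const binary = mac.readUInt32BE(offset) & 0x7fffffff; // drop the sign bit
  return String(binary % 10 ** digits).padStart(digits, "0");
};

/** Seconds left before the current code is replaced by the next one. */
const secondsUntilRollover = (timeMs = Date.now(), period = 30) =>
  period - (Math.floor(timeMs / 1000) % period);

/**
 * Build the provisioning URI for a QR code. The issuer and user name are
 * URL-encoded so that characters such as '@', '+', '?' or '&' in a user name
 * stay inside the label instead of changing how the URI is parsed.
 */
const buildOtpauthUri = ({ issuer, username, secret }) => {
  base32Decode(secret); // reject a malformed secret before it reaches a QR code
  const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(username)}`;
  return (
    `otpauth://totp/${label}` +
    `?secret=${normalizeSecret(secret)}&issuer=${encodeURIComponent(issuer)}`
  );
};
```

Because a code is only valid for its time step, `secondsUntilRollover` shows how long a code typed at the prompt has before the authenticator app replaces it.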

------
#### [ Kotlin ]

**SDK for Kotlin**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/kotlin/services/cognito#code-examples).

```
/**
 Before running this Kotlin code example, set up your development environment, including your credentials.

 For more information, see the following documentation:
 https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/setup.html

 TIP: To set up the required user pool, run the AWS Cloud Development Kit (AWS CDK) script provided in this GitHub repo at resources/cdk/cognito_scenario_user_pool_with_mfa.

 This code example performs the following operations:

 1. Invokes the signUp method to sign up a user.
 2. Invokes the adminGetUser method to get the user's confirmation status.
 3. Invokes the ResendConfirmationCode method if the user requested another code.
 4. Invokes the confirmSignUp method.
 5. Invokes the initiateAuth to sign in. This results in being prompted to set up TOTP (time-based one-time password). (The response is “ChallengeName”: “MFA_SETUP”).
 6. Invokes the AssociateSoftwareToken method to generate a TOTP MFA private key. This can be used with Google Authenticator.
 7. Invokes the VerifySoftwareToken method to verify the TOTP and register for MFA.
 8. Invokes the AdminInitiateAuth to sign in again. This results in being prompted to submit a TOTP (Response: “ChallengeName”: “SOFTWARE_TOKEN_MFA”).
 9. Invokes the AdminRespondToAuthChallenge to get back a token.
 */

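import aws.sdk.kotlin.services.cognitoidentityprovider.CognitoIdentityProviderClient
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AdminGetUserRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AdminInitiateAuthRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AdminInitiateAuthResponse
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AdminRespondToAuthChallengeRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AssociateSoftwareTokenRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AttributeType
import aws.sdk.kotlin.services.cognitoidentityprovider.model.AuthFlowType
import aws.sdk.kotlin.services.cognitoidentityprovider.model.ChallengeNameType
import aws.sdk.kotlin.services.cognitoidentityprovider.model.ConfirmSignUpRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.ResendConfirmationCodeRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.SignUpRequest
import aws.sdk.kotlin.services.cognitoidentityprovider.model.VerifySoftwareTokenRequest
import java.util.Scanner
import kotlin.system.exitProcess

suspend fun main(args: Array<String>) {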
    val usage = """
        Usage:
            <clientId> <poolId>
        Where:
            clientId - The app client Id value that you can get from the AWS CDK script.
            poolId - The pool Id that you can get from the AWS CDK script. 
    """

    if (args.size != 2) {
        println(usage)
        exitProcess(1)
    }

    val clientId = args[0]
    val poolId = args[1]

    // Use the console to get data from the user.
    println("*** Enter your user name")
    val inOb = Scanner(System.`in`)
    val userName = inOb.nextLine()
    println(userName)

    println("*** Enter your password")
    val password: String = inOb.nextLine()

    println("*** Enter your email")
    val email = inOb.nextLine()

    println("*** Signing up $userName")
    signUp(clientId, userName, password, email)

    println("*** Getting $userName in the user pool")
    getAdminUser(userName, poolId)

    println("*** Confirmation code sent to $userName. Would you like to send a new code? (Yes/No)")
    val ans = inOb.nextLine()

    if (ans.compareTo("Yes") == 0) {
        println("*** Sending a new confirmation code")
        resendConfirmationCode(clientId, userName)
    }
    println("*** Enter the confirmation code that was emailed")
    val code = inOb.nextLine()
    confirmSignUp(clientId, code, userName)

    println("*** Rechecking the status of $userName in the user pool")
    getAdminUser(userName, poolId)

    val authResponse = checkAuthMethod(clientId, userName, password, poolId)
    val mySession = authResponse.session
    val newSession = getSecretForAppMFA(mySession)
    println("*** Enter the 6-digit code displayed in Google Authenticator")
    val myCode = inOb.nextLine()

    // Verify the TOTP and register for MFA.
    verifyTOTP(newSession, myCode)
    println("*** Re-enter a 6-digit code displayed in Google Authenticator")
    val mfaCode: String = inOb.nextLine()
    val authResponse1 = checkAuthMethod(clientId, userName, password, poolId)
    val session2 = authResponse1.session
    adminRespondToAuthChallenge(userName, clientId, poolId, mfaCode, session2)
}

suspend fun checkAuthMethod(
    clientIdVal: String,
    userNameVal: String,
    passwordVal: String,
    userPoolIdVal: String,
): AdminInitiateAuthResponse {
    val authParas = mutableMapOf<String, String>()
    authParas["USERNAME"] = userNameVal
    authParas["PASSWORD"] = passwordVal

    val authRequest =
        AdminInitiateAuthRequest {
            clientId = clientIdVal
            userPoolId = userPoolIdVal
            authParameters = authParas
            authFlow = AuthFlowType.AdminUserPasswordAuth
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val response = identityProviderClient.adminInitiateAuth(authRequest)
        println("Result Challenge is ${response.challengeName}")
        return response
    }
}

suspend fun resendConfirmationCode(
    clientIdVal: String?,
    userNameVal: String?,
) {
    val codeRequest =
        ResendConfirmationCodeRequest {
            clientId = clientIdVal
            username = userNameVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val response = identityProviderClient.resendConfirmationCode(codeRequest)
        println("Method of delivery is " + (response.codeDeliveryDetails?.deliveryMedium))
    }
}

// Respond to an authentication challenge.
suspend fun adminRespondToAuthChallenge(
    userName: String,
    clientIdVal: String?,
    userPoolIdVal: String?,
    mfaCode: String,
    sessionVal: String?,
) {
    println("SOFTWARE_TOKEN_MFA challenge is generated")
    val challengeResponsesOb = mutableMapOf<String, String>()
    challengeResponsesOb["USERNAME"] = userName
    challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode

    // AdminRespondToAuthChallenge requires the user pool ID as well as the app client ID.
    val adminRespondToAuthChallengeRequest =
        AdminRespondToAuthChallengeRequest {
            challengeName = ChallengeNameType.SoftwareTokenMfa
            clientId = clientIdVal
            userPoolId = userPoolIdVal
            challengeResponses = challengeResponsesOb
            session = sessionVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val respondToAuthChallengeResult = identityProviderClient.adminRespondToAuthChallenge(adminRespondToAuthChallengeRequest)
        println("respondToAuthChallengeResult.getAuthenticationResult() ${respondToAuthChallengeResult.authenticationResult}")
    }
}

// Verify the TOTP and register for MFA.
suspend fun verifyTOTP(
    sessionVal: String?,
    codeVal: String?,
) {
    val tokenRequest =
        VerifySoftwareTokenRequest {
            userCode = codeVal
            session = sessionVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val verifyResponse = identityProviderClient.verifySoftwareToken(tokenRequest)
        println("The status of the token is ${verifyResponse.status}")
    }
}

suspend fun getSecretForAppMFA(sessionVal: String?): String? {
    val softwareTokenRequest =
        AssociateSoftwareTokenRequest {
            session = sessionVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val tokenResponse = identityProviderClient.associateSoftwareToken(softwareTokenRequest)
        val secretCode = tokenResponse.secretCode
        println("Enter this token into Google Authenticator")
        println(secretCode)
        return tokenResponse.session
    }
}

suspend fun confirmSignUp(
    clientIdVal: String?,
    codeVal: String?,
    userNameVal: String?,
) {
    val signUpRequest =
        ConfirmSignUpRequest {
            clientId = clientIdVal
            confirmationCode = codeVal
            username = userNameVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        identityProviderClient.confirmSignUp(signUpRequest)
        println("$userNameVal  was confirmed")
    }
}

suspend fun getAdminUser(
    userNameVal: String?,
    poolIdVal: String?,
) {
    val userRequest =
        AdminGetUserRequest {
            username = userNameVal
            userPoolId = poolIdVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        val response = identityProviderClient.adminGetUser(userRequest)
        println("User status ${response.userStatus}")
    }
}

suspend fun signUp(
    clientIdVal: String?,
    userNameVal: String?,
    passwordVal: String?,
    emailVal: String?,
) {
    val userAttrs =
        AttributeType {
            name = "email"
            value = emailVal
        }

    val userAttrsList = mutableListOf<AttributeType>()
    userAttrsList.add(userAttrs)
    val signUpRequest =
        SignUpRequest {
            userAttributes = userAttrsList
            username = userNameVal
            clientId = clientIdVal
            password = passwordVal
        }

    CognitoIdentityProviderClient.fromEnvironment { region = "us-east-1" }.use { identityProviderClient ->
        identityProviderClient.signUp(signUpRequest)
        println("User has been signed up")
    }
}
```
+ For API details, see the following topics in *AWS SDK for Kotlin API reference*.
  + [AdminGetUser](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [AdminInitiateAuth](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [AssociateSoftwareToken](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [ConfirmDevice](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [ConfirmSignUp](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [InitiateAuth](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [ListUsers](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [ResendConfirmationCode](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [RespondToAuthChallenge](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [SignUp](https://sdk.amazonaws.com/kotlin/api/latest/index.html)
  + [VerifySoftwareToken](https://sdk.amazonaws.com/kotlin/api/latest/index.html)

------
#### [ Python ]

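**SDK for Python (Boto3)**  
 There's more on GitHub. Find the complete example and learn how to set up and run it in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples).
Create a class that wraps the Amazon Cognito functions used in the scenario.  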

```
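import base64
import hashlib
import hmac
import logging

from botocore.exceptions import ClientError

logger = logging.getLogger(__name__)


class CognitoIdentityProviderWrapper: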
    """Encapsulates Amazon Cognito actions"""

    def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
        """
        :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
        :param user_pool_id: The ID of an existing Amazon Cognito user pool.
        :param client_id: The ID of a client application registered with the user pool.
        :param client_secret: The client secret, if the client has a secret.
        """
        self.cognito_idp_client = cognito_idp_client
        self.user_pool_id = user_pool_id
        self.client_id = client_id
        self.client_secret = client_secret


    def _secret_hash(self, user_name):
        """
        Calculates a secret hash from a user name and a client secret.

        :param user_name: The user name to use when calculating the hash.
        :return: The secret hash.
        """
        key = self.client_secret.encode()
        msg = bytes(user_name + self.client_id, "utf-8")
        secret_hash = base64.b64encode(
            hmac.new(key, msg, digestmod=hashlib.sha256).digest()
        ).decode()
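        # Log that a hash was made, not the hash itself: it is derived from the
        # client secret and is sent as a credential with each request.
        logger.info("Made secret hash for %s.", user_name)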
        return secret_hash

    def sign_up_user(self, user_name, password, user_email):
        """
        Signs up a new user with Amazon Cognito. This action prompts Amazon Cognito
        to send an email to the specified email address. The email contains a code that
        can be used to confirm the user.

        When the user already exists, the user status is checked to determine whether
        the user has been confirmed.

        :param user_name: The user name that identifies the new user.
        :param password: The password for the new user.
        :param user_email: The email address for the new user.
        :return: True when the user is already confirmed with Amazon Cognito.
                 Otherwise, false.
        """
        try:
            kwargs = {
                "ClientId": self.client_id,
                "Username": user_name,
                "Password": password,
                "UserAttributes": [{"Name": "email", "Value": user_email}],
            }
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.sign_up(**kwargs)
            confirmed = response["UserConfirmed"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "UsernameExistsException":
                response = self.cognito_idp_client.admin_get_user(
                    UserPoolId=self.user_pool_id, Username=user_name
                )
                logger.warning(
                    "User %s exists and is %s.", user_name, response["UserStatus"]
                )
                confirmed = response["UserStatus"] == "CONFIRMED"
            else:
                logger.error(
                    "Couldn't sign up %s. Here's why: %s: %s",
                    user_name,
                    err.response["Error"]["Code"],
                    err.response["Error"]["Message"],
                )
                raise
        return confirmed


    def resend_confirmation(self, user_name):
        """
        Prompts Amazon Cognito to resend an email with a new confirmation code.

        :param user_name: The name of the user who will receive the email.
        :return: Delivery information about where the email is sent.
        """
        try:
            kwargs = {"ClientId": self.client_id, "Username": user_name}
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.resend_confirmation_code(**kwargs)
            delivery = response["CodeDeliveryDetails"]
        except ClientError as err:
            logger.error(
                "Couldn't resend confirmation to %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return delivery


    def confirm_user_sign_up(self, user_name, confirmation_code):
        """
        Confirms a previously created user. A user must be confirmed before they
        can sign in to Amazon Cognito.

        :param user_name: The name of the user to confirm.
        :param confirmation_code: The confirmation code sent to the user's registered
                                  email address.
        :return: True when the confirmation succeeds.
        """
        try:
            kwargs = {
                "ClientId": self.client_id,
                "Username": user_name,
                "ConfirmationCode": confirmation_code,
            }
            if self.client_secret is not None:
                kwargs["SecretHash"] = self._secret_hash(user_name)
            self.cognito_idp_client.confirm_sign_up(**kwargs)
        except ClientError as err:
            logger.error(
                "Couldn't confirm sign up for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return True


    def list_users(self):
        """
        Returns a list of the users in the current user pool.

        :return: The list of users.
        """
        try:
            response = self.cognito_idp_client.list_users(UserPoolId=self.user_pool_id)
            users = response["Users"]
        except ClientError as err:
            logger.error(
                "Couldn't list users for %s. Here's why: %s: %s",
                self.user_pool_id,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return users


    def start_sign_in(self, user_name, password):
        """
        Starts the sign-in process for a user by using administrator credentials.
        This method of signing in is appropriate for code running on a secure server.

        If the user pool is configured to require MFA and this is the first sign-in
        for the user, Amazon Cognito returns a challenge response to set up an
        MFA application. When this occurs, this function gets an MFA secret from
        Amazon Cognito and returns it to the caller.

        :param user_name: The name of the user to sign in.
        :param password: The user's password.
        :return: The result of the sign-in attempt. When sign-in is successful, this
                 returns an access token that can be used to get AWS credentials. Otherwise,
                 Amazon Cognito returns a challenge to set up an MFA application,
                 or a challenge to enter an MFA code from a registered MFA application.
        """
        try:
            kwargs = {
                "UserPoolId": self.user_pool_id,
                "ClientId": self.client_id,
                "AuthFlow": "ADMIN_USER_PASSWORD_AUTH",
                "AuthParameters": {"USERNAME": user_name, "PASSWORD": password},
            }
            if self.client_secret is not None:
                kwargs["AuthParameters"]["SECRET_HASH"] = self._secret_hash(user_name)
            response = self.cognito_idp_client.admin_initiate_auth(**kwargs)
            challenge_name = response.get("ChallengeName", None)
            if challenge_name == "MFA_SETUP":
                if (
                    "SOFTWARE_TOKEN_MFA"
                    in response["ChallengeParameters"]["MFAS_CAN_SETUP"]
                ):
                    response.update(self.get_mfa_secret(response["Session"]))
                else:
                    raise RuntimeError(
                        "The user pool requires MFA setup, but the user pool is not "
                        "configured for TOTP MFA. This example requires TOTP MFA."
                    )
        except ClientError as err:
            logger.error(
                "Couldn't start sign in for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            response.pop("ResponseMetadata", None)
            return response


    def get_mfa_secret(self, session):
        """
        Gets a token that can be used to associate an MFA application with the user.

        :param session: Session information returned from a previous call to initiate
                        authentication.
        :return: An MFA token that can be used to set up an MFA application.
        """
        try:
            response = self.cognito_idp_client.associate_software_token(Session=session)
        except ClientError as err:
            logger.error(
                "Couldn't get MFA secret. Here's why: %s: %s",
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            response.pop("ResponseMetadata", None)
            return response


    def verify_mfa(self, session, user_code):
        """
        Verify a new MFA application that is associated with a user.

        :param session: Session information returned from a previous call to initiate
                        authentication.
        :param user_code: A code generated by the associated MFA application.
        :return: Status that indicates whether the MFA application is verified.
        """
        try:
            response = self.cognito_idp_client.verify_software_token(
                Session=session, UserCode=user_code
            )
        except ClientError as err:
            logger.error(
                "Couldn't verify MFA. Here's why: %s: %s",
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            response.pop("ResponseMetadata", None)
            return response


    def respond_to_mfa_challenge(self, user_name, session, mfa_code):
        """
        Responds to a challenge for an MFA code. This completes the second step of
        a two-factor sign-in. When sign-in is successful, it returns an access token
        that can be used to get AWS credentials from Amazon Cognito.

        :param user_name: The name of the user who is signing in.
        :param session: Session information returned from a previous call to initiate
                        authentication.
        :param mfa_code: A code generated by the associated MFA application.
        :return: The result of the authentication. When successful, this contains an
                 access token for the user.
        """
        try:
            kwargs = {
                "UserPoolId": self.user_pool_id,
                "ClientId": self.client_id,
                "ChallengeName": "SOFTWARE_TOKEN_MFA",
                "Session": session,
                "ChallengeResponses": {
                    "USERNAME": user_name,
                    "SOFTWARE_TOKEN_MFA_CODE": mfa_code,
                },
            }
            if self.client_secret is not None:
                kwargs["ChallengeResponses"]["SECRET_HASH"] = self._secret_hash(
                    user_name
                )
            response = self.cognito_idp_client.admin_respond_to_auth_challenge(**kwargs)
            auth_result = response["AuthenticationResult"]
        except ClientError as err:
            if err.response["Error"]["Code"] == "ExpiredCodeException":
                logger.warning(
                    "Your MFA code has expired or has been used already. You might have "
                    "to wait a few seconds until your app shows you a new code."
                )
            else:
                logger.error(
                    "Couldn't respond to mfa challenge for %s. Here's why: %s: %s",
                    user_name,
                    err.response["Error"]["Code"],
                    err.response["Error"]["Message"],
                )
                raise
        else:
            return auth_result


    def confirm_mfa_device(
        self,
        user_name,
        device_key,
        device_group_key,
        device_password,
        access_token,
        aws_srp,
    ):
        """
        Confirms an MFA device to be tracked by Amazon Cognito. When a device is
        tracked, its key and password can be used to sign in without requiring a new
        MFA code from the MFA application.

        :param user_name: The user that is associated with the device.
        :param device_key: The key of the device, returned by Amazon Cognito.
        :param device_group_key: The group key of the device, returned by Amazon Cognito.
        :param device_password: The password that is associated with the device.
        :param access_token: The user's access token.
        :param aws_srp: A class that helps with Secure Remote Password (SRP)
                        calculations. The scenario associated with this example uses
                        the warrant package.
        :return: True when the user must confirm the device. Otherwise, False. When
                 False, the device is automatically confirmed and tracked.
        """
        srp_helper = aws_srp.AWSSRP(
            username=user_name,
            password=device_password,
            pool_id="_",
            client_id=self.client_id,
            client_secret=None,
            client=self.cognito_idp_client,
        )
        device_and_pw = f"{device_group_key}{device_key}:{device_password}"
        device_and_pw_hash = aws_srp.hash_sha256(device_and_pw.encode("utf-8"))
        salt = aws_srp.pad_hex(aws_srp.get_random(16))
        x_value = aws_srp.hex_to_long(aws_srp.hex_hash(salt + device_and_pw_hash))
        verifier = aws_srp.pad_hex(pow(srp_helper.val_g, x_value, srp_helper.big_n))
        device_secret_verifier_config = {
            "PasswordVerifier": base64.standard_b64encode(
                bytearray.fromhex(verifier)
            ).decode("utf-8"),
            "Salt": base64.standard_b64encode(bytearray.fromhex(salt)).decode("utf-8"),
        }
        try:
            response = self.cognito_idp_client.confirm_device(
                AccessToken=access_token,
                DeviceKey=device_key,
                DeviceSecretVerifierConfig=device_secret_verifier_config,
            )
            user_confirm = response["UserConfirmationNecessary"]
        except ClientError as err:
            logger.error(
                "Couldn't confirm mfa device %s. Here's why: %s: %s",
                device_key,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return user_confirm


    def sign_in_with_tracked_device(
        self,
        user_name,
        password,
        device_key,
        device_group_key,
        device_password,
        aws_srp,
    ):
        """
        Signs in to Amazon Cognito as a user who has a tracked device. Signing in
        with a tracked device lets a user sign in without entering a new MFA code.

        Signing in with a tracked device requires that the client respond to the SRP
        protocol. The scenario associated with this example uses the warrant package
        to help with SRP calculations.

        For more information on SRP, see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol.

        :param user_name: The user that is associated with the device.
        :param password: The user's password.
        :param device_key: The key of a tracked device.
        :param device_group_key: The group key of a tracked device.
        :param device_password: The password that is associated with the device.
        :param aws_srp: A class that helps with SRP calculations. The scenario
                        associated with this example uses the warrant package.
        :return: The result of the authentication. When successful, this contains an
                 access token for the user.
        """
        try:
            srp_helper = aws_srp.AWSSRP(
                username=user_name,
                password=device_password,
                pool_id="_",
                client_id=self.client_id,
                client_secret=None,
                client=self.cognito_idp_client,
            )

            response_init = self.cognito_idp_client.initiate_auth(
                ClientId=self.client_id,
                AuthFlow="USER_PASSWORD_AUTH",
                AuthParameters={
                    "USERNAME": user_name,
                    "PASSWORD": password,
                    "DEVICE_KEY": device_key,
                },
            )
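            # Use .get() so a response without a challenge reports clearly instead of raising KeyError.
            if response_init.get("ChallengeName") != "DEVICE_SRP_AUTH":
                raise RuntimeError(
                    f"Expected DEVICE_SRP_AUTH challenge but got {response_init.get('ChallengeName')}."
                )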

            auth_params = srp_helper.get_auth_params()
            auth_params["DEVICE_KEY"] = device_key
            response_auth = self.cognito_idp_client.respond_to_auth_challenge(
                ClientId=self.client_id,
                ChallengeName="DEVICE_SRP_AUTH",
                ChallengeResponses=auth_params,
            )
            # Report the challenge from this response (response_auth), not from the first call.
            if response_auth.get("ChallengeName") != "DEVICE_PASSWORD_VERIFIER":
                raise RuntimeError(
                    f"Expected DEVICE_PASSWORD_VERIFIER challenge but got "
                    f"{response_auth.get('ChallengeName')}."
                )

            challenge_params = response_auth["ChallengeParameters"]
            challenge_params["USER_ID_FOR_SRP"] = device_group_key + device_key
            cr = srp_helper.process_challenge(challenge_params, {"USERNAME": user_name})
            cr["USERNAME"] = user_name
            cr["DEVICE_KEY"] = device_key
            response_verifier = self.cognito_idp_client.respond_to_auth_challenge(
                ClientId=self.client_id,
                ChallengeName="DEVICE_PASSWORD_VERIFIER",
                ChallengeResponses=cr,
            )
            auth_tokens = response_verifier["AuthenticationResult"]
        except ClientError as err:
            logger.error(
                "Couldn't start client sign in for %s. Here's why: %s: %s",
                user_name,
                err.response["Error"]["Code"],
                err.response["Error"]["Message"],
            )
            raise
        else:
            return auth_tokens
```
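Create a class that runs the scenario. This example also registers an MFA device to be tracked by Amazon Cognito and shows you how to sign in by using a password and information from the tracked device. This avoids the need to enter a new MFA code.  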

```
def run_scenario(cognito_idp_client, user_pool_id, client_id):
    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")

    print("-" * 88)
    print("Welcome to the Amazon Cognito user signup with MFA demo.")
    print("-" * 88)

    cog_wrapper = CognitoIdentityProviderWrapper(
        cognito_idp_client, user_pool_id, client_id
    )

    user_name = q.ask("Let's sign up a new user. Enter a user name: ", q.non_empty)
    password = q.ask("Enter a password for the user: ", q.non_empty)
    email = q.ask("Enter a valid email address that you own: ", q.non_empty)
    confirmed = cog_wrapper.sign_up_user(user_name, password, email)
    while not confirmed:
        print(
            f"User {user_name} requires confirmation. Check {email} for "
            f"a verification code."
        )
        confirmation_code = q.ask("Enter the confirmation code from the email: ")
        if not confirmation_code:
            if q.ask("Do you need another confirmation code (y/n)? ", q.is_yesno):
                delivery = cog_wrapper.resend_confirmation(user_name)
                print(
                    f"Confirmation code sent by {delivery['DeliveryMedium']} "
                    f"to {delivery['Destination']}."
                )
        else:
            confirmed = cog_wrapper.confirm_user_sign_up(user_name, confirmation_code)
    print(f"User {user_name} is confirmed and ready to use.")
    print("-" * 88)

    print("Let's get a list of users in the user pool.")
    q.ask("Press Enter when you're ready.")
    users = cog_wrapper.list_users()
    if users:
        print(f"Found {len(users)} users:")
        pp(users)
    else:
        print("No users found.")
    print("-" * 88)

    print("Let's sign in and get an access token.")
    auth_tokens = None
    challenge = "ADMIN_USER_PASSWORD_AUTH"
    response = {}
    while challenge is not None:
        if challenge == "ADMIN_USER_PASSWORD_AUTH":
            response = cog_wrapper.start_sign_in(user_name, password)
            challenge = response["ChallengeName"]
        elif response["ChallengeName"] == "MFA_SETUP":
            print("First, we need to set up an MFA application.")
            qr_img = qrcode.make(
                f"otpauth://totp/{user_name}?secret={response['SecretCode']}"
            )
            qr_img.save("qr.png")
            q.ask(
                "Press Enter to see a QR code on your screen. Scan it into an MFA "
                "application, such as Google Authenticator."
            )
            webbrowser.open("qr.png")
            mfa_code = q.ask(
                "Enter the verification code from your MFA application: ", q.non_empty
            )
            response = cog_wrapper.verify_mfa(response["Session"], mfa_code)
            print(f"MFA device setup {response['Status']}")
            print("Now that an MFA application is set up, let's sign in again.")
            print(
                "You might have to wait a few seconds for a new MFA code to appear in "
                "your MFA application."
            )
            challenge = "ADMIN_USER_PASSWORD_AUTH"
        elif response["ChallengeName"] == "SOFTWARE_TOKEN_MFA":
            auth_tokens = None
            while auth_tokens is None:
                mfa_code = q.ask(
                    "Enter a verification code from your MFA application: ", q.non_empty
                )
                auth_tokens = cog_wrapper.respond_to_mfa_challenge(
                    user_name, response["Session"], mfa_code
                )
            print(f"You're signed in as {user_name}.")
            print("Here's your access token:")
            pp(auth_tokens["AccessToken"])
            print("And your device information:")
            pp(auth_tokens["NewDeviceMetadata"])
            challenge = None
        else:
            raise Exception(f"Got unexpected challenge {response['ChallengeName']}")
    print("-" * 88)

    device_group_key = auth_tokens["NewDeviceMetadata"]["DeviceGroupKey"]
    device_key = auth_tokens["NewDeviceMetadata"]["DeviceKey"]
    device_password = base64.standard_b64encode(os.urandom(40)).decode("utf-8")

    print("Let's confirm your MFA device so you don't have to re-enter MFA tokens for it.")
    q.ask("Press Enter when you're ready.")
    cog_wrapper.confirm_mfa_device(
        user_name,
        device_key,
        device_group_key,
        device_password,
        auth_tokens["AccessToken"],
        aws_srp,
    )
    print(f"Your device {device_key} is confirmed.")
    print("-" * 88)

    print(
        f"Now let's sign in as {user_name} from your confirmed device {device_key}.\n"
        f"Because this device is tracked by Amazon Cognito, you won't have to re-enter an MFA code."
    )
    q.ask("Press Enter when ready.")
    auth_tokens = cog_wrapper.sign_in_with_tracked_device(
        user_name, password, device_key, device_group_key, device_password, aws_srp
    )
    print("You're signed in. Your access token is:")
    pp(auth_tokens["AccessToken"])
    print("-" * 88)

    print("Don't forget to delete your user pool when you're done with this example.")
    print("\nThanks for watching!")
    print("-" * 88)


def main():
    parser = argparse.ArgumentParser(
        description="Shows how to sign up a new user with Amazon Cognito and associate "
        "the user with an MFA application for multi-factor authentication."
    )
    parser.add_argument(
        "user_pool_id", help="The ID of the user pool to use for the example."
    )
    parser.add_argument(
        "client_id", help="The ID of the client application to use for the example."
    )
    args = parser.parse_args()
    try:
        run_scenario(boto3.client("cognito-idp"), args.user_pool_id, args.client_id)
    except Exception:
        logging.exception("Something went wrong with the demo.")


if __name__ == "__main__":
    main()
```
+ For API details, see the following topics in *AWS SDK for Python (Boto3) API Reference*.
  + [AdminGetUser](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminGetUser)
  + [AdminInitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminInitiateAuth)
  + [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AdminRespondToAuthChallenge)
  + [AssociateSoftwareToken](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/AssociateSoftwareToken)
  + [ConfirmDevice](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmDevice)
  + [ConfirmSignUp](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ConfirmSignUp)
  + [InitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/InitiateAuth)
  + [ListUsers](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ListUsers)
  + [ResendConfirmationCode](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/ResendConfirmationCode)
  + [RespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/RespondToAuthChallenge)
  + [SignUp](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/SignUp)
  + [VerifySoftwareToken](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/VerifySoftwareToken)
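
The `SecretCode` that `get_mfa_secret` returns is a base32 TOTP seed, and the `otpauth://` URI built in `run_scenario` sets no algorithm, digits or period, so an authenticator app falls back to the defaults (HMAC-SHA1, 6 digits, 30-second step). The following added example, which is not part of the AWS sample, computes RFC 6238 codes from such a seed and models a verifier with a clock-skew window and single-use enforcement, the "expired or already used" condition the wrapper handles as `ExpiredCodeException`. The names `totp`, `TotpVerifier` and `SAMPLE_SEED`, and the window of one step, are assumptions made for illustration; this is a local model, not Amazon Cognito's server-side logic.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 6238 test key "12345678901234567890" in base32,
# the same encoding used for the secret in an otpauth:// URI.
SAMPLE_SEED = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at_time, digits=6, step=30):
    """Return the RFC 6238 TOTP code (HMAC-SHA1) for a base32 seed at a Unix time."""
    # Seeds are often shown without padding or in lower case; normalize both.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    # The moving factor is the number of whole time steps since the Unix epoch.
    counter = struct.pack(">Q", int(at_time) // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last byte
    # selects a 4-byte window, and the top bit is masked off.
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10**digits).zfill(digits)


class TotpVerifier:
    """Local model of a TOTP check with a skew window and single-use codes."""

    def __init__(self, secret_b32, window=1, step=30):
        self.secret_b32 = secret_b32
        self.window = window          # accepted clock skew, in time steps
        self.step = step
        self.last_used_counter = -1   # highest time step already accepted

    def verify(self, code, at_time):
        """Return "OK", "REUSED" or "INVALID" for a code presented at a Unix time."""
        current = int(at_time) // self.step
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            expected = totp(self.secret_b32, counter * self.step, step=self.step)
            # Constant-time comparison; encode so non-ASCII input cannot raise.
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                # Reject a code from a time step that was already accepted, so a
                # captured code cannot be replayed inside its validity window.
                if counter <= self.last_used_counter:
                    return "REUSED"
                self.last_used_counter = counter
                return "OK"
        return "INVALID"


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SEED)
    code = totp(SAMPLE_SEED, 59)
    print("code at t=59:", code)
    print("first use:", verifier.verify(code, 59))
    print("second use:", verifier.verify(code, 61))
```

Calling `totp` with the `SecretCode` from the scenario and `time.time()` yields the code an authenticator app would show, which lets the flow be exercised in automated tests without scanning the QR code.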

------
#### [ Swift ]

**SDK for Swift**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/cognito-identity-provider#code-examples).
The `Package.swift` file.  

```
// swift-tools-version: 5.9
//
// The swift-tools-version declares the minimum version of Swift required to
// build this package.

import PackageDescription

let package = Package(
    name: "cognito-scenario",
    // Let Xcode know the minimum Apple platforms supported.
    platforms: [
        .macOS(.v13),
        .iOS(.v15)
    ],
    dependencies: [
        // Dependencies declare other packages that this package depends on.
        .package(
            url: "https://github.com/awslabs/aws-sdk-swift",
            from: "1.0.0"),
        .package(
            url: "https://github.com/apple/swift-argument-parser.git",
            branch: "main"
        )
    ],
    targets: [
        // Targets are the basic building blocks of a package, defining a module or a test suite.
        // Targets can depend on other targets in this package and products
        // from dependencies.
        .executableTarget(
            name: "cognito-scenario",
            dependencies: [
                .product(name: "AWSCognitoIdentityProvider", package: "aws-sdk-swift"),
                .product(name: "ArgumentParser", package: "swift-argument-parser")
            ],
            path: "Sources")

    ]
)
```
The Swift code file.  

```
// An example demonstrating various features of Amazon Cognito. Before running
// this Swift code example, set up your development environment, including
// your credentials.
//
// For more information, see the following documentation:
// https://docs.aws.amazon.com/sdk-for-kotlin/latest/developer-guide/setup.html
//
// TIP: To set up the required user pool, run the AWS Cloud Development Kit
// (AWS CDK) script provided in this GitHub repo at
// resources/cdk/cognito_scenario_user_pool_with_mfa.
//
// This example performs the following functions:
//
// 1. Invokes the signUp method to sign up a user.
// 2. Invokes the adminGetUser method to get the user's confirmation status.
// 3. Invokes the ResendConfirmationCode method if the user requested another
//    code.
// 4. Invokes the confirmSignUp method.
// 5. Invokes the initiateAuth to sign in. This results in being prompted to
//    set up TOTP (time-based one-time password). (The response is
//    "ChallengeName": "MFA_SETUP").
// 6. Invokes the AssociateSoftwareToken method to generate a TOTP MFA private
//    key. This can be used with Google Authenticator.
// 7. Invokes the VerifySoftwareToken method to verify the TOTP and register
//    for MFA.
// 8. Invokes the AdminInitiateAuth to sign in again. This results in being
//    prompted to submit a TOTP (Response: "ChallengeName":
//    "SOFTWARE_TOKEN_MFA").
// 9. Invokes the AdminRespondToAuthChallenge to get back a token.

import ArgumentParser
import Foundation

import AWSClientRuntime
import AWSCognitoIdentityProvider

struct ExampleCommand: ParsableCommand {
    @Argument(help: "The application clientId.")
    var clientId: String
    @Argument(help: "The user pool ID to use.")
    var poolId: String
    @Option(help: "Name of the Amazon Region to use")
    var region = "us-east-1"

    static var configuration = CommandConfiguration(
        commandName: "cognito-scenario",
        abstract: """
        Demonstrates various features of Amazon Cognito.
        """,
        discussion: """
        """
    )

    /// Prompt for an input string of at least a minimum length.  
    /// 
    /// - Parameters:
    ///   - prompt: The prompt string to display.
    ///   - minLength: The minimum number of characters to allow in the
    ///     response. Default value is 1.
    ///
    /// - Returns: The entered string.
    func stringRequest(_ prompt: String, minLength: Int = 1) -> String {
        while true {
            print(prompt, terminator: "")
            let str = readLine()

            guard let str else {
                continue
            }
            if str.count >= minLength {
                return str
            } else {
                print("*** Response must be at least \(minLength) character(s) long.")
            }
        }
    }

    /// Ask a yes/no question.
    /// 
    /// - Parameter prompt: A prompt string to print.
    ///
    /// - Returns: `true` if the user answered "Y", otherwise `false`.
    func yesNoRequest(_ prompt: String) -> Bool {
        while true {
            let answer = stringRequest(prompt).lowercased()
            if answer == "y" || answer == "n" {
                return answer == "y"
            }
        }
    }

    /// Get information about a specific user in a user pool.
    /// 
    /// - Parameters:
    ///   - cipClient: The Amazon Cognito Identity Provider client to use.
    ///   - userName: The user to retrieve information about.
    ///   - userPoolId: The user pool to search for the specified user.
    ///
    /// - Returns: `true` if the user's information was successfully
    ///   retrieved. Otherwise returns `false`.
    func adminGetUser(cipClient: CognitoIdentityProviderClient, userName: String,
                      userPoolId: String) async -> Bool {
        do {
            let output = try await cipClient.adminGetUser(
                input: AdminGetUserInput(
                    userPoolId: userPoolId,
                    username: userName
                )
            )

            guard let userStatus = output.userStatus else {
                print("*** Unable to get the user's status.")
                return false
            }

            print("User status: \(userStatus)")
            return true
        } catch {
            return false
        }
    }

    /// Create a new user in a user pool.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The ID of the app client to create a user for.
    ///   - userName: The username for the new user.
    ///   - password: The new user's password.
    ///   - email: The new user's email address.
    ///
    /// - Returns: `true` if successful; otherwise `false`.
    func signUp(cipClient: CognitoIdentityProviderClient, clientId: String, userName: String, password: String, email: String) async -> Bool {
        let emailAttr = CognitoIdentityProviderClientTypes.AttributeType(
            name: "email",
            value: email
        )

        let userAttrsList = [emailAttr]

        do {
            _ = try await cipClient.signUp(
                input: SignUpInput(
                    clientId: clientId,
                    password: password,
                    userAttributes: userAttrsList,
                    username: userName
                )

            )

            print("=====> User \(userName) signed up.")
        } catch _ as AWSCognitoIdentityProvider.UsernameExistsException {
            print("*** The username \(userName) already exists. Please use a different one.")
            return false
        } catch let error as AWSCognitoIdentityProvider.InvalidPasswordException {
            print("*** Error: The specified password is invalid. Reason: \(error.properties.message ?? "<none available>").")
            return false
        } catch _ as AWSCognitoIdentityProvider.ResourceNotFoundException {
            print("*** Error: The specified client ID (\(clientId)) doesn't exist.")
            return false
        } catch {
            print("*** Unexpected error: \(error)")
            return false
        }

        return true
    }

    /// Requests a new confirmation code be sent to the given user's contact
    /// method.
    ///
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The application client ID.
    ///   - userName: The user to resend a code for.
    ///
    /// - Returns: `true` if a new code was sent successfully, otherwise
    ///   `false`.
    func resendConfirmationCode(cipClient: CognitoIdentityProviderClient, clientId: String,
                                userName: String) async -> Bool {
        do {
            let output = try await cipClient.resendConfirmationCode(
                input: ResendConfirmationCodeInput(
                    clientId: clientId,
                    username: userName
                )
            )

            guard let deliveryMedium = output.codeDeliveryDetails?.deliveryMedium else {
                print("*** Unable to get the delivery method for the resent code.")
                return false
            }

            print("=====> A new code has been sent by \(deliveryMedium)")
            return true
        } catch {
            print("*** Unable to resend the confirmation code to user \(userName).")
            return false
        }
    }

    /// Submit a confirmation code for the specified user. This is the code as
    /// entered by the user after they've received it by email or text
    /// message.
    ///
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The app client ID the user is signing up for.
    ///   - userName: The username of the user whose code is being sent.
    ///   - code: The user's confirmation code.
    /// 
    /// - Returns: `true` if the code was successfully confirmed; otherwise `false`.
    func confirmSignUp(cipClient: CognitoIdentityProviderClient, clientId: String,
                       userName: String, code: String) async -> Bool {
        do {
            _ = try await cipClient.confirmSignUp(
                input: ConfirmSignUpInput(
                    clientId: clientId,
                    confirmationCode: code,
                    username: userName
                )
            )

            print("=====> \(userName) has been confirmed.")
            return true
        } catch {
            print("=====> \(userName)'s code was entered incorrectly.")
            return false
        }
    }

    /// Begin an authentication session.
    ///
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - clientId: The app client ID to use.
    ///   - userName: The username to check.
    ///   - password: The user's password.
    ///   - userPoolId: The user pool to use.
    ///
    /// - Returns: The session token associated with this authentication
    ///   session.
    func initiateAuth(cipClient: CognitoIdentityProviderClient, clientId: String,
                         userName: String, password: String,
                         userPoolId: String) async -> String? {
        var authParams: [String: String] = [:]

        authParams["USERNAME"] = userName
        authParams["PASSWORD"] = password

        do {
            let output = try await cipClient.adminInitiateAuth(
                input: AdminInitiateAuthInput(
                    authFlow: CognitoIdentityProviderClientTypes.AuthFlowType.adminUserPasswordAuth,
                    authParameters: authParams,
                    clientId: clientId,
                    userPoolId: userPoolId
                )
            )

            guard let challengeName = output.challengeName else {
                print("*** Invalid response from the auth service.")
                return nil
            }

            print("=====> Response challenge is \(challengeName)")

            return output.session
        } catch _ as UserNotFoundException {
            print("*** The specified username, \(userName), doesn't exist.")
            return nil
        } catch _ as UserNotConfirmedException {
            print("*** The user \(userName) has not been confirmed.")
            return nil
        } catch {
            print("*** An unexpected error occurred.")
            return nil
        }
    }

    /// Request and display an MFA secret token that the user should enter
    /// into their authenticator to set it up for the user account.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - authSession: The authentication session to request an MFA secret
    ///     for.
    ///
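    /// - Returns: The session to use for the next step of MFA setup
    ///   (`verifySoftwareToken()`), or `nil` if an error occurs. The MFA
    ///   secret itself is printed for the user to enter into the
    ///   authenticator software.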
    func getSecretForAppMFA(cipClient: CognitoIdentityProviderClient, authSession: String?) async -> String? {
        do {
            let output = try await cipClient.associateSoftwareToken(
                input: AssociateSoftwareTokenInput(
                    session: authSession
                )
            )

            guard let secretCode = output.secretCode else {
                print("*** Unable to get the secret code")
                return nil
            }

            print("=====> Enter this token into Google Authenticator: \(secretCode)")
            return output.session
        } catch _ as SoftwareTokenMFANotFoundException {
            print("*** The specified user pool isn't configured for MFA.")
            return nil
        } catch {
            print("*** An unexpected error occurred getting the secret for the app's MFA.")
            return nil
        }
    }

    /// Confirm that the user's TOTP authenticator is configured correctly by
    /// submitting the code it currently displays to Amazon Cognito and
    /// checking that it matches the expected value.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - session: An authentication session previously returned by an
    ///     `associateSoftwareToken()` call.
    ///   - mfaCode: The 6-digit code currently displayed by the user's
    ///     authenticator, as provided by the user.
    func verifyTOTP(cipClient: CognitoIdentityProviderClient, session: String?, mfaCode: String?) async {
        do {
            let output = try await cipClient.verifySoftwareToken(
                input: VerifySoftwareTokenInput(
                    session: session,
                    userCode: mfaCode
                )
            )

            guard let tokenStatus = output.status else {
                print("*** Unable to get the token's status.")
                return
            }
            print("=====> The token's status is: \(tokenStatus)")
        } catch _ as SoftwareTokenMFANotFoundException {
            print("*** The specified user pool isn't configured for MFA.")
            return
        } catch _ as CodeMismatchException {
            print("*** The specified MFA code doesn't match the expected value.")
            return
        } catch _ as UserNotFoundException {
            print("*** The specified username doesn't exist.")
            return
        } catch _ as UserNotConfirmedException {
            print("*** The user has not been confirmed.")
            return
        } catch {
            print("*** Error verifying the MFA token!")
            return
        }
    }

    /// Respond to the authentication challenge received from Cognito after
    /// initiating an authentication session. This involves sending a current
    /// MFA code to the service.
    /// 
    /// - Parameters:
    ///   - cipClient: The `CognitoIdentityProviderClient` to use.
    ///   - userName: The user's username.
    ///   - clientId: The app client ID.
    ///   - userPoolId: The user pool to sign into.
    ///   - mfaCode: The 6-digit MFA code currently displayed by the user's
    ///     authenticator.
    ///   - session: The authentication session to continue processing.
    func adminRespondToAuthChallenge(cipClient: CognitoIdentityProviderClient, userName: String,
                                     clientId: String, userPoolId: String, mfaCode: String,
                                     session: String) async {
        print("=====> SOFTWARE_TOKEN_MFA challenge is generated...")

        var challengeResponsesOb: [String: String] = [:]
        challengeResponsesOb["USERNAME"] = userName
        challengeResponsesOb["SOFTWARE_TOKEN_MFA_CODE"] = mfaCode

        do {
            let output = try await cipClient.adminRespondToAuthChallenge(
                input: AdminRespondToAuthChallengeInput(
                    challengeName: CognitoIdentityProviderClientTypes.ChallengeNameType.softwareTokenMfa,
                    challengeResponses: challengeResponsesOb,
                    clientId: clientId,
                    session: session,
                    userPoolId: userPoolId
                )
            )

            guard let authenticationResult = output.authenticationResult else {
                print("*** Unable to get authentication result.")
                return
            }

            print("=====> Authentication result (JWTs are redacted):")
            print(authenticationResult)
        } catch _ as SoftwareTokenMFANotFoundException {
            print("*** The specified user pool isn't configured for MFA.")
            return
        } catch _ as CodeMismatchException {
            print("*** The specified MFA code doesn't match the expected value.")
            return
        } catch _ as UserNotFoundException {
            print("*** The specified username, \(userName), doesn't exist.")
            return
        } catch _ as UserNotConfirmedException {
            print("*** The user \(userName) has not been confirmed.")
            return
        } catch let error as NotAuthorizedException {
            print("*** Unauthorized access. Reason: \(error.properties.message ?? "<unknown>")")
        } catch {
            print("*** Error responding to the MFA challenge.")
            return
        }
    }

    /// Called by ``main()`` to run the bulk of the example.
    func runAsync() async throws {
        let config = try await CognitoIdentityProviderClient.CognitoIdentityProviderClientConfiguration(region: region)
        let cipClient = CognitoIdentityProviderClient(config: config)

        print("""
              This example collects information about a user, then creates that user in the
              specified user pool. Then, it enables Multi-Factor Authentication (MFA) for that
              user by associating an authenticator application (such as Google Authenticator
              or a password manager that supports TOTP). Then, the user uses a code from their
              authenticator application to sign in.

              """)

        let userName = stringRequest("Please enter a new username: ")
        let password = stringRequest("Enter a password: ")
        let email = stringRequest("Enter your email address: ", minLength: 5)

        // Submit the sign-up request to AWS.

        print("==> Signing up user \(userName)...")
        if await signUp(cipClient: cipClient, clientId: clientId,
                        userName: userName, password: password,
                        email: email) == false {
            return
        }

        // Check the user's status. This time, it should come back "unconfirmed".

        print("==> Getting the status of user \(userName) from the user pool (should be 'unconfirmed')...")
        if await adminGetUser(cipClient: cipClient, userName: userName, userPoolId: poolId) == false {
            return
        }

        // Ask the user if they want a replacement code sent, such as if the
        // code hasn't arrived yet. If the user responds with a "yes," send a
        // new code.

        if yesNoRequest("==> A confirmation code was sent to \(userName). Would you like to send a new code (Y/N)? ") {
            print("==> Sending a new confirmation code...")
            if await resendConfirmationCode(cipClient: cipClient, clientId: clientId, userName: userName) == false {
                return
            }
        }

        // Ask the user to enter the confirmation code, then send it to Amazon
        // Cognito to verify it.

        let code = stringRequest("==> Enter the confirmation code sent to \(userName): ")
        if await confirmSignUp(cipClient: cipClient, clientId: clientId, userName: userName, code: code) == false {
            // The code didn't match. Your application may wish to offer to
            // re-send the confirmation code here and try again.
            return
        }

        // Check the user's status again. This time it should come back
        // "confirmed".

        print("==> Rechecking status of user \(userName) in the user pool (should be 'confirmed')...")
        if await adminGetUser(cipClient: cipClient, userName: userName, userPoolId: poolId) == false {
            return
        }
        // Check the challenge mode. Here, it should be "mfaSetup", indicating
        // that the user needs to add MFA before using it. This returns a
        // session that can be used to register MFA, or nil if an error occurs.

        let authSession = await initiateAuth(cipClient: cipClient, clientId: clientId,
                                                userName: userName, password: password,
                                                userPoolId: poolId)
        if authSession == nil {
            return
        }

        // Ask Cognito for an MFA secret token that the user should enter into
        // their authenticator software (such as Google Authenticator) or
        // password manager to configure it for this user account. This
        // returns a new session that should be used for the new stage of the
        // authentication process.

        let newSession = await getSecretForAppMFA(cipClient: cipClient, authSession: authSession)
        if newSession == nil {
            return
        }

        // Ask the user to enter the current 6-digit code displayed by their
        // authenticator. Then verify that it matches the value expected for
        // the session.

        let mfaCode1 = stringRequest("==> Enter the 6-digit code displayed in your authenticator: ",
                                    minLength: 6)
        await verifyTOTP(cipClient: cipClient, session: newSession, mfaCode: mfaCode1)

        // Ask the user to authenticate now that the authenticator has been
        // configured. This creates a new session using the user's username
        // and password as already entered.

        print("\nNow starting the sign-in process for user \(userName)...\n")
        
        let session2 = await initiateAuth(cipClient: cipClient, clientId: clientId,
                                    userName: userName, password: password, userPoolId: poolId)
        guard let session2 else {
            return
        }

        // Now that we have a new auth session, `session2`, ask the user for a
        // new 6-digit code from their authenticator, and send it to the auth
        // session.

        let mfaCode2 = stringRequest("==> Wait for your authenticator to show a new 6-digit code, then enter it: ",
                                    minLength: 6)
        await adminRespondToAuthChallenge(cipClient: cipClient, userName: userName,
                                          clientId: clientId, userPoolId: poolId,
                                          mfaCode: mfaCode2, session: session2)
    }
}

/// The program's asynchronous entry point.
@main
struct Main {
    static func main() async {
        let args = Array(CommandLine.arguments.dropFirst())

        do {
            let command = try ExampleCommand.parse(args)
            try await command.runAsync()
        } catch {
            ExampleCommand.exit(withError: error)
        }
    }    
}
```
+ For API details, see the following topics in *AWS SDK for Swift API reference*.
  + [AdminGetUser](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/admingetuser(input:))
  + [AdminInitiateAuth](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/admininitiateauth(input:))
  + [AdminRespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/adminrespondtoauthchallenge(input:))
  + [AssociateSoftwareToken](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/associatesoftwaretoken(input:))
  + [ConfirmDevice](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/confirmdevice(input:))
  + [ConfirmSignUp](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/confirmsignup(input:))
  + [InitiateAuth](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/initiateauth(input:))
  + [ListUsers](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/listusers(input:))
  + [ResendConfirmationCode](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/resendconfirmationcode(input:))
  + [RespondToAuthChallenge](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/respondtoauthchallenge(input:))
  + [SignUp](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/signup(input:))
  + [VerifySoftwareToken](https://sdk.amazonaws.com/swift/api/awscognitoidentityprovider/latest/documentation/awscognitoidentityprovider/cognitoidentityproviderclient/verifysoftwaretoken(input:))
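
The Swift scenario above asks for one authenticator code in `verifyTOTP` and then tells the user to wait for a new code before answering the sign-in challenge. The following Go sketch is an added example, not part of the AWS sample: it computes the code an authenticator derives from a Base32 secret, so you can see that every code within one time step is identical. It assumes the RFC 6238 defaults (HMAC-SHA-1, 30-second step, 6 digits); the function names and the sample secret are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Assumed authenticator defaults (RFC 6238): 30-second step, 6 digits, HMAC-SHA-1.
const stepSeconds = 30

// decodeSecret normalizes a Base32 secret as a user might paste it
// (spaces, lowercase, optional padding) and returns the raw key bytes.
func decodeSecret(secret string) ([]byte, error) {
	s := strings.ToUpper(strings.ReplaceAll(strings.TrimSpace(secret), " ", ""))
	s = strings.TrimRight(s, "=")
	if s == "" {
		return nil, fmt.Errorf("secret is empty")
	}
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
	if err != nil {
		return nil, fmt.Errorf("secret is not valid Base32: %w", err)
	}
	return key, nil
}

// hotp implements the RFC 4226 truncation: HMAC the 8-byte big-endian
// counter, pick 4 bytes at the offset given by the low nibble of the last
// byte, clear the sign bit, and keep the last 6 decimal digits.
func hotp(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	bin := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", bin%1000000)
}

// StepAt returns the time-step counter that a code generated at t is bound to.
func StepAt(t time.Time) uint64 {
	return uint64(t.Unix()) / stepSeconds
}

// TOTPAt returns the 6-digit code an authenticator would display at time t.
func TOTPAt(secret string, t time.Time) (string, error) {
	key, err := decodeSecret(secret)
	if err != nil {
		return "", err
	}
	return hotp(key, StepAt(t)), nil
}

// SecondsUntilNextCode reports how long to wait at time t before the
// authenticator rolls over to a different code.
func SecondsUntilNextCode(t time.Time) int64 {
	return stepSeconds - t.Unix()%stepSeconds
}

func main() {
	// Constructed sample secret (the RFC 6238 test key in Base32), not a real
	// secretCode returned by AssociateSoftwareToken.
	const secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

	now := time.Now()
	code, err := TOTPAt(secret, now)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("current code: %s (changes in %d s)\n", code, SecondsUntilNextCode(now))
}
```

A helper like this belongs only in integration tests that hold a test user's secret; in production the secret lives in the user's authenticator and on the service side.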

------


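# Use Amazon Cognito identity pools and authentication flows
<a name="cognito-identity-provider_example_cross_CognitoFlows_section"></a>

The following code example shows how to build a web-based demo application that demonstrates identity pool authentication flows.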

------
#### [ Python ]

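**SDK for Python (Boto3)**  
 Shows a web-based demo application that demonstrates Amazon Cognito identity pool authentication flows, letting users interactively explore the enhanced and basic authentication flows with various identity providers.  
For complete source code and instructions on how to set up and run, see the full example on [GitHub](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito/scenarios/identity_pools_example_demo).  

**Services used in this example**
+ Amazon Cognito Identity Provider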

------


# Write custom activity data with a Lambda function after Amazon Cognito user authentication using an AWS SDK
<a name="cognito-identity-provider_example_cross_CognitoCustomActivityLog_section"></a>

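The following code example shows how to write custom activity data with a Lambda function after Amazon Cognito user authentication.
+ Use administrator functions to add a user to a user pool.
+ Configure the user pool to call a Lambda function for the `PostAuthentication` trigger.
+ Sign the new user in to Amazon Cognito.
+ The Lambda function writes custom information to CloudWatch Logs and to a DynamoDB table.
+ Get and display the custom data from the DynamoDB table, then clean up resources.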

------
#### [ Go ]

**SDK for Go V2**  
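 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/workflows/user_pools_and_lambda_triggers#code-examples).
Run an interactive scenario at a command prompt.  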

```
import (
	"context"
	"errors"
	"log"
	"strings"
	"user_pools_and_lambda_triggers/actions"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// ActivityLog separates the steps of this scenario into individual functions so that
// they are simpler to read and understand.
type ActivityLog struct {
	helper       IScenarioHelper
	questioner   demotools.IQuestioner
	resources    Resources
	cognitoActor *actions.CognitoActions
}

// NewActivityLog constructs a new activity log runner.
func NewActivityLog(sdkConfig aws.Config, questioner demotools.IQuestioner, helper IScenarioHelper) ActivityLog {
	scenario := ActivityLog{
		helper:       helper,
		questioner:   questioner,
		resources:    Resources{},
		cognitoActor: &actions.CognitoActions{CognitoClient: cognitoidentityprovider.NewFromConfig(sdkConfig)},
	}
	scenario.resources.init(scenario.cognitoActor, questioner)
	return scenario
}

// AddUserToPool selects a user from the known users table and uses administrator credentials to add the user to the user pool.
func (runner *ActivityLog) AddUserToPool(ctx context.Context, userPoolId string, tableName string) (string, string) {
	log.Println("To facilitate this example, let's add a user to the user pool using administrator privileges.")
	users, err := runner.helper.GetKnownUsers(ctx, tableName)
	if err != nil {
		panic(err)
	}
	user := users.Users[0]
	log.Printf("Adding known user %v to the user pool.\n", user.UserName)
	err = runner.cognitoActor.AdminCreateUser(ctx, userPoolId, user.UserName, user.UserEmail)
	if err != nil {
		panic(err)
	}
	pwSet := false
	password := runner.questioner.AskPassword("\nEnter a password that has at least eight characters, uppercase, lowercase, numbers and symbols.\n"+
		"(the password will not display as you type):", 8)
	for !pwSet {
		log.Printf("\nSetting password for user '%v'.\n", user.UserName)
		err = runner.cognitoActor.AdminSetUserPassword(ctx, userPoolId, user.UserName, password)
		if err != nil {
			var invalidPassword *types.InvalidPasswordException
			if errors.As(err, &invalidPassword) {
				password = runner.questioner.AskPassword("\nEnter another password:", 8)
			} else {
				panic(err)
			}
		} else {
			pwSet = true
		}
	}

	log.Println(strings.Repeat("-", 88))

	return user.UserName, password
}

// AddActivityLogTrigger adds a Lambda handler as an invocation target for the PostAuthentication trigger.
func (runner *ActivityLog) AddActivityLogTrigger(ctx context.Context, userPoolId string, activityLogArn string) {
	log.Println("Let's add a Lambda function to handle the PostAuthentication trigger from Cognito.\n" +
		"This trigger happens after a user is authenticated, and lets your function take action, such as logging\n" +
		"the outcome.")
	err := runner.cognitoActor.UpdateTriggers(
		ctx, userPoolId,
		actions.TriggerInfo{Trigger: actions.PostAuthentication, HandlerArn: aws.String(activityLogArn)})
	if err != nil {
		panic(err)
	}
	runner.resources.triggers = append(runner.resources.triggers, actions.PostAuthentication)
	log.Printf("Lambda function %v added to user pool %v to handle PostAuthentication Cognito trigger.\n",
		activityLogArn, userPoolId)

	log.Println(strings.Repeat("-", 88))
}

// SignInUser signs in as the specified user.
func (runner *ActivityLog) SignInUser(ctx context.Context, clientId string, userName string, password string) {
	log.Printf("Now we'll sign in user %v and check the results in the logs and the DynamoDB table.", userName)
	runner.questioner.Ask("Press Enter when you're ready.")
	authResult, err := runner.cognitoActor.SignIn(ctx, clientId, userName, password)
	if err != nil {
		panic(err)
	}
	log.Println("Sign in successful.",
		"The PostAuthentication Lambda handler writes custom information to CloudWatch Logs.")

	runner.resources.userAccessTokens = append(runner.resources.userAccessTokens, *authResult.AccessToken)
}

// GetKnownUserLastLogin gets the login info for a user from the Amazon DynamoDB table and displays it.
func (runner *ActivityLog) GetKnownUserLastLogin(ctx context.Context, tableName string, userName string) {
	log.Println("The PostAuthentication handler also writes login data to the DynamoDB table.")
	runner.questioner.Ask("Press Enter when you're ready to continue.")
	users, err := runner.helper.GetKnownUsers(ctx, tableName)
	if err != nil {
		panic(err)
	}
	for _, user := range users.Users {
		if user.UserName == userName {
			log.Println("The last login info for the user in the known users table is:")
			log.Printf("\t%+v", *user.LastLogin)
		}
	}
	log.Println(strings.Repeat("-", 88))
}

// Run runs the scenario.
func (runner *ActivityLog) Run(ctx context.Context, stackName string) {
	defer func() {
		if r := recover(); r != nil {
			log.Println("Something went wrong with the demo.")
			runner.resources.Cleanup(ctx)
		}
	}()

	log.Println(strings.Repeat("-", 88))
	log.Printf("Welcome\n")

	log.Println(strings.Repeat("-", 88))

	stackOutputs, err := runner.helper.GetStackOutputs(ctx, stackName)
	if err != nil {
		panic(err)
	}
	runner.resources.userPoolId = stackOutputs["UserPoolId"]
	runner.helper.PopulateUserTable(ctx, stackOutputs["TableName"])
	userName, password := runner.AddUserToPool(ctx, stackOutputs["UserPoolId"], stackOutputs["TableName"])

	runner.AddActivityLogTrigger(ctx, stackOutputs["UserPoolId"], stackOutputs["ActivityLogFunctionArn"])
	runner.SignInUser(ctx, stackOutputs["UserPoolClientId"], userName, password)
	runner.helper.ListRecentLogEvents(ctx, stackOutputs["ActivityLogFunction"])
	runner.GetKnownUserLastLogin(ctx, stackOutputs["TableName"], userName)

	runner.resources.Cleanup(ctx)

	log.Println(strings.Repeat("-", 88))
	log.Println("Thanks for watching!")
	log.Println(strings.Repeat("-", 88))
}
```
Handle the `PostAuthentication` trigger with a Lambda function.  

```
import (
	"context"
	"fmt"
	"log"
	"os"
	"time"

	"github.com/aws/aws-lambda-go/events"
	"github.com/aws/aws-lambda-go/lambda"
	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	dynamodbtypes "github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
)

const TABLE_NAME = "TABLE_NAME"

// LoginInfo defines structured login data that can be marshalled to a DynamoDB format.
type LoginInfo struct {
	UserPoolId string `dynamodbav:"UserPoolId"`
	ClientId   string `dynamodbav:"ClientId"`
	Time       string `dynamodbav:"Time"`
}

// UserInfo defines structured user data that can be marshalled to a DynamoDB format.
type UserInfo struct {
	UserName  string    `dynamodbav:"UserName"`
	UserEmail string    `dynamodbav:"UserEmail"`
	LastLogin LoginInfo `dynamodbav:"LastLogin"`
}

// GetKey marshals the user email value to a DynamoDB key format.
func (user UserInfo) GetKey() map[string]dynamodbtypes.AttributeValue {
	userEmail, err := attributevalue.Marshal(user.UserEmail)
	if err != nil {
		panic(err)
	}
	return map[string]dynamodbtypes.AttributeValue{"UserEmail": userEmail}
}

type handler struct {
	dynamoClient *dynamodb.Client
}

// HandleRequest handles the PostAuthentication event by writing custom data to the logs and
// to an Amazon DynamoDB table.
func (h *handler) HandleRequest(ctx context.Context, event events.CognitoEventUserPoolsPostAuthentication) (events.CognitoEventUserPoolsPostAuthentication, error) {
	log.Printf("Received post authentication trigger from %v for user '%v'", event.TriggerSource, event.UserName)
	tableName := os.Getenv(TABLE_NAME)
	user := UserInfo{
		UserName:  event.UserName,
		UserEmail: event.Request.UserAttributes["email"],
		LastLogin: LoginInfo{
			UserPoolId: event.UserPoolID,
			ClientId:   event.CallerContext.ClientID,
			Time:       time.Now().Format(time.UnixDate),
		},
	}
	// Write to CloudWatch Logs.
	fmt.Printf("%#v", user)

	// Also write to an external system. This example uses DynamoDB to demonstrate.
	userMap, err := attributevalue.MarshalMap(user)
	if err != nil {
		log.Printf("Couldn't marshal to DynamoDB map. Here's why: %v\n", err)
	} else if len(userMap) == 0 {
		log.Printf("User info marshaled to an empty map.")
	} else {
		_, err := h.dynamoClient.PutItem(ctx, &dynamodb.PutItemInput{
			Item:      userMap,
			TableName: aws.String(tableName),
		})
		if err != nil {
			log.Printf("Couldn't write to DynamoDB. Here's why: %v\n", err)
		} else {
			log.Printf("Wrote user info to DynamoDB table %v.\n", tableName)
		}
	}

	return event, nil
}

func main() {
	ctx := context.Background()
	sdkConfig, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		log.Panicln(err)
	}
	h := handler{
		dynamoClient: dynamodb.NewFromConfig(sdkConfig),
	}
	lambda.Start(h.HandleRequest)
}
```
Create a struct that performs common tasks.  

```
import (
	"context"
	"log"
	"strings"
	"time"
	"user_pools_and_lambda_triggers/actions"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// IScenarioHelper defines common functions used by the workflows in this example.
type IScenarioHelper interface {
	Pause(secs int)
	GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error)
	PopulateUserTable(ctx context.Context, tableName string)
	GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error)
	AddKnownUser(ctx context.Context, tableName string, user actions.User)
	ListRecentLogEvents(ctx context.Context, functionName string)
}

// ScenarioHelper contains AWS wrapper structs used by the workflows in this example.
type ScenarioHelper struct {
	questioner  demotools.IQuestioner
	dynamoActor *actions.DynamoActions
	cfnActor    *actions.CloudFormationActions
	cwlActor    *actions.CloudWatchLogsActions
	isTestRun   bool
}

// NewScenarioHelper constructs a new scenario helper.
func NewScenarioHelper(sdkConfig aws.Config, questioner demotools.IQuestioner) ScenarioHelper {
	scenario := ScenarioHelper{
		questioner:  questioner,
		dynamoActor: &actions.DynamoActions{DynamoClient: dynamodb.NewFromConfig(sdkConfig)},
		cfnActor:    &actions.CloudFormationActions{CfnClient: cloudformation.NewFromConfig(sdkConfig)},
		cwlActor:    &actions.CloudWatchLogsActions{CwlClient: cloudwatchlogs.NewFromConfig(sdkConfig)},
	}
	return scenario
}

// Pause waits for the specified number of seconds.
func (helper ScenarioHelper) Pause(secs int) {
	if !helper.isTestRun {
		time.Sleep(time.Duration(secs) * time.Second)
	}
}

// GetStackOutputs gets the outputs from the specified CloudFormation stack in a structured format.
func (helper ScenarioHelper) GetStackOutputs(ctx context.Context, stackName string) (actions.StackOutputs, error) {
	return helper.cfnActor.GetOutputs(ctx, stackName), nil
}

// PopulateUserTable fills the known user table with example data.
func (helper ScenarioHelper) PopulateUserTable(ctx context.Context, tableName string) {
	log.Printf("First, let's add some users to the DynamoDB %v table we'll use for this example.\n", tableName)
	err := helper.dynamoActor.PopulateTable(ctx, tableName)
	if err != nil {
		panic(err)
	}
}

// GetKnownUsers gets the users from the known users table in a structured format.
func (helper ScenarioHelper) GetKnownUsers(ctx context.Context, tableName string) (actions.UserList, error) {
	knownUsers, err := helper.dynamoActor.Scan(ctx, tableName)
	if err != nil {
		log.Printf("Couldn't get known users from table %v. Here's why: %v\n", tableName, err)
	}
	return knownUsers, err
}

// AddKnownUser adds a user to the known users table.
func (helper ScenarioHelper) AddKnownUser(ctx context.Context, tableName string, user actions.User) {
	log.Printf("Adding user '%v' with email '%v' to the DynamoDB known users table...\n",
		user.UserName, user.UserEmail)
	err := helper.dynamoActor.AddUser(ctx, tableName, user)
	if err != nil {
		panic(err)
	}
}

// ListRecentLogEvents gets the most recent log stream and events for the specified Lambda function and displays them.
func (helper ScenarioHelper) ListRecentLogEvents(ctx context.Context, functionName string) {
	log.Println("Waiting a few seconds to let Lambda write to CloudWatch Logs...")
	helper.Pause(10)
	log.Println("Okay, let's check the logs to find what's happened recently with your Lambda function.")
	logStream, err := helper.cwlActor.GetLatestLogStream(ctx, functionName)
	if err != nil {
		panic(err)
	}
	log.Printf("Getting some recent events from log stream %v\n", *logStream.LogStreamName)
	events, err := helper.cwlActor.GetLogEvents(ctx, functionName, *logStream.LogStreamName, 10)
	if err != nil {
		panic(err)
	}
	for _, event := range events {
		log.Printf("\t%v", *event.Message)
	}
	log.Println(strings.Repeat("-", 88))
}
```
Create a struct that wraps Amazon Cognito actions.  

```
import (
	"context"
	"errors"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
	"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)

type CognitoActions struct {
	CognitoClient *cognitoidentityprovider.Client
}



// Trigger and TriggerInfo define typed data for updating an Amazon Cognito trigger.
type Trigger int

const (
	PreSignUp Trigger = iota
	UserMigration
	PostAuthentication
)

type TriggerInfo struct {
	Trigger    Trigger
	HandlerArn *string
}

// UpdateTriggers adds or removes Lambda triggers for a user pool. When a trigger is specified with a `nil` value,
// it is removed from the user pool.
func (actor CognitoActions) UpdateTriggers(ctx context.Context, userPoolId string, triggers ...TriggerInfo) error {
	output, err := actor.CognitoClient.DescribeUserPool(ctx, &cognitoidentityprovider.DescribeUserPoolInput{
		UserPoolId: aws.String(userPoolId),
	})
	if err != nil {
		log.Printf("Couldn't get info about user pool %v. Here's why: %v\n", userPoolId, err)
		return err
	}
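	lambdaConfig := output.UserPool.LambdaConfig
	if lambdaConfig == nil {
		// Guard against a pool that reports no Lambda configuration, so the assignments below can't dereference nil.
		lambdaConfig = &types.LambdaConfigType{}
	}
	for _, trigger := range triggers {
		switch trigger.Trigger {
		case PreSignUp:
			lambdaConfig.PreSignUp = trigger.HandlerArn
		case UserMigration:
			lambdaConfig.UserMigration = trigger.HandlerArn
		case PostAuthentication:
			lambdaConfig.PostAuthentication = trigger.HandlerArn
		}
	}
	// Note: UpdateUserPool sets any attribute that is not provided to its default value. This call sends only
	// LambdaConfig, so other settings of the user pool are not carried over from the DescribeUserPool output.
	_, err = actor.CognitoClient.UpdateUserPool(ctx, &cognitoidentityprovider.UpdateUserPoolInput{
		UserPoolId:   aws.String(userPoolId),
		LambdaConfig: lambdaConfig,
	})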
	if err != nil {
		log.Printf("Couldn't update user pool %v. Here's why: %v\n", userPoolId, err)
	}
	return err
}



// SignUp signs up a user with Amazon Cognito.
func (actor CognitoActions) SignUp(ctx context.Context, clientId string, userName string, password string, userEmail string) (bool, error) {
	confirmed := false
	output, err := actor.CognitoClient.SignUp(ctx, &cognitoidentityprovider.SignUpInput{
		ClientId: aws.String(clientId),
		Password: aws.String(password),
		Username: aws.String(userName),
		UserAttributes: []types.AttributeType{
			{Name: aws.String("email"), Value: aws.String(userEmail)},
		},
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't sign up user %v. Here's why: %v\n", userName, err)
		}
	} else {
		confirmed = output.UserConfirmed
	}
	return confirmed, err
}



// SignIn signs in a user to Amazon Cognito using a username and password authentication flow.
func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) {
	var authResult *types.AuthenticationResultType
	output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{
		AuthFlow:       "USER_PASSWORD_AUTH",
		ClientId:       aws.String(clientId),
		AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password},
	})
	if err != nil {
		var resetRequired *types.PasswordResetRequiredException
		if errors.As(err, &resetRequired) {
			log.Println(*resetRequired.Message)
		} else {
			log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err)
		}
	} else {
		authResult = output.AuthenticationResult
	}
	return authResult, err
}



// ForgotPassword starts a password recovery flow for a user. This flow typically sends a confirmation code
// to the user's configured notification destination, such as email.
func (actor CognitoActions) ForgotPassword(ctx context.Context, clientId string, userName string) (*types.CodeDeliveryDetailsType, error) {
	output, err := actor.CognitoClient.ForgotPassword(ctx, &cognitoidentityprovider.ForgotPasswordInput{
		ClientId: aws.String(clientId),
		Username: aws.String(userName),
	})
	if err != nil {
		log.Printf("Couldn't start password reset for user '%v'. Here's why: %v\n", userName, err)
		// output is nil when the call fails, so return before dereferencing it.
		return nil, err
	}
	return output.CodeDeliveryDetails, nil
}



// ConfirmForgotPassword confirms a user with a confirmation code and a new password.
func (actor CognitoActions) ConfirmForgotPassword(ctx context.Context, clientId string, code string, userName string, password string) error {
	_, err := actor.CognitoClient.ConfirmForgotPassword(ctx, &cognitoidentityprovider.ConfirmForgotPasswordInput{
		ClientId:         aws.String(clientId),
		ConfirmationCode: aws.String(code),
		Password:         aws.String(password),
		Username:         aws.String(userName),
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't confirm user %v. Here's why: %v", userName, err)
		}
	}
	return err
}



// DeleteUser removes a user from the user pool.
func (actor CognitoActions) DeleteUser(ctx context.Context, userAccessToken string) error {
	_, err := actor.CognitoClient.DeleteUser(ctx, &cognitoidentityprovider.DeleteUserInput{
		AccessToken: aws.String(userAccessToken),
	})
	if err != nil {
		log.Printf("Couldn't delete user. Here's why: %v\n", err)
	}
	return err
}



// AdminCreateUser uses administrator credentials to add a user to a user pool. This method leaves the user
// in a state that requires they enter a new password next time they sign in.
func (actor CognitoActions) AdminCreateUser(ctx context.Context, userPoolId string, userName string, userEmail string) error {
	_, err := actor.CognitoClient.AdminCreateUser(ctx, &cognitoidentityprovider.AdminCreateUserInput{
		UserPoolId:     aws.String(userPoolId),
		Username:       aws.String(userName),
		MessageAction:  types.MessageActionTypeSuppress,
		UserAttributes: []types.AttributeType{{Name: aws.String("email"), Value: aws.String(userEmail)}},
	})
	if err != nil {
		var userExists *types.UsernameExistsException
		if errors.As(err, &userExists) {
			log.Printf("User %v already exists in the user pool.", userName)
			err = nil
		} else {
			log.Printf("Couldn't create user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}



// AdminSetUserPassword uses administrator credentials to set a password for a user without requiring a
// temporary password.
func (actor CognitoActions) AdminSetUserPassword(ctx context.Context, userPoolId string, userName string, password string) error {
	_, err := actor.CognitoClient.AdminSetUserPassword(ctx, &cognitoidentityprovider.AdminSetUserPasswordInput{
		Password:   aws.String(password),
		UserPoolId: aws.String(userPoolId),
		Username:   aws.String(userName),
		Permanent:  true,
	})
	if err != nil {
		var invalidPassword *types.InvalidPasswordException
		if errors.As(err, &invalidPassword) {
			log.Println(*invalidPassword.Message)
		} else {
			log.Printf("Couldn't set password for user %v. Here's why: %v\n", userName, err)
		}
	}
	return err
}
```
Create a struct that wraps DynamoDB actions.  

```
import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb"
	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
)

// DynamoActions encapsulates the Amazon DynamoDB actions
// used in the examples.
type DynamoActions struct {
	DynamoClient *dynamodb.Client
}

// User defines structured user data.
type User struct {
	UserName  string
	UserEmail string
	LastLogin *LoginInfo `dynamodbav:",omitempty"`
}

// LoginInfo defines structured custom login data.
type LoginInfo struct {
	UserPoolId string
	ClientId   string
	Time       string
}

// UserList defines a list of users.
type UserList struct {
	Users []User
}

// UserNameList returns the usernames contained in a UserList as a list of strings.
func (users *UserList) UserNameList() []string {
	names := make([]string, len(users.Users))
	for i := 0; i < len(users.Users); i++ {
		names[i] = users.Users[i].UserName
	}
	return names
}

// PopulateTable adds a set of test users to the table.
func (actor DynamoActions) PopulateTable(ctx context.Context, tableName string) error {
	var err error
	var item map[string]types.AttributeValue
	var writeReqs []types.WriteRequest
	for i := 1; i < 4; i++ {
		item, err = attributevalue.MarshalMap(User{UserName: fmt.Sprintf("test_user_%v", i), UserEmail: fmt.Sprintf("test_email_%v@example.com", i)})
		if err != nil {
			log.Printf("Couldn't marshal user into DynamoDB format. Here's why: %v\n", err)
			return err
		}
		writeReqs = append(writeReqs, types.WriteRequest{PutRequest: &types.PutRequest{Item: item}})
	}
	_, err = actor.DynamoClient.BatchWriteItem(ctx, &dynamodb.BatchWriteItemInput{
		RequestItems: map[string][]types.WriteRequest{tableName: writeReqs},
	})
	if err != nil {
		log.Printf("Couldn't populate table %v with users. Here's why: %v\n", tableName, err)
	}
	return err
}

// Scan scans the table for all items.
func (actor DynamoActions) Scan(ctx context.Context, tableName string) (UserList, error) {
	var userList UserList
	output, err := actor.DynamoClient.Scan(ctx, &dynamodb.ScanInput{
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Couldn't scan table %v for items. Here's why: %v\n", tableName, err)
	} else {
		err = attributevalue.UnmarshalListOfMaps(output.Items, &userList.Users)
		if err != nil {
			log.Printf("Couldn't unmarshal items into users. Here's why: %v\n", err)
		}
	}
	return userList, err
}

// AddUser adds a user item to a table.
func (actor DynamoActions) AddUser(ctx context.Context, tableName string, user User) error {
	userItem, err := attributevalue.MarshalMap(user)
	if err != nil {
		log.Printf("Couldn't marshal user to item. Here's why: %v\n", err)
		// Don't write a partially built item; report the marshaling failure to the caller.
		return err
	}
	_, err = actor.DynamoClient.PutItem(ctx, &dynamodb.PutItemInput{
		Item:      userItem,
		TableName: aws.String(tableName),
	})
	if err != nil {
		log.Printf("Couldn't put item in table %v. Here's why: %v", tableName, err)
	}
	return err
}
```
Create a struct that wraps CloudWatch Logs actions.  

```
import (
	"context"
	"fmt"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs"
	"github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs/types"
)

type CloudWatchLogsActions struct {
	CwlClient *cloudwatchlogs.Client
}

// GetLatestLogStream gets the most recent log stream for a Lambda function.
func (actor CloudWatchLogsActions) GetLatestLogStream(ctx context.Context, functionName string) (types.LogStream, error) {
	var logStream types.LogStream
	logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName)
	output, err := actor.CwlClient.DescribeLogStreams(ctx, &cloudwatchlogs.DescribeLogStreamsInput{
		Descending:   aws.Bool(true),
		Limit:        aws.Int32(1),
		LogGroupName: aws.String(logGroupName),
		OrderBy:      types.OrderByLastEventTime,
	})
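	if err != nil {
		log.Printf("Couldn't get log streams for log group %v. Here's why: %v\n", logGroupName, err)
	} else if len(output.LogStreams) == 0 {
		// The log group can exist without any streams, for example when the function has not run yet.
		err = fmt.Errorf("no log streams found in log group %v", logGroupName)
		log.Println(err)
	} else {
		logStream = output.LogStreams[0]
	}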
	return logStream, err
}

// GetLogEvents gets the most recent eventCount events from the specified log stream.
func (actor CloudWatchLogsActions) GetLogEvents(ctx context.Context, functionName string, logStreamName string, eventCount int32) (
	[]types.OutputLogEvent, error) {
	var events []types.OutputLogEvent
	logGroupName := fmt.Sprintf("/aws/lambda/%s", functionName)
	output, err := actor.CwlClient.GetLogEvents(ctx, &cloudwatchlogs.GetLogEventsInput{
		LogStreamName: aws.String(logStreamName),
		Limit:         aws.Int32(eventCount),
		LogGroupName:  aws.String(logGroupName),
	})
	if err != nil {
		log.Printf("Couldn't get log event for log stream %v. Here's why: %v\n", logStreamName, err)
	} else {
		events = output.Events
	}
	return events, err
}
```
Create a struct that wraps CloudFormation actions.  

```
import (
	"context"
	"log"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/cloudformation"
)

// StackOutputs defines a map of outputs from a specific stack.
type StackOutputs map[string]string

type CloudFormationActions struct {
	CfnClient *cloudformation.Client
}

// GetOutputs gets the outputs from a CloudFormation stack and puts them into a structured format.
func (actor CloudFormationActions) GetOutputs(ctx context.Context, stackName string) StackOutputs {
	output, err := actor.CfnClient.DescribeStacks(ctx, &cloudformation.DescribeStacksInput{
		StackName: aws.String(stackName),
	})
	if err != nil || len(output.Stacks) == 0 {
		log.Panicf("Couldn't find a CloudFormation stack named %v. Here's why: %v\n", stackName, err)
	}
	stackOutputs := StackOutputs{}
	for _, out := range output.Stacks[0].Outputs {
		stackOutputs[*out.OutputKey] = *out.OutputValue
	}
	return stackOutputs
}
```
Clean up resources.  

```
import (
	"context"
	"log"
	"user_pools_and_lambda_triggers/actions"

	"github.com/awsdocs/aws-doc-sdk-examples/gov2/demotools"
)

// Resources keeps track of AWS resources created during an example and handles
// cleanup when the example finishes.
type Resources struct {
	userPoolId       string
	userAccessTokens []string
	triggers         []actions.Trigger

	cognitoActor *actions.CognitoActions
	questioner   demotools.IQuestioner
}

func (resources *Resources) init(cognitoActor *actions.CognitoActions, questioner demotools.IQuestioner) {
	resources.userAccessTokens = []string{}
	resources.triggers = []actions.Trigger{}
	resources.cognitoActor = cognitoActor
	resources.questioner = questioner
}

// Cleanup deletes all AWS resources created during an example.
func (resources *Resources) Cleanup(ctx context.Context) {
	defer func() {
		if r := recover(); r != nil {
			log.Printf("Something went wrong during cleanup.\n%v\n", r)
			log.Println("Use the AWS Management Console to remove any remaining resources \n" +
				"that were created for this scenario.")
		}
	}()

	wantDelete := resources.questioner.AskBool("Do you want to remove all of the AWS resources that were created "+
		"during this demo (y/n)?", "y")
	if wantDelete {
		for _, accessToken := range resources.userAccessTokens {
			err := resources.cognitoActor.DeleteUser(ctx, accessToken)
			if err != nil {
				log.Println("Couldn't delete user during cleanup.")
				panic(err)
			}
			log.Println("Deleted user.")
		}
		triggerList := make([]actions.TriggerInfo, len(resources.triggers))
		for i := 0; i < len(resources.triggers); i++ {
			triggerList[i] = actions.TriggerInfo{Trigger: resources.triggers[i], HandlerArn: nil}
		}
		err := resources.cognitoActor.UpdateTriggers(ctx, resources.userPoolId, triggerList...)
		if err != nil {
			log.Println("Couldn't update Cognito triggers during cleanup.")
			panic(err)
		}
		log.Println("Removed Cognito triggers from user pool.")
	} else {
		log.Println("Be sure to remove resources when you're done with them to avoid unexpected charges!")
	}
}
```
+ For API details, see the following topics in *AWS SDK for Go API Reference*.
  + [AdminCreateUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.AdminCreateUser)
  + [AdminSetUserPassword](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.AdminSetUserPassword)
  + [DeleteUser](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.DeleteUser)
  + [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth)
  + [UpdateUserPool](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.UpdateUserPool)

------

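For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.

# Code examples for Amazon Cognito Sync using AWS SDKs
<a name="service_code_examples_cognito-sync"></a>

The following code examples show how to use Amazon Cognito Sync with an AWS software development kit (SDK).

*Actions* are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.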

**Contents**
+ [Basics](service_code_examples_cognito-sync_basics.md)
  + [Actions](service_code_examples_cognito-sync_actions.md)
    + [`ListIdentityPoolUsage`](cognito-sync_example_cognito-sync_ListIdentityPoolUsage_section.md)

# Basic examples for Amazon Cognito Sync using AWS SDKs
<a name="service_code_examples_cognito-sync_basics"></a>

The following code examples show how to use Amazon Cognito Sync with AWS SDKs.

**Contents**
+ [Actions](service_code_examples_cognito-sync_actions.md)
  + [`ListIdentityPoolUsage`](cognito-sync_example_cognito-sync_ListIdentityPoolUsage_section.md)

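# Actions for Amazon Cognito Sync using AWS SDKs
<a name="service_code_examples_cognito-sync_actions"></a>

The following code examples demonstrate how to perform individual Amazon Cognito Sync actions with AWS SDKs. Each example includes a link to GitHub, where you can find instructions for setting up and running the code.

 The following examples include only the most commonly used actions. For a complete list, see the [Amazon Cognito Sync API Reference](https://docs.aws.amazon.com/cognitosync/latest/APIReference/Welcome.html).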

**Topics**
+ [`ListIdentityPoolUsage`](cognito-sync_example_cognito-sync_ListIdentityPoolUsage_section.md)

# Use `ListIdentityPoolUsage` with an AWS SDK
<a name="cognito-sync_example_cognito-sync_ListIdentityPoolUsage_section"></a>

The following code example shows how to use `ListIdentityPoolUsage`.

------
#### [ Rust ]

**SDK for Rust**  
 There's more on GitHub. Find the complete example and learn how to set up and run in the [AWS Code Examples Repository](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/cognitosync#code-examples).

```
async fn show_pools(client: &Client) -> Result<(), Error> {
    let response = client
        .list_identity_pool_usage()
        .max_results(10)
        .send()
        .await?;

    let pools = response.identity_pool_usages();
    println!("Identity pools:");

    for pool in pools {
        println!(
            "  Identity pool ID:    {}",
            pool.identity_pool_id().unwrap_or_default()
        );
        println!(
            "  Data storage:        {}",
            pool.data_storage().unwrap_or_default()
        );
        println!(
            "  Sync sessions count: {}",
            pool.sync_sessions_count().unwrap_or_default()
        );
        println!(
            "  Last modified:       {}",
            pool.last_modified_date().unwrap().to_chrono_utc()?
        );
        println!();
    }

    println!("Next token: {}", response.next_token().unwrap_or_default());

    Ok(())
}
```
+  For API details, see [ListIdentityPoolUsage](https://docs.rs/aws-sdk-cognitosync/latest/aws_sdk_cognitosync/client/struct.Client.html#method.list_identity_pool_usage) in *AWS SDK for Rust API reference*.

------

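For a complete list of AWS SDK developer guides and code examples, see [Using this service with an AWS SDK](sdk-general-information-section.md). This topic also includes information about getting started and details about previous SDK versions.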