2017/06/01 - Amazon Cognito Identity Provider - 9 new 4 updated api methods
Updates identity provider information for a user pool.
See also: AWS API Documentation
Request Syntax
client.update_identity_provider( UserPoolId='string', ProviderName='string', ProviderDetails={ 'string': 'string' }, AttributeMapping={ 'string': 'string' }, IdpIdentifiers=[ 'string', ] )
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The identity provider name.
dict
The identity provider details to be updated, such as MetadataURL and MetadataFile .
(string) --
(string) --
dict
The identity provider attribute mapping to be changed.
(string) --
(string) --
list
A list of identity provider identifiers.
(string) --
dict
Response Syntax
{ 'IdentityProvider': { 'UserPoolId': 'string', 'ProviderName': 'string', 'ProviderType': 'SAML', 'ProviderDetails': { 'string': 'string' }, 'AttributeMapping': { 'string': 'string' }, 'IdpIdentifiers': [ 'string', ], 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1) } }
Response Structure
(dict) --
IdentityProvider (dict) --
The identity provider object.
UserPoolId (string) --
The user pool ID.
ProviderName (string) --
The identity provider name.
ProviderType (string) --
The identity provider type.
ProviderDetails (dict) --
The identity provider details, such as MetadataURL and MetadataFile .
(string) --
(string) --
AttributeMapping (dict) --
A mapping of identity provider attributes to standard and custom user pool attributes.
(string) --
(string) --
IdpIdentifiers (list) --
A list of identity provider identifiers.
(string) --
LastModifiedDate (datetime) --
The date the identity provider was last modified.
CreationDate (datetime) --
The date the identity provider was created.
Deletes an identity provider for a user pool.
See also: AWS API Documentation
Request Syntax
client.delete_identity_provider( UserPoolId='string', ProviderName='string' )
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The identity provider name.
None
Gets information about a domain.
See also: AWS API Documentation
Request Syntax
client.describe_user_pool_domain( Domain='string' )
string
[REQUIRED]
The domain string.
dict
Response Syntax
{ 'DomainDescription': { 'UserPoolId': 'string', 'AWSAccountId': 'string', 'Domain': 'string', 'S3Bucket': 'string', 'CloudFrontDistribution': 'string', 'Version': 'string', 'Status': 'CREATING'|'DELETING'|'UPDATING'|'ACTIVE' } }
Response Structure
(dict) --
DomainDescription (dict) --
A domain description object containing information about the domain.
UserPoolId (string) --
The user pool ID.
AWSAccountId (string) --
The AWS account ID for the user pool owner.
Domain (string) --
The domain string.
S3Bucket (string) --
The S3 bucket where the static files for this domain are stored.
CloudFrontDistribution (string) --
The ARN of the CloudFront distribution.
Version (string) --
The app version.
Status (string) --
The domain status.
Creates an identity provider for a user pool.
See also: AWS API Documentation
Request Syntax
client.create_identity_provider( UserPoolId='string', ProviderName='string', ProviderType='SAML', ProviderDetails={ 'string': 'string' }, AttributeMapping={ 'string': 'string' }, IdpIdentifiers=[ 'string', ] )
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The identity provider name.
string
[REQUIRED]
The identity provider type.
dict
[REQUIRED]
The identity provider details, such as MetadataURL and MetadataFile .
(string) --
(string) --
dict
A mapping of identity provider attributes to standard and custom user pool attributes.
(string) --
(string) --
list
A list of identity provider identifiers.
(string) --
dict
Response Syntax
{ 'IdentityProvider': { 'UserPoolId': 'string', 'ProviderName': 'string', 'ProviderType': 'SAML', 'ProviderDetails': { 'string': 'string' }, 'AttributeMapping': { 'string': 'string' }, 'IdpIdentifiers': [ 'string', ], 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1) } }
Response Structure
(dict) --
IdentityProvider (dict) --
The newly created identity provider object.
UserPoolId (string) --
The user pool ID.
ProviderName (string) --
The identity provider name.
ProviderType (string) --
The identity provider type.
ProviderDetails (dict) --
The identity provider details, such as MetadataURL and MetadataFile .
(string) --
(string) --
AttributeMapping (dict) --
A mapping of identity provider attributes to standard and custom user pool attributes.
(string) --
(string) --
IdpIdentifiers (list) --
A list of identity provider identifiers.
(string) --
LastModifiedDate (datetime) --
The date the identity provider was last modified.
CreationDate (datetime) --
The date the identity provider was created.
Gets the specified identity provider.
See also: AWS API Documentation
Request Syntax
client.get_identity_provider_by_identifier( UserPoolId='string', IdpIdentifier='string' )
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The identity provider ID.
dict
Response Syntax
{ 'IdentityProvider': { 'UserPoolId': 'string', 'ProviderName': 'string', 'ProviderType': 'SAML', 'ProviderDetails': { 'string': 'string' }, 'AttributeMapping': { 'string': 'string' }, 'IdpIdentifiers': [ 'string', ], 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1) } }
Response Structure
(dict) --
IdentityProvider (dict) --
The identity provider object.
UserPoolId (string) --
The user pool ID.
ProviderName (string) --
The identity provider name.
ProviderType (string) --
The identity provider type.
ProviderDetails (dict) --
The identity provider details, such as MetadataURL and MetadataFile .
(string) --
(string) --
AttributeMapping (dict) --
A mapping of identity provider attributes to standard and custom user pool attributes.
(string) --
(string) --
IdpIdentifiers (list) --
A list of identity provider identifiers.
(string) --
LastModifiedDate (datetime) --
The date the identity provider was last modified.
CreationDate (datetime) --
The date the identity provider was created.
Lists information about all identity providers for a user pool.
See also: AWS API Documentation
Request Syntax
client.list_identity_providers( UserPoolId='string', MaxResults=123, NextToken='string' )
string
[REQUIRED]
The user pool ID.
integer
The maximum number of identity providers to return.
string
A pagination token.
dict
Response Syntax
{ 'Providers': [ { 'ProviderName': 'string', 'ProviderType': 'SAML', 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1) }, ], 'NextToken': 'string' }
Response Structure
(dict) --
Providers (list) --
A list of identity provider objects.
(dict) --
A container for identity provider details.
ProviderName (string) --
The identity provider name.
ProviderType (string) --
The identity provider type.
LastModifiedDate (datetime) --
The date the provider was last modified.
CreationDate (datetime) --
The date the provider was added to the user pool.
NextToken (string) --
A pagination token.
Deletes a domain for a user pool.
See also: AWS API Documentation
Request Syntax
client.delete_user_pool_domain( Domain='string', UserPoolId='string' )
string
[REQUIRED]
The domain string.
string
[REQUIRED]
The user pool ID.
dict
Response Syntax
{}
Response Structure
(dict) --
Gets information about a specific identity provider.
See also: AWS API Documentation
Request Syntax
client.describe_identity_provider( UserPoolId='string', ProviderName='string' )
string
[REQUIRED]
The user pool ID.
string
[REQUIRED]
The identity provider name.
dict
Response Syntax
{ 'IdentityProvider': { 'UserPoolId': 'string', 'ProviderName': 'string', 'ProviderType': 'SAML', 'ProviderDetails': { 'string': 'string' }, 'AttributeMapping': { 'string': 'string' }, 'IdpIdentifiers': [ 'string', ], 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1) } }
Response Structure
(dict) --
IdentityProvider (dict) --
The identity provider that was deleted.
UserPoolId (string) --
The user pool ID.
ProviderName (string) --
The identity provider name.
ProviderType (string) --
The identity provider type.
ProviderDetails (dict) --
The identity provider details, such as MetadataURL and MetadataFile .
(string) --
(string) --
AttributeMapping (dict) --
A mapping of identity provider attributes to standard and custom user pool attributes.
(string) --
(string) --
IdpIdentifiers (list) --
A list of identity provider identifiers.
(string) --
LastModifiedDate (datetime) --
The date the identity provider was last modified.
CreationDate (datetime) --
The date the identity provider was created.
Creates a new domain for a user pool.
See also: AWS API Documentation
Request Syntax
client.create_user_pool_domain( Domain='string', UserPoolId='string' )
string
[REQUIRED]
The domain string.
string
[REQUIRED]
The user pool ID.
dict
Response Syntax
{}
Response Structure
(dict) --
{'AllowedOAuthFlows': ['code | implicit | client_credentials'], 'AllowedOAuthFlowsUserPoolClient': 'boolean', 'AllowedOAuthScopes': ['string'], 'CallbackURLs': ['string'], 'DefaultRedirectURI': 'string', 'LogoutURLs': ['string'], 'SupportedIdentityProviders': ['string']}Response
{'UserPoolClient': {'AllowedOAuthFlows': ['code | implicit | ' 'client_credentials'], 'AllowedOAuthFlowsUserPoolClient': 'boolean', 'AllowedOAuthScopes': ['string'], 'CallbackURLs': ['string'], 'DefaultRedirectURI': 'string', 'LogoutURLs': ['string'], 'SupportedIdentityProviders': ['string']}}
Creates the user pool client.
See also: AWS API Documentation
Request Syntax
client.create_user_pool_client( UserPoolId='string', ClientName='string', GenerateSecret=True|False, RefreshTokenValidity=123, ReadAttributes=[ 'string', ], WriteAttributes=[ 'string', ], ExplicitAuthFlows=[ 'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY', ], SupportedIdentityProviders=[ 'string', ], CallbackURLs=[ 'string', ], LogoutURLs=[ 'string', ], DefaultRedirectURI='string', AllowedOAuthFlows=[ 'code'|'implicit'|'client_credentials', ], AllowedOAuthScopes=[ 'string', ], AllowedOAuthFlowsUserPoolClient=True|False )
string
[REQUIRED]
The user pool ID for the user pool where you want to create a user pool client.
string
[REQUIRED]
The client name for the user pool client you would like to create.
boolean
Boolean to specify whether you want to generate a secret for the user pool client being created.
integer
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
list
The read attributes.
(string) --
list
The write attributes.
(string) --
list
The explicit authentication flows.
(string) --
list
A list of provider names for the identity providers that are supported on this client.
(string) --
list
A list of allowed callback URLs for the identity providers.
(string) --
list
A list of allowed logout URLs for the identity providers.
(string) --
string
The default redirect URI. Must be in the CallbackURLs list.
list
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
list
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
boolean
Set to True if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
dict
Response Syntax
{ 'UserPoolClient': { 'UserPoolId': 'string', 'ClientName': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1), 'RefreshTokenValidity': 123, 'ReadAttributes': [ 'string', ], 'WriteAttributes': [ 'string', ], 'ExplicitAuthFlows': [ 'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY', ], 'SupportedIdentityProviders': [ 'string', ], 'CallbackURLs': [ 'string', ], 'LogoutURLs': [ 'string', ], 'DefaultRedirectURI': 'string', 'AllowedOAuthFlows': [ 'code'|'implicit'|'client_credentials', ], 'AllowedOAuthScopes': [ 'string', ], 'AllowedOAuthFlowsUserPoolClient': True|False } }
Response Structure
(dict) --
Represents the response from the server to create a user pool client.
UserPoolClient (dict) --
The user pool client that was just created.
UserPoolId (string) --
The user pool ID for the user pool client.
ClientName (string) --
The client name from the user pool request of the client type.
ClientId (string) --
The ID of the client associated with the user pool.
ClientSecret (string) --
The client secret from the user pool request of the client type.
LastModifiedDate (datetime) --
The date the user pool client was last modified.
CreationDate (datetime) --
The date the user pool client was created.
RefreshTokenValidity (integer) --
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
ReadAttributes (list) --
The Read-only attributes.
(string) --
WriteAttributes (list) --
The writeable attributes.
(string) --
ExplicitAuthFlows (list) --
The explicit authentication flows.
(string) --
SupportedIdentityProviders (list) --
A list of provider names for the identity providers that are supported on this client.
(string) --
CallbackURLs (list) --
A list of allowed callback URLs for the identity providers.
(string) --
LogoutURLs (list) --
A list ofallowed logout URLs for the identity providers.
(string) --
DefaultRedirectURI (string) --
The default redirect URI. Must be in the CallbackURLs list.
AllowedOAuthFlows (list) --
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
AllowedOAuthScopes (list) --
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
AllowedOAuthFlowsUserPoolClient (boolean) --
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
{'UserPoolClient': {'AllowedOAuthFlows': ['code | implicit | ' 'client_credentials'], 'AllowedOAuthFlowsUserPoolClient': 'boolean', 'AllowedOAuthScopes': ['string'], 'CallbackURLs': ['string'], 'DefaultRedirectURI': 'string', 'LogoutURLs': ['string'], 'SupportedIdentityProviders': ['string']}}
Client method for returning the configuration information and metadata of the specified user pool client.
See also: AWS API Documentation
Request Syntax
client.describe_user_pool_client( UserPoolId='string', ClientId='string' )
string
[REQUIRED]
The user pool ID for the user pool you want to describe.
string
[REQUIRED]
The ID of the client associated with the user pool.
dict
Response Syntax
{ 'UserPoolClient': { 'UserPoolId': 'string', 'ClientName': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1), 'RefreshTokenValidity': 123, 'ReadAttributes': [ 'string', ], 'WriteAttributes': [ 'string', ], 'ExplicitAuthFlows': [ 'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY', ], 'SupportedIdentityProviders': [ 'string', ], 'CallbackURLs': [ 'string', ], 'LogoutURLs': [ 'string', ], 'DefaultRedirectURI': 'string', 'AllowedOAuthFlows': [ 'code'|'implicit'|'client_credentials', ], 'AllowedOAuthScopes': [ 'string', ], 'AllowedOAuthFlowsUserPoolClient': True|False } }
Response Structure
(dict) --
Represents the response from the server from a request to describe the user pool client.
UserPoolClient (dict) --
The user pool client from a server response to describe the user pool client.
UserPoolId (string) --
The user pool ID for the user pool client.
ClientName (string) --
The client name from the user pool request of the client type.
ClientId (string) --
The ID of the client associated with the user pool.
ClientSecret (string) --
The client secret from the user pool request of the client type.
LastModifiedDate (datetime) --
The date the user pool client was last modified.
CreationDate (datetime) --
The date the user pool client was created.
RefreshTokenValidity (integer) --
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
ReadAttributes (list) --
The Read-only attributes.
(string) --
WriteAttributes (list) --
The writeable attributes.
(string) --
ExplicitAuthFlows (list) --
The explicit authentication flows.
(string) --
SupportedIdentityProviders (list) --
A list of provider names for the identity providers that are supported on this client.
(string) --
CallbackURLs (list) --
A list of allowed callback URLs for the identity providers.
(string) --
LogoutURLs (list) --
A list ofallowed logout URLs for the identity providers.
(string) --
DefaultRedirectURI (string) --
The default redirect URI. Must be in the CallbackURLs list.
AllowedOAuthFlows (list) --
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
AllowedOAuthScopes (list) --
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
AllowedOAuthFlowsUserPoolClient (boolean) --
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
{'UserSub': 'string'}
Registers the user in the specified user pool and creates a user name, password, and user attributes.
See also: AWS API Documentation
Request Syntax
client.sign_up( ClientId='string', SecretHash='string', Username='string', Password='string', UserAttributes=[ { 'Name': 'string', 'Value': 'string' }, ], ValidationData=[ { 'Name': 'string', 'Value': 'string' }, ] )
string
[REQUIRED]
The ID of the client associated with the user pool.
string
A keyed-hash message authentication code (HMAC) calculated using the secret key of a user pool client and username plus the client ID in the message.
string
[REQUIRED]
The user name of the user you wish to register.
string
[REQUIRED]
The password of the user you wish to register.
list
An array of name-value pairs representing user attributes.
For custom attributes, you must prepend the custom: prefix to the attribute name.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
list
The validation data in the request to register a user.
(dict) --
Specifies whether the attribute is standard or custom.
Name (string) -- [REQUIRED]
The name of the attribute.
Value (string) --
The value of the attribute.
dict
Response Syntax
{ 'UserConfirmed': True|False, 'CodeDeliveryDetails': { 'Destination': 'string', 'DeliveryMedium': 'SMS'|'EMAIL', 'AttributeName': 'string' }, 'UserSub': 'string' }
Response Structure
(dict) --
The response from the server for a registration request.
UserConfirmed (boolean) --
A response from the server indicating that a user registration has been confirmed.
CodeDeliveryDetails (dict) --
The code delivery details returned by the server response to the user registration request.
Destination (string) --
The destination for the code delivery details.
DeliveryMedium (string) --
The delivery medium (email message or phone number).
AttributeName (string) --
The name of the attribute in the code delivery details type.
UserSub (string) --
The UUID of the authenticated user. This is not the same as username .
{'AllowedOAuthFlows': ['code | implicit | client_credentials'], 'AllowedOAuthFlowsUserPoolClient': 'boolean', 'AllowedOAuthScopes': ['string'], 'CallbackURLs': ['string'], 'DefaultRedirectURI': 'string', 'LogoutURLs': ['string'], 'SupportedIdentityProviders': ['string']}Response
{'UserPoolClient': {'AllowedOAuthFlows': ['code | implicit | ' 'client_credentials'], 'AllowedOAuthFlowsUserPoolClient': 'boolean', 'AllowedOAuthScopes': ['string'], 'CallbackURLs': ['string'], 'DefaultRedirectURI': 'string', 'LogoutURLs': ['string'], 'SupportedIdentityProviders': ['string']}}
Allows the developer to update the specified user pool client and password policy.
See also: AWS API Documentation
Request Syntax
client.update_user_pool_client( UserPoolId='string', ClientId='string', ClientName='string', RefreshTokenValidity=123, ReadAttributes=[ 'string', ], WriteAttributes=[ 'string', ], ExplicitAuthFlows=[ 'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY', ], SupportedIdentityProviders=[ 'string', ], CallbackURLs=[ 'string', ], LogoutURLs=[ 'string', ], DefaultRedirectURI='string', AllowedOAuthFlows=[ 'code'|'implicit'|'client_credentials', ], AllowedOAuthScopes=[ 'string', ], AllowedOAuthFlowsUserPoolClient=True|False )
string
[REQUIRED]
The user pool ID for the user pool where you want to update the user pool client.
string
[REQUIRED]
The ID of the client associated with the user pool.
string
The client name from the update user pool client request.
integer
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
list
The read-only attributes of the user pool.
(string) --
list
The writeable attributes of the user pool.
(string) --
list
Explicit authentication flows.
(string) --
list
A list of provider names for the identity providers that are supported on this client.
(string) --
list
A list of allowed callback URLs for the identity providers.
(string) --
list
A list ofallowed logout URLs for the identity providers.
(string) --
string
The default redirect URI. Must be in the CallbackURLs list.
list
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
list
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
boolean
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
dict
Response Syntax
{ 'UserPoolClient': { 'UserPoolId': 'string', 'ClientName': 'string', 'ClientId': 'string', 'ClientSecret': 'string', 'LastModifiedDate': datetime(2015, 1, 1), 'CreationDate': datetime(2015, 1, 1), 'RefreshTokenValidity': 123, 'ReadAttributes': [ 'string', ], 'WriteAttributes': [ 'string', ], 'ExplicitAuthFlows': [ 'ADMIN_NO_SRP_AUTH'|'CUSTOM_AUTH_FLOW_ONLY', ], 'SupportedIdentityProviders': [ 'string', ], 'CallbackURLs': [ 'string', ], 'LogoutURLs': [ 'string', ], 'DefaultRedirectURI': 'string', 'AllowedOAuthFlows': [ 'code'|'implicit'|'client_credentials', ], 'AllowedOAuthScopes': [ 'string', ], 'AllowedOAuthFlowsUserPoolClient': True|False } }
Response Structure
(dict) --
Represents the response from the server to the request to update the user pool client.
UserPoolClient (dict) --
The user pool client value from the response from the server when an update user pool client request is made.
UserPoolId (string) --
The user pool ID for the user pool client.
ClientName (string) --
The client name from the user pool request of the client type.
ClientId (string) --
The ID of the client associated with the user pool.
ClientSecret (string) --
The client secret from the user pool request of the client type.
LastModifiedDate (datetime) --
The date the user pool client was last modified.
CreationDate (datetime) --
The date the user pool client was created.
RefreshTokenValidity (integer) --
The time limit, in days, after which the refresh token is no longer valid and cannot be used.
ReadAttributes (list) --
The Read-only attributes.
(string) --
WriteAttributes (list) --
The writeable attributes.
(string) --
ExplicitAuthFlows (list) --
The explicit authentication flows.
(string) --
SupportedIdentityProviders (list) --
A list of provider names for the identity providers that are supported on this client.
(string) --
CallbackURLs (list) --
A list of allowed callback URLs for the identity providers.
(string) --
LogoutURLs (list) --
A list ofallowed logout URLs for the identity providers.
(string) --
DefaultRedirectURI (string) --
The default redirect URI. Must be in the CallbackURLs list.
AllowedOAuthFlows (list) --
Set to code to initiate a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the token endpoint.
Set to token to specify that the client should get the access token (and, optionally, ID token, based on scopes) directly.
(string) --
AllowedOAuthScopes (list) --
A list of allowed OAuth scopes. Currently supported values are "phone" , "email" , "openid" , and "Cognito" .
(string) --
AllowedOAuthFlowsUserPoolClient (boolean) --
Set to TRUE if the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.