CognitoIdentityProvider / Paginator / AdminListUserAuthEvents

AdminListUserAuthEvents

class CognitoIdentityProvider.Paginator.AdminListUserAuthEvents

paginator = client.get_paginator('admin_list_user_auth_events')

paginate(**kwargs)

Creates an iterator that will paginate through responses from CognitoIdentityProvider.Client.admin_list_user_auth_events().

See also: AWS API Documentation

Request Syntax

response_iterator = paginator.paginate(
    UserPoolId='string',
    Username='string',
    PaginationConfig={
        'MaxItems': 123,
        'PageSize': 123,
        'StartingToken': 'string'
    }
)

Parameters:

• UserPoolId (string) –

  [REQUIRED]

  The Id of the user pool that contains the user profile with the logged events.

• Username (string) –

  [REQUIRED]

  The username of the user that you want to query or modify. The value of this parameter is typically your user’s username, but it can be any of their alias attributes. If username isn’t an alias attribute in your user pool, this value must be the sub of a local user or the username of a user from a third-party IdP.

• PaginationConfig (dict) –

  A dictionary that provides parameters to control pagination.

  • MaxItems (integer) –

    The total number of items to return. If the total number of items available is more than the value specified in max-items then a NextToken will be provided in the output that you can use to resume pagination.

  • PageSize (integer) –

    The size of each page.

  • StartingToken (string) –

    A token to specify where to start paginating. This is the NextToken from a previous response.

Return type:

dict

Returns:

Response Syntax

{
    'AuthEvents': [
        {
            'EventId': 'string',
            'EventType': 'SignIn'|'SignUp'|'ForgotPassword'|'PasswordChange'|'ResendCode',
            'CreationDate': datetime(2015, 1, 1),
            'EventResponse': 'Pass'|'Fail'|'InProgress',
            'EventRisk': {
                'RiskDecision': 'NoRisk'|'AccountTakeover'|'Block',
                'RiskLevel': 'Low'|'Medium'|'High',
                'CompromisedCredentialsDetected': True|False
            },
            'ChallengeResponses': [
                {
                    'ChallengeName': 'Password'|'Mfa',
                    'ChallengeResponse': 'Success'|'Failure'
                },
            ],
            'EventContextData': {
                'IpAddress': 'string',
                'DeviceName': 'string',
                'Timezone': 'string',
                'City': 'string',
                'Country': 'string'
            },
            'EventFeedback': {
                'FeedbackValue': 'Valid'|'Invalid',
                'Provider': 'string',
                'FeedbackDate': datetime(2015, 1, 1)
            }
        },
    ],

}

Response Structure

• (dict) –

  • AuthEvents (list) –

    The response object. It includes the EventID, EventType, CreationDate, EventRisk, and EventResponse.

    • (dict) –

      One authentication event that Amazon Cognito logged in a user pool with advanced security features active. Contains user and device metadata and a risk assessment from your user pool.

      This data type is a request parameter of AdminListUserAuthEvents.

      • EventId (string) –

        The event ID.

      • EventType (string) –

        The type of authentication event.

      • CreationDate (datetime) –

        The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java Date object.

      • EventResponse (string) –

        The event response.

      • EventRisk (dict) –

        The threat evaluation from your user pool about an event. Contains information about whether your user pool detected compromised credentials, whether the event triggered an automated response, and the level of risk.

        • RiskDecision (string) –

          The action taken by adaptive authentication. If NoRisk, your user pool took no action. If AccountTakeover, your user pool applied the adaptive authentication automated response that you configured. If Block, your user pool prevented the attempt.

        • RiskLevel (string) –

          The risk level that adaptive authentication assessed for the authentication event.

        • CompromisedCredentialsDetected (boolean) –

          Indicates whether compromised credentials were detected during an authentication event.

      • ChallengeResponses (list) –

        A list of the challenges that the user was requested to answer, for example Password, and the result, for example Success.

        • (dict) –

          The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.

          Warning

          You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret. Include a DEVICE_KEY for device authentication.

          SELECT_CHALLENGE

          "ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge name]"}

          Available challenges are PASSWORD, PASSWORD_SRP, EMAIL_OTP, SMS_OTP, and WEB_AUTHN.

          Complete authentication in the SELECT_CHALLENGE response for PASSWORD, PASSWORD_SRP, and WEB_AUTHN:

          • "ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"} See AuthenticationResponseJSON.

          • "ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD": "[password]"}

          • "ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A": "[SRP_A]"}

          For SMS_OTP and EMAIL_OTP, respond with the username and answer. Your user pool will send a code for the user to submit in the next challenge response.

          • "ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}

          • "ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}

            SMS_OTP

          "ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}

          EMAIL_OTP

          "ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}

          SMS_MFA

          "ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}

          PASSWORD_VERIFIER

          This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this challenge within a few seconds. When the response time exceeds this period, your user pool returns a NotAuthorizedException error.

          "ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}

          Add "DEVICE_KEY" when you sign in with a remembered device.

          CUSTOM_CHALLENGE

          "ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}

          Add "DEVICE_KEY" when you sign in with a remembered device.

          NEW_PASSWORD_REQUIRED

          "ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}

          To set any required attributes that InitiateAuth returned in an requiredAttributes parameter, add "userAttributes.[attribute_name]": "[attribute_value]". This parameter can also set values for writable attributes that aren’t required by your user pool.

          Note

          In a NEW_PASSWORD_REQUIRED challenge response, you can’t modify a required attribute that already has a value. In RespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in the requiredAttributes parameter, then use the UpdateUserAttributes API operation to modify the value of any additional attributes.

          SOFTWARE_TOKEN_MFA

          "ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses": {"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE": [authenticator_code]}

          DEVICE_SRP_AUTH

          "ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": {"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A": "[srp_a]"}

          DEVICE_PASSWORD_VERIFIER

          "ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses": {"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}

          MFA_SETUP

          "ChallengeName": "MFA_SETUP", "ChallengeResponses": {"USERNAME": "[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"

          SELECT_MFA_TYPE

          "ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"}

          For more information about SECRET_HASH, see Computing secret hash values. For information about DEVICE_KEY, see Working with user devices in your user pool.

          This data type is a request parameter of RespondToAuthChallenge and AdminRespondToAuthChallenge.

          • ChallengeName (string) –

            The type of challenge that your previous authentication request returned in the parameter ChallengeName, for example SMS_MFA.

          • ChallengeResponse (string) –

            The set of key-value pairs that provides a response to the requested challenge.

      • EventContextData (dict) –

        The user context data captured at the time of an event request. This value provides additional information about the client from which event the request is received.

        • IpAddress (string) –

          The source IP address of your user’s device.

        • DeviceName (string) –

          The user’s device name.

        • Timezone (string) –

          The user’s time zone.

        • City (string) –

          The user’s city.

        • Country (string) –

          The user’s country.

      • EventFeedback (dict) –

        The UpdateAuthEventFeedback or AdminUpdateAuthEventFeedback feedback that you or your user provided in response to the event. A value of Valid indicates that you disagreed with the level of risk that your user pool assigned, and evaluated a session to be valid, or likely safe. A value of Invalid indicates that you agreed with the user pool risk level and evaluated a session to be invalid, or likely malicious.

        • FeedbackValue (string) –

          The authentication event feedback value. When you provide a FeedbackValue value of valid, you tell Amazon Cognito that you trust a user session where Amazon Cognito has evaluated some level of risk. When you provide a FeedbackValue value of invalid, you tell Amazon Cognito that you don’t trust a user session, or you don’t believe that Amazon Cognito evaluated a high-enough risk level.

        • Provider (string) –

          The submitter of the event feedback. For example, if you submit event feedback in the Amazon Cognito console, this value is Admin.

        • FeedbackDate (datetime) –

          The date that you or your user submitted the feedback.