Class CreateUserPoolClientRequest
- All Implemented Interfaces:
SdkPojo
,ToCopyableBuilder<CreateUserPoolClientRequest.Builder,
CreateUserPoolClientRequest>
Represents the request to create a user pool client.
-
Nested Class Summary
-
Method Summary
Modifier and TypeMethodDescriptionfinal Integer
The access token time limit.final List
<OAuthFlowType> The OAuth grant types that you want your app client to generate.The OAuth grant types that you want your app client to generate.final Boolean
Set totrue
to use OAuth 2.0 features in your user pool app client.The allowed OAuth scopes.The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.final Integer
Amazon Cognito creates a session token for each API request in an authentication flow.builder()
A list of allowed redirect (callback) URLs for the IdPs.final String
The client name for the user pool client you would like to create.final String
The default redirect URI.final Boolean
Activates the propagation of additional user context data.final Boolean
Activates or deactivates token revocation.final boolean
final boolean
equalsBySdkFields
(Object obj) Indicates whether some other object is "equal to" this one by SDK fields.final List
<ExplicitAuthFlowsType> The authentication flows that you want your user pool client to support.The authentication flows that you want your user pool client to support.final Boolean
Boolean to specify whether you want to generate a secret for the user pool client being created.final <T> Optional
<T> getValueForField
(String fieldName, Class<T> clazz) Used to retrieve the value of a field from any class that extendsSdkRequest
.final boolean
For responses, this returns true if the service returned a value for the AllowedOAuthFlows property.final boolean
For responses, this returns true if the service returned a value for the AllowedOAuthScopes property.final boolean
For responses, this returns true if the service returned a value for the CallbackURLs property.final boolean
For responses, this returns true if the service returned a value for the ExplicitAuthFlows property.final int
hashCode()
final boolean
For responses, this returns true if the service returned a value for the LogoutURLs property.final boolean
For responses, this returns true if the service returned a value for the ReadAttributes property.final boolean
For responses, this returns true if the service returned a value for the SupportedIdentityProviders property.final boolean
For responses, this returns true if the service returned a value for the WriteAttributes property.final Integer
The ID token time limit.A list of allowed logout URLs for the IdPs.Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool.final String
Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool.The list of user attributes that you want your app client to have read-only access to.final Integer
The refresh token time limit.static Class
<? extends CreateUserPoolClientRequest.Builder> A list of provider names for the identity providers (IdPs) that are supported on this client.Take this object and create a builder that contains all of the current property values of this object.final TokenValidityUnitsType
The units in which the validity times are represented.final String
toString()
Returns a string representation of this object.final String
The user pool ID for the user pool where you want to create a user pool client.The list of user attributes that you want your app client to have write access to.Methods inherited from class software.amazon.awssdk.awscore.AwsRequest
overrideConfiguration
Methods inherited from interface software.amazon.awssdk.utils.builder.ToCopyableBuilder
copy
-
Method Details
-
userPoolId
The user pool ID for the user pool where you want to create a user pool client.
- Returns:
- The user pool ID for the user pool where you want to create a user pool client.
-
clientName
The client name for the user pool client you would like to create.
- Returns:
- The client name for the user pool client you would like to create.
-
generateSecret
Boolean to specify whether you want to generate a secret for the user pool client being created.
- Returns:
- Boolean to specify whether you want to generate a secret for the user pool client being created.
-
refreshTokenValidity
The refresh token time limit. After this limit expires, your user can't use their refresh token. To specify the time unit for
RefreshTokenValidity
asseconds
,minutes
,hours
, ordays
, set aTokenValidityUnits
value in your API request.For example, when you set
RefreshTokenValidity
as10
andTokenValidityUnits
asdays
, your user can refresh their session and retrieve new access and ID tokens for 10 days.The default time unit for
RefreshTokenValidity
in an API request is days. You can't setRefreshTokenValidity
to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
- Returns:
- The refresh token time limit. After this limit expires, your user can't use their refresh token. To
specify the time unit for
RefreshTokenValidity
asseconds
,minutes
,hours
, ordays
, set aTokenValidityUnits
value in your API request.For example, when you set
RefreshTokenValidity
as10
andTokenValidityUnits
asdays
, your user can refresh their session and retrieve new access and ID tokens for 10 days.The default time unit for
RefreshTokenValidity
in an API request is days. You can't setRefreshTokenValidity
to 0. If you do, Amazon Cognito overrides the value with the default value of 30 days. Valid range is displayed below in seconds.If you don't specify otherwise in the configuration of your app client, your refresh tokens are valid for 30 days.
-
accessTokenValidity
The access token time limit. After this limit expires, your user can't use their access token. To specify the time unit for
AccessTokenValidity
asseconds
,minutes
,hours
, ordays
, set aTokenValidityUnits
value in your API request.For example, when you set
AccessTokenValidity
to10
andTokenValidityUnits
tohours
, your user can authorize access with their access token for 10 hours.The default time unit for
AccessTokenValidity
in an API request is hours. Valid range is displayed below in seconds.If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
- Returns:
- The access token time limit. After this limit expires, your user can't use their access token. To specify
the time unit for
AccessTokenValidity
asseconds
,minutes
,hours
, ordays
, set aTokenValidityUnits
value in your API request.For example, when you set
AccessTokenValidity
to10
andTokenValidityUnits
tohours
, your user can authorize access with their access token for 10 hours.The default time unit for
AccessTokenValidity
in an API request is hours. Valid range is displayed below in seconds.If you don't specify otherwise in the configuration of your app client, your access tokens are valid for one hour.
-
idTokenValidity
The ID token time limit. After this limit expires, your user can't use their ID token. To specify the time unit for
IdTokenValidity
asseconds
,minutes
,hours
, ordays
, set aTokenValidityUnits
value in your API request.For example, when you set
IdTokenValidity
as10
andTokenValidityUnits
ashours
, your user can authenticate their session with their ID token for 10 hours.The default time unit for
IdTokenValidity
in an API request is hours. Valid range is displayed below in seconds.If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
- Returns:
- The ID token time limit. After this limit expires, your user can't use their ID token. To specify the
time unit for
IdTokenValidity
asseconds
,minutes
,hours
, ordays
, set aTokenValidityUnits
value in your API request.For example, when you set
IdTokenValidity
as10
andTokenValidityUnits
ashours
, your user can authenticate their session with their ID token for 10 hours.The default time unit for
IdTokenValidity
in an API request is hours. Valid range is displayed below in seconds.If you don't specify otherwise in the configuration of your app client, your ID tokens are valid for one hour.
-
tokenValidityUnits
The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
- Returns:
- The units in which the validity times are represented. The default unit for RefreshToken is days, and default for ID and access tokens are hours.
-
hasReadAttributes
public final boolean hasReadAttributes()For responses, this returns true if the service returned a value for the ReadAttributes property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
readAttributes
The list of user attributes that you want your app client to have read-only access to. After your user authenticates in your app, their access token authorizes them to read their own attribute value for any attribute in this list. An example of this kind of activity is when your user selects a link to view their profile information. Your app makes a GetUser API request to retrieve and display your user's profile data.
When you don't specify the
ReadAttributes
for your app client, your app can read the values ofemail_verified
,phone_number_verified
, and the Standard attributes of your user pool. When your user pool has read access to these default attributes,ReadAttributes
doesn't return any information. Amazon Cognito only populatesReadAttributes
in the API response if you have specified your own custom set of read attributes.Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasReadAttributes()
method.- Returns:
- The list of user attributes that you want your app client to have read-only access to. After your user
authenticates in your app, their access token authorizes them to read their own attribute value for any
attribute in this list. An example of this kind of activity is when your user selects a link to view
their profile information. Your app makes a GetUser API request to retrieve and display your user's profile data.
When you don't specify the
ReadAttributes
for your app client, your app can read the values ofemail_verified
,phone_number_verified
, and the Standard attributes of your user pool. When your user pool has read access to these default attributes,ReadAttributes
doesn't return any information. Amazon Cognito only populatesReadAttributes
in the API response if you have specified your own custom set of read attributes.
-
hasWriteAttributes
public final boolean hasWriteAttributes()For responses, this returns true if the service returned a value for the WriteAttributes property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
writeAttributes
The list of user attributes that you want your app client to have write access to. After your user authenticates in your app, their access token authorizes them to set or modify their own attribute value for any attribute in this list. An example of this kind of activity is when you present your user with a form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets
family_name
to the new value.When you don't specify the
WriteAttributes
for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes,WriteAttributes
doesn't return any information. Amazon Cognito only populatesWriteAttributes
in the API response if you have specified your own custom set of write attributes.If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.
Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasWriteAttributes()
method.- Returns:
- The list of user attributes that you want your app client to have write access to. After your user
authenticates in your app, their access token authorizes them to set or modify their own attribute value
for any attribute in this list. An example of this kind of activity is when you present your user with a
form to update their profile information and they change their last name. Your app then makes an UpdateUserAttributes API request and sets
family_name
to the new value.When you don't specify the
WriteAttributes
for your app client, your app can write the values of the Standard attributes of your user pool. When your user pool has write access to these default attributes,WriteAttributes
doesn't return any information. Amazon Cognito only populatesWriteAttributes
in the API response if you have specified your own custom set of write attributes.If your app client allows users to sign in through an IdP, this array must include all attributes that you have mapped to IdP attributes. Amazon Cognito updates mapped attributes when users sign in to your application through an IdP. If your app client does not have write access to a mapped attribute, Amazon Cognito throws an error when it tries to update the attribute. For more information, see Specifying IdP Attribute Mappings for Your user pool.
-
explicitAuthFlows
The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
If you don't specify a value for
ExplicitAuthFlows
, your user client supportsALLOW_REFRESH_TOKEN_AUTH
,ALLOW_USER_SRP_AUTH
, andALLOW_CUSTOM_AUTH
.Valid values include:
-
ALLOW_ADMIN_USER_PASSWORD_AUTH
: Enable admin based user password authentication flowADMIN_USER_PASSWORD_AUTH
. This setting replaces theADMIN_NO_SRP_AUTH
setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. -
ALLOW_CUSTOM_AUTH
: Enable Lambda trigger based authentication. -
ALLOW_USER_PASSWORD_AUTH
: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. -
ALLOW_USER_SRP_AUTH
: Enable SRP-based authentication. -
ALLOW_REFRESH_TOKEN_AUTH
: Enable authflow to refresh tokens.
In some environments, you will see the values
ADMIN_NO_SRP_AUTH
,CUSTOM_AUTH_FLOW_ONLY
, orUSER_PASSWORD_AUTH
. You can't assign these legacyExplicitAuthFlows
values to user pool clients at the same time as values that begin withALLOW_
, likeALLOW_USER_SRP_AUTH
.Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasExplicitAuthFlows()
method.- Returns:
- The authentication flows that you want your user pool client to support. For each app client in your user
pool, you can sign in your users with any combination of one or more flows, including with a user name
and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you
define with Lambda functions.
If you don't specify a value for
ExplicitAuthFlows
, your user client supportsALLOW_REFRESH_TOKEN_AUTH
,ALLOW_USER_SRP_AUTH
, andALLOW_CUSTOM_AUTH
.Valid values include:
-
ALLOW_ADMIN_USER_PASSWORD_AUTH
: Enable admin based user password authentication flowADMIN_USER_PASSWORD_AUTH
. This setting replaces theADMIN_NO_SRP_AUTH
setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. -
ALLOW_CUSTOM_AUTH
: Enable Lambda trigger based authentication. -
ALLOW_USER_PASSWORD_AUTH
: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. -
ALLOW_USER_SRP_AUTH
: Enable SRP-based authentication. -
ALLOW_REFRESH_TOKEN_AUTH
: Enable authflow to refresh tokens.
In some environments, you will see the values
ADMIN_NO_SRP_AUTH
,CUSTOM_AUTH_FLOW_ONLY
, orUSER_PASSWORD_AUTH
. You can't assign these legacyExplicitAuthFlows
values to user pool clients at the same time as values that begin withALLOW_
, likeALLOW_USER_SRP_AUTH
. -
-
-
hasExplicitAuthFlows
public final boolean hasExplicitAuthFlows()For responses, this returns true if the service returned a value for the ExplicitAuthFlows property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
explicitAuthFlowsAsStrings
The authentication flows that you want your user pool client to support. For each app client in your user pool, you can sign in your users with any combination of one or more flows, including with a user name and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you define with Lambda functions.
If you don't specify a value for
ExplicitAuthFlows
, your user client supportsALLOW_REFRESH_TOKEN_AUTH
,ALLOW_USER_SRP_AUTH
, andALLOW_CUSTOM_AUTH
.Valid values include:
-
ALLOW_ADMIN_USER_PASSWORD_AUTH
: Enable admin based user password authentication flowADMIN_USER_PASSWORD_AUTH
. This setting replaces theADMIN_NO_SRP_AUTH
setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. -
ALLOW_CUSTOM_AUTH
: Enable Lambda trigger based authentication. -
ALLOW_USER_PASSWORD_AUTH
: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. -
ALLOW_USER_SRP_AUTH
: Enable SRP-based authentication. -
ALLOW_REFRESH_TOKEN_AUTH
: Enable authflow to refresh tokens.
In some environments, you will see the values
ADMIN_NO_SRP_AUTH
,CUSTOM_AUTH_FLOW_ONLY
, orUSER_PASSWORD_AUTH
. You can't assign these legacyExplicitAuthFlows
values to user pool clients at the same time as values that begin withALLOW_
, likeALLOW_USER_SRP_AUTH
.Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasExplicitAuthFlows()
method.- Returns:
- The authentication flows that you want your user pool client to support. For each app client in your user
pool, you can sign in your users with any combination of one or more flows, including with a user name
and Secure Remote Password (SRP), a user name and password, or a custom authentication process that you
define with Lambda functions.
If you don't specify a value for
ExplicitAuthFlows
, your user client supportsALLOW_REFRESH_TOKEN_AUTH
,ALLOW_USER_SRP_AUTH
, andALLOW_CUSTOM_AUTH
.Valid values include:
-
ALLOW_ADMIN_USER_PASSWORD_AUTH
: Enable admin based user password authentication flowADMIN_USER_PASSWORD_AUTH
. This setting replaces theADMIN_NO_SRP_AUTH
setting. With this authentication flow, your app passes a user name and password to Amazon Cognito in the request, instead of using the Secure Remote Password (SRP) protocol to securely transmit the password. -
ALLOW_CUSTOM_AUTH
: Enable Lambda trigger based authentication. -
ALLOW_USER_PASSWORD_AUTH
: Enable user password-based authentication. In this flow, Amazon Cognito receives the password in the request instead of using the SRP protocol to verify passwords. -
ALLOW_USER_SRP_AUTH
: Enable SRP-based authentication. -
ALLOW_REFRESH_TOKEN_AUTH
: Enable authflow to refresh tokens.
In some environments, you will see the values
ADMIN_NO_SRP_AUTH
,CUSTOM_AUTH_FLOW_ONLY
, orUSER_PASSWORD_AUTH
. You can't assign these legacyExplicitAuthFlows
values to user pool clients at the same time as values that begin withALLOW_
, likeALLOW_USER_SRP_AUTH
. -
-
-
hasSupportedIdentityProviders
public final boolean hasSupportedIdentityProviders()For responses, this returns true if the service returned a value for the SupportedIdentityProviders property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
supportedIdentityProviders
A list of provider names for the identity providers (IdPs) that are supported on this client. The following are supported:
COGNITO
,Facebook
,Google
,SignInWithApple
, andLoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for exampleMySAMLIdP
orMyOIDCIdP
.Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasSupportedIdentityProviders()
method.- Returns:
- A list of provider names for the identity providers (IdPs) that are supported on this client. The
following are supported:
COGNITO
,Facebook
,Google
,SignInWithApple
, andLoginWithAmazon
. You can also specify the names that you configured for the SAML and OIDC IdPs in your user pool, for exampleMySAMLIdP
orMyOIDCIdP
.
-
hasCallbackURLs
public final boolean hasCallbackURLs()For responses, this returns true if the service returned a value for the CallbackURLs property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
callbackURLs
A list of allowed redirect (callback) URLs for the IdPs.
A redirect URI must:
-
Be an absolute URI.
-
Be registered with the authorization server.
-
Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasCallbackURLs()
method.- Returns:
- A list of allowed redirect (callback) URLs for the IdPs.
A redirect URI must:
-
Be an absolute URI.
-
Be registered with the authorization server.
-
Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
-
-
-
hasLogoutURLs
public final boolean hasLogoutURLs()For responses, this returns true if the service returned a value for the LogoutURLs property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
logoutURLs
A list of allowed logout URLs for the IdPs.
Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasLogoutURLs()
method.- Returns:
- A list of allowed logout URLs for the IdPs.
-
defaultRedirectURI
The default redirect URI. Must be in the
CallbackURLs
list.A redirect URI must:
-
Be an absolute URI.
-
Be registered with the authorization server.
-
Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
- Returns:
- The default redirect URI. Must be in the
CallbackURLs
list.A redirect URI must:
-
Be an absolute URI.
-
Be registered with the authorization server.
-
Not include a fragment component.
See OAuth 2.0 - Redirection Endpoint.
Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
App callback URLs such as myapp://example are also supported.
-
-
-
allowedOAuthFlows
The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add
client_credentials
as the only allowed OAuth flow.- code
-
Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the
/oauth2/token
endpoint. - implicit
-
Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
- client_credentials
-
Issue the access token from the
/oauth2/token
endpoint directly to a non-person user using a combination of the client ID and client secret.
Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasAllowedOAuthFlows()
method.- Returns:
- The OAuth grant types that you want your app client to generate. To create an app client that generates
client credentials grants, you must add
client_credentials
as the only allowed OAuth flow.- code
-
Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the
/oauth2/token
endpoint. - implicit
-
Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
- client_credentials
-
Issue the access token from the
/oauth2/token
endpoint directly to a non-person user using a combination of the client ID and client secret.
-
hasAllowedOAuthFlows
public final boolean hasAllowedOAuthFlows()For responses, this returns true if the service returned a value for the AllowedOAuthFlows property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
allowedOAuthFlowsAsStrings
The OAuth grant types that you want your app client to generate. To create an app client that generates client credentials grants, you must add
client_credentials
as the only allowed OAuth flow.- code
-
Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the
/oauth2/token
endpoint. - implicit
-
Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
- client_credentials
-
Issue the access token from the
/oauth2/token
endpoint directly to a non-person user using a combination of the client ID and client secret.
Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasAllowedOAuthFlows()
method.- Returns:
- The OAuth grant types that you want your app client to generate. To create an app client that generates
client credentials grants, you must add
client_credentials
as the only allowed OAuth flow.- code
-
Use a code grant flow, which provides an authorization code as the response. This code can be exchanged for access tokens with the
/oauth2/token
endpoint. - implicit
-
Issue the access token (and, optionally, ID token, based on scopes) directly to your user.
- client_credentials
-
Issue the access token from the
/oauth2/token
endpoint directly to a non-person user using a combination of the client ID and client secret.
-
hasAllowedOAuthScopes
public final boolean hasAllowedOAuthScopes()For responses, this returns true if the service returned a value for the AllowedOAuthScopes property. This DOES NOT check that the value is non-empty (for which, you should check theisEmpty()
method on the property). This is useful because the SDK will never return a null collection or map, but you may need to differentiate between the service returning nothing (or null) and the service returning an empty collection or map. For requests, this returns true if a value for the property was specified in the request builder, and false if a value was not specified. -
allowedOAuthScopes
The allowed OAuth scopes. Possible values provided by OAuth are
phone
,email
,openid
, andprofile
. Possible values provided by Amazon Web Services areaws.cognito.signin.user.admin
. Custom scopes created in Resource Servers are also supported.Attempts to modify the collection returned by this method will result in an UnsupportedOperationException.
This method will never return null. If you would like to know whether the service returned this field (so that you can differentiate between null and empty), you can use the
hasAllowedOAuthScopes()
method.- Returns:
- The allowed OAuth scopes. Possible values provided by OAuth are
phone
,email
,openid
, andprofile
. Possible values provided by Amazon Web Services areaws.cognito.signin.user.admin
. Custom scopes created in Resource Servers are also supported.
-
allowedOAuthFlowsUserPoolClient
Set to
true
to use OAuth 2.0 features in your user pool app client.AllowedOAuthFlowsUserPoolClient
must betrue
before you can configure the following features in your app client.-
CallBackURLs
: Callback URLs. -
LogoutURLs
: Sign-out redirect URLs. -
AllowedOAuthScopes
: OAuth 2.0 scopes. -
AllowedOAuthFlows
: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set
AllowedOAuthFlowsUserPoolClient
totrue
in aCreateUserPoolClient
orUpdateUserPoolClient
API request. If you don't set a value forAllowedOAuthFlowsUserPoolClient
in a request with the CLI or SDKs, it defaults tofalse
.- Returns:
- Set to
true
to use OAuth 2.0 features in your user pool app client.AllowedOAuthFlowsUserPoolClient
must betrue
before you can configure the following features in your app client.-
CallBackURLs
: Callback URLs. -
LogoutURLs
: Sign-out redirect URLs. -
AllowedOAuthScopes
: OAuth 2.0 scopes. -
AllowedOAuthFlows
: Support for authorization code, implicit, and client credentials OAuth 2.0 grants.
To use OAuth 2.0 features, configure one of these features in the Amazon Cognito console or set
AllowedOAuthFlowsUserPoolClient
totrue
in aCreateUserPoolClient
orUpdateUserPoolClient
API request. If you don't set a value forAllowedOAuthFlowsUserPoolClient
in a request with the CLI or SDKs, it defaults tofalse
. -
-
-
analyticsConfiguration
The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint campaign.
In Amazon Web Services Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in Amazon Web Services Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
- Returns:
- The user pool analytics configuration for collecting metrics and sending them to your Amazon Pinpoint
campaign.
In Amazon Web Services Regions where Amazon Pinpoint isn't available, user pools only support sending events to Amazon Pinpoint projects in Amazon Web Services Region us-east-1. In Regions where Amazon Pinpoint is available, user pools support sending events to Amazon Pinpoint projects within that same Region.
-
preventUserExistenceErrors
Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to
ENABLED
and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set toLEGACY
, those APIs return aUserNotFoundException
exception if the user doesn't exist in the user pool.Valid values include:
-
ENABLED
- This prevents user existence-related errors. -
LEGACY
- This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.
If the service returns an enum value that is not available in the current SDK version,
preventUserExistenceErrors
will returnPreventUserExistenceErrorTypes.UNKNOWN_TO_SDK_VERSION
. The raw value returned by the service is available frompreventUserExistenceErrorsAsString()
.- Returns:
- Errors and responses that you want Amazon Cognito APIs to return during authentication, account
confirmation, and password recovery when the user doesn't exist in the user pool. When set to
ENABLED
and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set toLEGACY
, those APIs return aUserNotFoundException
exception if the user doesn't exist in the user pool.Valid values include:
-
ENABLED
- This prevents user existence-related errors. -
LEGACY
- This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.
-
- See Also:
-
-
preventUserExistenceErrorsAsString
Errors and responses that you want Amazon Cognito APIs to return during authentication, account confirmation, and password recovery when the user doesn't exist in the user pool. When set to
ENABLED
and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set toLEGACY
, those APIs return aUserNotFoundException
exception if the user doesn't exist in the user pool.Valid values include:
-
ENABLED
- This prevents user existence-related errors. -
LEGACY
- This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.
If the service returns an enum value that is not available in the current SDK version,
preventUserExistenceErrors
will returnPreventUserExistenceErrorTypes.UNKNOWN_TO_SDK_VERSION
. The raw value returned by the service is available frompreventUserExistenceErrorsAsString()
.- Returns:
- Errors and responses that you want Amazon Cognito APIs to return during authentication, account
confirmation, and password recovery when the user doesn't exist in the user pool. When set to
ENABLED
and the user doesn't exist, authentication returns an error indicating either the username or password was incorrect. Account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set toLEGACY
, those APIs return aUserNotFoundException
exception if the user doesn't exist in the user pool.Valid values include:
-
ENABLED
- This prevents user existence-related errors. -
LEGACY
- This represents the early behavior of Amazon Cognito where user existence related errors aren't prevented.
-
- See Also:
-
-
enableTokenRevocation
Activates or deactivates token revocation. For more information about revoking tokens, see RevokeToken.
If you don't include this parameter, token revocation is automatically activated for the new user pool client.
- Returns:
- Activates or deactivates token revocation. For more information about revoking tokens, see RevokeToken.
If you don't include this parameter, token revocation is automatically activated for the new user pool client.
-
enablePropagateAdditionalUserContextData
Activates the propagation of additional user context data. For more information about propagation of user context data, see Adding advanced security to a user pool. If you don’t include this parameter, you can't send device fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only activate
EnablePropagateAdditionalUserContextData
in an app client that has a client secret.- Returns:
- Activates the propagation of additional user context data. For more information about propagation of user
context data, see Adding advanced security to a user pool. If you don’t include this parameter, you can't send device
fingerprint information, including source IP address, to Amazon Cognito advanced security. You can only
activate
EnablePropagateAdditionalUserContextData
in an app client that has a client secret.
-
authSessionValidity
Amazon Cognito creates a session token for each API request in an authentication flow.
AuthSessionValidity
is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.- Returns:
- Amazon Cognito creates a session token for each API request in an authentication flow.
AuthSessionValidity
is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires.
-
toBuilder
Description copied from interface:ToCopyableBuilder
Take this object and create a builder that contains all of the current property values of this object.- Specified by:
toBuilder
in interfaceToCopyableBuilder<CreateUserPoolClientRequest.Builder,
CreateUserPoolClientRequest> - Specified by:
toBuilder
in classCognitoIdentityProviderRequest
- Returns:
- a builder for type T
-
builder
-
serializableBuilderClass
-
hashCode
public final int hashCode()- Overrides:
hashCode
in classAwsRequest
-
equals
- Overrides:
equals
in classAwsRequest
-
equalsBySdkFields
Description copied from interface:SdkPojo
Indicates whether some other object is "equal to" this one by SDK fields. An SDK field is a modeled, non-inherited field in anSdkPojo
class, and is generated based on a service model.If an
SdkPojo
class does not have any inherited fields,equalsBySdkFields
andequals
are essentially the same.- Specified by:
equalsBySdkFields
in interfaceSdkPojo
- Parameters:
obj
- the object to be compared with- Returns:
- true if the other object equals to this object by sdk fields, false otherwise.
-
toString
Returns a string representation of this object. This is useful for testing and debugging. Sensitive data will be redacted from this string using a placeholder value. -
getValueForField
Description copied from class:SdkRequest
Used to retrieve the value of a field from any class that extendsSdkRequest
. The field name specified should match the member name from the corresponding service-2.json model specified in the codegen-resources folder for a given service. The class specifies what class to cast the returned value to. If the returned value is also a modeled class, theSdkRequest.getValueForField(String, Class)
method will again be available.- Overrides:
getValueForField
in classSdkRequest
- Parameters:
fieldName
- The name of the member to be retrieved.clazz
- The class to cast the returned object to.- Returns:
- Optional containing the casted return value
-
sdkFields
-