The responses to the challenge that you received in the previous request. Each challenge
has its own required response parameters. The following examples are partial JSON
request bodies that highlight challenge-response parameters.
You must provide a SECRET_HASH parameter in all challenge responses to an app client
that has a client secret. Include a DEVICE_KEY for device authentication.
- SELECT_CHALLENGE
"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge name]"}Available challenges are
PASSWORD,PASSWORD_SRP,EMAIL_OTP,SMS_OTP, andWEB_AUTHN.Complete authentication in the
SELECT_CHALLENGEresponse forPASSWORD,PASSWORD_SRP, andWEB_AUTHN:"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD": "[password]"}"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A": "[SRP_A]"}
For
SMS_OTPandEMAIL_OTP, respond with the username and answer. Your user pool will send a code for the user to submit in the next challenge response."ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}
- SMS_OTP
"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}- EMAIL_OTP
"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}- SMS_MFA
"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}- PASSWORD_VERIFIER
This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this challenge within a few seconds. When the response time exceeds this period, your user pool returns a
NotAuthorizedExceptionerror."ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}Add
"DEVICE_KEY"when you sign in with a remembered device.- CUSTOM_CHALLENGE
"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}Add
"DEVICE_KEY"when you sign in with a remembered device.- NEW_PASSWORD_REQUIRED
"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}To set any required attributes that
InitiateAuthreturned in anrequiredAttributesparameter, add"userAttributes.[attribute_name]": "[attribute_value]". This parameter can also set values for writable attributes that aren't required by your user pool.In a
NEW_PASSWORD_REQUIREDchallenge response, you can't modify a required attribute that already has a value. InAdminRespondToAuthChallengeorRespondToAuthChallenge, set a value for any keys that Amazon Cognito returned in therequiredAttributesparameter, then use theAdminUpdateUserAttributesorUpdateUserAttributesAPI operation to modify the value of any additional attributes.- SOFTWARE_TOKEN_MFA
"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses": {"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE": [authenticator_code]}- DEVICE_SRP_AUTH
"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": {"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A": "[srp_a]"}- DEVICE_PASSWORD_VERIFIER
"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses": {"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}- MFA_SETUP
"ChallengeName": "MFA_SETUP", "ChallengeResponses": {"USERNAME": "[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"- SELECT_MFA_TYPE
"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA or SOFTWARE_TOKEN_MFA]"}
For more information about SECRET_HASH, see Computing
secret hash values. For information about DEVICE_KEY, see Working
with user devices in your user pool.
Inheritance Hierarchy
Namespace: Amazon.CognitoIdentityProvider.Model
Assembly: AWSSDK.CognitoIdentityProvider.dll
Version: 3.x.y.z
Syntax
public class ChallengeResponseType
The ChallengeResponseType type exposes the following members
Constructors
| Name | Description | |
|---|---|---|
|
ChallengeResponseType() |
Properties
| Name | Type | Description | |
|---|---|---|---|
|
|
ChallengeName | Amazon.CognitoIdentityProvider.ChallengeName |
Gets and sets the property ChallengeName.
The type of challenge that your previous authentication request returned in the parameter
|
|
|
ChallengeResponse | Amazon.CognitoIdentityProvider.ChallengeResponse |
Gets and sets the property ChallengeResponse. The set of key-value pairs that provides a response to the requested challenge. |
Version Information
.NET:
Supported in: 8.0 and newer, Core 3.1
.NET Standard:
Supported in: 2.0
.NET Framework:
Supported in: 4.5 and newer, 3.5