:doc:`CognitoIdentityProvider <../../cognito-idp>` / Paginator / AdminListUserAuthEvents

***********************
AdminListUserAuthEvents
***********************



.. py:class:: CognitoIdentityProvider.Paginator.AdminListUserAuthEvents

  ::

    
    paginator = client.get_paginator('admin_list_user_auth_events')

  
  

  .. py:method:: paginate(**kwargs)

    Creates an iterator that will paginate through responses from :py:meth:`CognitoIdentityProvider.Client.admin_list_user_auth_events`.

    See also: `AWS API Documentation <https://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminListUserAuthEvents>`_    


    **Request Syntax**
    ::

      response_iterator = paginator.paginate(
          UserPoolId='string',
          Username='string',
          PaginationConfig={
              'MaxItems': 123,
              'PageSize': 123,
              'StartingToken': 'string'
          }
      )
      
    :type UserPoolId: string
    :param UserPoolId: **[REQUIRED]** 

      The Id of the user pool that contains the user profile with the logged events.

      

    
    :type Username: string
    :param Username: **[REQUIRED]** 

      The name of the user that you want to query or modify. The value of this parameter is typically your user's username, but it can be any of their alias attributes. If ``username`` isn't an alias attribute in your user pool, this value must be the ``sub`` of a local user or the username of a user from a third-party IdP.

      

    
    :type PaginationConfig: dict
    :param PaginationConfig: 

      A dictionary that provides parameters to control pagination.

      

    
      - **MaxItems** *(integer) --* 

        The total number of items to return. If the total number of items available is more than the value specified in max-items then a ``NextToken`` will be provided in the output that you can use to resume pagination.

        

      
      - **PageSize** *(integer) --* 

        The size of each page.

        

      
      - **StartingToken** *(string) --* 

        A token to specify where to start paginating. This is the ``NextToken`` from a previous response.

        

      
    
    
    :rtype: dict
    :returns: 
      
      **Response Syntax**

      
      ::

        {
            'AuthEvents': [
                {
                    'EventId': 'string',
                    'EventType': 'SignIn'|'SignUp'|'ForgotPassword'|'PasswordChange'|'ResendCode',
                    'CreationDate': datetime(2015, 1, 1),
                    'EventResponse': 'Pass'|'Fail'|'InProgress',
                    'EventRisk': {
                        'RiskDecision': 'NoRisk'|'AccountTakeover'|'Block',
                        'RiskLevel': 'Low'|'Medium'|'High',
                        'CompromisedCredentialsDetected': True|False
                    },
                    'ChallengeResponses': [
                        {
                            'ChallengeName': 'Password'|'Mfa',
                            'ChallengeResponse': 'Success'|'Failure'
                        },
                    ],
                    'EventContextData': {
                        'IpAddress': 'string',
                        'DeviceName': 'string',
                        'Timezone': 'string',
                        'City': 'string',
                        'Country': 'string'
                    },
                    'EventFeedback': {
                        'FeedbackValue': 'Valid'|'Invalid',
                        'Provider': 'string',
                        'FeedbackDate': datetime(2015, 1, 1)
                    }
                },
            ],
            
        }
        
      **Response Structure**

      

      - *(dict) --* 
        

        - **AuthEvents** *(list) --* 

          The response object. It includes the ``EventID``, ``EventType``, ``CreationDate``, ``EventRisk``, and ``EventResponse``.

          
          

          - *(dict) --* 

            One authentication event that Amazon Cognito logged in a user pool with threat protection active. Contains user and device metadata and a risk assessment from your user pool.

            
            

            - **EventId** *(string) --* 

              The event ID.

              
            

            - **EventType** *(string) --* 

              The type of authentication event.

              
            

            - **CreationDate** *(datetime) --* 

              The date and time when the item was created. Amazon Cognito returns this timestamp in UNIX epoch time format. Your SDK might render the output in a human-readable format like ISO 8601 or a Java ``Date`` object.

              
            

            - **EventResponse** *(string) --* 

              The event response.

              
            

            - **EventRisk** *(dict) --* 

              The threat evaluation from your user pool about an event. Contains information about whether your user pool detected compromised credentials, whether the event triggered an automated response, and the level of risk.

              
              

              - **RiskDecision** *(string) --* 

                The action taken by adaptive authentication. If ``NoRisk``, your user pool took no action. If ``AccountTakeover``, your user pool applied the adaptive authentication automated response that you configured. If ``Block``, your user pool prevented the attempt.

                
              

              - **RiskLevel** *(string) --* 

                The risk level that adaptive authentication assessed for the authentication event.

                
              

              - **CompromisedCredentialsDetected** *(boolean) --* 

                Indicates whether compromised credentials were detected during an authentication event.

                
          
            

            - **ChallengeResponses** *(list) --* 

              A list of the challenges that the user was requested to answer, for example ``Password``, and the result, for example ``Success``.

              
              

              - *(dict) --* 

                The responses to the challenge that you received in the previous request. Each challenge has its own required response parameters. The following examples are partial JSON request bodies that highlight challenge-response parameters.

                 

                .. warning::

                   

                  You must provide a SECRET_HASH parameter in all challenge responses to an app client that has a client secret. Include a ``DEVICE_KEY`` for device authentication.

                   

                  SELECT_CHALLENGE  

                ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "USERNAME": "[username]", "ANSWER": "[Challenge name]"}``

                 

                Available challenges are ``PASSWORD``, ``PASSWORD_SRP``, ``EMAIL_OTP``, ``SMS_OTP``, and ``WEB_AUTHN``.

                 

                Complete authentication in the ``SELECT_CHALLENGE`` response for ``PASSWORD``, ``PASSWORD_SRP``, and ``WEB_AUTHN``:

                 

                
                * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "WEB_AUTHN", "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}`` See `AuthenticationResponseJSON <https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson>`__.
                 
                * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD", "USERNAME": "[username]", "PASSWORD": "[password]"}``
                 
                * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "PASSWORD_SRP", "USERNAME": "[username]", "SRP_A": "[SRP_A]"}``
                

                 

                For ``SMS_OTP`` and ``EMAIL_OTP``, respond with the username and answer. Your user pool will send a code for the user to submit in the next challenge response.

                 

                
                * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "SMS_OTP", "USERNAME": "[username]"}``
                 
                * ``"ChallengeName": "SELECT_CHALLENGE", "ChallengeResponses": { "ANSWER": "EMAIL_OTP", "USERNAME": "[username]"}``
                

                  WEB_AUTHN  

                ``"ChallengeName": "WEB_AUTHN", "ChallengeResponses": { "USERNAME": "[username]", "CREDENTIAL": "[AuthenticationResponseJSON]"}``

                 

                See `AuthenticationResponseJSON <https://www.w3.org/TR/WebAuthn-3/#dictdef-authenticationresponsejson>`__.

                  PASSWORD  

                ``"ChallengeName": "PASSWORD", "ChallengeResponses": { "USERNAME": "[username]", "PASSWORD": "[password]"}``

                  PASSWORD_SRP  

                ``"ChallengeName": "PASSWORD_SRP", "ChallengeResponses": { "USERNAME": "[username]", "SRP_A": "[SRP_A]"}``

                  SMS_OTP  

                ``"ChallengeName": "SMS_OTP", "ChallengeResponses": {"SMS_OTP_CODE": "[code]", "USERNAME": "[username]"}``

                  EMAIL_OTP  

                ``"ChallengeName": "EMAIL_OTP", "ChallengeResponses": {"EMAIL_OTP_CODE": "[code]", "USERNAME": "[username]"}``

                  SMS_MFA  

                ``"ChallengeName": "SMS_MFA", "ChallengeResponses": {"SMS_MFA_CODE": "[code]", "USERNAME": "[username]"}``

                  PASSWORD_VERIFIER  

                This challenge response is part of the SRP flow. Amazon Cognito requires that your application respond to this challenge within a few seconds. When the response time exceeds this period, your user pool returns a ``NotAuthorizedException`` error.

                 

                ``"ChallengeName": "PASSWORD_VERIFIER", "ChallengeResponses": {"PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}``

                  CUSTOM_CHALLENGE  

                ``"ChallengeName": "CUSTOM_CHALLENGE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[challenge_answer]"}``

                  NEW_PASSWORD_REQUIRED  

                ``"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": {"NEW_PASSWORD": "[new_password]", "USERNAME": "[username]"}``

                 

                To set any required attributes that ``InitiateAuth`` returned in an ``requiredAttributes`` parameter, add ``"userAttributes.[attribute_name]": "[attribute_value]"``. This parameter can also set values for writable attributes that aren't required by your user pool.

                 

                .. note::

                  

                  In a ``NEW_PASSWORD_REQUIRED`` challenge response, you can't modify a required attribute that already has a value. In ``AdminRespondToAuthChallenge`` or ``RespondToAuthChallenge``, set a value for any keys that Amazon Cognito returned in the ``requiredAttributes`` parameter, then use the ``AdminUpdateUserAttributes`` or ``UpdateUserAttributes`` API operation to modify the value of any additional attributes.

                  

                  SOFTWARE_TOKEN_MFA  

                ``"ChallengeName": "SOFTWARE_TOKEN_MFA", "ChallengeResponses": {"USERNAME": "[username]", "SOFTWARE_TOKEN_MFA_CODE": [authenticator_code]}``

                  DEVICE_SRP_AUTH  

                ``"ChallengeName": "DEVICE_SRP_AUTH", "ChallengeResponses": {"USERNAME": "[username]", "DEVICE_KEY": "[device_key]", "SRP_A": "[srp_a]"}``

                  DEVICE_PASSWORD_VERIFIER  

                ``"ChallengeName": "DEVICE_PASSWORD_VERIFIER", "ChallengeResponses": {"DEVICE_KEY": "[device_key]", "PASSWORD_CLAIM_SIGNATURE": "[claim_signature]", "PASSWORD_CLAIM_SECRET_BLOCK": "[secret_block]", "TIMESTAMP": [timestamp], "USERNAME": "[username]"}``

                  MFA_SETUP  

                ``"ChallengeName": "MFA_SETUP", "ChallengeResponses": {"USERNAME": "[username]"}, "SESSION": "[Session ID from VerifySoftwareToken]"``

                  SELECT_MFA_TYPE  

                ``"ChallengeName": "SELECT_MFA_TYPE", "ChallengeResponses": {"USERNAME": "[username]", "ANSWER": "[SMS_MFA|EMAIL_MFA|SOFTWARE_TOKEN_MFA]"}``

                   

                For more information about ``SECRET_HASH``, see `Computing secret hash values <https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash>`__. For information about ``DEVICE_KEY``, see `Working with user devices in your user pool <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html>`__.

                
                

                - **ChallengeName** *(string) --* 

                  The type of challenge that your previous authentication request returned in the parameter ``ChallengeName``, for example ``SMS_MFA``.

                  
                

                - **ChallengeResponse** *(string) --* 

                  The set of key-value pairs that provides a response to the requested challenge.

                  
            
          
            

            - **EventContextData** *(dict) --* 

              The user context data captured at the time of an event request. This value provides additional information about the client from which event the request is received.

              
              

              - **IpAddress** *(string) --* 

                The source IP address of your user's device.

                
              

              - **DeviceName** *(string) --* 

                The user's device name.

                
              

              - **Timezone** *(string) --* 

                The user's time zone.

                
              

              - **City** *(string) --* 

                The user's city.

                
              

              - **Country** *(string) --* 

                The user's country.

                
          
            

            - **EventFeedback** *(dict) --* 

              The ``UpdateAuthEventFeedback`` or ``AdminUpdateAuthEventFeedback`` feedback that you or your user provided in response to the event. A value of ``Valid`` indicates that you disagreed with the level of risk that your user pool assigned, and evaluated a session to be valid, or likely safe. A value of ``Invalid`` indicates that you agreed with the user pool risk level and evaluated a session to be invalid, or likely malicious.

              
              

              - **FeedbackValue** *(string) --* 

                Your feedback to the authentication event. When you provide a ``FeedbackValue`` value of ``valid``, you tell Amazon Cognito that you trust a user session where Amazon Cognito has evaluated some level of risk. When you provide a ``FeedbackValue`` value of ``invalid``, you tell Amazon Cognito that you don't trust a user session, or you don't believe that Amazon Cognito evaluated a high-enough risk level.

                
              

              - **Provider** *(string) --* 

                The submitter of the event feedback. For example, if you submit event feedback in the Amazon Cognito console, this value is ``Admin``.

                
              

              - **FeedbackDate** *(datetime) --* 

                The date that you or your user submitted the feedback.

                
          
        
      
    