{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.CognitoIdentityProvider.AdminInitiateAuth
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Initiates the authentication flow, as an administrator.
--
-- This action might generate an SMS text message. Starting June 1, 2021,
-- U.S. telecom carriers require that you register an origination phone
-- number before you can send SMS messages to U.S. phone numbers. If you
-- use SMS text messages in Amazon Cognito, you must register a phone
-- number with
-- <https://console.aws.amazon.com/pinpoint/home/ Amazon Pinpoint>. Cognito
-- will use the the registered number automatically. Otherwise, Cognito
-- users that must receive SMS messages might be unable to sign up,
-- activate their accounts, or sign in.
--
-- If you have never used SMS text messages with Amazon Cognito or any
-- other Amazon Web Service, Amazon SNS might place your account in SMS
-- sandbox. In
-- /<https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox.html sandbox mode>/
-- , you’ll have limitations, such as sending messages to only verified
-- phone numbers. After testing in the sandbox environment, you can move
-- out of the SMS sandbox and into production. For more information, see
-- <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-sms-userpool-settings.html SMS message settings for Cognito User Pools>
-- in the /Amazon Cognito Developer Guide/.
--
-- Calling this action requires developer credentials.
module Amazonka.CognitoIdentityProvider.AdminInitiateAuth
  ( -- * Creating a Request
    AdminInitiateAuth (..),
    newAdminInitiateAuth,

    -- * Request Lenses
    adminInitiateAuth_clientMetadata,
    adminInitiateAuth_contextData,
    adminInitiateAuth_analyticsMetadata,
    adminInitiateAuth_authParameters,
    adminInitiateAuth_userPoolId,
    adminInitiateAuth_clientId,
    adminInitiateAuth_authFlow,

    -- * Destructuring the Response
    AdminInitiateAuthResponse (..),
    newAdminInitiateAuthResponse,

    -- * Response Lenses
    adminInitiateAuthResponse_challengeName,
    adminInitiateAuthResponse_challengeParameters,
    adminInitiateAuthResponse_authenticationResult,
    adminInitiateAuthResponse_session,
    adminInitiateAuthResponse_httpStatus,
  )
where

import Amazonka.CognitoIdentityProvider.Types
import qualified Amazonka.Core as Core
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

-- | Initiates the authorization request, as an administrator.
--
-- /See:/ 'newAdminInitiateAuth' smart constructor.
data AdminInitiateAuth = AdminInitiateAuth'
  { -- | A map of custom key-value pairs that you can provide as input for
    -- certain custom workflows that this action triggers.
    --
    -- You create custom workflows by assigning Lambda functions to user pool
    -- triggers. When you use the AdminInitiateAuth API action, Amazon Cognito
    -- invokes the Lambda functions that are specified for various triggers.
    -- The ClientMetadata value is passed as input to the functions for only
    -- the following triggers:
    --
    -- -   Pre signup
    --
    -- -   Pre authentication
    --
    -- -   User migration
    --
    -- When Amazon Cognito invokes the functions for these triggers, it passes
    -- a JSON payload, which the function receives as input. This payload
    -- contains a @validationData@ attribute, which provides the data that you
    -- assigned to the ClientMetadata parameter in your AdminInitiateAuth
    -- request. In your function code in Lambda, you can process the
    -- @validationData@ value to enhance your workflow for your specific needs.
    --
    -- When you use the AdminInitiateAuth API action, Amazon Cognito also
    -- invokes the functions for the following triggers, but it does not
    -- provide the ClientMetadata value as input:
    --
    -- -   Post authentication
    --
    -- -   Custom message
    --
    -- -   Pre token generation
    --
    -- -   Create auth challenge
    --
    -- -   Define auth challenge
    --
    -- -   Verify auth challenge
    --
    -- For more information, see
    -- <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html Customizing User Pool Workflows with Lambda Triggers>
    -- in the /Amazon Cognito Developer Guide/.
    --
    -- Take the following limitations into consideration when you use the
    -- ClientMetadata parameter:
    --
    -- -   Amazon Cognito does not store the ClientMetadata value. This data is
    --     available only to Lambda triggers that are assigned to a user pool
    --     to support custom workflows. If your user pool configuration does
    --     not include triggers, the ClientMetadata parameter serves no
    --     purpose.
    --
    -- -   Amazon Cognito does not validate the ClientMetadata value.
    --
    -- -   Amazon Cognito does not encrypt the the ClientMetadata value, so
    --     don\'t use it to provide sensitive information.
    AdminInitiateAuth -> Maybe (HashMap Text Text)
clientMetadata :: Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text),
    -- | Contextual data such as the user\'s device fingerprint, IP address, or
    -- location used for evaluating the risk of an unexpected event by Amazon
    -- Cognito advanced security.
    AdminInitiateAuth -> Maybe ContextDataType
contextData :: Prelude.Maybe ContextDataType,
    -- | The analytics metadata for collecting Amazon Pinpoint metrics for
    -- @AdminInitiateAuth@ calls.
    AdminInitiateAuth -> Maybe AnalyticsMetadataType
analyticsMetadata :: Prelude.Maybe AnalyticsMetadataType,
    -- | The authentication parameters. These are inputs corresponding to the
    -- @AuthFlow@ that you are invoking. The required values depend on the
    -- value of @AuthFlow@:
    --
    -- -   For @USER_SRP_AUTH@: @USERNAME@ (required), @SRP_A@ (required),
    --     @SECRET_HASH@ (required if the app client is configured with a
    --     client secret), @DEVICE_KEY@.
    --
    -- -   For @REFRESH_TOKEN_AUTH\/REFRESH_TOKEN@: @REFRESH_TOKEN@ (required),
    --     @SECRET_HASH@ (required if the app client is configured with a
    --     client secret), @DEVICE_KEY@.
    --
    -- -   For @ADMIN_NO_SRP_AUTH@: @USERNAME@ (required), @SECRET_HASH@ (if
    --     app client is configured with client secret), @PASSWORD@ (required),
    --     @DEVICE_KEY@.
    --
    -- -   For @CUSTOM_AUTH@: @USERNAME@ (required), @SECRET_HASH@ (if app
    --     client is configured with client secret), @DEVICE_KEY@. To start the
    --     authentication flow with password verification, include
    --     @ChallengeName: SRP_A@ and @SRP_A: (The SRP_A Value)@.
    AdminInitiateAuth -> Maybe (Sensitive (HashMap Text Text))
authParameters :: Prelude.Maybe (Core.Sensitive (Prelude.HashMap Prelude.Text Prelude.Text)),
    -- | The ID of the Amazon Cognito user pool.
    AdminInitiateAuth -> Text
userPoolId :: Prelude.Text,
    -- | The app client ID.
    AdminInitiateAuth -> Sensitive Text
clientId :: Core.Sensitive Prelude.Text,
    -- | The authentication flow for this call to execute. The API action will
    -- depend on this value. For example:
    --
    -- -   @REFRESH_TOKEN_AUTH@ will take in a valid refresh token and return
    --     new tokens.
    --
    -- -   @USER_SRP_AUTH@ will take in @USERNAME@ and @SRP_A@ and return the
    --     SRP variables to be used for next challenge execution.
    --
    -- -   @USER_PASSWORD_AUTH@ will take in @USERNAME@ and @PASSWORD@ and
    --     return the next challenge or tokens.
    --
    -- Valid values include:
    --
    -- -   @USER_SRP_AUTH@: Authentication flow for the Secure Remote Password
    --     (SRP) protocol.
    --
    -- -   @REFRESH_TOKEN_AUTH@\/@REFRESH_TOKEN@: Authentication flow for
    --     refreshing the access token and ID token by supplying a valid
    --     refresh token.
    --
    -- -   @CUSTOM_AUTH@: Custom authentication flow.
    --
    -- -   @ADMIN_NO_SRP_AUTH@: Non-SRP authentication flow; you can pass in
    --     the USERNAME and PASSWORD directly if the flow is enabled for
    --     calling the app client.
    --
    -- -   @USER_PASSWORD_AUTH@: Non-SRP authentication flow; USERNAME and
    --     PASSWORD are passed directly. If a user migration Lambda trigger is
    --     set, this flow will invoke the user migration Lambda if the USERNAME
    --     is not found in the user pool.
    --
    -- -   @ADMIN_USER_PASSWORD_AUTH@: Admin-based user password
    --     authentication. This replaces the @ADMIN_NO_SRP_AUTH@ authentication
    --     flow. In this flow, Cognito receives the password in the request
    --     instead of using the SRP process to verify passwords.
    AdminInitiateAuth -> AuthFlowType
authFlow :: AuthFlowType
  }
  deriving (AdminInitiateAuth -> AdminInitiateAuth -> Bool
(AdminInitiateAuth -> AdminInitiateAuth -> Bool)
-> (AdminInitiateAuth -> AdminInitiateAuth -> Bool)
-> Eq AdminInitiateAuth
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: AdminInitiateAuth -> AdminInitiateAuth -> Bool
$c/= :: AdminInitiateAuth -> AdminInitiateAuth -> Bool
== :: AdminInitiateAuth -> AdminInitiateAuth -> Bool
$c== :: AdminInitiateAuth -> AdminInitiateAuth -> Bool
Prelude.Eq, Int -> AdminInitiateAuth -> ShowS
[AdminInitiateAuth] -> ShowS
AdminInitiateAuth -> String
(Int -> AdminInitiateAuth -> ShowS)
-> (AdminInitiateAuth -> String)
-> ([AdminInitiateAuth] -> ShowS)
-> Show AdminInitiateAuth
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [AdminInitiateAuth] -> ShowS
$cshowList :: [AdminInitiateAuth] -> ShowS
show :: AdminInitiateAuth -> String
$cshow :: AdminInitiateAuth -> String
showsPrec :: Int -> AdminInitiateAuth -> ShowS
$cshowsPrec :: Int -> AdminInitiateAuth -> ShowS
Prelude.Show, (forall x. AdminInitiateAuth -> Rep AdminInitiateAuth x)
-> (forall x. Rep AdminInitiateAuth x -> AdminInitiateAuth)
-> Generic AdminInitiateAuth
forall x. Rep AdminInitiateAuth x -> AdminInitiateAuth
forall x. AdminInitiateAuth -> Rep AdminInitiateAuth x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep AdminInitiateAuth x -> AdminInitiateAuth
$cfrom :: forall x. AdminInitiateAuth -> Rep AdminInitiateAuth x
Prelude.Generic)

-- |
-- Create a value of 'AdminInitiateAuth' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'clientMetadata', 'adminInitiateAuth_clientMetadata' - A map of custom key-value pairs that you can provide as input for
-- certain custom workflows that this action triggers.
--
-- You create custom workflows by assigning Lambda functions to user pool
-- triggers. When you use the AdminInitiateAuth API action, Amazon Cognito
-- invokes the Lambda functions that are specified for various triggers.
-- The ClientMetadata value is passed as input to the functions for only
-- the following triggers:
--
-- -   Pre signup
--
-- -   Pre authentication
--
-- -   User migration
--
-- When Amazon Cognito invokes the functions for these triggers, it passes
-- a JSON payload, which the function receives as input. This payload
-- contains a @validationData@ attribute, which provides the data that you
-- assigned to the ClientMetadata parameter in your AdminInitiateAuth
-- request. In your function code in Lambda, you can process the
-- @validationData@ value to enhance your workflow for your specific needs.
--
-- When you use the AdminInitiateAuth API action, Amazon Cognito also
-- invokes the functions for the following triggers, but it does not
-- provide the ClientMetadata value as input:
--
-- -   Post authentication
--
-- -   Custom message
--
-- -   Pre token generation
--
-- -   Create auth challenge
--
-- -   Define auth challenge
--
-- -   Verify auth challenge
--
-- For more information, see
-- <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html Customizing User Pool Workflows with Lambda Triggers>
-- in the /Amazon Cognito Developer Guide/.
--
-- Take the following limitations into consideration when you use the
-- ClientMetadata parameter:
--
-- -   Amazon Cognito does not store the ClientMetadata value. This data is
--     available only to Lambda triggers that are assigned to a user pool
--     to support custom workflows. If your user pool configuration does
--     not include triggers, the ClientMetadata parameter serves no
--     purpose.
--
-- -   Amazon Cognito does not validate the ClientMetadata value.
--
-- -   Amazon Cognito does not encrypt the the ClientMetadata value, so
--     don\'t use it to provide sensitive information.
--
-- 'contextData', 'adminInitiateAuth_contextData' - Contextual data such as the user\'s device fingerprint, IP address, or
-- location used for evaluating the risk of an unexpected event by Amazon
-- Cognito advanced security.
--
-- 'analyticsMetadata', 'adminInitiateAuth_analyticsMetadata' - The analytics metadata for collecting Amazon Pinpoint metrics for
-- @AdminInitiateAuth@ calls.
--
-- 'authParameters', 'adminInitiateAuth_authParameters' - The authentication parameters. These are inputs corresponding to the
-- @AuthFlow@ that you are invoking. The required values depend on the
-- value of @AuthFlow@:
--
-- -   For @USER_SRP_AUTH@: @USERNAME@ (required), @SRP_A@ (required),
--     @SECRET_HASH@ (required if the app client is configured with a
--     client secret), @DEVICE_KEY@.
--
-- -   For @REFRESH_TOKEN_AUTH\/REFRESH_TOKEN@: @REFRESH_TOKEN@ (required),
--     @SECRET_HASH@ (required if the app client is configured with a
--     client secret), @DEVICE_KEY@.
--
-- -   For @ADMIN_NO_SRP_AUTH@: @USERNAME@ (required), @SECRET_HASH@ (if
--     app client is configured with client secret), @PASSWORD@ (required),
--     @DEVICE_KEY@.
--
-- -   For @CUSTOM_AUTH@: @USERNAME@ (required), @SECRET_HASH@ (if app
--     client is configured with client secret), @DEVICE_KEY@. To start the
--     authentication flow with password verification, include
--     @ChallengeName: SRP_A@ and @SRP_A: (The SRP_A Value)@.
--
-- 'userPoolId', 'adminInitiateAuth_userPoolId' - The ID of the Amazon Cognito user pool.
--
-- 'clientId', 'adminInitiateAuth_clientId' - The app client ID.
--
-- 'authFlow', 'adminInitiateAuth_authFlow' - The authentication flow for this call to execute. The API action will
-- depend on this value. For example:
--
-- -   @REFRESH_TOKEN_AUTH@ will take in a valid refresh token and return
--     new tokens.
--
-- -   @USER_SRP_AUTH@ will take in @USERNAME@ and @SRP_A@ and return the
--     SRP variables to be used for next challenge execution.
--
-- -   @USER_PASSWORD_AUTH@ will take in @USERNAME@ and @PASSWORD@ and
--     return the next challenge or tokens.
--
-- Valid values include:
--
-- -   @USER_SRP_AUTH@: Authentication flow for the Secure Remote Password
--     (SRP) protocol.
--
-- -   @REFRESH_TOKEN_AUTH@\/@REFRESH_TOKEN@: Authentication flow for
--     refreshing the access token and ID token by supplying a valid
--     refresh token.
--
-- -   @CUSTOM_AUTH@: Custom authentication flow.
--
-- -   @ADMIN_NO_SRP_AUTH@: Non-SRP authentication flow; you can pass in
--     the USERNAME and PASSWORD directly if the flow is enabled for
--     calling the app client.
--
-- -   @USER_PASSWORD_AUTH@: Non-SRP authentication flow; USERNAME and
--     PASSWORD are passed directly. If a user migration Lambda trigger is
--     set, this flow will invoke the user migration Lambda if the USERNAME
--     is not found in the user pool.
--
-- -   @ADMIN_USER_PASSWORD_AUTH@: Admin-based user password
--     authentication. This replaces the @ADMIN_NO_SRP_AUTH@ authentication
--     flow. In this flow, Cognito receives the password in the request
--     instead of using the SRP process to verify passwords.
newAdminInitiateAuth ::
  -- | 'userPoolId'
  Prelude.Text ->
  -- | 'clientId'
  Prelude.Text ->
  -- | 'authFlow'
  AuthFlowType ->
  AdminInitiateAuth
newAdminInitiateAuth :: Text -> Text -> AuthFlowType -> AdminInitiateAuth
newAdminInitiateAuth
  Text
pUserPoolId_
  Text
pClientId_
  AuthFlowType
pAuthFlow_ =
    AdminInitiateAuth' :: Maybe (HashMap Text Text)
-> Maybe ContextDataType
-> Maybe AnalyticsMetadataType
-> Maybe (Sensitive (HashMap Text Text))
-> Text
-> Sensitive Text
-> AuthFlowType
-> AdminInitiateAuth
AdminInitiateAuth'
      { $sel:clientMetadata:AdminInitiateAuth' :: Maybe (HashMap Text Text)
clientMetadata =
          Maybe (HashMap Text Text)
forall a. Maybe a
Prelude.Nothing,
        $sel:contextData:AdminInitiateAuth' :: Maybe ContextDataType
contextData = Maybe ContextDataType
forall a. Maybe a
Prelude.Nothing,
        $sel:analyticsMetadata:AdminInitiateAuth' :: Maybe AnalyticsMetadataType
analyticsMetadata = Maybe AnalyticsMetadataType
forall a. Maybe a
Prelude.Nothing,
        $sel:authParameters:AdminInitiateAuth' :: Maybe (Sensitive (HashMap Text Text))
authParameters = Maybe (Sensitive (HashMap Text Text))
forall a. Maybe a
Prelude.Nothing,
        $sel:userPoolId:AdminInitiateAuth' :: Text
userPoolId = Text
pUserPoolId_,
        $sel:clientId:AdminInitiateAuth' :: Sensitive Text
clientId = Tagged Text (Identity Text)
-> Tagged (Sensitive Text) (Identity (Sensitive Text))
forall a. Iso' (Sensitive a) a
Core._Sensitive (Tagged Text (Identity Text)
 -> Tagged (Sensitive Text) (Identity (Sensitive Text)))
-> Text -> Sensitive Text
forall t b. AReview t b -> b -> t
Lens.# Text
pClientId_,
        $sel:authFlow:AdminInitiateAuth' :: AuthFlowType
authFlow = AuthFlowType
pAuthFlow_
      }

-- | A map of custom key-value pairs that you can provide as input for
-- certain custom workflows that this action triggers.
--
-- You create custom workflows by assigning Lambda functions to user pool
-- triggers. When you use the AdminInitiateAuth API action, Amazon Cognito
-- invokes the Lambda functions that are specified for various triggers.
-- The ClientMetadata value is passed as input to the functions for only
-- the following triggers:
--
-- -   Pre signup
--
-- -   Pre authentication
--
-- -   User migration
--
-- When Amazon Cognito invokes the functions for these triggers, it passes
-- a JSON payload, which the function receives as input. This payload
-- contains a @validationData@ attribute, which provides the data that you
-- assigned to the ClientMetadata parameter in your AdminInitiateAuth
-- request. In your function code in Lambda, you can process the
-- @validationData@ value to enhance your workflow for your specific needs.
--
-- When you use the AdminInitiateAuth API action, Amazon Cognito also
-- invokes the functions for the following triggers, but it does not
-- provide the ClientMetadata value as input:
--
-- -   Post authentication
--
-- -   Custom message
--
-- -   Pre token generation
--
-- -   Create auth challenge
--
-- -   Define auth challenge
--
-- -   Verify auth challenge
--
-- For more information, see
-- <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html Customizing User Pool Workflows with Lambda Triggers>
-- in the /Amazon Cognito Developer Guide/.
--
-- Take the following limitations into consideration when you use the
-- ClientMetadata parameter:
--
-- -   Amazon Cognito does not store the ClientMetadata value. This data is
--     available only to Lambda triggers that are assigned to a user pool
--     to support custom workflows. If your user pool configuration does
--     not include triggers, the ClientMetadata parameter serves no
--     purpose.
--
-- -   Amazon Cognito does not validate the ClientMetadata value.
--
-- -   Amazon Cognito does not encrypt the the ClientMetadata value, so
--     don\'t use it to provide sensitive information.
adminInitiateAuth_clientMetadata :: Lens.Lens' AdminInitiateAuth (Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text))
adminInitiateAuth_clientMetadata :: (Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_clientMetadata = (AdminInitiateAuth -> Maybe (HashMap Text Text))
-> (AdminInitiateAuth
    -> Maybe (HashMap Text Text) -> AdminInitiateAuth)
-> Lens
     AdminInitiateAuth
     AdminInitiateAuth
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {Maybe (HashMap Text Text)
clientMetadata :: Maybe (HashMap Text Text)
$sel:clientMetadata:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe (HashMap Text Text)
clientMetadata} -> Maybe (HashMap Text Text)
clientMetadata) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} Maybe (HashMap Text Text)
a -> AdminInitiateAuth
s {$sel:clientMetadata:AdminInitiateAuth' :: Maybe (HashMap Text Text)
clientMetadata = Maybe (HashMap Text Text)
a} :: AdminInitiateAuth) ((Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
 -> AdminInitiateAuth -> f AdminInitiateAuth)
-> ((Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
    -> Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> (Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> AdminInitiateAuth
-> f AdminInitiateAuth
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. AnIso
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
-> Iso
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
forall (f :: * -> *) (g :: * -> *) s t a b.
(Functor f, Functor g) =>
AnIso s t a b -> Iso (f s) (g t) (f a) (g b)
Lens.mapping AnIso
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b
Lens.coerced

-- | Contextual data such as the user\'s device fingerprint, IP address, or
-- location used for evaluating the risk of an unexpected event by Amazon
-- Cognito advanced security.
adminInitiateAuth_contextData :: Lens.Lens' AdminInitiateAuth (Prelude.Maybe ContextDataType)
adminInitiateAuth_contextData :: (Maybe ContextDataType -> f (Maybe ContextDataType))
-> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_contextData = (AdminInitiateAuth -> Maybe ContextDataType)
-> (AdminInitiateAuth
    -> Maybe ContextDataType -> AdminInitiateAuth)
-> Lens
     AdminInitiateAuth
     AdminInitiateAuth
     (Maybe ContextDataType)
     (Maybe ContextDataType)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {Maybe ContextDataType
contextData :: Maybe ContextDataType
$sel:contextData:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe ContextDataType
contextData} -> Maybe ContextDataType
contextData) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} Maybe ContextDataType
a -> AdminInitiateAuth
s {$sel:contextData:AdminInitiateAuth' :: Maybe ContextDataType
contextData = Maybe ContextDataType
a} :: AdminInitiateAuth)

-- | The analytics metadata for collecting Amazon Pinpoint metrics for
-- @AdminInitiateAuth@ calls.
adminInitiateAuth_analyticsMetadata :: Lens.Lens' AdminInitiateAuth (Prelude.Maybe AnalyticsMetadataType)
adminInitiateAuth_analyticsMetadata :: (Maybe AnalyticsMetadataType -> f (Maybe AnalyticsMetadataType))
-> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_analyticsMetadata = (AdminInitiateAuth -> Maybe AnalyticsMetadataType)
-> (AdminInitiateAuth
    -> Maybe AnalyticsMetadataType -> AdminInitiateAuth)
-> Lens
     AdminInitiateAuth
     AdminInitiateAuth
     (Maybe AnalyticsMetadataType)
     (Maybe AnalyticsMetadataType)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {Maybe AnalyticsMetadataType
analyticsMetadata :: Maybe AnalyticsMetadataType
$sel:analyticsMetadata:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe AnalyticsMetadataType
analyticsMetadata} -> Maybe AnalyticsMetadataType
analyticsMetadata) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} Maybe AnalyticsMetadataType
a -> AdminInitiateAuth
s {$sel:analyticsMetadata:AdminInitiateAuth' :: Maybe AnalyticsMetadataType
analyticsMetadata = Maybe AnalyticsMetadataType
a} :: AdminInitiateAuth)

-- | The authentication parameters. These are inputs corresponding to the
-- @AuthFlow@ that you are invoking. The required values depend on the
-- value of @AuthFlow@:
--
-- -   For @USER_SRP_AUTH@: @USERNAME@ (required), @SRP_A@ (required),
--     @SECRET_HASH@ (required if the app client is configured with a
--     client secret), @DEVICE_KEY@.
--
-- -   For @REFRESH_TOKEN_AUTH\/REFRESH_TOKEN@: @REFRESH_TOKEN@ (required),
--     @SECRET_HASH@ (required if the app client is configured with a
--     client secret), @DEVICE_KEY@.
--
-- -   For @ADMIN_NO_SRP_AUTH@: @USERNAME@ (required), @SECRET_HASH@ (if
--     app client is configured with client secret), @PASSWORD@ (required),
--     @DEVICE_KEY@.
--
-- -   For @CUSTOM_AUTH@: @USERNAME@ (required), @SECRET_HASH@ (if app
--     client is configured with client secret), @DEVICE_KEY@. To start the
--     authentication flow with password verification, include
--     @ChallengeName: SRP_A@ and @SRP_A: (The SRP_A Value)@.
adminInitiateAuth_authParameters :: Lens.Lens' AdminInitiateAuth (Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text))
adminInitiateAuth_authParameters :: (Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_authParameters = (AdminInitiateAuth -> Maybe (Sensitive (HashMap Text Text)))
-> (AdminInitiateAuth
    -> Maybe (Sensitive (HashMap Text Text)) -> AdminInitiateAuth)
-> Lens
     AdminInitiateAuth
     AdminInitiateAuth
     (Maybe (Sensitive (HashMap Text Text)))
     (Maybe (Sensitive (HashMap Text Text)))
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {Maybe (Sensitive (HashMap Text Text))
authParameters :: Maybe (Sensitive (HashMap Text Text))
$sel:authParameters:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe (Sensitive (HashMap Text Text))
authParameters} -> Maybe (Sensitive (HashMap Text Text))
authParameters) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} Maybe (Sensitive (HashMap Text Text))
a -> AdminInitiateAuth
s {$sel:authParameters:AdminInitiateAuth' :: Maybe (Sensitive (HashMap Text Text))
authParameters = Maybe (Sensitive (HashMap Text Text))
a} :: AdminInitiateAuth) ((Maybe (Sensitive (HashMap Text Text))
  -> f (Maybe (Sensitive (HashMap Text Text))))
 -> AdminInitiateAuth -> f AdminInitiateAuth)
-> ((Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
    -> Maybe (Sensitive (HashMap Text Text))
    -> f (Maybe (Sensitive (HashMap Text Text))))
-> (Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> AdminInitiateAuth
-> f AdminInitiateAuth
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. AnIso
  (Sensitive (HashMap Text Text))
  (Sensitive (HashMap Text Text))
  (HashMap Text Text)
  (HashMap Text Text)
-> Iso
     (Maybe (Sensitive (HashMap Text Text)))
     (Maybe (Sensitive (HashMap Text Text)))
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
forall (f :: * -> *) (g :: * -> *) s t a b.
(Functor f, Functor g) =>
AnIso s t a b -> Iso (f s) (g t) (f a) (g b)
Lens.mapping (AnIso
  (Sensitive (HashMap Text Text))
  (Sensitive (HashMap Text Text))
  (HashMap Text Text)
  (HashMap Text Text)
forall a. Iso' (Sensitive a) a
Core._Sensitive AnIso
  (Sensitive (HashMap Text Text))
  (Sensitive (HashMap Text Text))
  (HashMap Text Text)
  (HashMap Text Text)
-> AnIso
     (HashMap Text Text)
     (HashMap Text Text)
     (HashMap Text Text)
     (HashMap Text Text)
-> AnIso
     (Sensitive (HashMap Text Text))
     (Sensitive (HashMap Text Text))
     (HashMap Text Text)
     (HashMap Text Text)
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. AnIso
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b
Lens.coerced)

-- | The ID of the Amazon Cognito user pool.
adminInitiateAuth_userPoolId :: Lens.Lens' AdminInitiateAuth Prelude.Text
adminInitiateAuth_userPoolId :: (Text -> f Text) -> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_userPoolId = (AdminInitiateAuth -> Text)
-> (AdminInitiateAuth -> Text -> AdminInitiateAuth)
-> Lens AdminInitiateAuth AdminInitiateAuth Text Text
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {Text
userPoolId :: Text
$sel:userPoolId:AdminInitiateAuth' :: AdminInitiateAuth -> Text
userPoolId} -> Text
userPoolId) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} Text
a -> AdminInitiateAuth
s {$sel:userPoolId:AdminInitiateAuth' :: Text
userPoolId = Text
a} :: AdminInitiateAuth)

-- | The app client ID.
adminInitiateAuth_clientId :: Lens.Lens' AdminInitiateAuth Prelude.Text
adminInitiateAuth_clientId :: (Text -> f Text) -> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_clientId = (AdminInitiateAuth -> Sensitive Text)
-> (AdminInitiateAuth -> Sensitive Text -> AdminInitiateAuth)
-> Lens
     AdminInitiateAuth
     AdminInitiateAuth
     (Sensitive Text)
     (Sensitive Text)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {Sensitive Text
clientId :: Sensitive Text
$sel:clientId:AdminInitiateAuth' :: AdminInitiateAuth -> Sensitive Text
clientId} -> Sensitive Text
clientId) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} Sensitive Text
a -> AdminInitiateAuth
s {$sel:clientId:AdminInitiateAuth' :: Sensitive Text
clientId = Sensitive Text
a} :: AdminInitiateAuth) ((Sensitive Text -> f (Sensitive Text))
 -> AdminInitiateAuth -> f AdminInitiateAuth)
-> ((Text -> f Text) -> Sensitive Text -> f (Sensitive Text))
-> (Text -> f Text)
-> AdminInitiateAuth
-> f AdminInitiateAuth
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. (Text -> f Text) -> Sensitive Text -> f (Sensitive Text)
forall a. Iso' (Sensitive a) a
Core._Sensitive

-- | The authentication flow for this call to execute. The API action will
-- depend on this value. For example:
--
-- -   @REFRESH_TOKEN_AUTH@ will take in a valid refresh token and return
--     new tokens.
--
-- -   @USER_SRP_AUTH@ will take in @USERNAME@ and @SRP_A@ and return the
--     SRP variables to be used for next challenge execution.
--
-- -   @USER_PASSWORD_AUTH@ will take in @USERNAME@ and @PASSWORD@ and
--     return the next challenge or tokens.
--
-- Valid values include:
--
-- -   @USER_SRP_AUTH@: Authentication flow for the Secure Remote Password
--     (SRP) protocol.
--
-- -   @REFRESH_TOKEN_AUTH@\/@REFRESH_TOKEN@: Authentication flow for
--     refreshing the access token and ID token by supplying a valid
--     refresh token.
--
-- -   @CUSTOM_AUTH@: Custom authentication flow.
--
-- -   @ADMIN_NO_SRP_AUTH@: Non-SRP authentication flow; you can pass in
--     the USERNAME and PASSWORD directly if the flow is enabled for
--     calling the app client.
--
-- -   @USER_PASSWORD_AUTH@: Non-SRP authentication flow; USERNAME and
--     PASSWORD are passed directly. If a user migration Lambda trigger is
--     set, this flow will invoke the user migration Lambda if the USERNAME
--     is not found in the user pool.
--
-- -   @ADMIN_USER_PASSWORD_AUTH@: Admin-based user password
--     authentication. This replaces the @ADMIN_NO_SRP_AUTH@ authentication
--     flow. In this flow, Cognito receives the password in the request
--     instead of using the SRP process to verify passwords.
adminInitiateAuth_authFlow :: Lens.Lens' AdminInitiateAuth AuthFlowType
adminInitiateAuth_authFlow :: (AuthFlowType -> f AuthFlowType)
-> AdminInitiateAuth -> f AdminInitiateAuth
adminInitiateAuth_authFlow = (AdminInitiateAuth -> AuthFlowType)
-> (AdminInitiateAuth -> AuthFlowType -> AdminInitiateAuth)
-> Lens
     AdminInitiateAuth AdminInitiateAuth AuthFlowType AuthFlowType
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuth' {AuthFlowType
authFlow :: AuthFlowType
$sel:authFlow:AdminInitiateAuth' :: AdminInitiateAuth -> AuthFlowType
authFlow} -> AuthFlowType
authFlow) (\s :: AdminInitiateAuth
s@AdminInitiateAuth' {} AuthFlowType
a -> AdminInitiateAuth
s {$sel:authFlow:AdminInitiateAuth' :: AuthFlowType
authFlow = AuthFlowType
a} :: AdminInitiateAuth)

instance Core.AWSRequest AdminInitiateAuth where
  type
    AWSResponse AdminInitiateAuth =
      AdminInitiateAuthResponse
  request :: AdminInitiateAuth -> Request AdminInitiateAuth
request = Service -> AdminInitiateAuth -> Request AdminInitiateAuth
forall a. (ToRequest a, ToJSON a) => Service -> a -> Request a
Request.postJSON Service
defaultService
  response :: Logger
-> Service
-> Proxy AdminInitiateAuth
-> ClientResponse ClientBody
-> m (Either
        Error (ClientResponse (AWSResponse AdminInitiateAuth)))
response =
    (Int
 -> ResponseHeaders
 -> Object
 -> Either String (AWSResponse AdminInitiateAuth))
-> Logger
-> Service
-> Proxy AdminInitiateAuth
-> ClientResponse ClientBody
-> m (Either
        Error (ClientResponse (AWSResponse AdminInitiateAuth)))
forall (m :: * -> *) a.
MonadResource m =>
(Int -> ResponseHeaders -> Object -> Either String (AWSResponse a))
-> Logger
-> Service
-> Proxy a
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse a)))
Response.receiveJSON
      ( \Int
s ResponseHeaders
h Object
x ->
          Maybe ChallengeNameType
-> Maybe (HashMap Text Text)
-> Maybe AuthenticationResultType
-> Maybe Text
-> Int
-> AdminInitiateAuthResponse
AdminInitiateAuthResponse'
            (Maybe ChallengeNameType
 -> Maybe (HashMap Text Text)
 -> Maybe AuthenticationResultType
 -> Maybe Text
 -> Int
 -> AdminInitiateAuthResponse)
-> Either String (Maybe ChallengeNameType)
-> Either
     String
     (Maybe (HashMap Text Text)
      -> Maybe AuthenticationResultType
      -> Maybe Text
      -> Int
      -> AdminInitiateAuthResponse)
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> (Object
x Object -> Text -> Either String (Maybe ChallengeNameType)
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"ChallengeName")
            Either
  String
  (Maybe (HashMap Text Text)
   -> Maybe AuthenticationResultType
   -> Maybe Text
   -> Int
   -> AdminInitiateAuthResponse)
-> Either String (Maybe (HashMap Text Text))
-> Either
     String
     (Maybe AuthenticationResultType
      -> Maybe Text -> Int -> AdminInitiateAuthResponse)
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> ( Object
x Object -> Text -> Either String (Maybe (Maybe (HashMap Text Text)))
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"ChallengeParameters"
                            Either String (Maybe (Maybe (HashMap Text Text)))
-> Maybe (HashMap Text Text)
-> Either String (Maybe (HashMap Text Text))
forall (f :: * -> *) a. Functor f => f (Maybe a) -> a -> f a
Core..!@ Maybe (HashMap Text Text)
forall a. Monoid a => a
Prelude.mempty
                        )
            Either
  String
  (Maybe AuthenticationResultType
   -> Maybe Text -> Int -> AdminInitiateAuthResponse)
-> Either String (Maybe AuthenticationResultType)
-> Either String (Maybe Text -> Int -> AdminInitiateAuthResponse)
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x Object -> Text -> Either String (Maybe AuthenticationResultType)
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"AuthenticationResult")
            Either String (Maybe Text -> Int -> AdminInitiateAuthResponse)
-> Either String (Maybe Text)
-> Either String (Int -> AdminInitiateAuthResponse)
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x Object -> Text -> Either String (Maybe Text)
forall a. FromJSON a => Object -> Text -> Either String (Maybe a)
Core..?> Text
"Session")
            Either String (Int -> AdminInitiateAuthResponse)
-> Either String Int -> Either String AdminInitiateAuthResponse
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Int -> Either String Int
forall (f :: * -> *) a. Applicative f => a -> f a
Prelude.pure (Int -> Int
forall a. Enum a => a -> Int
Prelude.fromEnum Int
s))
      )

instance Prelude.Hashable AdminInitiateAuth

instance Prelude.NFData AdminInitiateAuth

instance Core.ToHeaders AdminInitiateAuth where
  toHeaders :: AdminInitiateAuth -> ResponseHeaders
toHeaders =
    ResponseHeaders -> AdminInitiateAuth -> ResponseHeaders
forall a b. a -> b -> a
Prelude.const
      ( [ResponseHeaders] -> ResponseHeaders
forall a. Monoid a => [a] -> a
Prelude.mconcat
          [ HeaderName
"X-Amz-Target"
              HeaderName -> ByteString -> ResponseHeaders
forall a. ToHeader a => HeaderName -> a -> ResponseHeaders
Core.=# ( ByteString
"AWSCognitoIdentityProviderService.AdminInitiateAuth" ::
                          Prelude.ByteString
                      ),
            HeaderName
"Content-Type"
              HeaderName -> ByteString -> ResponseHeaders
forall a. ToHeader a => HeaderName -> a -> ResponseHeaders
Core.=# ( ByteString
"application/x-amz-json-1.1" ::
                          Prelude.ByteString
                      )
          ]
      )

instance Core.ToJSON AdminInitiateAuth where
  toJSON :: AdminInitiateAuth -> Value
toJSON AdminInitiateAuth' {Maybe (HashMap Text Text)
Maybe (Sensitive (HashMap Text Text))
Maybe AnalyticsMetadataType
Maybe ContextDataType
Text
Sensitive Text
AuthFlowType
authFlow :: AuthFlowType
clientId :: Sensitive Text
userPoolId :: Text
authParameters :: Maybe (Sensitive (HashMap Text Text))
analyticsMetadata :: Maybe AnalyticsMetadataType
contextData :: Maybe ContextDataType
clientMetadata :: Maybe (HashMap Text Text)
$sel:authFlow:AdminInitiateAuth' :: AdminInitiateAuth -> AuthFlowType
$sel:clientId:AdminInitiateAuth' :: AdminInitiateAuth -> Sensitive Text
$sel:userPoolId:AdminInitiateAuth' :: AdminInitiateAuth -> Text
$sel:authParameters:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe (Sensitive (HashMap Text Text))
$sel:analyticsMetadata:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe AnalyticsMetadataType
$sel:contextData:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe ContextDataType
$sel:clientMetadata:AdminInitiateAuth' :: AdminInitiateAuth -> Maybe (HashMap Text Text)
..} =
    [Pair] -> Value
Core.object
      ( [Maybe Pair] -> [Pair]
forall a. [Maybe a] -> [a]
Prelude.catMaybes
          [ (Text
"ClientMetadata" Text -> HashMap Text Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=)
              (HashMap Text Text -> Pair)
-> Maybe (HashMap Text Text) -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe (HashMap Text Text)
clientMetadata,
            (Text
"ContextData" Text -> ContextDataType -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=) (ContextDataType -> Pair) -> Maybe ContextDataType -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe ContextDataType
contextData,
            (Text
"AnalyticsMetadata" Text -> AnalyticsMetadataType -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=)
              (AnalyticsMetadataType -> Pair)
-> Maybe AnalyticsMetadataType -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe AnalyticsMetadataType
analyticsMetadata,
            (Text
"AuthParameters" Text -> Sensitive (HashMap Text Text) -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=)
              (Sensitive (HashMap Text Text) -> Pair)
-> Maybe (Sensitive (HashMap Text Text)) -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe (Sensitive (HashMap Text Text))
authParameters,
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"UserPoolId" Text -> Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= Text
userPoolId),
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"ClientId" Text -> Sensitive Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= Sensitive Text
clientId),
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"AuthFlow" Text -> AuthFlowType -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= AuthFlowType
authFlow)
          ]
      )

instance Core.ToPath AdminInitiateAuth where
  toPath :: AdminInitiateAuth -> ByteString
toPath = ByteString -> AdminInitiateAuth -> ByteString
forall a b. a -> b -> a
Prelude.const ByteString
"/"

instance Core.ToQuery AdminInitiateAuth where
  toQuery :: AdminInitiateAuth -> QueryString
toQuery = QueryString -> AdminInitiateAuth -> QueryString
forall a b. a -> b -> a
Prelude.const QueryString
forall a. Monoid a => a
Prelude.mempty

-- | Initiates the authentication response, as an administrator.
--
-- /See:/ 'newAdminInitiateAuthResponse' smart constructor.
data AdminInitiateAuthResponse = AdminInitiateAuthResponse'
  { -- | The name of the challenge which you are responding to with this call.
    -- This is returned to you in the @AdminInitiateAuth@ response if you need
    -- to pass another challenge.
    --
    -- -   @MFA_SETUP@: If MFA is required, users who do not have at least one
    --     of the MFA methods set up are presented with an @MFA_SETUP@
    --     challenge. The user must set up at least one MFA type to continue to
    --     authenticate.
    --
    -- -   @SELECT_MFA_TYPE@: Selects the MFA type. Valid MFA options are
    --     @SMS_MFA@ for text SMS MFA, and @SOFTWARE_TOKEN_MFA@ for TOTP
    --     software token MFA.
    --
    -- -   @SMS_MFA@: Next challenge is to supply an @SMS_MFA_CODE@, delivered
    --     via SMS.
    --
    -- -   @PASSWORD_VERIFIER@: Next challenge is to supply
    --     @PASSWORD_CLAIM_SIGNATURE@, @PASSWORD_CLAIM_SECRET_BLOCK@, and
    --     @TIMESTAMP@ after the client-side SRP calculations.
    --
    -- -   @CUSTOM_CHALLENGE@: This is returned if your custom authentication
    --     flow determines that the user should pass another challenge before
    --     tokens are issued.
    --
    -- -   @DEVICE_SRP_AUTH@: If device tracking was enabled on your user pool
    --     and the previous challenges were passed, this challenge is returned
    --     so that Amazon Cognito can start tracking this device.
    --
    -- -   @DEVICE_PASSWORD_VERIFIER@: Similar to @PASSWORD_VERIFIER@, but for
    --     devices only.
    --
    -- -   @ADMIN_NO_SRP_AUTH@: This is returned if you need to authenticate
    --     with @USERNAME@ and @PASSWORD@ directly. An app client must be
    --     enabled to use this flow.
    --
    -- -   @NEW_PASSWORD_REQUIRED@: For users who are required to change their
    --     passwords after successful first login. This challenge should be
    --     passed with @NEW_PASSWORD@ and any other required attributes.
    --
    -- -   @MFA_SETUP@: For users who are required to setup an MFA factor
    --     before they can sign-in. The MFA types enabled for the user pool
    --     will be listed in the challenge parameters @MFA_CAN_SETUP@ value.
    --
    --     To setup software token MFA, use the session returned here from
    --     @InitiateAuth@ as an input to @AssociateSoftwareToken@, and use the
    --     session returned by @VerifySoftwareToken@ as an input to
    --     @RespondToAuthChallenge@ with challenge name @MFA_SETUP@ to complete
    --     sign-in. To setup SMS MFA, users will need help from an
    --     administrator to add a phone number to their account and then call
    --     @InitiateAuth@ again to restart sign-in.
    AdminInitiateAuthResponse -> Maybe ChallengeNameType
challengeName :: Prelude.Maybe ChallengeNameType,
    -- | The challenge parameters. These are returned to you in the
    -- @AdminInitiateAuth@ response if you need to pass another challenge. The
    -- responses in this parameter should be used to compute inputs to the next
    -- call (@AdminRespondToAuthChallenge@).
    --
    -- All challenges require @USERNAME@ and @SECRET_HASH@ (if applicable).
    --
    -- The value of the @USER_ID_FOR_SRP@ attribute will be the user\'s actual
    -- username, not an alias (such as email address or phone number), even if
    -- you specified an alias in your call to @AdminInitiateAuth@. This is
    -- because, in the @AdminRespondToAuthChallenge@ API @ChallengeResponses@,
    -- the @USERNAME@ attribute cannot be an alias.
    AdminInitiateAuthResponse -> Maybe (HashMap Text Text)
challengeParameters :: Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text),
    -- | The result of the authentication response. This is only returned if the
    -- caller does not need to pass another challenge. If the caller does need
    -- to pass another challenge before it gets tokens, @ChallengeName@,
    -- @ChallengeParameters@, and @Session@ are returned.
    AdminInitiateAuthResponse -> Maybe AuthenticationResultType
authenticationResult :: Prelude.Maybe AuthenticationResultType,
    -- | The session which should be passed both ways in challenge-response calls
    -- to the service. If @AdminInitiateAuth@ or @AdminRespondToAuthChallenge@
    -- API call determines that the caller needs to go through another
    -- challenge, they return a session with other challenge parameters. This
    -- session should be passed as it is to the next
    -- @AdminRespondToAuthChallenge@ API call.
    AdminInitiateAuthResponse -> Maybe Text
session :: Prelude.Maybe Prelude.Text,
    -- | The response's http status code.
    AdminInitiateAuthResponse -> Int
httpStatus :: Prelude.Int
  }
  deriving (AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool
(AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool)
-> (AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool)
-> Eq AdminInitiateAuthResponse
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool
$c/= :: AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool
== :: AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool
$c== :: AdminInitiateAuthResponse -> AdminInitiateAuthResponse -> Bool
Prelude.Eq, Int -> AdminInitiateAuthResponse -> ShowS
[AdminInitiateAuthResponse] -> ShowS
AdminInitiateAuthResponse -> String
(Int -> AdminInitiateAuthResponse -> ShowS)
-> (AdminInitiateAuthResponse -> String)
-> ([AdminInitiateAuthResponse] -> ShowS)
-> Show AdminInitiateAuthResponse
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [AdminInitiateAuthResponse] -> ShowS
$cshowList :: [AdminInitiateAuthResponse] -> ShowS
show :: AdminInitiateAuthResponse -> String
$cshow :: AdminInitiateAuthResponse -> String
showsPrec :: Int -> AdminInitiateAuthResponse -> ShowS
$cshowsPrec :: Int -> AdminInitiateAuthResponse -> ShowS
Prelude.Show, (forall x.
 AdminInitiateAuthResponse -> Rep AdminInitiateAuthResponse x)
-> (forall x.
    Rep AdminInitiateAuthResponse x -> AdminInitiateAuthResponse)
-> Generic AdminInitiateAuthResponse
forall x.
Rep AdminInitiateAuthResponse x -> AdminInitiateAuthResponse
forall x.
AdminInitiateAuthResponse -> Rep AdminInitiateAuthResponse x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x.
Rep AdminInitiateAuthResponse x -> AdminInitiateAuthResponse
$cfrom :: forall x.
AdminInitiateAuthResponse -> Rep AdminInitiateAuthResponse x
Prelude.Generic)

-- |
-- Create a value of 'AdminInitiateAuthResponse' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'challengeName', 'adminInitiateAuthResponse_challengeName' - The name of the challenge which you are responding to with this call.
-- This is returned to you in the @AdminInitiateAuth@ response if you need
-- to pass another challenge.
--
-- -   @MFA_SETUP@: If MFA is required, users who do not have at least one
--     of the MFA methods set up are presented with an @MFA_SETUP@
--     challenge. The user must set up at least one MFA type to continue to
--     authenticate.
--
-- -   @SELECT_MFA_TYPE@: Selects the MFA type. Valid MFA options are
--     @SMS_MFA@ for text SMS MFA, and @SOFTWARE_TOKEN_MFA@ for TOTP
--     software token MFA.
--
-- -   @SMS_MFA@: Next challenge is to supply an @SMS_MFA_CODE@, delivered
--     via SMS.
--
-- -   @PASSWORD_VERIFIER@: Next challenge is to supply
--     @PASSWORD_CLAIM_SIGNATURE@, @PASSWORD_CLAIM_SECRET_BLOCK@, and
--     @TIMESTAMP@ after the client-side SRP calculations.
--
-- -   @CUSTOM_CHALLENGE@: This is returned if your custom authentication
--     flow determines that the user should pass another challenge before
--     tokens are issued.
--
-- -   @DEVICE_SRP_AUTH@: If device tracking was enabled on your user pool
--     and the previous challenges were passed, this challenge is returned
--     so that Amazon Cognito can start tracking this device.
--
-- -   @DEVICE_PASSWORD_VERIFIER@: Similar to @PASSWORD_VERIFIER@, but for
--     devices only.
--
-- -   @ADMIN_NO_SRP_AUTH@: This is returned if you need to authenticate
--     with @USERNAME@ and @PASSWORD@ directly. An app client must be
--     enabled to use this flow.
--
-- -   @NEW_PASSWORD_REQUIRED@: For users who are required to change their
--     passwords after successful first login. This challenge should be
--     passed with @NEW_PASSWORD@ and any other required attributes.
--
-- -   @MFA_SETUP@: For users who are required to setup an MFA factor
--     before they can sign-in. The MFA types enabled for the user pool
--     will be listed in the challenge parameters @MFA_CAN_SETUP@ value.
--
--     To setup software token MFA, use the session returned here from
--     @InitiateAuth@ as an input to @AssociateSoftwareToken@, and use the
--     session returned by @VerifySoftwareToken@ as an input to
--     @RespondToAuthChallenge@ with challenge name @MFA_SETUP@ to complete
--     sign-in. To setup SMS MFA, users will need help from an
--     administrator to add a phone number to their account and then call
--     @InitiateAuth@ again to restart sign-in.
--
-- 'challengeParameters', 'adminInitiateAuthResponse_challengeParameters' - The challenge parameters. These are returned to you in the
-- @AdminInitiateAuth@ response if you need to pass another challenge. The
-- responses in this parameter should be used to compute inputs to the next
-- call (@AdminRespondToAuthChallenge@).
--
-- All challenges require @USERNAME@ and @SECRET_HASH@ (if applicable).
--
-- The value of the @USER_ID_FOR_SRP@ attribute will be the user\'s actual
-- username, not an alias (such as email address or phone number), even if
-- you specified an alias in your call to @AdminInitiateAuth@. This is
-- because, in the @AdminRespondToAuthChallenge@ API @ChallengeResponses@,
-- the @USERNAME@ attribute cannot be an alias.
--
-- 'authenticationResult', 'adminInitiateAuthResponse_authenticationResult' - The result of the authentication response. This is only returned if the
-- caller does not need to pass another challenge. If the caller does need
-- to pass another challenge before it gets tokens, @ChallengeName@,
-- @ChallengeParameters@, and @Session@ are returned.
--
-- 'session', 'adminInitiateAuthResponse_session' - The session which should be passed both ways in challenge-response calls
-- to the service. If @AdminInitiateAuth@ or @AdminRespondToAuthChallenge@
-- API call determines that the caller needs to go through another
-- challenge, they return a session with other challenge parameters. This
-- session should be passed as it is to the next
-- @AdminRespondToAuthChallenge@ API call.
--
-- 'httpStatus', 'adminInitiateAuthResponse_httpStatus' - The response's http status code.
newAdminInitiateAuthResponse ::
  -- | 'httpStatus'
  Prelude.Int ->
  AdminInitiateAuthResponse
newAdminInitiateAuthResponse :: Int -> AdminInitiateAuthResponse
newAdminInitiateAuthResponse Int
pHttpStatus_ =
  AdminInitiateAuthResponse' :: Maybe ChallengeNameType
-> Maybe (HashMap Text Text)
-> Maybe AuthenticationResultType
-> Maybe Text
-> Int
-> AdminInitiateAuthResponse
AdminInitiateAuthResponse'
    { $sel:challengeName:AdminInitiateAuthResponse' :: Maybe ChallengeNameType
challengeName =
        Maybe ChallengeNameType
forall a. Maybe a
Prelude.Nothing,
      $sel:challengeParameters:AdminInitiateAuthResponse' :: Maybe (HashMap Text Text)
challengeParameters = Maybe (HashMap Text Text)
forall a. Maybe a
Prelude.Nothing,
      $sel:authenticationResult:AdminInitiateAuthResponse' :: Maybe AuthenticationResultType
authenticationResult = Maybe AuthenticationResultType
forall a. Maybe a
Prelude.Nothing,
      $sel:session:AdminInitiateAuthResponse' :: Maybe Text
session = Maybe Text
forall a. Maybe a
Prelude.Nothing,
      $sel:httpStatus:AdminInitiateAuthResponse' :: Int
httpStatus = Int
pHttpStatus_
    }

-- | The name of the challenge which you are responding to with this call.
-- This is returned to you in the @AdminInitiateAuth@ response if you need
-- to pass another challenge.
--
-- -   @MFA_SETUP@: If MFA is required, users who do not have at least one
--     of the MFA methods set up are presented with an @MFA_SETUP@
--     challenge. The user must set up at least one MFA type to continue to
--     authenticate.
--
-- -   @SELECT_MFA_TYPE@: Selects the MFA type. Valid MFA options are
--     @SMS_MFA@ for text SMS MFA, and @SOFTWARE_TOKEN_MFA@ for TOTP
--     software token MFA.
--
-- -   @SMS_MFA@: Next challenge is to supply an @SMS_MFA_CODE@, delivered
--     via SMS.
--
-- -   @PASSWORD_VERIFIER@: Next challenge is to supply
--     @PASSWORD_CLAIM_SIGNATURE@, @PASSWORD_CLAIM_SECRET_BLOCK@, and
--     @TIMESTAMP@ after the client-side SRP calculations.
--
-- -   @CUSTOM_CHALLENGE@: This is returned if your custom authentication
--     flow determines that the user should pass another challenge before
--     tokens are issued.
--
-- -   @DEVICE_SRP_AUTH@: If device tracking was enabled on your user pool
--     and the previous challenges were passed, this challenge is returned
--     so that Amazon Cognito can start tracking this device.
--
-- -   @DEVICE_PASSWORD_VERIFIER@: Similar to @PASSWORD_VERIFIER@, but for
--     devices only.
--
-- -   @ADMIN_NO_SRP_AUTH@: This is returned if you need to authenticate
--     with @USERNAME@ and @PASSWORD@ directly. An app client must be
--     enabled to use this flow.
--
-- -   @NEW_PASSWORD_REQUIRED@: For users who are required to change their
--     passwords after successful first login. This challenge should be
--     passed with @NEW_PASSWORD@ and any other required attributes.
--
-- -   @MFA_SETUP@: For users who are required to setup an MFA factor
--     before they can sign-in. The MFA types enabled for the user pool
--     will be listed in the challenge parameters @MFA_CAN_SETUP@ value.
--
--     To setup software token MFA, use the session returned here from
--     @InitiateAuth@ as an input to @AssociateSoftwareToken@, and use the
--     session returned by @VerifySoftwareToken@ as an input to
--     @RespondToAuthChallenge@ with challenge name @MFA_SETUP@ to complete
--     sign-in. To setup SMS MFA, users will need help from an
--     administrator to add a phone number to their account and then call
--     @InitiateAuth@ again to restart sign-in.
adminInitiateAuthResponse_challengeName :: Lens.Lens' AdminInitiateAuthResponse (Prelude.Maybe ChallengeNameType)
adminInitiateAuthResponse_challengeName :: (Maybe ChallengeNameType -> f (Maybe ChallengeNameType))
-> AdminInitiateAuthResponse -> f AdminInitiateAuthResponse
adminInitiateAuthResponse_challengeName = (AdminInitiateAuthResponse -> Maybe ChallengeNameType)
-> (AdminInitiateAuthResponse
    -> Maybe ChallengeNameType -> AdminInitiateAuthResponse)
-> Lens
     AdminInitiateAuthResponse
     AdminInitiateAuthResponse
     (Maybe ChallengeNameType)
     (Maybe ChallengeNameType)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuthResponse' {Maybe ChallengeNameType
challengeName :: Maybe ChallengeNameType
$sel:challengeName:AdminInitiateAuthResponse' :: AdminInitiateAuthResponse -> Maybe ChallengeNameType
challengeName} -> Maybe ChallengeNameType
challengeName) (\s :: AdminInitiateAuthResponse
s@AdminInitiateAuthResponse' {} Maybe ChallengeNameType
a -> AdminInitiateAuthResponse
s {$sel:challengeName:AdminInitiateAuthResponse' :: Maybe ChallengeNameType
challengeName = Maybe ChallengeNameType
a} :: AdminInitiateAuthResponse)

-- | The challenge parameters. These are returned to you in the
-- @AdminInitiateAuth@ response if you need to pass another challenge. The
-- responses in this parameter should be used to compute inputs to the next
-- call (@AdminRespondToAuthChallenge@).
--
-- All challenges require @USERNAME@ and @SECRET_HASH@ (if applicable).
--
-- The value of the @USER_ID_FOR_SRP@ attribute will be the user\'s actual
-- username, not an alias (such as email address or phone number), even if
-- you specified an alias in your call to @AdminInitiateAuth@. This is
-- because, in the @AdminRespondToAuthChallenge@ API @ChallengeResponses@,
-- the @USERNAME@ attribute cannot be an alias.
adminInitiateAuthResponse_challengeParameters :: Lens.Lens' AdminInitiateAuthResponse (Prelude.Maybe (Prelude.HashMap Prelude.Text Prelude.Text))
adminInitiateAuthResponse_challengeParameters :: (Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> AdminInitiateAuthResponse -> f AdminInitiateAuthResponse
adminInitiateAuthResponse_challengeParameters = (AdminInitiateAuthResponse -> Maybe (HashMap Text Text))
-> (AdminInitiateAuthResponse
    -> Maybe (HashMap Text Text) -> AdminInitiateAuthResponse)
-> Lens
     AdminInitiateAuthResponse
     AdminInitiateAuthResponse
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuthResponse' {Maybe (HashMap Text Text)
challengeParameters :: Maybe (HashMap Text Text)
$sel:challengeParameters:AdminInitiateAuthResponse' :: AdminInitiateAuthResponse -> Maybe (HashMap Text Text)
challengeParameters} -> Maybe (HashMap Text Text)
challengeParameters) (\s :: AdminInitiateAuthResponse
s@AdminInitiateAuthResponse' {} Maybe (HashMap Text Text)
a -> AdminInitiateAuthResponse
s {$sel:challengeParameters:AdminInitiateAuthResponse' :: Maybe (HashMap Text Text)
challengeParameters = Maybe (HashMap Text Text)
a} :: AdminInitiateAuthResponse) ((Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
 -> AdminInitiateAuthResponse -> f AdminInitiateAuthResponse)
-> ((Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
    -> Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> (Maybe (HashMap Text Text) -> f (Maybe (HashMap Text Text)))
-> AdminInitiateAuthResponse
-> f AdminInitiateAuthResponse
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. AnIso
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
-> Iso
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
     (Maybe (HashMap Text Text))
forall (f :: * -> *) (g :: * -> *) s t a b.
(Functor f, Functor g) =>
AnIso s t a b -> Iso (f s) (g t) (f a) (g b)
Lens.mapping AnIso
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
  (HashMap Text Text)
forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b
Lens.coerced

-- | The result of the authentication response. This is only returned if the
-- caller does not need to pass another challenge. If the caller does need
-- to pass another challenge before it gets tokens, @ChallengeName@,
-- @ChallengeParameters@, and @Session@ are returned.
adminInitiateAuthResponse_authenticationResult :: Lens.Lens' AdminInitiateAuthResponse (Prelude.Maybe AuthenticationResultType)
adminInitiateAuthResponse_authenticationResult :: (Maybe AuthenticationResultType
 -> f (Maybe AuthenticationResultType))
-> AdminInitiateAuthResponse -> f AdminInitiateAuthResponse
adminInitiateAuthResponse_authenticationResult = (AdminInitiateAuthResponse -> Maybe AuthenticationResultType)
-> (AdminInitiateAuthResponse
    -> Maybe AuthenticationResultType -> AdminInitiateAuthResponse)
-> Lens
     AdminInitiateAuthResponse
     AdminInitiateAuthResponse
     (Maybe AuthenticationResultType)
     (Maybe AuthenticationResultType)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuthResponse' {Maybe AuthenticationResultType
authenticationResult :: Maybe AuthenticationResultType
$sel:authenticationResult:AdminInitiateAuthResponse' :: AdminInitiateAuthResponse -> Maybe AuthenticationResultType
authenticationResult} -> Maybe AuthenticationResultType
authenticationResult) (\s :: AdminInitiateAuthResponse
s@AdminInitiateAuthResponse' {} Maybe AuthenticationResultType
a -> AdminInitiateAuthResponse
s {$sel:authenticationResult:AdminInitiateAuthResponse' :: Maybe AuthenticationResultType
authenticationResult = Maybe AuthenticationResultType
a} :: AdminInitiateAuthResponse)

-- | The session which should be passed both ways in challenge-response calls
-- to the service. If @AdminInitiateAuth@ or @AdminRespondToAuthChallenge@
-- API call determines that the caller needs to go through another
-- challenge, they return a session with other challenge parameters. This
-- session should be passed as it is to the next
-- @AdminRespondToAuthChallenge@ API call.
adminInitiateAuthResponse_session :: Lens.Lens' AdminInitiateAuthResponse (Prelude.Maybe Prelude.Text)
adminInitiateAuthResponse_session :: (Maybe Text -> f (Maybe Text))
-> AdminInitiateAuthResponse -> f AdminInitiateAuthResponse
adminInitiateAuthResponse_session = (AdminInitiateAuthResponse -> Maybe Text)
-> (AdminInitiateAuthResponse
    -> Maybe Text -> AdminInitiateAuthResponse)
-> Lens
     AdminInitiateAuthResponse
     AdminInitiateAuthResponse
     (Maybe Text)
     (Maybe Text)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuthResponse' {Maybe Text
session :: Maybe Text
$sel:session:AdminInitiateAuthResponse' :: AdminInitiateAuthResponse -> Maybe Text
session} -> Maybe Text
session) (\s :: AdminInitiateAuthResponse
s@AdminInitiateAuthResponse' {} Maybe Text
a -> AdminInitiateAuthResponse
s {$sel:session:AdminInitiateAuthResponse' :: Maybe Text
session = Maybe Text
a} :: AdminInitiateAuthResponse)

-- | The response's http status code.
adminInitiateAuthResponse_httpStatus :: Lens.Lens' AdminInitiateAuthResponse Prelude.Int
adminInitiateAuthResponse_httpStatus :: (Int -> f Int)
-> AdminInitiateAuthResponse -> f AdminInitiateAuthResponse
adminInitiateAuthResponse_httpStatus = (AdminInitiateAuthResponse -> Int)
-> (AdminInitiateAuthResponse -> Int -> AdminInitiateAuthResponse)
-> Lens AdminInitiateAuthResponse AdminInitiateAuthResponse Int Int
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\AdminInitiateAuthResponse' {Int
httpStatus :: Int
$sel:httpStatus:AdminInitiateAuthResponse' :: AdminInitiateAuthResponse -> Int
httpStatus} -> Int
httpStatus) (\s :: AdminInitiateAuthResponse
s@AdminInitiateAuthResponse' {} Int
a -> AdminInitiateAuthResponse
s {$sel:httpStatus:AdminInitiateAuthResponse' :: Int
httpStatus = Int
a} :: AdminInitiateAuthResponse)

instance Prelude.NFData AdminInitiateAuthResponse