Add cognitoidp.admin_respond_to_auth_challenge

IMPLEMENTATION_COVERAGE.md

@@ -1180,7 +1180,7 @@
 
 ## cognito-idp
 <details>
-<summary>59% implemented</summary>
+<summary>60% implemented</summary>
 
 - [X] add_custom_attributes
 - [X] admin_add_user_to_group
@@ -1201,7 +1201,7 @@
 - [ ] admin_list_user_auth_events
 - [X] admin_remove_user_from_group
 - [X] admin_reset_user_password
-- [ ] admin_respond_to_auth_challenge
+- [X] admin_respond_to_auth_challenge
 - [X] admin_set_user_mfa_preference
 - [X] admin_set_user_password
 - [ ] admin_set_user_settings

docs/docs/services/cognito-idp.rst

@@ -46,7 +46,7 @@ cognito-idp
 - [ ] admin_list_user_auth_events
 - [X] admin_remove_user_from_group
 - [X] admin_reset_user_password
-- [ ] admin_respond_to_auth_challenge
+- [X] admin_respond_to_auth_challenge
 - [X] admin_set_user_mfa_preference
 - [X] admin_set_user_password
 - [ ] admin_set_user_settings

moto/cognitoidp/models.py

@@ -1483,13 +1483,39 @@ def admin_initiate_auth(
             # We shouldn't get here due to enum validation of auth_flow
             return None  # type: ignore[return-value]
 
+    def admin_respond_to_auth_challenge(
+        self,
+        session: str,
+        client_id: str,
+        challenge_name: str,
+        challenge_responses: Dict[str, str],
+    ) -> Dict[str, Any]:
+        """
+        Responds to an authentication challenge, as an administrator.
+
+        The only differences between this admin endpoint and public endpoint are not relevant and so we can safely call
+        the public endpoint to do the work:
+        - The admin endpoint requires a user pool id along with a session; the public endpoint searches across all pools
+        - ContextData is passed in; we don't use it
+
+        ref: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html
+        """
+        return self.respond_to_auth_challenge(
+            session, client_id, challenge_name, challenge_responses
+        )
+
     def respond_to_auth_challenge(
         self,
         session: str,
         client_id: str,
         challenge_name: str,
         challenge_responses: Dict[str, str],
     ) -> Dict[str, Any]:
+        """
+        Responds to an authentication challenge, from public client.
+
+        ref: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
+        """
         if challenge_name == "PASSWORD_VERIFIER":
             session = challenge_responses.get("PASSWORD_CLAIM_SECRET_BLOCK")  # type: ignore[assignment]
 
@@ -2180,6 +2206,18 @@ def get_user(self, access_token: str) -> CognitoIdpUser:
         backend = self._find_backend_by_access_token(access_token)
         return backend.get_user(access_token)
 
+    def admin_respond_to_auth_challenge(
+        self,
+        session: str,
+        client_id: str,
+        challenge_name: str,
+        challenge_responses: Dict[str, str],
+    ) -> Dict[str, Any]:
+        backend = self._find_backend_for_clientid(client_id)
+        return backend.admin_respond_to_auth_challenge(
+            session, client_id, challenge_name, challenge_responses
+        )
+
     def respond_to_auth_challenge(
         self,
         session: str,

moto/cognitoidp/responses.py

@@ -449,6 +449,17 @@ def admin_initiate_auth(self) -> str:
 
         return json.dumps(auth_result)
 
+    def admin_respond_to_auth_challenge(self) -> str:
+        session = self._get_param("Session")
+        client_id = self._get_param("ClientId")
+        challenge_name = self._get_param("ChallengeName")
+        challenge_responses = self._get_param("ChallengeResponses")
+        auth_result = region_agnostic_backend.admin_respond_to_auth_challenge(
+            session, client_id, challenge_name, challenge_responses
+        )
+
+        return json.dumps(auth_result)
+
     def respond_to_auth_challenge(self) -> str:
         session = self._get_param("Session")
         client_id = self._get_param("ClientId")

tests/test_cognitoidp/test_cognitoidp.py

@@ -1532,7 +1532,8 @@ def test_group_in_access_token():
 
     # This sets a new password and logs the user in (creates tokens)
     new_password = "P2$Sword"
-    result = conn.respond_to_auth_challenge(
+    result = conn.admin_respond_to_auth_challenge(
+        UserPoolId=user_pool_id,
         Session=result["Session"],
         ClientId=client_id,
         ChallengeName="NEW_PASSWORD_REQUIRED",
@@ -1585,7 +1586,8 @@ def test_group_in_id_token():
 
     # This sets a new password and logs the user in (creates tokens)
     new_password = "P2$Sword"
-    result = conn.respond_to_auth_challenge(
+    result = conn.admin_respond_to_auth_challenge(
+        UserPoolId=user_pool_id,
         Session=result["Session"],
         ClientId=client_id,
         ChallengeName="NEW_PASSWORD_REQUIRED",
@@ -2749,7 +2751,8 @@ def authentication_flow(conn, auth_flow):
 
     # This sets a new password and logs the user in (creates tokens)
     new_password = "P2$Sword"
-    result = conn.respond_to_auth_challenge(
+    result = conn.admin_respond_to_auth_challenge(
+        UserPoolId=user_pool_id,
         Session=result["Session"],
         ClientId=client_id,
         ChallengeName="NEW_PASSWORD_REQUIRED",
@@ -4388,7 +4391,8 @@ def test_admin_initiate_auth_when_token_totp_enabled():
     assert result["Session"] != ""
 
     # Respond to challenge with TOTP
-    result = conn.respond_to_auth_challenge(
+    result = conn.admin_respond_to_auth_challenge(
+        UserPoolId=user_pool_id,
         ClientId=client_id,
         ChallengeName="SOFTWARE_TOKEN_MFA",
         Session=result["Session"],