aws-sdk-cognitoidentityprovider 1.86.0 → 1.88.0

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -488,7 +488,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :group_name
     #   The name of the group that you want to add your user to.
@@ -550,7 +551,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [Hash<String,String>] :client_metadata
     #   A map of custom key-value pairs that you can provide as input for any
@@ -960,7 +962,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1009,7 +1012,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, Array<String>] :user_attribute_names
     #   An array of strings representing the user attribute names you want to
@@ -1146,7 +1150,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1193,7 +1198,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1240,7 +1246,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :device_key
     #   The device key.
@@ -1294,7 +1301,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @return [Types::AdminGetDeviceResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1356,7 +1364,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @return [Types::AdminGetUserResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1796,7 +1805,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [Integer] :limit
     #   The limit of the devices request.
@@ -1868,7 +1878,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -1946,7 +1957,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [Integer] :max_results
     #   The maximum number of authentication events to return. Returns 60
@@ -2031,7 +2043,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :group_name
     #   The group name.
@@ -2058,11 +2071,15 @@ module Aws::CognitoIdentityProvider
     # Resets the specified user's password in a user pool as an
     # administrator. Works on any user.
     #
+    # To use this API operation, your user pool must have self-service
+    # account recovery configured. Use [AdminSetUserPassword][1] if you
+    # manage passwords as an administrator.
+    #
     # <note markdown="1"> This action might generate an SMS text message. Starting June 1, 2021,
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][1]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][2]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -2074,7 +2091,7 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][2] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][3] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
@@ -2096,18 +2113,19 @@ module Aws::CognitoIdentityProvider
     #
     #  **Learn more**
     #
-    #  * [Signing Amazon Web Services API Requests][3]
+    #  * [Signing Amazon Web Services API Requests][4]
     #
-    # * [Using the Amazon Cognito user pools API and user pool endpoints][4]
+    # * [Using the Amazon Cognito user pools API and user pool endpoints][5]
     #
     #  </note>
     #
     #
     #
-    # [1]: https://console.aws.amazon.com/pinpoint/home/
-    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
-    # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
-    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html
+    # [2]: https://console.aws.amazon.com/pinpoint/home/
+    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
+    # [5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to reset the user's
@@ -2117,7 +2135,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [Hash<String,String>] :client_metadata
     #   A map of custom key-value pairs that you can provide as input for any
@@ -2500,7 +2519,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -2584,7 +2604,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :password
     #   The password for the user.
@@ -2644,7 +2665,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, Array<Types::MFAOptionType>] :mfa_options
     #   You can use this parameter only to set an SMS configuration that uses
@@ -2704,7 +2726,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :event_id
     #   The authentication event ID.
@@ -2764,7 +2787,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :device_key
     #   The device key.
@@ -2852,7 +2876,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, Array<Types::AttributeType>] :user_attributes
     #   An array of name-value pairs representing user attributes.
@@ -2991,7 +3016,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -3037,8 +3063,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -3084,12 +3110,15 @@ module Aws::CognitoIdentityProvider
 
     # Changes the password for a specified user in a user pool.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -3127,20 +3156,25 @@ module Aws::CognitoIdentityProvider
     end
 
     # Confirms tracking of the device. This API call is the call that begins
-    # device tracking.
+    # device tracking. For more information about device authentication, see
+    # [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -3191,8 +3225,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -3217,7 +3251,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :confirmation_code
     #   The confirmation code from your user's request to reset their
@@ -3330,8 +3365,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][3].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][3].
     #
     #  </note>
     #
@@ -3353,7 +3388,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :confirmation_code
     #   The confirmation code sent by a user's request to confirm
@@ -3531,7 +3567,8 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Creates an IdP for a user pool.
+    # Adds a configuration and trust relationship between a third-party
+    # identity provider (IdP) and a user pool.
     #
     # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
     # in requests for this API operation. For this operation, you must use
@@ -3561,74 +3598,123 @@ module Aws::CognitoIdentityProvider
     #   The IdP type.
     #
     # @option params [required, Hash<String,String>] :provider_details
-    #   The IdP details. The following list describes the provider detail keys
-    #   for each IdP type.
-    #
-    #   * For Google and Login with Amazon:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #   * For Facebook:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #     * api\_version
-    #
-    #   * For Sign in with Apple:
-    #
-    #     * client\_id
-    #
-    #     * team\_id
-    #
-    #     * key\_id
-    #
-    #     * private\_key
-    #
-    #     * authorize\_scopes
-    #
-    #   * For OpenID Connect (OIDC) providers:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * attributes\_request\_method
-    #
-    #     * oidc\_issuer
-    #
-    #     * authorize\_scopes
-    #
-    #     * The following keys are only present if Amazon Cognito didn't
-    #       discover them at the `oidc_issuer` URL.
-    #
-    #       * authorize\_url
-    #
-    #       * token\_url
-    #
-    #       * attributes\_url
-    #
-    #       * jwks\_uri
-    #
-    #     * Amazon Cognito sets the value of the following keys automatically.
-    #       They are read-only.
-    #
-    #       * attributes\_url\_add\_attributes
-    #
-    #       ^
-    #
-    #   * For SAML providers:
-    #
-    #     * MetadataFile or MetadataURL
-    #
-    #     * IDPSignout *optional*
+    #   The scopes, URLs, and identifiers for your external identity provider.
+    #   The following examples describe the provider detail keys for each IdP
+    #   type. These values and their schema are subject to change. Social IdP
+    #   `authorize_scopes` values must match the values listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm":
+    #     "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata document
+    #     with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes": "email
+    #     profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email name", "client_id": "com.example.cognito", "private_key":
+    #     "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes": "email
+    #     name", "authorize_url": "https://appleid.apple.com/auth/authorize",
+    #     "client_id": "com.example.cognito", "key_id": "1EXAMPLE",
+    #     "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #
     # @option params [Hash<String,String>] :attribute_mapping
     #   A mapping of IdP attributes to standard and custom user pool
@@ -4525,11 +4611,11 @@ module Aws::CognitoIdentityProvider
     #       create_auth_challenge: "ArnType",
     #       verify_auth_challenge_response: "ArnType",
     #       pre_token_generation: "ArnType",
+    #       user_migration: "ArnType",
     #       pre_token_generation_config: {
     #         lambda_version: "V1_0", # required, accepts V1_0, V2_0
     #         lambda_arn: "ArnType", # required
     #       },
-    #       user_migration: "ArnType",
     #       custom_sms_sender: {
     #         lambda_version: "V1_0", # required, accepts V1_0
     #         lambda_arn: "ArnType", # required
@@ -4640,9 +4726,9 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.lambda_config.create_auth_challenge #=> String
     #   resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pool.lambda_config.pre_token_generation #=> String
+    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_arn #=> String
-    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
     #   resp.user_pool.lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
@@ -4957,7 +5043,9 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://tools.ietf.org/html/rfc6749#section-3.1.2
     #
     # @option params [Array<String>] :allowed_o_auth_flows
-    #   The allowed OAuth flows.
+    #   The OAuth grant types that you want your app client to generate. To
+    #   create an app client that generates client credentials grants, you
+    #   must add `client_credentials` as the only allowed OAuth flow.
     #
     #   code
     #
@@ -5436,12 +5524,15 @@ module Aws::CognitoIdentityProvider
 
     # Allows a user to delete their own user profile.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -5472,12 +5563,15 @@ module Aws::CognitoIdentityProvider
 
     # Deletes the attributes for a user.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -5828,9 +5922,9 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.lambda_config.create_auth_challenge #=> String
     #   resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pool.lambda_config.pre_token_generation #=> String
+    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_arn #=> String
-    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
     #   resp.user_pool.lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
@@ -6032,20 +6126,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Forgets the specified device.
+    # Forgets the specified device. For more information about device
+    # authentication, see [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -6086,12 +6185,16 @@ module Aws::CognitoIdentityProvider
     # client secret and you don't provide a `SECRET_HASH` parameter, this
     # API returns `NotAuthorizedException`.
     #
+    # To use this API operation, your user pool must have self-service
+    # account recovery configured. Use [AdminSetUserPassword][3] if you
+    # manage passwords as an administrator.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][3].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][4].
     #
     #  </note>
     #
@@ -6099,7 +6202,7 @@ module Aws::CognitoIdentityProvider
     # US telecom carriers require you to register an origination phone
     # number before you can send SMS messages to US phone numbers. If you
     # use SMS text messages in Amazon Cognito, you must register a phone
-    # number with [Amazon Pinpoint][4]. Amazon Cognito uses the registered
+    # number with [Amazon Pinpoint][5]. Amazon Cognito uses the registered
     # number automatically. Otherwise, Amazon Cognito users who must receive
     # SMS messages might not be able to sign up, activate their accounts, or
     # sign in.
@@ -6111,7 +6214,7 @@ module Aws::CognitoIdentityProvider
     # mode</a> </i>, you can send messages only to verified phone numbers.
     # After you test your app while in the sandbox environment, you can move
     # out of the sandbox and into production. For more information, see [
-    # SMS message settings for Amazon Cognito user pools][5] in the *Amazon
+    # SMS message settings for Amazon Cognito user pools][6] in the *Amazon
     # Cognito Developer Guide*.
     #
     #  </note>
@@ -6120,9 +6223,10 @@ module Aws::CognitoIdentityProvider
     #
     # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-recover-a-user-account.html
     # [2]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_ConfirmForgotPassword.html
-    # [3]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
-    # [4]: https://console.aws.amazon.com/pinpoint/home/
-    # [5]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
+    # [3]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html
+    # [4]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [5]: https://console.aws.amazon.com/pinpoint/home/
+    # [6]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-sms-settings.html
     #
     # @option params [required, String] :client_id
     #   The ID of the client associated with the user pool.
@@ -6143,7 +6247,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [Types::AnalyticsMetadataType] :analytics_metadata
     #   The Amazon Pinpoint analytics metadata that contributes to your
@@ -6256,20 +6361,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Gets the device.
+    # Gets the device. For more information about device authentication, see
+    # [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :device_key
     #   The device key.
@@ -6502,12 +6612,15 @@ module Aws::CognitoIdentityProvider
 
     # Gets the user attributes and metadata for a user.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -6559,12 +6672,15 @@ module Aws::CognitoIdentityProvider
     # attribute name. Sends a message to a user with a code that they must
     # return in a VerifyUserAttribute request.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -6728,12 +6844,15 @@ module Aws::CognitoIdentityProvider
     #
     # Other requests might be valid until your user's token expires.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -6773,8 +6892,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -7029,20 +7148,25 @@ module Aws::CognitoIdentityProvider
     end
 
     # Lists the sign-in devices that Amazon Cognito has registered to the
-    # current user.
+    # current user. For more information about device authentication, see
+    # [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose list
@@ -7519,9 +7643,9 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pools[0].lambda_config.create_auth_challenge #=> String
     #   resp.user_pools[0].lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pools[0].lambda_config.pre_token_generation #=> String
+    #   resp.user_pools[0].lambda_config.user_migration #=> String
     #   resp.user_pools[0].lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
     #   resp.user_pools[0].lambda_config.pre_token_generation_config.lambda_arn #=> String
-    #   resp.user_pools[0].lambda_config.user_migration #=> String
     #   resp.user_pools[0].lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
     #   resp.user_pools[0].lambda_config.custom_sms_sender.lambda_arn #=> String
     #   resp.user_pools[0].lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
@@ -7592,15 +7716,15 @@ module Aws::CognitoIdentityProvider
     # @option params [String] :filter
     #   A filter string of the form "*AttributeName* *Filter-Type*
     #   "*AttributeValue*"". Quotation marks within the filter string must
-    #   be escaped using the backslash (\\) character. For example,
-    #   "`family_name` = \\"Reddy\\"".
+    #   be escaped using the backslash (``) character. For example,
+    #   `"family_name = "Reddy""`.
     #
     #   * *AttributeName*: The name of the attribute to search for. You can
     #     only search for one attribute at a time.
     #
-    #   * *Filter-Type*: For an exact match, use =, for example,
-    #     "`given_name` = \\"Jon\\"". For a prefix ("starts with")
-    #     match, use ^=, for example, "`given_name` ^= \\"Jon\\"".
+    #   * *Filter-Type*: For an exact match, use `=`, for example,
+    #     "`given_name = "Jon"`". For a prefix ("starts with") match,
+    #     use `^=`, for example, "`given_name ^= "Jon"`".
     #
     #   * *AttributeValue*: The attribute value that must be matched for each
     #     user.
@@ -7858,8 +7982,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -7909,7 +8033,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [Types::AnalyticsMetadataType] :analytics_metadata
     #   The Amazon Pinpoint analytics metadata that contributes to your
@@ -8003,8 +8128,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -8255,8 +8380,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -8537,12 +8662,15 @@ module Aws::CognitoIdentityProvider
     # based on the assessed risk level of sign-in attempts, deactivate MFA
     # for users and turn on Adaptive Authentication for the user pool.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -8686,12 +8814,15 @@ module Aws::CognitoIdentityProvider
     # (TOTP) software token MFA. To configure either type of MFA, use
     # [SetUserMFAPreference][1] instead.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -8738,8 +8869,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -9087,8 +9218,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -9103,7 +9234,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias attribute
-    #   in your user pool, you can also use their `sub` in this request.
+    #   in your user pool, this value must be the `sub` of a local user or the
+    #   username of a user from a third-party IdP.
     #
     # @option params [required, String] :event_id
     #   The event ID.
@@ -9140,20 +9272,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Updates the device status.
+    # Updates the device status. For more information about device
+    # authentication, see [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -9286,8 +9423,123 @@ module Aws::CognitoIdentityProvider
     #   The IdP name.
     #
     # @option params [Hash<String,String>] :provider_details
-    #   The IdP details to be updated, such as `MetadataURL` and
-    #   `MetadataFile`.
+    #   The scopes, URLs, and identifiers for your external identity provider.
+    #   The following examples describe the provider detail keys for each IdP
+    #   type. These values and their schema are subject to change. Social IdP
+    #   `authorize_scopes` values must match the values listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm":
+    #     "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata document
+    #     with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes": "email
+    #     profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email name", "client_id": "com.example.cognito", "private_key":
+    #     "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes": "email
+    #     name", "authorize_url": "https://appleid.apple.com/auth/authorize",
+    #     "client_id": "com.example.cognito", "key_id": "1EXAMPLE",
+    #     "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #
     # @option params [Hash<String,String>] :attribute_mapping
     #   The IdP attribute mapping to be changed.
@@ -9414,12 +9666,15 @@ module Aws::CognitoIdentityProvider
     # submit the attribute in your API request with a blank value. Custom
     # attribute values in this request must include the `custom:` prefix.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -9754,11 +10009,11 @@ module Aws::CognitoIdentityProvider
     #       create_auth_challenge: "ArnType",
     #       verify_auth_challenge_response: "ArnType",
     #       pre_token_generation: "ArnType",
+    #       user_migration: "ArnType",
     #       pre_token_generation_config: {
     #         lambda_version: "V1_0", # required, accepts V1_0, V2_0
     #         lambda_arn: "ArnType", # required
     #       },
-    #       user_migration: "ArnType",
     #       custom_sms_sender: {
     #         lambda_version: "V1_0", # required, accepts V1_0
     #         lambda_arn: "ArnType", # required
@@ -10376,8 +10631,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -10439,12 +10694,15 @@ module Aws::CognitoIdentityProvider
     # attribute to its pending value. For more information, see [
     # UserAttributeUpdateSettingsType][1].
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -10495,7 +10753,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.86.0'
+      context[:gem_version] = '1.88.0'
       Seahorse::Client::Request.new(handlers, context)
     end