RubyGems - aws-sdk-cognitoidentityprovider - Versions diffs - 1.86.0 → 1.88.0 - Mend

aws-sdk-cognitoidentityprovider 1.86.0 → 1.88.0

Files changed (10) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +10 -0
data/VERSION +1 -1
data/lib/aws-sdk-cognitoidentityprovider/client.rb +442 -184
data/lib/aws-sdk-cognitoidentityprovider/client_api.rb +2 -1
data/lib/aws-sdk-cognitoidentityprovider/types.rb +437 -206
data/lib/aws-sdk-cognitoidentityprovider.rb +1 -1
data/sig/client.rbs +2 -2
data/sig/types.rbs +1 -1
metadata +2 -2

data/lib/aws-sdk-cognitoidentityprovider/types.rb CHANGED Viewed

@@ -133,8 +133,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] group_name
@@ -161,8 +161,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] client_metadata
@@ -474,8 +474,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] user_attribute_names
@@ -514,8 +514,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminDeleteUserRequest AWS API Documentation
@@ -559,8 +559,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminDisableUserRequest AWS API Documentation
@@ -590,8 +590,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminEnableUserRequest AWS API Documentation
@@ -620,8 +620,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -652,8 +652,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetDeviceRequest AWS API Documentation
@@ -691,8 +691,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetUserRequest AWS API Documentation
@@ -1148,8 +1148,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] limit
@@ -1204,8 +1204,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] user_pool_id
@@ -1260,8 +1260,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] max_results
@@ -1311,8 +1311,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] group_name
@@ -1341,8 +1341,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] client_metadata
@@ -1661,8 +1661,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] user_pool_id
@@ -1693,8 +1693,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] password
@@ -1732,8 +1732,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] mfa_options
@@ -1766,8 +1766,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] event_id
@@ -1809,8 +1809,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] device_key
@@ -1851,8 +1851,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] user_attributes
@@ -1944,8 +1944,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminUserGlobalSignOutRequest AWS API Documentation
@@ -2461,8 +2461,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] confirmation_code
@@ -2567,8 +2567,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] confirmation_code
@@ -2775,74 +2775,127 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_details
-    #   The IdP details. The following list describes the provider detail
-    #   keys for each IdP type.
-    #
-    #   * For Google and Login with Amazon:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #   * For Facebook:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #     * api\_version
-    #
-    #   * For Sign in with Apple:
-    #
-    #     * client\_id
-    #
-    #     * team\_id
-    #
-    #     * key\_id
-    #
-    #     * private\_key
-    #
-    #     * authorize\_scopes
-    #
-    #   * For OpenID Connect (OIDC) providers:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * attributes\_request\_method
-    #
-    #     * oidc\_issuer
-    #
-    #     * authorize\_scopes
-    #
-    #     * The following keys are only present if Amazon Cognito didn't
-    #       discover them at the `oidc_issuer` URL.
-    #
-    #       * authorize\_url
-    #
-    #       * token\_url
-    #
-    #       * attributes\_url
-    #
-    #       * jwks\_uri
-    #
-    #     * Amazon Cognito sets the value of the following keys
-    #       automatically. They are read-only.
-    #
-    #       * attributes\_url\_add\_attributes
-    #
-    #       ^
-    #
-    #   * For SAML providers:
-    #
-    #     * MetadataFile or MetadataURL
-    #
-    #     * IDPSignout *optional*
+    #   The scopes, URLs, and identifiers for your external identity
+    #   provider. The following examples describe the provider detail keys
+    #   for each IdP type. These values and their schema are subject to
+    #   change. Social IdP `authorize_scopes` values must match the values
+    #   listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails":
+    #     \{ "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata
+    #     document with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "email profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "email name", "client_id":
+    #     "com.example.cognito", "private_key": "1EXAMPLE", "key_id":
+    #     "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "email name", "authorize_url":
+    #     "https://appleid.apple.com/auth/authorize", "client_id":
+    #     "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer":
+    #     "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] attribute_mapping
@@ -3190,7 +3243,9 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] allowed_o_auth_flows
-    #   The allowed OAuth flows.
+    #   The OAuth grant types that you want your app client to generate. To
+    #   create an app client that generates client credentials grants, you
+    #   must add `client_credentials` as the only allowed OAuth flow.
     #
     #   code
     #
@@ -3388,6 +3443,9 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] cloud_front_domain
     #   The Amazon CloudFront endpoint that you use as the target of the
     #   alias that you set up with your Domain Name Service (DNS) provider.
+    #   Amazon Cognito returns this value if you set a custom domain with
+    #   `CustomDomainConfig`. If you set an Amazon Cognito prefix domain,
+    #   this operation returns a blank response.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolDomainResponse AWS API Documentation
@@ -4592,8 +4650,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
@@ -5196,77 +5254,127 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_details
-    #   The IdP details. The following list describes the provider detail
-    #   keys for each IdP type.
-    #
-    #   * For Google and Login with Amazon:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #   * For Facebook:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #     * api\_version
-    #
-    #   * For Sign in with Apple:
-    #
-    #     * client\_id
-    #
-    #     * team\_id
-    #
-    #     * key\_id
-    #
-    #     * private\_key
-    #
-    #       *You can submit a private\_key when you add or update an IdP.
-    #       Describe operations don't return the private key.*
-    #
-    #     * authorize\_scopes
-    #
-    #   * For OIDC providers:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * attributes\_request\_method
-    #
-    #     * oidc\_issuer
-    #
-    #     * authorize\_scopes
-    #
-    #     * The following keys are only present if Amazon Cognito didn't
-    #       discover them at the `oidc_issuer` URL.
-    #
-    #       * authorize\_url
-    #
-    #       * token\_url
-    #
-    #       * attributes\_url
-    #
-    #       * jwks\_uri
-    #
-    #     * Amazon Cognito sets the value of the following keys
-    #       automatically. They are read-only.
-    #
-    #       * attributes\_url\_add\_attributes
-    #
-    #       ^
-    #
-    #   * For SAML providers:
-    #
-    #     * MetadataFile or MetadataURL
-    #
-    #     * IDPSignout *optional*
+    #   The scopes, URLs, and identifiers for your external identity
+    #   provider. The following examples describe the provider detail keys
+    #   for each IdP type. These values and their schema are subject to
+    #   change. Social IdP `authorize_scopes` values must match the values
+    #   listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails":
+    #     \{ "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata
+    #     document with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "email profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "email name", "client_id":
+    #     "com.example.cognito", "private_key": "1EXAMPLE", "key_id":
+    #     "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "email name", "authorize_url":
+    #     "https://appleid.apple.com/auth/authorize", "client_id":
+    #     "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer":
+    #     "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] attribute_mapping
@@ -5762,16 +5870,16 @@ module Aws::CognitoIdentityProvider
     #   You can set ``
     #   @return [String]
     #
+    # @!attribute [rw] user_migration
+    #   The user migration Lambda config type.
+    #   @return [String]
+    #
     # @!attribute [rw] pre_token_generation_config
     #   The detailed configuration of a pre token generation trigger. If you
     #   also set an ARN in `PreTokenGeneration`, its value must be identical
     #   to `PreTokenGenerationConfig`.
     #   @return [Types::PreTokenGenerationVersionConfigType]
     #
-    # @!attribute [rw] user_migration
-    #   The user migration Lambda config type.
-    #   @return [String]
-    #
     # @!attribute [rw] custom_sms_sender
     #   A custom SMS sender Lambda trigger.
     #   @return [Types::CustomSMSLambdaVersionConfigType]
@@ -5799,8 +5907,8 @@ module Aws::CognitoIdentityProvider
       :create_auth_challenge,
       :verify_auth_challenge_response,
       :pre_token_generation,
-      :pre_token_generation_config,
       :user_migration,
+      :pre_token_generation_config,
       :custom_sms_sender,
       :custom_email_sender,
       :kms_key_id)
@@ -6257,15 +6365,15 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] filter
     #   A filter string of the form "*AttributeName* *Filter-Type*
     #   "*AttributeValue*"". Quotation marks within the filter string
-    #   must be escaped using the backslash (\\) character. For example,
-    #   "`family_name` = \\"Reddy\\"".
+    #   must be escaped using the backslash (``) character. For example,
+    #   `"family_name = "Reddy""`.
     #
     #   * *AttributeName*: The name of the attribute to search for. You can
     #     only search for one attribute at a time.
     #
-    #   * *Filter-Type*: For an exact match, use =, for example,
-    #     "`given_name` = \\"Jon\\"". For a prefix ("starts with")
-    #     match, use ^=, for example, "`given_name` ^= \\"Jon\\"".
+    #   * *Filter-Type*: For an exact match, use `=`, for example,
+    #     "`given_name = "Jon"`". For a prefix ("starts with") match,
+    #     use `^=`, for example, "`given_name ^= "Jon"`".
     #
     #   * *AttributeValue*: The attribute value that must be matched for
     #     each user.
@@ -6605,7 +6713,9 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] max_value
-    #   The maximum value of an attribute that is of the number data type.
+    #   The maximum length of a number attribute value. Must be a number
+    #   less than or equal to `2^1023`, represented as a string with a
+    #   length of 131072 characters or fewer.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/NumberAttributeConstraintsType AWS API Documentation
@@ -6832,8 +6942,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] analytics_metadata
@@ -8049,7 +8159,9 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] max_length
-    #   The maximum length.
+    #   The maximum length of a string attribute value. Must be a number
+    #   less than or equal to `2^1023`, represented as a string with a
+    #   length of 131072 characters or fewer.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/StringAttributeConstraintsType AWS API Documentation
@@ -8322,8 +8434,8 @@ module Aws::CognitoIdentityProvider
     #   The username of the user that you want to query or modify. The value
     #   of this parameter is typically your user's username, but it can be
     #   any of their alias attributes. If `username` isn't an alias
-    #   attribute in your user pool, you can also use their `sub` in this
-    #   request.
+    #   attribute in your user pool, this value must be the `sub` of a local
+    #   user or the username of a user from a third-party IdP.
     #   @return [String]
     #
     # @!attribute [rw] event_id
@@ -8451,8 +8563,127 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] provider_details
-    #   The IdP details to be updated, such as `MetadataURL` and
-    #   `MetadataFile`.
+    #   The scopes, URLs, and identifiers for your external identity
+    #   provider. The following examples describe the provider detail keys
+    #   for each IdP type. These values and their schema are subject to
+    #   change. Social IdP `authorize_scopes` values must match the values
+    #   listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails":
+    #     \{ "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata
+    #     document with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "email profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{
+    #     "authorize_scopes": "email name", "client_id":
+    #     "com.example.cognito", "private_key": "1EXAMPLE", "key_id":
+    #     "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "email name", "authorize_url":
+    #     "https://appleid.apple.com/auth/authorize", "client_id":
+    #     "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer":
+    #     "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] attribute_mapping