aws-sdk-cognitoidentityprovider 1.25.0 → 1.26.0

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -476,6 +476,7 @@ module Aws::CognitoIdentityProvider
 
     AdminConfirmSignUpRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
     AdminConfirmSignUpRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
+    AdminConfirmSignUpRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     AdminConfirmSignUpRequest.struct_class = Types::AdminConfirmSignUpRequest
 
     AdminConfirmSignUpResponse.struct_class = Types::AdminConfirmSignUpResponse
@@ -493,6 +494,7 @@ module Aws::CognitoIdentityProvider
     AdminCreateUserRequest.add_member(:force_alias_creation, Shapes::ShapeRef.new(shape: ForceAliasCreation, location_name: "ForceAliasCreation"))
     AdminCreateUserRequest.add_member(:message_action, Shapes::ShapeRef.new(shape: MessageActionType, location_name: "MessageAction"))
     AdminCreateUserRequest.add_member(:desired_delivery_mediums, Shapes::ShapeRef.new(shape: DeliveryMediumListType, location_name: "DesiredDeliveryMediums"))
+    AdminCreateUserRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     AdminCreateUserRequest.struct_class = Types::AdminCreateUserRequest
 
     AdminCreateUserResponse.add_member(:user, Shapes::ShapeRef.new(shape: UserType, location_name: "User"))
@@ -614,6 +616,7 @@ module Aws::CognitoIdentityProvider
 
     AdminResetUserPasswordRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
     AdminResetUserPasswordRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
+    AdminResetUserPasswordRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     AdminResetUserPasswordRequest.struct_class = Types::AdminResetUserPasswordRequest
 
     AdminResetUserPasswordResponse.struct_class = Types::AdminResetUserPasswordResponse
@@ -625,6 +628,7 @@ module Aws::CognitoIdentityProvider
     AdminRespondToAuthChallengeRequest.add_member(:session, Shapes::ShapeRef.new(shape: SessionType, location_name: "Session"))
     AdminRespondToAuthChallengeRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
     AdminRespondToAuthChallengeRequest.add_member(:context_data, Shapes::ShapeRef.new(shape: ContextDataType, location_name: "ContextData"))
+    AdminRespondToAuthChallengeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     AdminRespondToAuthChallengeRequest.struct_class = Types::AdminRespondToAuthChallengeRequest
 
     AdminRespondToAuthChallengeResponse.add_member(:challenge_name, Shapes::ShapeRef.new(shape: ChallengeNameType, location_name: "ChallengeName"))
@@ -675,6 +679,7 @@ module Aws::CognitoIdentityProvider
     AdminUpdateUserAttributesRequest.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, required: true, location_name: "UserPoolId"))
     AdminUpdateUserAttributesRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
     AdminUpdateUserAttributesRequest.add_member(:user_attributes, Shapes::ShapeRef.new(shape: AttributeListType, required: true, location_name: "UserAttributes"))
+    AdminUpdateUserAttributesRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     AdminUpdateUserAttributesRequest.struct_class = Types::AdminUpdateUserAttributesRequest
 
     AdminUpdateUserAttributesResponse.struct_class = Types::AdminUpdateUserAttributesResponse
@@ -808,6 +813,7 @@ module Aws::CognitoIdentityProvider
     ConfirmForgotPasswordRequest.add_member(:password, Shapes::ShapeRef.new(shape: PasswordType, required: true, location_name: "Password"))
     ConfirmForgotPasswordRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
     ConfirmForgotPasswordRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
+    ConfirmForgotPasswordRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     ConfirmForgotPasswordRequest.struct_class = Types::ConfirmForgotPasswordRequest
 
     ConfirmForgotPasswordResponse.struct_class = Types::ConfirmForgotPasswordResponse
@@ -819,6 +825,7 @@ module Aws::CognitoIdentityProvider
     ConfirmSignUpRequest.add_member(:force_alias_creation, Shapes::ShapeRef.new(shape: ForceAliasCreation, location_name: "ForceAliasCreation"))
     ConfirmSignUpRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
     ConfirmSignUpRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
+    ConfirmSignUpRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     ConfirmSignUpRequest.struct_class = Types::ConfirmSignUpRequest
 
     ConfirmSignUpResponse.struct_class = Types::ConfirmSignUpResponse
@@ -1078,6 +1085,7 @@ module Aws::CognitoIdentityProvider
     ForgotPasswordRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
     ForgotPasswordRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
     ForgotPasswordRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
+    ForgotPasswordRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     ForgotPasswordRequest.struct_class = Types::ForgotPasswordRequest
 
     ForgotPasswordResponse.add_member(:code_delivery_details, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsType, location_name: "CodeDeliveryDetails"))
@@ -1126,6 +1134,7 @@ module Aws::CognitoIdentityProvider
 
     GetUserAttributeVerificationCodeRequest.add_member(:access_token, Shapes::ShapeRef.new(shape: TokenModelType, required: true, location_name: "AccessToken"))
     GetUserAttributeVerificationCodeRequest.add_member(:attribute_name, Shapes::ShapeRef.new(shape: AttributeNameType, required: true, location_name: "AttributeName"))
+    GetUserAttributeVerificationCodeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     GetUserAttributeVerificationCodeRequest.struct_class = Types::GetUserAttributeVerificationCodeRequest
 
     GetUserAttributeVerificationCodeResponse.add_member(:code_delivery_details, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsType, location_name: "CodeDeliveryDetails"))
@@ -1410,6 +1419,7 @@ module Aws::CognitoIdentityProvider
     ResendConfirmationCodeRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
     ResendConfirmationCodeRequest.add_member(:username, Shapes::ShapeRef.new(shape: UsernameType, required: true, location_name: "Username"))
     ResendConfirmationCodeRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
+    ResendConfirmationCodeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     ResendConfirmationCodeRequest.struct_class = Types::ResendConfirmationCodeRequest
 
     ResendConfirmationCodeResponse.add_member(:code_delivery_details, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsType, location_name: "CodeDeliveryDetails"))
@@ -1438,6 +1448,7 @@ module Aws::CognitoIdentityProvider
     RespondToAuthChallengeRequest.add_member(:challenge_responses, Shapes::ShapeRef.new(shape: ChallengeResponsesType, location_name: "ChallengeResponses"))
     RespondToAuthChallengeRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
     RespondToAuthChallengeRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
+    RespondToAuthChallengeRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     RespondToAuthChallengeRequest.struct_class = Types::RespondToAuthChallengeRequest
 
     RespondToAuthChallengeResponse.add_member(:challenge_name, Shapes::ShapeRef.new(shape: ChallengeNameType, location_name: "ChallengeName"))
@@ -1531,6 +1542,7 @@ module Aws::CognitoIdentityProvider
     SignUpRequest.add_member(:validation_data, Shapes::ShapeRef.new(shape: AttributeListType, location_name: "ValidationData"))
     SignUpRequest.add_member(:analytics_metadata, Shapes::ShapeRef.new(shape: AnalyticsMetadataType, location_name: "AnalyticsMetadata"))
     SignUpRequest.add_member(:user_context_data, Shapes::ShapeRef.new(shape: UserContextDataType, location_name: "UserContextData"))
+    SignUpRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     SignUpRequest.struct_class = Types::SignUpRequest
 
     SignUpResponse.add_member(:user_confirmed, Shapes::ShapeRef.new(shape: BooleanType, required: true, location_name: "UserConfirmed"))
@@ -1579,7 +1591,7 @@ module Aws::CognitoIdentityProvider
     SupportedIdentityProvidersListType.member = Shapes::ShapeRef.new(shape: ProviderNameType)
 
     TagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "ResourceArn"))
-    TagResourceRequest.add_member(:tags, Shapes::ShapeRef.new(shape: UserPoolTagsType, location_name: "Tags"))
+    TagResourceRequest.add_member(:tags, Shapes::ShapeRef.new(shape: UserPoolTagsType, required: true, location_name: "Tags"))
     TagResourceRequest.struct_class = Types::TagResourceRequest
 
     TagResourceResponse.struct_class = Types::TagResourceResponse
@@ -1609,7 +1621,7 @@ module Aws::CognitoIdentityProvider
     UnsupportedUserStateException.struct_class = Types::UnsupportedUserStateException
 
     UntagResourceRequest.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ArnType, required: true, location_name: "ResourceArn"))
-    UntagResourceRequest.add_member(:tag_keys, Shapes::ShapeRef.new(shape: UserPoolTagsListType, location_name: "TagKeys"))
+    UntagResourceRequest.add_member(:tag_keys, Shapes::ShapeRef.new(shape: UserPoolTagsListType, required: true, location_name: "TagKeys"))
     UntagResourceRequest.struct_class = Types::UntagResourceRequest
 
     UntagResourceResponse.struct_class = Types::UntagResourceResponse
@@ -1661,6 +1673,7 @@ module Aws::CognitoIdentityProvider
 
     UpdateUserAttributesRequest.add_member(:user_attributes, Shapes::ShapeRef.new(shape: AttributeListType, required: true, location_name: "UserAttributes"))
     UpdateUserAttributesRequest.add_member(:access_token, Shapes::ShapeRef.new(shape: TokenModelType, required: true, location_name: "AccessToken"))
+    UpdateUserAttributesRequest.add_member(:client_metadata, Shapes::ShapeRef.new(shape: ClientMetadataType, location_name: "ClientMetadata"))
     UpdateUserAttributesRequest.struct_class = Types::UpdateUserAttributesRequest
 
     UpdateUserAttributesResponse.add_member(:code_delivery_details_list, Shapes::ShapeRef.new(shape: CodeDeliveryDetailsListType, location_name: "CodeDeliveryDetailsList"))
@@ -2856,6 +2869,7 @@ module Aws::CognitoIdentityProvider
         o.input = Shapes::ShapeRef.new(shape: GetSigningCertificateRequest)
         o.output = Shapes::ShapeRef.new(shape: GetSigningCertificateResponse)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
       end)
 
@@ -2960,6 +2974,8 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: UserNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: UserNotConfirmedException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidSmsRoleAccessPolicyException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidSmsRoleTrustRelationshipException)
       end)
 
       api.add_operation(:list_devices, Seahorse::Model::Operation.new.tap do |o|
@@ -3110,6 +3126,12 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
         o.errors << Shapes::ShapeRef.new(shape: NotAuthorizedException)
         o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o[:pager] = Aws::Pager.new(
+          limit_key: "limit",
+          tokens: {
+            "pagination_token" => "pagination_token"
+          }
+        )
       end)
 
       api.add_operation(:list_users_in_group, Seahorse::Model::Operation.new.tap do |o|

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -232,6 +232,9 @@ module Aws::CognitoIdentityProvider
     #       {
     #         user_pool_id: "UserPoolIdType", # required
     #         username: "UsernameType", # required
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -242,11 +245,50 @@ module Aws::CognitoIdentityProvider
     #   The user name for which you want to confirm user registration.
     #   @return [String]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   If your user pool configuration includes triggers, the
+    #   AdminConfirmSignUp API action invokes the AWS Lambda function that
+    #   is specified for the *post confirmation* trigger. When Amazon
+    #   Cognito invokes this function, it passes a JSON payload, which the
+    #   function receives as input. In this payload, the `clientMetadata`
+    #   attribute provides the data that you assigned to the ClientMetadata
+    #   parameter in your AdminConfirmSignUp request. In your function code
+    #   in AWS Lambda, you can process the ClientMetadata value to enhance
+    #   your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminConfirmSignUpRequest AWS API Documentation
     #
     class AdminConfirmSignUpRequest < Struct.new(
       :user_pool_id,
-      :username)
+      :username,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -299,7 +341,7 @@ module Aws::CognitoIdentityProvider
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-message-customizations.html#cognito-user-pool-settings-user-invitation-message-customization
     #   @return [Types::MessageTemplateType]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminCreateUserConfigType AWS API Documentation
@@ -335,6 +377,9 @@ module Aws::CognitoIdentityProvider
     #         force_alias_creation: false,
     #         message_action: "RESEND", # accepts RESEND, SUPPRESS
     #         desired_delivery_mediums: ["SMS"], # accepts SMS, EMAIL
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -442,6 +487,45 @@ module Aws::CognitoIdentityProvider
     #   is `"SMS"`. More than one value can be specified.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the AdminCreateUser API action,
+    #   Amazon Cognito invokes the function that is assigned to the *pre
+    #   sign-up* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   AdminCreateUser request. In your function code in AWS Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminCreateUserRequest AWS API Documentation
     #
     class AdminCreateUserRequest < Struct.new(
@@ -452,7 +536,8 @@ module Aws::CognitoIdentityProvider
       :temporary_password,
       :force_alias_creation,
       :message_action,
-      :desired_delivery_mediums)
+      :desired_delivery_mediums,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -792,7 +877,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] mfa_options
-    #   Specifies the options for MFA (e.g., email or phone number).
+    #   *This response parameter is no longer supported.* It provides
+    #   information only about SMS MFA configurations. It doesn't provide
+    #   information about TOTP software token MFA configurations. To look up
+    #   information about either type of MFA configuration, use the
+    #   AdminGetUserResponse$UserMFASettingList response instead.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @!attribute [rw] preferred_mfa_setting
@@ -800,7 +889,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] user_mfa_setting_list
-    #   The list of the user's MFA settings.
+    #   The MFA options that are enabled for the user. The possible values
+    #   in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminGetUserResponse AWS API Documentation
@@ -914,10 +1004,67 @@ module Aws::CognitoIdentityProvider
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_metadata
-    #   This is a random key-value pair map which can contain any key and
-    #   will be passed to your PreAuthentication Lambda trigger as-is. It
-    #   can be used to implement additional validations around
-    #   authentication.
+    #   A map of custom key-value pairs that you can provide as input for
+    #   certain custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the AdminInitiateAuth API action,
+    #   Amazon Cognito invokes the AWS Lambda functions that are specified
+    #   for various triggers. The ClientMetadata value is passed as input to
+    #   the functions for only the following triggers:
+    #
+    #   * Pre signup
+    #
+    #   * Pre authentication
+    #
+    #   * User migration
+    #
+    #   When Amazon Cognito invokes the functions for these triggers, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `validationData` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   AdminInitiateAuth request. In your function code in AWS Lambda, you
+    #   can process the `validationData` value to enhance your workflow for
+    #   your specific needs.
+    #
+    #   When you use the AdminInitiateAuth API action, Amazon Cognito also
+    #   invokes the functions for the following triggers, but it does not
+    #   provide the ClientMetadata value as input:
+    #
+    #   * Post authentication
+    #
+    #   * Custom message
+    #
+    #   * Pre token generation
+    #
+    #   * Create auth challenge
+    #
+    #   * Define auth challenge
+    #
+    #   * Verify auth challenge
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] analytics_metadata
@@ -1314,6 +1461,9 @@ module Aws::CognitoIdentityProvider
     #       {
     #         user_pool_id: "UserPoolIdType", # required
     #         username: "UsernameType", # required
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -1325,11 +1475,51 @@ module Aws::CognitoIdentityProvider
     #   The user name of the user whose password you wish to reset.
     #   @return [String]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the AdminResetUserPassword API
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *custom message* trigger. When Amazon Cognito invokes this function,
+    #   it passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   AdminResetUserPassword request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminResetUserPasswordRequest AWS API Documentation
     #
     class AdminResetUserPasswordRequest < Struct.new(
       :user_pool_id,
-      :username)
+      :username,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -1369,6 +1559,9 @@ module Aws::CognitoIdentityProvider
     #           ],
     #           encoded_data: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -1428,6 +1621,48 @@ module Aws::CognitoIdentityProvider
     #   Amazon Cognito advanced security.
     #   @return [Types::ContextDataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the AdminRespondToAuthChallenge API
+    #   action, Amazon Cognito invokes any functions that are assigned to
+    #   the following triggers: *pre sign-up*, *custom message*, *post
+    #   authentication*, *user migration*, *pre token generation*, *define
+    #   auth challenge*, *create auth challenge*, and *verify auth challenge
+    #   response*. When Amazon Cognito invokes any of these functions, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   AdminRespondToAuthChallenge request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminRespondToAuthChallengeRequest AWS API Documentation
     #
     class AdminRespondToAuthChallengeRequest < Struct.new(
@@ -1437,7 +1672,8 @@ module Aws::CognitoIdentityProvider
       :challenge_responses,
       :session,
       :analytics_metadata,
-      :context_data)
+      :context_data,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -1531,15 +1767,20 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] user_pool_id
+    #   The user pool ID for the user pool where you want to set the user's
+    #   password.
     #   @return [String]
     #
     # @!attribute [rw] username
+    #   The user name of the user whose password you wish to set.
     #   @return [String]
     #
     # @!attribute [rw] password
+    #   The password for the user.
     #   @return [String]
     #
     # @!attribute [rw] permanent
+    #   `True` if the password is permanent, `False` if it is temporary.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminSetUserPasswordRequest AWS API Documentation
@@ -1556,7 +1797,8 @@ module Aws::CognitoIdentityProvider
     #
     class AdminSetUserPasswordResponse < Aws::EmptyStructure; end
 
-    # Represents the request to set user settings as an administrator.
+    # You can use this parameter to set an MFA configuration that uses the
+    # SMS delivery medium.
     #
     # @note When making an API call, you may pass AdminSetUserSettingsRequest
     #   data as a hash:
@@ -1573,16 +1815,17 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] user_pool_id
-    #   The user pool ID for the user pool where you want to set the user's
-    #   settings, such as MFA options.
+    #   The ID of the user pool that contains the user that you are setting
+    #   options for.
     #   @return [String]
     #
     # @!attribute [rw] username
-    #   The user name of the user for whom you wish to set user settings.
+    #   The user name of the user that you are setting options for.
     #   @return [String]
     #
     # @!attribute [rw] mfa_options
-    #   Specifies the options for MFA (e.g., email or phone number).
+    #   You can use this parameter only to set an SMS configuration that
+    #   uses SMS for delivery.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminSetUserSettingsRequest AWS API Documentation
@@ -1701,6 +1944,9 @@ module Aws::CognitoIdentityProvider
     #             value: "AttributeValueType",
     #           },
     #         ],
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -1720,12 +1966,52 @@ module Aws::CognitoIdentityProvider
     #   attribute name.
     #   @return [Array<Types::AttributeType>]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the AdminUpdateUserAttributes API
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *custom message* trigger. When Amazon Cognito invokes this function,
+    #   it passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   AdminUpdateUserAttributes request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminUpdateUserAttributesRequest AWS API Documentation
     #
     class AdminUpdateUserAttributesRequest < Struct.new(
       :user_pool_id,
       :username,
-      :user_attributes)
+      :user_attributes,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -2251,6 +2537,9 @@ module Aws::CognitoIdentityProvider
     #         user_context_data: {
     #           encoded_data: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] client_id
@@ -2289,6 +2578,46 @@ module Aws::CognitoIdentityProvider
     #   Amazon Cognito advanced security.
     #   @return [Types::UserContextDataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the ConfirmForgotPassword API
+    #   action, Amazon Cognito invokes the functions that are assigned to
+    #   the *post confirmation* and *pre mutation* triggers. When Amazon
+    #   Cognito invokes either of these functions, it passes a JSON payload,
+    #   which the function receives as input. This payload contains a
+    #   `clientMetadata` attribute, which provides the data that you
+    #   assigned to the ClientMetadata parameter in your
+    #   ConfirmForgotPassword request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ConfirmForgotPasswordRequest AWS API Documentation
     #
     class ConfirmForgotPasswordRequest < Struct.new(
@@ -2298,7 +2627,8 @@ module Aws::CognitoIdentityProvider
       :confirmation_code,
       :password,
       :analytics_metadata,
-      :user_context_data)
+      :user_context_data,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -2326,6 +2656,9 @@ module Aws::CognitoIdentityProvider
     #         user_context_data: {
     #           encoded_data: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] client_id
@@ -2368,6 +2701,45 @@ module Aws::CognitoIdentityProvider
     #   Amazon Cognito advanced security.
     #   @return [Types::UserContextDataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the ConfirmSignUp API action,
+    #   Amazon Cognito invokes the function that is assigned to the *post
+    #   confirmation* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   ConfirmSignUp request. In your function code in AWS Lambda, you can
+    #   process the `clientMetadata` value to enhance your workflow for your
+    #   specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ConfirmSignUpRequest AWS API Documentation
     #
     class ConfirmSignUpRequest < Struct.new(
@@ -2377,7 +2749,8 @@ module Aws::CognitoIdentityProvider
       :confirmation_code,
       :force_alias_creation,
       :analytics_metadata,
-      :user_context_data)
+      :user_context_data,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -2816,7 +3189,9 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] allowed_o_auth_scopes
     #   A list of allowed `OAuth` scopes. Currently supported values are
-    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
+    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
+    #   these values, custom scopes created in Resource Servers are also
+    #   supported.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -4008,6 +4383,9 @@ module Aws::CognitoIdentityProvider
     #         analytics_metadata: {
     #           analytics_endpoint_id: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] client_id
@@ -4036,6 +4414,46 @@ module Aws::CognitoIdentityProvider
     #   `ForgotPassword` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the ForgotPassword API action,
+    #   Amazon Cognito invokes any functions that are assigned to the
+    #   following triggers: *pre sign-up*, *custom message*, and *user
+    #   migration*. When Amazon Cognito invokes any of these functions, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   ForgotPassword request. In your function code in AWS Lambda, you can
+    #   process the `clientMetadata` value to enhance your workflow for your
+    #   specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ForgotPasswordRequest AWS API Documentation
     #
     class ForgotPasswordRequest < Struct.new(
@@ -4043,7 +4461,8 @@ module Aws::CognitoIdentityProvider
       :secret_hash,
       :user_context_data,
       :username,
-      :analytics_metadata)
+      :analytics_metadata,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -4289,6 +4708,9 @@ module Aws::CognitoIdentityProvider
     #       {
     #         access_token: "TokenModelType", # required
     #         attribute_name: "AttributeNameType", # required
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] access_token
@@ -4301,11 +4723,52 @@ module Aws::CognitoIdentityProvider
     #   attribute verification code.
     #   @return [String]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the
+    #   GetUserAttributeVerificationCode API action, Amazon Cognito invokes
+    #   the function that is assigned to the *custom message* trigger. When
+    #   Amazon Cognito invokes this function, it passes a JSON payload,
+    #   which the function receives as input. This payload contains a
+    #   `clientMetadata` attribute, which provides the data that you
+    #   assigned to the ClientMetadata parameter in your
+    #   GetUserAttributeVerificationCode request. In your function code in
+    #   AWS Lambda, you can process the `clientMetadata` value to enhance
+    #   your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserAttributeVerificationCodeRequest AWS API Documentation
     #
     class GetUserAttributeVerificationCodeRequest < Struct.new(
       :access_token,
-      :attribute_name)
+      :attribute_name,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -4351,7 +4814,14 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
     # @!attribute [rw] mfa_configuration
-    #   The multi-factor (MFA) configuration.
+    #   The multi-factor (MFA) configuration. Valid values include:
+    #
+    #   * `OFF` MFA will not be used for any users.
+    #
+    #   * `ON` MFA is required for all users to sign in.
+    #
+    #   * `OPTIONAL` MFA will be required only for individual users who have
+    #     an MFA factor enabled.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserPoolMfaConfigResponse AWS API Documentation
@@ -4400,7 +4870,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Array<Types::AttributeType>]
     #
     # @!attribute [rw] mfa_options
-    #   Specifies the options for MFA (e.g., email or phone number).
+    #   *This response parameter is no longer supported.* It provides
+    #   information only about SMS MFA configurations. It doesn't provide
+    #   information about TOTP software token MFA configurations. To look up
+    #   information about either type of MFA configuration, use the use the
+    #   GetUserResponse$UserMFASettingList response instead.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @!attribute [rw] preferred_mfa_setting
@@ -4408,7 +4882,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] user_mfa_setting_list
-    #   The list of the user's MFA settings.
+    #   The MFA options that are enabled for the user. The possible values
+    #   in this list are `SMS_MFA` and `SOFTWARE_TOKEN_MFA`.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/GetUserResponse AWS API Documentation
@@ -4668,10 +5143,67 @@ module Aws::CognitoIdentityProvider
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_metadata
-    #   This is a random key-value pair map which can contain any key and
-    #   will be passed to your PreAuthentication Lambda trigger as-is. It
-    #   can be used to implement additional validations around
-    #   authentication.
+    #   A map of custom key-value pairs that you can provide as input for
+    #   certain custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the InitiateAuth API action, Amazon
+    #   Cognito invokes the AWS Lambda functions that are specified for
+    #   various triggers. The ClientMetadata value is passed as input to the
+    #   functions for only the following triggers:
+    #
+    #   * Pre signup
+    #
+    #   * Pre authentication
+    #
+    #   * User migration
+    #
+    #   When Amazon Cognito invokes the functions for these triggers, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `validationData` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   InitiateAuth request. In your function code in AWS Lambda, you can
+    #   process the `validationData` value to enhance your workflow for your
+    #   specific needs.
+    #
+    #   When you use the InitiateAuth API action, Amazon Cognito also
+    #   invokes the functions for the following triggers, but it does not
+    #   provide the ClientMetadata value as input:
+    #
+    #   * Post authentication
+    #
+    #   * Custom message
+    #
+    #   * Pre token generation
+    #
+    #   * Create auth challenge
+    #
+    #   * Define auth challenge
+    #
+    #   * Verify auth challenge
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] client_id
@@ -5515,8 +6047,8 @@ module Aws::CognitoIdentityProvider
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api
-    #   [2]: http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ListUsersRequest AWS API Documentation
@@ -5565,8 +6097,16 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # Specifies the different settings for multi-factor authentication
-    # (MFA).
+    # *This data type is no longer supported.* You can use it only for SMS
+    # MFA configurations. You can't use it for TOTP software token MFA
+    # configurations.
+    #
+    # To set either type of MFA configuration, use the
+    # AdminSetUserMFAPreference or SetUserMFAPreference actions.
+    #
+    # To look up information about either type of MFA configuration, use the
+    # AdminGetUserResponse$UserMFASettingList or
+    # GetUserResponse$UserMFASettingList responses.
     #
     # @note When making an API call, you may pass MFAOptionType
     #   data as a hash:
@@ -5577,12 +6117,13 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] delivery_medium
-    #   The delivery medium (email message or SMS message) to send the MFA
-    #   code.
+    #   The delivery medium to send the MFA code. You can use this parameter
+    #   to set only the `SMS` delivery medium value.
     #   @return [String]
     #
     # @!attribute [rw] attribute_name
-    #   The attribute name of the MFA option type.
+    #   The attribute name of the MFA option type. The only valid value is
+    #   `phone_number`.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/MFAOptionType AWS API Documentation
@@ -5825,6 +6366,15 @@ module Aws::CognitoIdentityProvider
     #   @return [Boolean]
     #
     # @!attribute [rw] temporary_password_validity_days
+    #   In the password policy you have set, refers to the number of days a
+    #   temporary password is valid. If the user does not sign-in during
+    #   this time, their password will need to be reset by an administrator.
+    #
+    #   <note markdown="1"> When you set `TemporaryPasswordValidityDays` for a user pool, you
+    #   will no longer be able to set the deprecated
+    #   `UnusedAccountValidityDays` value for that user pool.
+    #
+    #    </note>
     #   @return [Integer]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/PasswordPolicyType AWS API Documentation
@@ -5944,6 +6494,9 @@ module Aws::CognitoIdentityProvider
     #         analytics_metadata: {
     #           analytics_endpoint_id: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] client_id
@@ -5972,6 +6525,45 @@ module Aws::CognitoIdentityProvider
     #   `ResendConfirmationCode` calls.
     #   @return [Types::AnalyticsMetadataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the ResendConfirmationCode API
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *custom message* trigger. When Amazon Cognito invokes this function,
+    #   it passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   ResendConfirmationCode request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ResendConfirmationCodeRequest AWS API Documentation
     #
     class ResendConfirmationCodeRequest < Struct.new(
@@ -5979,7 +6571,8 @@ module Aws::CognitoIdentityProvider
       :secret_hash,
       :user_context_data,
       :username,
-      :analytics_metadata)
+      :analytics_metadata,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -6085,6 +6678,9 @@ module Aws::CognitoIdentityProvider
     #         user_context_data: {
     #           encoded_data: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] client_id
@@ -6110,16 +6706,27 @@ module Aws::CognitoIdentityProvider
     #   The challenge responses. These are inputs corresponding to the value
     #   of `ChallengeName`, for example:
     #
-    #   * `SMS_MFA`\: `SMS_MFA_CODE`, `USERNAME`, `SECRET_HASH` (if app
-    #     client is configured with client secret).
+    #   <note markdown="1"> `SECRET_HASH` (if app client is configured with client secret)
+    #   applies to all inputs below (including `SOFTWARE_TOKEN_MFA`).
+    #
+    #    </note>
+    #
+    #   * `SMS_MFA`\: `SMS_MFA_CODE`, `USERNAME`.
     #
     #   * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
-    #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`,
-    #     `SECRET_HASH` (if app client is configured with client secret).
+    #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
     #
     #   * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
-    #     attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
-    #     with client secret).
+    #     attributes, `USERNAME`.
+    #
+    #   * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE`
+    #     are required attributes.
+    #
+    #   * `DEVICE_SRP_AUTH` requires `USERNAME`, `DEVICE_KEY`, `SRP_A` (and
+    #     `SECRET_HASH`).
+    #
+    #   * `DEVICE_PASSWORD_VERIFIER` requires everything that
+    #     `PASSWORD_VERIFIER` requires plus `DEVICE_KEY`.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] analytics_metadata
@@ -6133,6 +6740,47 @@ module Aws::CognitoIdentityProvider
     #   Amazon Cognito advanced security.
     #   @return [Types::UserContextDataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the RespondToAuthChallenge API
+    #   action, Amazon Cognito invokes any functions that are assigned to
+    #   the following triggers: *post authentication*, *pre token
+    #   generation*, *define auth challenge*, *create auth challenge*, and
+    #   *verify auth challenge*. When Amazon Cognito invokes any of these
+    #   functions, it passes a JSON payload, which the function receives as
+    #   input. This payload contains a `clientMetadata` attribute, which
+    #   provides the data that you assigned to the ClientMetadata parameter
+    #   in your RespondToAuthChallenge request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RespondToAuthChallengeRequest AWS API Documentation
     #
     class RespondToAuthChallengeRequest < Struct.new(
@@ -6141,7 +6789,8 @@ module Aws::CognitoIdentityProvider
       :session,
       :challenge_responses,
       :analytics_metadata,
-      :user_context_data)
+      :user_context_data,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -6248,7 +6897,7 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The SMS multi-factor authentication (MFA) settings type.
+    # The type used for enabling SMS MFA at the user level.
     #
     # @note When making an API call, you may pass SMSMfaSettingsType
     #   data as a hash:
@@ -6263,7 +6912,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Boolean]
     #
     # @!attribute [rw] preferred_mfa
-    #   The preferred MFA method.
+    #   Specifies whether SMS is the preferred MFA method.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SMSMfaSettingsType AWS API Documentation
@@ -6536,7 +7185,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaSettingsType]
     #
     # @!attribute [rw] access_token
-    #   The access token.
+    #   The access token for the user.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserMFAPreferenceRequest AWS API Documentation
@@ -6583,7 +7232,14 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
     # @!attribute [rw] mfa_configuration
-    #   The MFA configuration.
+    #   The MFA configuration. Valid values include:
+    #
+    #   * `OFF` MFA will not be used for any users.
+    #
+    #   * `ON` MFA is required for all users to sign in.
+    #
+    #   * `OPTIONAL` MFA will be required only for individual users who have
+    #     an MFA factor enabled.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserPoolMfaConfigRequest AWS API Documentation
@@ -6605,7 +7261,14 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
     # @!attribute [rw] mfa_configuration
-    #   The MFA configuration.
+    #   The MFA configuration. Valid values include:
+    #
+    #   * `OFF` MFA will not be used for any users.
+    #
+    #   * `ON` MFA is required for all users to sign in.
+    #
+    #   * `OPTIONAL` MFA will be required only for individual users who have
+    #     an MFA factor enabled.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserPoolMfaConfigResponse AWS API Documentation
@@ -6637,7 +7300,8 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] mfa_options
-    #   Specifies the options for MFA (e.g., email or phone number).
+    #   You can use this parameter only to set an SMS configuration that
+    #   uses SMS for delivery.
     #   @return [Array<Types::MFAOptionType>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SetUserSettingsRequest AWS API Documentation
@@ -6682,6 +7346,9 @@ module Aws::CognitoIdentityProvider
     #         user_context_data: {
     #           encoded_data: "StringType",
     #         },
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] client_id
@@ -6724,6 +7391,46 @@ module Aws::CognitoIdentityProvider
     #   Amazon Cognito advanced security.
     #   @return [Types::UserContextDataType]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the SignUp API action, Amazon
+    #   Cognito invokes any functions that are assigned to the following
+    #   triggers: *pre sign-up*, *custom message*, and *post confirmation*.
+    #   When Amazon Cognito invokes any of these functions, it passes a JSON
+    #   payload, which the function receives as input. This payload contains
+    #   a `clientMetadata` attribute, which provides the data that you
+    #   assigned to the ClientMetadata parameter in your SignUp request. In
+    #   your function code in AWS Lambda, you can process the
+    #   `clientMetadata` value to enhance your workflow for your specific
+    #   needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SignUpRequest AWS API Documentation
     #
     class SignUpRequest < Struct.new(
@@ -6734,7 +7441,8 @@ module Aws::CognitoIdentityProvider
       :user_attributes,
       :validation_data,
       :analytics_metadata,
-      :user_context_data)
+      :user_context_data,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -6764,7 +7472,11 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # The SMS configuration type.
+    # The SMS configuration type that includes the settings the Cognito User
+    # Pool needs to call for the Amazon SNS service to send an SMS message
+    # from your AWS account. The Cognito User Pool makes the request to the
+    # Amazon SNS Service by using an AWS IAM role that you provide for your
+    # AWS account.
     #
     # @note When making an API call, you may pass SmsConfigurationType
     #   data as a hash:
@@ -6776,11 +7488,20 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] sns_caller_arn
     #   The Amazon Resource Name (ARN) of the Amazon Simple Notification
-    #   Service (SNS) caller.
+    #   Service (SNS) caller. This is the ARN of the IAM role in your AWS
+    #   account which Cognito will use to send SMS messages.
     #   @return [String]
     #
     # @!attribute [rw] external_id
-    #   The external ID.
+    #   The external ID is a value that we recommend you use to add security
+    #   to your IAM role which is used to call Amazon SNS to send SMS
+    #   messages for your user pool. If you provide an `ExternalId`, the
+    #   Cognito User Pool will include it when attempting to assume your IAM
+    #   role, so that you can set your roles trust policy to require the
+    #   `ExternalID`. If you use the Cognito Management Console to create a
+    #   role for SMS MFA, Cognito will create a role with the required
+    #   permissions and a trust policy that demonstrates use of the
+    #   `ExternalId`.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SmsConfigurationType AWS API Documentation
@@ -6806,7 +7527,10 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] sms_authentication_message
-    #   The SMS authentication message.
+    #   The SMS authentication message that will be sent to users with the
+    #   code they need to sign in. The message must contain the
+    #   ‘\\\{####\\}’ placeholder, which will be replaced with the code. If
+    #   the message is not included, and default message will be used.
     #   @return [String]
     #
     # @!attribute [rw] sms_configuration
@@ -6869,7 +7593,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Boolean]
     #
     # @!attribute [rw] preferred_mfa
-    #   The preferred MFA method.
+    #   Specifies whether software token MFA is the preferred MFA method.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SoftwareTokenMfaSettingsType AWS API Documentation
@@ -6993,7 +7717,7 @@ module Aws::CognitoIdentityProvider
     #
     #       {
     #         resource_arn: "ArnType", # required
-    #         tags: {
+    #         tags: { # required
     #           "TagKeysType" => "TagValueType",
     #         },
     #       }
@@ -7139,7 +7863,7 @@ module Aws::CognitoIdentityProvider
     #
     #       {
     #         resource_arn: "ArnType", # required
-    #         tag_keys: ["TagKeysType"],
+    #         tag_keys: ["TagKeysType"], # required
     #       }
     #
     # @!attribute [rw] resource_arn
@@ -7425,6 +8149,9 @@ module Aws::CognitoIdentityProvider
     #           },
     #         ],
     #         access_token: "TokenModelType", # required
+    #         client_metadata: {
+    #           "StringType" => "StringType",
+    #         },
     #       }
     #
     # @!attribute [rw] user_attributes
@@ -7438,11 +8165,52 @@ module Aws::CognitoIdentityProvider
     #   The access token for the request to update user attributes.
     #   @return [String]
     #
+    # @!attribute [rw] client_metadata
+    #   A map of custom key-value pairs that you can provide as input for
+    #   any custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to
+    #   user pool triggers. When you use the UpdateUserAttributes API
+    #   action, Amazon Cognito invokes the functions that are assigned to
+    #   the *custom message* and *pre mutation* triggers. When Amazon
+    #   Cognito invokes either of these functions, it passes a JSON payload,
+    #   which the function receives as input. This payload contains a
+    #   `clientMetadata` attribute, which provides the data that you
+    #   assigned to the ClientMetadata parameter in your
+    #   UpdateUserAttributes request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with
+    #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data
+    #     is available only to AWS Lambda triggers that are assigned to a
+    #     user pool to support custom workflows. If your user pool
+    #     configuration does not include triggers, the ClientMetadata
+    #     parameter serves no purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserAttributesRequest AWS API Documentation
     #
     class UpdateUserAttributesRequest < Struct.new(
       :user_attributes,
-      :access_token)
+      :access_token,
+      :client_metadata)
       include Aws::Structure
     end
 
@@ -7583,7 +8351,9 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] allowed_o_auth_scopes
     #   A list of allowed `OAuth` scopes. Currently supported values are
-    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
+    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
+    #   these values, custom scopes created in Resource Servers are also
+    #   supported.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -8210,7 +8980,9 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] allowed_o_auth_scopes
     #   A list of allowed `OAuth` scopes. Currently supported values are
-    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
+    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
+    #   these values, custom scopes created in Resource Servers are also
+    #   supported.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client