aws-sdk-cognitoidentityprovider 1.50.0 → 1.54.0

data/lib/aws-sdk-cognitoidentityprovider/client_api.rb

@@ -345,6 +345,8 @@ module Aws::CognitoIdentityProvider
     ResourceServersListType = Shapes::ListShape.new(name: 'ResourceServersListType')
     RespondToAuthChallengeRequest = Shapes::StructureShape.new(name: 'RespondToAuthChallengeRequest')
     RespondToAuthChallengeResponse = Shapes::StructureShape.new(name: 'RespondToAuthChallengeResponse')
+    RevokeTokenRequest = Shapes::StructureShape.new(name: 'RevokeTokenRequest')
+    RevokeTokenResponse = Shapes::StructureShape.new(name: 'RevokeTokenResponse')
     RiskConfigurationType = Shapes::StructureShape.new(name: 'RiskConfigurationType')
     RiskDecisionType = Shapes::StringShape.new(name: 'RiskDecisionType')
     RiskExceptionConfigurationType = Shapes::StructureShape.new(name: 'RiskExceptionConfigurationType')
@@ -401,8 +403,11 @@ module Aws::CognitoIdentityProvider
     TooManyFailedAttemptsException = Shapes::StructureShape.new(name: 'TooManyFailedAttemptsException')
     TooManyRequestsException = Shapes::StructureShape.new(name: 'TooManyRequestsException')
     UICustomizationType = Shapes::StructureShape.new(name: 'UICustomizationType')
+    UnauthorizedException = Shapes::StructureShape.new(name: 'UnauthorizedException')
     UnexpectedLambdaException = Shapes::StructureShape.new(name: 'UnexpectedLambdaException')
     UnsupportedIdentityProviderException = Shapes::StructureShape.new(name: 'UnsupportedIdentityProviderException')
+    UnsupportedOperationException = Shapes::StructureShape.new(name: 'UnsupportedOperationException')
+    UnsupportedTokenTypeException = Shapes::StructureShape.new(name: 'UnsupportedTokenTypeException')
     UnsupportedUserStateException = Shapes::StructureShape.new(name: 'UnsupportedUserStateException')
     UntagResourceRequest = Shapes::StructureShape.new(name: 'UntagResourceRequest')
     UntagResourceResponse = Shapes::StructureShape.new(name: 'UntagResourceResponse')
@@ -917,6 +922,7 @@ module Aws::CognitoIdentityProvider
     CreateUserPoolClientRequest.add_member(:allowed_o_auth_flows_user_pool_client, Shapes::ShapeRef.new(shape: BooleanType, location_name: "AllowedOAuthFlowsUserPoolClient"))
     CreateUserPoolClientRequest.add_member(:analytics_configuration, Shapes::ShapeRef.new(shape: AnalyticsConfigurationType, location_name: "AnalyticsConfiguration"))
     CreateUserPoolClientRequest.add_member(:prevent_user_existence_errors, Shapes::ShapeRef.new(shape: PreventUserExistenceErrorTypes, location_name: "PreventUserExistenceErrors"))
+    CreateUserPoolClientRequest.add_member(:enable_token_revocation, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnableTokenRevocation"))
     CreateUserPoolClientRequest.struct_class = Types::CreateUserPoolClientRequest
 
     CreateUserPoolClientResponse.add_member(:user_pool_client, Shapes::ShapeRef.new(shape: UserPoolClientType, location_name: "UserPoolClient"))
@@ -1506,6 +1512,13 @@ module Aws::CognitoIdentityProvider
     RespondToAuthChallengeResponse.add_member(:authentication_result, Shapes::ShapeRef.new(shape: AuthenticationResultType, location_name: "AuthenticationResult"))
     RespondToAuthChallengeResponse.struct_class = Types::RespondToAuthChallengeResponse
 
+    RevokeTokenRequest.add_member(:token, Shapes::ShapeRef.new(shape: TokenModelType, required: true, location_name: "Token"))
+    RevokeTokenRequest.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, required: true, location_name: "ClientId"))
+    RevokeTokenRequest.add_member(:client_secret, Shapes::ShapeRef.new(shape: ClientSecretType, location_name: "ClientSecret"))
+    RevokeTokenRequest.struct_class = Types::RevokeTokenRequest
+
+    RevokeTokenResponse.struct_class = Types::RevokeTokenResponse
+
     RiskConfigurationType.add_member(:user_pool_id, Shapes::ShapeRef.new(shape: UserPoolIdType, location_name: "UserPoolId"))
     RiskConfigurationType.add_member(:client_id, Shapes::ShapeRef.new(shape: ClientIdType, location_name: "ClientId"))
     RiskConfigurationType.add_member(:compromised_credentials_risk_configuration, Shapes::ShapeRef.new(shape: CompromisedCredentialsRiskConfigurationType, location_name: "CompromisedCredentialsRiskConfiguration"))
@@ -1665,12 +1678,21 @@ module Aws::CognitoIdentityProvider
     UICustomizationType.add_member(:creation_date, Shapes::ShapeRef.new(shape: DateType, location_name: "CreationDate"))
     UICustomizationType.struct_class = Types::UICustomizationType
 
+    UnauthorizedException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
+    UnauthorizedException.struct_class = Types::UnauthorizedException
+
     UnexpectedLambdaException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     UnexpectedLambdaException.struct_class = Types::UnexpectedLambdaException
 
     UnsupportedIdentityProviderException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     UnsupportedIdentityProviderException.struct_class = Types::UnsupportedIdentityProviderException
 
+    UnsupportedOperationException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
+    UnsupportedOperationException.struct_class = Types::UnsupportedOperationException
+
+    UnsupportedTokenTypeException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
+    UnsupportedTokenTypeException.struct_class = Types::UnsupportedTokenTypeException
+
     UnsupportedUserStateException.add_member(:message, Shapes::ShapeRef.new(shape: MessageType, location_name: "message"))
     UnsupportedUserStateException.struct_class = Types::UnsupportedUserStateException
 
@@ -1752,6 +1774,7 @@ module Aws::CognitoIdentityProvider
     UpdateUserPoolClientRequest.add_member(:allowed_o_auth_flows_user_pool_client, Shapes::ShapeRef.new(shape: BooleanType, location_name: "AllowedOAuthFlowsUserPoolClient"))
     UpdateUserPoolClientRequest.add_member(:analytics_configuration, Shapes::ShapeRef.new(shape: AnalyticsConfigurationType, location_name: "AnalyticsConfiguration"))
     UpdateUserPoolClientRequest.add_member(:prevent_user_existence_errors, Shapes::ShapeRef.new(shape: PreventUserExistenceErrorTypes, location_name: "PreventUserExistenceErrors"))
+    UpdateUserPoolClientRequest.add_member(:enable_token_revocation, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnableTokenRevocation"))
     UpdateUserPoolClientRequest.struct_class = Types::UpdateUserPoolClientRequest
 
     UpdateUserPoolClientResponse.add_member(:user_pool_client, Shapes::ShapeRef.new(shape: UserPoolClientType, location_name: "UserPoolClient"))
@@ -1855,6 +1878,7 @@ module Aws::CognitoIdentityProvider
     UserPoolClientType.add_member(:allowed_o_auth_flows_user_pool_client, Shapes::ShapeRef.new(shape: BooleanType, location_name: "AllowedOAuthFlowsUserPoolClient", metadata: {"box"=>true}))
     UserPoolClientType.add_member(:analytics_configuration, Shapes::ShapeRef.new(shape: AnalyticsConfigurationType, location_name: "AnalyticsConfiguration"))
     UserPoolClientType.add_member(:prevent_user_existence_errors, Shapes::ShapeRef.new(shape: PreventUserExistenceErrorTypes, location_name: "PreventUserExistenceErrors"))
+    UserPoolClientType.add_member(:enable_token_revocation, Shapes::ShapeRef.new(shape: WrappedBooleanType, location_name: "EnableTokenRevocation"))
     UserPoolClientType.struct_class = Types::UserPoolClientType
 
     UserPoolDescriptionType.add_member(:id, Shapes::ShapeRef.new(shape: UserPoolIdType, location_name: "Id"))
@@ -3276,6 +3300,20 @@ module Aws::CognitoIdentityProvider
         o.errors << Shapes::ShapeRef.new(shape: SoftwareTokenMFANotFoundException)
       end)
 
+      api.add_operation(:revoke_token, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "RevokeToken"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: RevokeTokenRequest)
+        o.output = Shapes::ShapeRef.new(shape: RevokeTokenResponse)
+        o.errors << Shapes::ShapeRef.new(shape: TooManyRequestsException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalErrorException)
+        o.errors << Shapes::ShapeRef.new(shape: UnauthorizedException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedOperationException)
+        o.errors << Shapes::ShapeRef.new(shape: UnsupportedTokenTypeException)
+      end)
+
       api.add_operation(:set_risk_configuration, Seahorse::Model::Operation.new.tap do |o|
         o.name = "SetRiskConfiguration"
         o.http_method = "POST"

data/lib/aws-sdk-cognitoidentityprovider/customizations.rb

@@ -2,7 +2,7 @@
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing for info on making contributions:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 

data/lib/aws-sdk-cognitoidentityprovider/errors.rb

@@ -54,8 +54,11 @@ module Aws::CognitoIdentityProvider
   # * {SoftwareTokenMFANotFoundException}
   # * {TooManyFailedAttemptsException}
   # * {TooManyRequestsException}
+  # * {UnauthorizedException}
   # * {UnexpectedLambdaException}
   # * {UnsupportedIdentityProviderException}
+  # * {UnsupportedOperationException}
+  # * {UnsupportedTokenTypeException}
   # * {UnsupportedUserStateException}
   # * {UserImportInProgressException}
   # * {UserLambdaValidationException}
@@ -476,6 +479,21 @@ module Aws::CognitoIdentityProvider
       end
     end
 
+    class UnauthorizedException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::CognitoIdentityProvider::Types::UnauthorizedException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class UnexpectedLambdaException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context
@@ -506,6 +524,36 @@ module Aws::CognitoIdentityProvider
       end
     end
 
+    class UnsupportedOperationException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::CognitoIdentityProvider::Types::UnsupportedOperationException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
+    class UnsupportedTokenTypeException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::CognitoIdentityProvider::Types::UnsupportedTokenTypeException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class UnsupportedUserStateException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-cognitoidentityprovider/types.rb

@@ -283,14 +283,14 @@ module Aws::CognitoIdentityProvider
     #   any custom workflows that this action triggers.
     #
     #   If your user pool configuration includes triggers, the
-    #   AdminConfirmSignUp API action invokes the AWS Lambda function that
-    #   is specified for the *post confirmation* trigger. When Amazon
-    #   Cognito invokes this function, it passes a JSON payload, which the
-    #   function receives as input. In this payload, the `clientMetadata`
-    #   attribute provides the data that you assigned to the ClientMetadata
-    #   parameter in your AdminConfirmSignUp request. In your function code
-    #   in AWS Lambda, you can process the ClientMetadata value to enhance
-    #   your workflow for your specific needs.
+    #   AdminConfirmSignUp API action invokes the Lambda function that is
+    #   specified for the *post confirmation* trigger. When Amazon Cognito
+    #   invokes this function, it passes a JSON payload, which the function
+    #   receives as input. In this payload, the `clientMetadata` attribute
+    #   provides the data that you assigned to the ClientMetadata parameter
+    #   in your AdminConfirmSignUp request. In your function code in Lambda,
+    #   you can process the ClientMetadata value to enhance your workflow
+    #   for your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -299,10 +299,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -532,16 +532,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the AdminCreateUser API action,
-    #   Amazon Cognito invokes the function that is assigned to the *pre
-    #   sign-up* trigger. When Amazon Cognito invokes this function, it
-    #   passes a JSON payload, which the function receives as input. This
-    #   payload contains a `clientMetadata` attribute, which provides the
-    #   data that you assigned to the ClientMetadata parameter in your
-    #   AdminCreateUser request. In your function code in AWS Lambda, you
-    #   can process the `clientMetadata` value to enhance your workflow for
-    #   your specific needs.
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the AdminCreateUser API action, Amazon
+    #   Cognito invokes the function that is assigned to the *pre sign-up*
+    #   trigger. When Amazon Cognito invokes this function, it passes a JSON
+    #   payload, which the function receives as input. This payload contains
+    #   a `clientMetadata` attribute, which provides the data that you
+    #   assigned to the ClientMetadata parameter in your AdminCreateUser
+    #   request. In your function code in Lambda, you can process the
+    #   `clientMetadata` value to enhance your workflow for your specific
+    #   needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -550,10 +550,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -705,7 +705,7 @@ module Aws::CognitoIdentityProvider
     #
     class AdminDisableProviderForUserResponse < Aws::EmptyStructure; end
 
-    # Represents the request to disable any user as an administrator.
+    # Represents the request to disable the user as an administrator.
     #
     # @note When making an API call, you may pass AdminDisableUserRequest
     #   data as a hash:
@@ -1068,11 +1068,11 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   certain custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the AdminInitiateAuth API action,
-    #   Amazon Cognito invokes the AWS Lambda functions that are specified
-    #   for various triggers. The ClientMetadata value is passed as input to
-    #   the functions for only the following triggers:
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the AdminInitiateAuth API action, Amazon
+    #   Cognito invokes the Lambda functions that are specified for various
+    #   triggers. The ClientMetadata value is passed as input to the
+    #   functions for only the following triggers:
     #
     #   * Pre signup
     #
@@ -1084,9 +1084,9 @@ module Aws::CognitoIdentityProvider
     #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `validationData` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   AdminInitiateAuth request. In your function code in AWS Lambda, you
-    #   can process the `validationData` value to enhance your workflow for
-    #   your specific needs.
+    #   AdminInitiateAuth request. In your function code in Lambda, you can
+    #   process the `validationData` value to enhance your workflow for your
+    #   specific needs.
     #
     #   When you use the AdminInitiateAuth API action, Amazon Cognito also
     #   invokes the functions for the following triggers, but it does not
@@ -1111,10 +1111,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -1191,10 +1191,22 @@ module Aws::CognitoIdentityProvider
     #     with `USERNAME` and `PASSWORD` directly. An app client must be
     #     enabled to use this flow.
     #
-    #   * `NEW_PASSWORD_REQUIRED`\: For users which are required to change
+    #   * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
     #     their passwords after successful first login. This challenge
     #     should be passed with `NEW_PASSWORD` and any other required
     #     attributes.
+    #
+    #   * `MFA_SETUP`\: For users who are required to setup an MFA factor
+    #     before they can sign-in. The MFA types enabled for the user pool
+    #     will be listed in the challenge parameters `MFA_CAN_SETUP` value.
+    #
+    #     To setup software token MFA, use the session returned here from
+    #     `InitiateAuth` as an input to `AssociateSoftwareToken`, and use
+    #     the session returned by `VerifySoftwareToken` as an input to
+    #     `RespondToAuthChallenge` with challenge name `MFA_SETUP` to
+    #     complete sign-in. To setup SMS MFA, users will need help from an
+    #     administrator to add a phone number to their account and then call
+    #     `InitiateAuth` again to restart sign-in.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -1550,16 +1562,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the AdminResetUserPassword API
-    #   action, Amazon Cognito invokes the function that is assigned to the
-    #   *custom message* trigger. When Amazon Cognito invokes this function,
-    #   it passes a JSON payload, which the function receives as input. This
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the AdminResetUserPassword API action,
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `clientMetadata` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   AdminResetUserPassword request. In your function code in AWS Lambda,
-    #   you can process the `clientMetadata` value to enhance your workflow
-    #   for your specific needs.
+    #   AdminResetUserPassword request. In your function code in Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -1568,10 +1580,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -1671,6 +1683,10 @@ module Aws::CognitoIdentityProvider
     #     attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
     #     with client secret).
     #
+    #   * `MFA_SETUP` requires `USERNAME`, plus you need to use the session
+    #     value returned by `VerifySoftwareToken` in the `Session`
+    #     parameter.
+    #
     #   The value of the `USERNAME` attribute must be the user's actual
     #   username, not an alias (such as email address or phone number). To
     #   make this easier, the `AdminInitiateAuth` response includes the
@@ -1702,8 +1718,8 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the AdminRespondToAuthChallenge API
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the AdminRespondToAuthChallenge API
     #   action, Amazon Cognito invokes any functions that are assigned to
     #   the following triggers: *pre sign-up*, *custom message*, *post
     #   authentication*, *user migration*, *pre token generation*, *define
@@ -1712,7 +1728,7 @@ module Aws::CognitoIdentityProvider
     #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `clientMetadata` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   AdminRespondToAuthChallenge request. In your function code in AWS
+    #   AdminRespondToAuthChallenge request. In your function code in
     #   Lambda, you can process the `clientMetadata` value to enhance your
     #   workflow for your specific needs.
     #
@@ -1723,10 +1739,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -2064,16 +2080,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the AdminUpdateUserAttributes API
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the AdminUpdateUserAttributes API
     #   action, Amazon Cognito invokes the function that is assigned to the
     #   *custom message* trigger. When Amazon Cognito invokes this function,
     #   it passes a JSON payload, which the function receives as input. This
     #   payload contains a `clientMetadata` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   AdminUpdateUserAttributes request. In your function code in AWS
-    #   Lambda, you can process the `clientMetadata` value to enhance your
-    #   workflow for your specific needs.
+    #   AdminUpdateUserAttributes request. In your function code in Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -2082,10 +2098,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -2722,16 +2738,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the ConfirmForgotPassword API
-    #   action, Amazon Cognito invokes the function that is assigned to the
-    #   *post confirmation* trigger. When Amazon Cognito invokes this
-    #   function, it passes a JSON payload, which the function receives as
-    #   input. This payload contains a `clientMetadata` attribute, which
-    #   provides the data that you assigned to the ClientMetadata parameter
-    #   in your ConfirmForgotPassword request. In your function code in AWS
-    #   Lambda, you can process the `clientMetadata` value to enhance your
-    #   workflow for your specific needs.
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the ConfirmForgotPassword API action,
+    #   Amazon Cognito invokes the function that is assigned to the *post
+    #   confirmation* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   ConfirmForgotPassword request. In your function code in Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -2740,10 +2756,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -2845,14 +2861,14 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the ConfirmSignUp API action,
-    #   Amazon Cognito invokes the function that is assigned to the *post
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the ConfirmSignUp API action, Amazon
+    #   Cognito invokes the function that is assigned to the *post
     #   confirmation* trigger. When Amazon Cognito invokes this function, it
     #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `clientMetadata` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   ConfirmSignUp request. In your function code in AWS Lambda, you can
+    #   ConfirmSignUp request. In your function code in Lambda, you can
     #   process the `clientMetadata` value to enhance your workflow for your
     #   specific needs.
     #
@@ -2863,10 +2879,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -3294,6 +3310,7 @@ module Aws::CognitoIdentityProvider
     #           user_data_shared: false,
     #         },
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
+    #         enable_token_revocation: false,
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -3456,8 +3473,8 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] allowed_o_auth_scopes
     #   The allowed OAuth scopes. Possible values provided by OAuth are:
     #   `phone`, `email`, `openid`, and `profile`. Possible values provided
-    #   by AWS are: `aws.cognito.signin.user.admin`. Custom scopes created
-    #   in Resource Servers are also supported.
+    #   by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
+    #   scopes created in Resource Servers are also supported.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -3502,6 +3519,18 @@ module Aws::CognitoIdentityProvider
     #    </note>
     #   @return [String]
     #
+    # @!attribute [rw] enable_token_revocation
+    #   Enables or disables token revocation. For more information about
+    #   revoking tokens, see [RevokeToken][1].
+    #
+    #   If you don't include this parameter, token revocation is
+    #   automatically enabled for the new user pool client.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/CreateUserPoolClientRequest AWS API Documentation
     #
     class CreateUserPoolClientRequest < Struct.new(
@@ -3523,7 +3552,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_scopes,
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
-      :prevent_user_existence_errors)
+      :prevent_user_existence_errors,
+      :enable_token_revocation)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3735,7 +3765,7 @@ module Aws::CognitoIdentityProvider
     #    For more information on using the Lambda API to add permission, see
     #   [ AddPermission ][1].
     #
-    #    For adding permission using the AWS CLI, see [ add-permission ][2].
+    #    For adding permission using the CLI, see [ add-permission ][2].
     #
     #    </note>
     #
@@ -3906,7 +3936,7 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] certificate_arn
-    #   The Amazon Resource Name (ARN) of an AWS Certificate Manager SSL
+    #   The Amazon Resource Name (ARN) of an Certificate Manager SSL
     #   certificate. You use this certificate for the subdomain of your
     #   custom domain.
     #   @return [String]
@@ -4550,7 +4580,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] aws_account_id
-    #   The AWS account ID for the user pool owner.
+    #   The account ID for the user pool owner.
     #   @return [String]
     #
     # @!attribute [rw] domain
@@ -4700,7 +4730,7 @@ module Aws::CognitoIdentityProvider
     #     configuration. Amazon Cognito calls Amazon SES on your behalf to
     #     send email from your verified email address. When you use this
     #     option, the email delivery limits are the same limits that apply
-    #     to your Amazon SES verified email address in your AWS account.
+    #     to your Amazon SES verified email address in your account.
     #
     #     If you use this option, you must provide the ARN of an Amazon SES
     #     verified email address for the `SourceArn` parameter.
@@ -4708,7 +4738,7 @@ module Aws::CognitoIdentityProvider
     #     Before Amazon Cognito can email your users, it requires additional
     #     permissions to call Amazon SES on your behalf. When you update
     #     your user pool with this option, Amazon Cognito creates a
-    #     *service-linked role*, which is a type of IAM role, in your AWS
+    #     *service-linked role*, which is a type of IAM role, in your
     #     account. This role contains the permissions that allow Amazon
     #     Cognito to access Amazon SES and send email messages with your
     #     address. For more information about the service-linked role that
@@ -4739,7 +4769,7 @@ module Aws::CognitoIdentityProvider
     #   * Event publishing – Amazon SES can track the number of send,
     #     delivery, open, click, bounce, and complaint events for each email
     #     sent. Use event publishing to send information about these events
-    #     to other AWS services such as SNS and CloudWatch.
+    #     to other Amazon Web Services services such as SNS and CloudWatch.
     #
     #   * IP pool management – When leasing dedicated IP addresses with
     #     Amazon SES, you can create groups of IP addresses, called
@@ -4949,17 +4979,17 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the ForgotPassword API action,
-    #   Amazon Cognito invokes any functions that are assigned to the
-    #   following triggers: *pre sign-up*, *custom message*, and *user
-    #   migration*. When Amazon Cognito invokes any of these functions, it
-    #   passes a JSON payload, which the function receives as input. This
-    #   payload contains a `clientMetadata` attribute, which provides the
-    #   data that you assigned to the ClientMetadata parameter in your
-    #   ForgotPassword request. In your function code in AWS Lambda, you can
-    #   process the `clientMetadata` value to enhance your workflow for your
-    #   specific needs.
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the ForgotPassword API action, Amazon
+    #   Cognito invokes any functions that are assigned to the following
+    #   triggers: *pre sign-up*, *custom message*, and *user migration*.
+    #   When Amazon Cognito invokes any of these functions, it passes a JSON
+    #   payload, which the function receives as input. This payload contains
+    #   a `clientMetadata` attribute, which provides the data that you
+    #   assigned to the ClientMetadata parameter in your ForgotPassword
+    #   request. In your function code in Lambda, you can process the
+    #   `clientMetadata` value to enhance your workflow for your specific
+    #   needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -4968,10 +4998,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -5272,17 +5302,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the
-    #   GetUserAttributeVerificationCode API action, Amazon Cognito invokes
-    #   the function that is assigned to the *custom message* trigger. When
-    #   Amazon Cognito invokes this function, it passes a JSON payload,
-    #   which the function receives as input. This payload contains a
-    #   `clientMetadata` attribute, which provides the data that you
-    #   assigned to the ClientMetadata parameter in your
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the GetUserAttributeVerificationCode API
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *custom message* trigger. When Amazon Cognito invokes this function,
+    #   it passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
     #   GetUserAttributeVerificationCode request. In your function code in
-    #   AWS Lambda, you can process the `clientMetadata` value to enhance
-    #   your workflow for your specific needs.
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -5291,10 +5320,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -5648,8 +5677,6 @@ module Aws::CognitoIdentityProvider
     #     * jwks\_uri *if not available from discovery URL specified by
     #       oidc\_issuer key*
     #
-    #     * authorize\_scopes
-    #
     #   * For SAML providers:
     #
     #     * MetadataFile OR MetadataURL
@@ -5772,10 +5799,10 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   certain custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the InitiateAuth API action, Amazon
-    #   Cognito invokes the AWS Lambda functions that are specified for
-    #   various triggers. The ClientMetadata value is passed as input to the
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the InitiateAuth API action, Amazon
+    #   Cognito invokes the Lambda functions that are specified for various
+    #   triggers. The ClientMetadata value is passed as input to the
     #   functions for only the following triggers:
     #
     #   * Pre signup
@@ -5788,7 +5815,7 @@ module Aws::CognitoIdentityProvider
     #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `validationData` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   InitiateAuth request. In your function code in AWS Lambda, you can
+    #   InitiateAuth request. In your function code in Lambda, you can
     #   process the `validationData` value to enhance your workflow for your
     #   specific needs.
     #
@@ -5815,10 +5842,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -5889,10 +5916,22 @@ module Aws::CognitoIdentityProvider
     #   * `DEVICE_PASSWORD_VERIFIER`\: Similar to `PASSWORD_VERIFIER`, but
     #     for devices only.
     #
-    #   * `NEW_PASSWORD_REQUIRED`\: For users which are required to change
+    #   * `NEW_PASSWORD_REQUIRED`\: For users who are required to change
     #     their passwords after successful first login. This challenge
     #     should be passed with `NEW_PASSWORD` and any other required
     #     attributes.
+    #
+    #   * `MFA_SETUP`\: For users who are required to setup an MFA factor
+    #     before they can sign-in. The MFA types enabled for the user pool
+    #     will be listed in the challenge parameters `MFA_CAN_SETUP` value.
+    #
+    #     To setup software token MFA, use the session returned here from
+    #     `InitiateAuth` as an input to `AssociateSoftwareToken`, and use
+    #     the session returned by `VerifySoftwareToken` as an input to
+    #     `RespondToAuthChallenge` with challenge name `MFA_SETUP` to
+    #     complete sign-in. To setup SMS MFA, users will need help from an
+    #     administrator to add a phone number to their account and then call
+    #     `InitiateAuth` again to restart sign-in.
     #   @return [String]
     #
     # @!attribute [rw] session
@@ -5964,11 +6003,11 @@ module Aws::CognitoIdentityProvider
     end
 
     # This exception is thrown when the Amazon Cognito service encounters an
-    # invalid AWS Lambda response.
+    # invalid Lambda response.
     #
     # @!attribute [rw] message
     #   The message returned when the Amazon Cognito service throws an
-    #   invalid AWS Lambda response exception.
+    #   invalid Lambda response exception.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/InvalidLambdaResponseException AWS API Documentation
@@ -6042,7 +6081,7 @@ module Aws::CognitoIdentityProvider
 
     # This exception is thrown when the trust relationship is invalid for
     # the role provided for SMS configuration. This can happen if you do not
-    # trust **cognito-idp.amazonaws.com** or the external ID provided in the
+    # trust `cognito-idp.amazonaws.com` or the external ID provided in the
     # role does not match what is provided in the SMS configuration for the
     # user pool.
     #
@@ -6073,7 +6112,7 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
-    # Specifies the configuration for AWS Lambda triggers.
+    # Specifies the configuration for Lambda triggers.
     #
     # @note When making an API call, you may pass LambdaConfigType
     #   data as a hash:
@@ -6101,23 +6140,23 @@ module Aws::CognitoIdentityProvider
     #       }
     #
     # @!attribute [rw] pre_sign_up
-    #   A pre-registration AWS Lambda trigger.
+    #   A pre-registration Lambda trigger.
     #   @return [String]
     #
     # @!attribute [rw] custom_message
-    #   A custom Message AWS Lambda trigger.
+    #   A custom Message Lambda trigger.
     #   @return [String]
     #
     # @!attribute [rw] post_confirmation
-    #   A post-confirmation AWS Lambda trigger.
+    #   A post-confirmation Lambda trigger.
     #   @return [String]
     #
     # @!attribute [rw] pre_authentication
-    #   A pre-authentication AWS Lambda trigger.
+    #   A pre-authentication Lambda trigger.
     #   @return [String]
     #
     # @!attribute [rw] post_authentication
-    #   A post-authentication AWS Lambda trigger.
+    #   A post-authentication Lambda trigger.
     #   @return [String]
     #
     # @!attribute [rw] define_auth_challenge
@@ -6141,11 +6180,11 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] custom_sms_sender
-    #   A custom SMS sender AWS Lambda trigger.
+    #   A custom SMS sender Lambda trigger.
     #   @return [Types::CustomSMSLambdaVersionConfigType]
     #
     # @!attribute [rw] custom_email_sender
-    #   A custom email sender AWS Lambda trigger.
+    #   A custom email sender Lambda trigger.
     #   @return [Types::CustomEmailLambdaVersionConfigType]
     #
     # @!attribute [rw] kms_key_id
@@ -6176,7 +6215,7 @@ module Aws::CognitoIdentityProvider
     end
 
     # This exception is thrown when a user exceeds the limit for a requested
-    # AWS resource.
+    # Amazon Web Services resource.
     #
     # @!attribute [rw] message
     #   The message returned when Amazon Cognito throws a limit exceeded
@@ -7260,16 +7299,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the ResendConfirmationCode API
-    #   action, Amazon Cognito invokes the function that is assigned to the
-    #   *custom message* trigger. When Amazon Cognito invokes this function,
-    #   it passes a JSON payload, which the function receives as input. This
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the ResendConfirmationCode API action,
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `clientMetadata` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   ResendConfirmationCode request. In your function code in AWS Lambda,
-    #   you can process the `clientMetadata` value to enhance your workflow
-    #   for your specific needs.
+    #   ResendConfirmationCode request. In your function code in Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -7278,10 +7317,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -7467,6 +7506,10 @@ module Aws::CognitoIdentityProvider
     #
     #   * `DEVICE_PASSWORD_VERIFIER` requires everything that
     #     `PASSWORD_VERIFIER` requires plus `DEVICE_KEY`.
+    #
+    #   * `MFA_SETUP` requires `USERNAME`, plus you need to use the session
+    #     value returned by `VerifySoftwareToken` in the `Session`
+    #     parameter.
     #   @return [Hash<String,String>]
     #
     # @!attribute [rw] analytics_metadata
@@ -7484,18 +7527,18 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the RespondToAuthChallenge API
-    #   action, Amazon Cognito invokes any functions that are assigned to
-    #   the following triggers: *post authentication*, *pre token
-    #   generation*, *define auth challenge*, *create auth challenge*, and
-    #   *verify auth challenge*. When Amazon Cognito invokes any of these
-    #   functions, it passes a JSON payload, which the function receives as
-    #   input. This payload contains a `clientMetadata` attribute, which
-    #   provides the data that you assigned to the ClientMetadata parameter
-    #   in your RespondToAuthChallenge request. In your function code in AWS
-    #   Lambda, you can process the `clientMetadata` value to enhance your
-    #   workflow for your specific needs.
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the RespondToAuthChallenge API action,
+    #   Amazon Cognito invokes any functions that are assigned to the
+    #   following triggers: *post authentication*, *pre token generation*,
+    #   *define auth challenge*, *create auth challenge*, and *verify auth
+    #   challenge*. When Amazon Cognito invokes any of these functions, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the
+    #   data that you assigned to the ClientMetadata parameter in your
+    #   RespondToAuthChallenge request. In your function code in Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -7504,10 +7547,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -7578,6 +7621,42 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass RevokeTokenRequest
+    #   data as a hash:
+    #
+    #       {
+    #         token: "TokenModelType", # required
+    #         client_id: "ClientIdType", # required
+    #         client_secret: "ClientSecretType",
+    #       }
+    #
+    # @!attribute [rw] token
+    #   The token that you want to revoke.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_id
+    #   The client ID for the token that you want to revoke.
+    #   @return [String]
+    #
+    # @!attribute [rw] client_secret
+    #   The secret for the client ID. This is required only if the client ID
+    #   has a secret.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RevokeTokenRequest AWS API Documentation
+    #
+    class RevokeTokenRequest < Struct.new(
+      :token,
+      :client_id,
+      :client_secret)
+      SENSITIVE = [:token, :client_id, :client_secret]
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/RevokeTokenResponse AWS API Documentation
+    #
+    class RevokeTokenResponse < Aws::EmptyStructure; end
+
     # The risk configuration type.
     #
     # @!attribute [rw] user_pool_id
@@ -8017,7 +8096,11 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::SoftwareTokenMfaConfigType]
     #
     # @!attribute [rw] mfa_configuration
-    #   The MFA configuration. Valid values include:
+    #   The MFA configuration. Users who don't have an MFA factor set up
+    #   won't be able to sign-in if you set the MfaConfiguration value to
+    #   ‘ON’. See [Adding Multi-Factor Authentication (MFA) to a User
+    #   Pool](cognito/latest/developerguide/user-pool-settings-mfa.html) to
+    #   learn more. Valid values include:
     #
     #   * `OFF` MFA will not be used for any users.
     #
@@ -8183,17 +8266,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the SignUp API action, Amazon
-    #   Cognito invokes any functions that are assigned to the following
-    #   triggers: *pre sign-up*, *custom message*, and *post confirmation*.
-    #   When Amazon Cognito invokes any of these functions, it passes a JSON
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the SignUp API action, Amazon Cognito
+    #   invokes any functions that are assigned to the following triggers:
+    #   *pre sign-up*, *custom message*, and *post confirmation*. When
+    #   Amazon Cognito invokes any of these functions, it passes a JSON
     #   payload, which the function receives as input. This payload contains
     #   a `clientMetadata` attribute, which provides the data that you
     #   assigned to the ClientMetadata parameter in your SignUp request. In
-    #   your function code in AWS Lambda, you can process the
-    #   `clientMetadata` value to enhance your workflow for your specific
-    #   needs.
+    #   your function code in Lambda, you can process the `clientMetadata`
+    #   value to enhance your workflow for your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -8202,10 +8284,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -8264,9 +8346,9 @@ module Aws::CognitoIdentityProvider
 
     # The SMS configuration type that includes the settings the Cognito User
     # Pool needs to call for the Amazon SNS service to send an SMS message
-    # from your AWS account. The Cognito User Pool makes the request to the
-    # Amazon SNS Service by using an AWS IAM role that you provide for your
-    # AWS account.
+    # from your account. The Cognito User Pool makes the request to the
+    # Amazon SNS Service by using an IAM role that you provide for your
+    # account.
     #
     # @note When making an API call, you may pass SmsConfigurationType
     #   data as a hash:
@@ -8278,7 +8360,7 @@ module Aws::CognitoIdentityProvider
     #
     # @!attribute [rw] sns_caller_arn
     #   The Amazon Resource Name (ARN) of the Amazon Simple Notification
-    #   Service (SNS) caller. This is the ARN of the IAM role in your AWS
+    #   Service (SNS) caller. This is the ARN of the IAM role in your
     #   account which Cognito will use to send SMS messages. SMS messages
     #   are subject to a [spending limit][1].
     #
@@ -8297,6 +8379,14 @@ module Aws::CognitoIdentityProvider
     #   role for SMS MFA, Cognito will create a role with the required
     #   permissions and a trust policy that demonstrates use of the
     #   `ExternalId`.
+    #
+    #   For more information about the `ExternalId` of a role, see [How to
+    #   use an external ID when granting access to your Amazon Web Services
+    #   resources to a third party][1]
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/SmsConfigurationType AWS API Documentation
@@ -8672,12 +8762,26 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # This exception is thrown when the request is not authorized. This can
+    # happen due to an invalid access token in the request.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UnauthorizedException AWS API Documentation
+    #
+    class UnauthorizedException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # This exception is thrown when the Amazon Cognito service encounters an
-    # unexpected exception with the AWS Lambda service.
+    # unexpected exception with the Lambda service.
     #
     # @!attribute [rw] message
     #   The message returned when the Amazon Cognito service returns an
-    #   unexpected AWS Lambda exception.
+    #   unexpected Lambda exception.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UnexpectedLambdaException AWS API Documentation
@@ -8702,6 +8806,34 @@ module Aws::CognitoIdentityProvider
       include Aws::Structure
     end
 
+    # This exception is thrown when you attempt to perform an operation that
+    # is not enabled for the user pool client.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UnsupportedOperationException AWS API Documentation
+    #
+    class UnsupportedOperationException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # This exception is thrown when an unsupported token is passed to an
+    # operation.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UnsupportedTokenTypeException AWS API Documentation
+    #
+    class UnsupportedTokenTypeException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The request failed because the user is in an unsupported state.
     #
     # @!attribute [rw] message
@@ -9040,16 +9172,16 @@ module Aws::CognitoIdentityProvider
     #   A map of custom key-value pairs that you can provide as input for
     #   any custom workflows that this action triggers.
     #
-    #   You create custom workflows by assigning AWS Lambda functions to
-    #   user pool triggers. When you use the UpdateUserAttributes API
-    #   action, Amazon Cognito invokes the function that is assigned to the
-    #   *custom message* trigger. When Amazon Cognito invokes this function,
-    #   it passes a JSON payload, which the function receives as input. This
+    #   You create custom workflows by assigning Lambda functions to user
+    #   pool triggers. When you use the UpdateUserAttributes API action,
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
     #   payload contains a `clientMetadata` attribute, which provides the
     #   data that you assigned to the ClientMetadata parameter in your
-    #   UpdateUserAttributes request. In your function code in AWS Lambda,
-    #   you can process the `clientMetadata` value to enhance your workflow
-    #   for your specific needs.
+    #   UpdateUserAttributes request. In your function code in Lambda, you
+    #   can process the `clientMetadata` value to enhance your workflow for
+    #   your specific needs.
     #
     #   For more information, see [Customizing User Pool Workflows with
     #   Lambda Triggers][1] in the *Amazon Cognito Developer Guide*.
@@ -9058,10 +9190,10 @@ module Aws::CognitoIdentityProvider
     #   ClientMetadata parameter:
     #
     #    * Amazon Cognito does not store the ClientMetadata value. This data
-    #     is available only to AWS Lambda triggers that are assigned to a
-    #     user pool to support custom workflows. If your user pool
-    #     configuration does not include triggers, the ClientMetadata
-    #     parameter serves no purpose.
+    #     is available only to Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
     #
     #   * Amazon Cognito does not validate the ClientMetadata value.
     #
@@ -9136,6 +9268,7 @@ module Aws::CognitoIdentityProvider
     #           user_data_shared: false,
     #         },
     #         prevent_user_existence_errors: "LEGACY", # accepts LEGACY, ENABLED
+    #         enable_token_revocation: false,
     #       }
     #
     # @!attribute [rw] user_pool_id
@@ -9281,8 +9414,8 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] allowed_o_auth_scopes
     #   The allowed OAuth scopes. Possible values provided by OAuth are:
     #   `phone`, `email`, `openid`, and `profile`. Possible values provided
-    #   by AWS are: `aws.cognito.signin.user.admin`. Custom scopes created
-    #   in Resource Servers are also supported.
+    #   by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
+    #   scopes created in Resource Servers are also supported.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -9327,6 +9460,15 @@ module Aws::CognitoIdentityProvider
     #    </note>
     #   @return [String]
     #
+    # @!attribute [rw] enable_token_revocation
+    #   Enables or disables token revocation. For more information about
+    #   revoking tokens, see [RevokeToken][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UpdateUserPoolClientRequest AWS API Documentation
     #
     class UpdateUserPoolClientRequest < Struct.new(
@@ -9348,7 +9490,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_scopes,
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
-      :prevent_user_existence_errors)
+      :prevent_user_existence_errors,
+      :enable_token_revocation)
       SENSITIVE = [:client_id]
       include Aws::Structure
     end
@@ -9528,8 +9671,8 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::UserPoolPolicyType]
     #
     # @!attribute [rw] lambda_config
-    #   The AWS Lambda configuration information from the request to update
-    #   the user pool.
+    #   The Lambda configuration information from the request to update the
+    #   user pool.
     #   @return [Types::LambdaConfigType]
     #
     # @!attribute [rw] auto_verified_attributes
@@ -9564,10 +9707,16 @@ module Aws::CognitoIdentityProvider
     #     user registration.
     #
     #   * `ON` - MFA tokens are required for all user registrations. You can
-    #     only specify required when you are initially creating a user pool.
+    #     only specify ON when you are initially creating a user pool. You
+    #     can use the [SetUserPoolMfaConfig][1] API operation to turn MFA
+    #     "ON" for existing user pools.
     #
     #   * `OPTIONAL` - Users have the option when registering to create an
     #     MFA token.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SetUserPoolMfaConfig.html
     #   @return [String]
     #
     # @!attribute [rw] device_configuration
@@ -9778,11 +9927,11 @@ module Aws::CognitoIdentityProvider
     end
 
     # This exception is thrown when the Amazon Cognito service encounters a
-    # user validation exception with the AWS Lambda service.
+    # user validation exception with the Lambda service.
     #
     # @!attribute [rw] message
     #   The message returned when the Amazon Cognito service returns a user
-    #   validation exception with the AWS Lambda service.
+    #   validation exception with the Lambda service.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserLambdaValidationException AWS API Documentation
@@ -10037,8 +10186,8 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] allowed_o_auth_scopes
     #   The allowed OAuth scopes. Possible values provided by OAuth are:
     #   `phone`, `email`, `openid`, and `profile`. Possible values provided
-    #   by AWS are: `aws.cognito.signin.user.admin`. Custom scopes created
-    #   in Resource Servers are also supported.
+    #   by Amazon Web Services are: `aws.cognito.signin.user.admin`. Custom
+    #   scopes created in Resource Servers are also supported.
     #   @return [Array<String>]
     #
     # @!attribute [rw] allowed_o_auth_flows_user_pool_client
@@ -10082,6 +10231,17 @@ module Aws::CognitoIdentityProvider
     #    </note>
     #   @return [String]
     #
+    # @!attribute [rw] enable_token_revocation
+    #   Indicates whether token revocation is enabled for the user pool
+    #   client. When you create a new user pool client, token revocation is
+    #   enabled by default. For more information about revoking tokens, see
+    #   [RevokeToken][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RevokeToken.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UserPoolClientType AWS API Documentation
     #
     class UserPoolClientType < Struct.new(
@@ -10106,7 +10266,8 @@ module Aws::CognitoIdentityProvider
       :allowed_o_auth_scopes,
       :allowed_o_auth_flows_user_pool_client,
       :analytics_configuration,
-      :prevent_user_existence_errors)
+      :prevent_user_existence_errors,
+      :enable_token_revocation)
       SENSITIVE = [:client_id, :client_secret]
       include Aws::Structure
     end
@@ -10122,7 +10283,7 @@ module Aws::CognitoIdentityProvider
     #   @return [String]
     #
     # @!attribute [rw] lambda_config
-    #   The AWS Lambda configuration information in a user pool description.
+    #   The Lambda configuration information in a user pool description.
     #   @return [Types::LambdaConfigType]
     #
     # @!attribute [rw] status
@@ -10207,7 +10368,7 @@ module Aws::CognitoIdentityProvider
     #   @return [Types::UserPoolPolicyType]
     #
     # @!attribute [rw] lambda_config
-    #   The AWS Lambda triggers associated with the user pool.
+    #   The Lambda triggers associated with the user pool.
     #   @return [Types::LambdaConfigType]
     #
     # @!attribute [rw] status
@@ -10298,6 +10459,24 @@ module Aws::CognitoIdentityProvider
     # @!attribute [rw] sms_configuration_failure
     #   The reason why the SMS configuration cannot send the messages to
     #   your users.
+    #
+    #   This message might include comma-separated values to describe why
+    #   your SMS configuration can't send messages to user pool end users.
+    #
+    #   * InvalidSmsRoleAccessPolicyException - The IAM role which Cognito
+    #     uses to send SMS messages is not properly configured. For more
+    #     information, see [SmsConfigurationType][1].
+    #
+    #   * SNSSandbox - The account is in SNS Sandbox and messages won’t
+    #     reach unverified end users. This parameter won’t get populated
+    #     with SNSSandbox if the IAM user creating the user pool doesn’t
+    #     have SNS permissions. To learn how to move your account out of the
+    #     sandbox, see [Moving out of the SMS sandbox][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_SmsConfigurationType.html
+    #   [2]: https://docs.aws.amazon.com/sns/latest/dg/sns-sms-sandbox-moving-to-production.html
     #   @return [String]
     #
     # @!attribute [rw] email_configuration_failure