aws-sdk-cognitoidentityprovider 1.86.0 → 1.87.0

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -3037,8 +3037,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -3084,12 +3084,15 @@ module Aws::CognitoIdentityProvider
 
     # Changes the password for a specified user in a user pool.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -3127,20 +3130,25 @@ module Aws::CognitoIdentityProvider
     end
 
     # Confirms tracking of the device. This API call is the call that begins
-    # device tracking.
+    # device tracking. For more information about device authentication, see
+    # [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -3191,8 +3199,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -3330,8 +3338,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][3].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][3].
     #
     #  </note>
     #
@@ -3531,7 +3539,8 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Creates an IdP for a user pool.
+    # Adds a configuration and trust relationship between a third-party
+    # identity provider (IdP) and a user pool.
     #
     # <note markdown="1"> Amazon Cognito evaluates Identity and Access Management (IAM) policies
     # in requests for this API operation. For this operation, you must use
@@ -3561,74 +3570,123 @@ module Aws::CognitoIdentityProvider
     #   The IdP type.
     #
     # @option params [required, Hash<String,String>] :provider_details
-    #   The IdP details. The following list describes the provider detail keys
-    #   for each IdP type.
-    #
-    #   * For Google and Login with Amazon:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #   * For Facebook:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * authorize\_scopes
-    #
-    #     * api\_version
-    #
-    #   * For Sign in with Apple:
-    #
-    #     * client\_id
-    #
-    #     * team\_id
-    #
-    #     * key\_id
-    #
-    #     * private\_key
-    #
-    #     * authorize\_scopes
-    #
-    #   * For OpenID Connect (OIDC) providers:
-    #
-    #     * client\_id
-    #
-    #     * client\_secret
-    #
-    #     * attributes\_request\_method
-    #
-    #     * oidc\_issuer
-    #
-    #     * authorize\_scopes
-    #
-    #     * The following keys are only present if Amazon Cognito didn't
-    #       discover them at the `oidc_issuer` URL.
-    #
-    #       * authorize\_url
-    #
-    #       * token\_url
-    #
-    #       * attributes\_url
-    #
-    #       * jwks\_uri
-    #
-    #     * Amazon Cognito sets the value of the following keys automatically.
-    #       They are read-only.
-    #
-    #       * attributes\_url\_add\_attributes
-    #
-    #       ^
-    #
-    #   * For SAML providers:
-    #
-    #     * MetadataFile or MetadataURL
-    #
-    #     * IDPSignout *optional*
+    #   The scopes, URLs, and identifiers for your external identity provider.
+    #   The following examples describe the provider detail keys for each IdP
+    #   type. These values and their schema are subject to change. Social IdP
+    #   `authorize_scopes` values must match the values listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm":
+    #     "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata document
+    #     with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes": "email
+    #     profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email name", "client_id": "com.example.cognito", "private_key":
+    #     "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes": "email
+    #     name", "authorize_url": "https://appleid.apple.com/auth/authorize",
+    #     "client_id": "com.example.cognito", "key_id": "1EXAMPLE",
+    #     "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #
     # @option params [Hash<String,String>] :attribute_mapping
     #   A mapping of IdP attributes to standard and custom user pool
@@ -4525,11 +4583,11 @@ module Aws::CognitoIdentityProvider
     #       create_auth_challenge: "ArnType",
     #       verify_auth_challenge_response: "ArnType",
     #       pre_token_generation: "ArnType",
+    #       user_migration: "ArnType",
     #       pre_token_generation_config: {
     #         lambda_version: "V1_0", # required, accepts V1_0, V2_0
     #         lambda_arn: "ArnType", # required
     #       },
-    #       user_migration: "ArnType",
     #       custom_sms_sender: {
     #         lambda_version: "V1_0", # required, accepts V1_0
     #         lambda_arn: "ArnType", # required
@@ -4640,9 +4698,9 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.lambda_config.create_auth_challenge #=> String
     #   resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pool.lambda_config.pre_token_generation #=> String
+    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_arn #=> String
-    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
     #   resp.user_pool.lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
@@ -4957,7 +5015,9 @@ module Aws::CognitoIdentityProvider
     #   [1]: https://tools.ietf.org/html/rfc6749#section-3.1.2
     #
     # @option params [Array<String>] :allowed_o_auth_flows
-    #   The allowed OAuth flows.
+    #   The OAuth grant types that you want your app client to generate. To
+    #   create an app client that generates client credentials grants, you
+    #   must add `client_credentials` as the only allowed OAuth flow.
     #
     #   code
     #
@@ -5436,12 +5496,15 @@ module Aws::CognitoIdentityProvider
 
     # Allows a user to delete their own user profile.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -5472,12 +5535,15 @@ module Aws::CognitoIdentityProvider
 
     # Deletes the attributes for a user.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -5828,9 +5894,9 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pool.lambda_config.create_auth_challenge #=> String
     #   resp.user_pool.lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pool.lambda_config.pre_token_generation #=> String
+    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
     #   resp.user_pool.lambda_config.pre_token_generation_config.lambda_arn #=> String
-    #   resp.user_pool.lambda_config.user_migration #=> String
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
     #   resp.user_pool.lambda_config.custom_sms_sender.lambda_arn #=> String
     #   resp.user_pool.lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
@@ -6032,20 +6098,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Forgets the specified device.
+    # Forgets the specified device. For more information about device
+    # authentication, see [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -6090,8 +6161,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][3].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][3].
     #
     #  </note>
     #
@@ -6256,20 +6327,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Gets the device.
+    # Gets the device. For more information about device authentication, see
+    # [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :device_key
     #   The device key.
@@ -6502,12 +6578,15 @@ module Aws::CognitoIdentityProvider
 
     # Gets the user attributes and metadata for a user.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -6559,12 +6638,15 @@ module Aws::CognitoIdentityProvider
     # attribute name. Sends a message to a user with a code that they must
     # return in a VerifyUserAttribute request.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -6728,12 +6810,15 @@ module Aws::CognitoIdentityProvider
     #
     # Other requests might be valid until your user's token expires.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -6773,8 +6858,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -7029,20 +7114,25 @@ module Aws::CognitoIdentityProvider
     end
 
     # Lists the sign-in devices that Amazon Cognito has registered to the
-    # current user.
+    # current user. For more information about device authentication, see
+    # [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose list
@@ -7519,9 +7609,9 @@ module Aws::CognitoIdentityProvider
     #   resp.user_pools[0].lambda_config.create_auth_challenge #=> String
     #   resp.user_pools[0].lambda_config.verify_auth_challenge_response #=> String
     #   resp.user_pools[0].lambda_config.pre_token_generation #=> String
+    #   resp.user_pools[0].lambda_config.user_migration #=> String
     #   resp.user_pools[0].lambda_config.pre_token_generation_config.lambda_version #=> String, one of "V1_0", "V2_0"
     #   resp.user_pools[0].lambda_config.pre_token_generation_config.lambda_arn #=> String
-    #   resp.user_pools[0].lambda_config.user_migration #=> String
     #   resp.user_pools[0].lambda_config.custom_sms_sender.lambda_version #=> String, one of "V1_0"
     #   resp.user_pools[0].lambda_config.custom_sms_sender.lambda_arn #=> String
     #   resp.user_pools[0].lambda_config.custom_email_sender.lambda_version #=> String, one of "V1_0"
@@ -7858,8 +7948,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -8003,8 +8093,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -8255,8 +8345,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -8537,12 +8627,15 @@ module Aws::CognitoIdentityProvider
     # based on the assessed risk level of sign-in attempts, deactivate MFA
     # for users and turn on Adaptive Authentication for the user pool.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -8686,12 +8779,15 @@ module Aws::CognitoIdentityProvider
     # (TOTP) software token MFA. To configure either type of MFA, use
     # [SetUserMFAPreference][1] instead.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -8738,8 +8834,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -9087,8 +9183,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -9140,20 +9236,25 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Updates the device status.
+    # Updates the device status. For more information about device
+    # authentication, see [Working with user devices in your user pool][1].
+    #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
     #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
     #
     #
-    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
+    # [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-device-tracking.html
+    # [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pools-API-operations.html
     #
     # @option params [required, String] :access_token
     #   A valid access token that Amazon Cognito issued to the user whose
@@ -9286,8 +9387,123 @@ module Aws::CognitoIdentityProvider
     #   The IdP name.
     #
     # @option params [Hash<String,String>] :provider_details
-    #   The IdP details to be updated, such as `MetadataURL` and
-    #   `MetadataFile`.
+    #   The scopes, URLs, and identifiers for your external identity provider.
+    #   The following examples describe the provider detail keys for each IdP
+    #   type. These values and their schema are subject to change. Social IdP
+    #   `authorize_scopes` values must match the values listed here.
+    #
+    #   OpenID Connect (OIDC)
+    #
+    #   : Amazon Cognito accepts the following elements when it can't
+    #     discover endpoint URLs from `oidc_issuer`: `attributes_url`,
+    #     `authorize_url`, `jwks_uri`, `token_url`.
+    #
+    #     Create or update request: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo", "authorize_scopes": "openid
+    #     profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_request_method": "GET", "attributes_url":
+    #     "https://auth.example.com/userInfo",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "openid profile email", "authorize_url":
+    #     "https://auth.example.com/authorize", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "jwks_uri": "https://auth.example.com/.well-known/jwks.json",
+    #     "oidc_issuer": "https://auth.example.com", "token_url":
+    #     "https://example.com/token" \}`
+    #
+    #   SAML
+    #
+    #   : Create or update request with Metadata URL: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256" \}`
+    #
+    #     Create or update request with Metadata file: `"ProviderDetails": \{
+    #     "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" :
+    #     "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm":
+    #     "rsa-sha256" \}`
+    #
+    #     The value of `MetadataFile` must be the plaintext metadata document
+    #     with all quote (") characters escaped by backslashes.
+    #
+    #     Describe response: `"ProviderDetails": \{ "IDPInit": "true",
+    #     "IDPSignout": "true", "EncryptedResponses" : "true",
+    #     "ActiveEncryptionCertificate": "[certificate]", "MetadataURL":
+    #     "https://auth.example.com/sso/saml/metadata",
+    #     "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI":
+    #     "https://auth.example.com/slo/saml", "SSORedirectBindingURI":
+    #     "https://auth.example.com/sso/saml" \}`
+    #
+    #   LoginWithAmazon
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "profile postal_code", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret"`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://api.amazon.com/user/profile",
+    #     "attributes_url_add_attributes": "false", "authorize_scopes":
+    #     "profile postal_code", "authorize_url":
+    #     "https://www.amazon.com/ap/oa", "client_id":
+    #     "amzn1.application-oa2-client.1example23456789", "client_secret":
+    #     "provider-app-client-secret", "token_request_method": "POST",
+    #     "token_url": "https://api.amazon.com/auth/o2/token" \}`
+    #
+    #   Google
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email profile openid", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "attributes_url":
+    #     "https://people.googleapis.com/v1/people/me?personFields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes": "email
+    #     profile openid", "authorize_url":
+    #     "https://accounts.google.com/o/oauth2/v2/auth", "client_id":
+    #     "1example23456789.apps.googleusercontent.com", "client_secret":
+    #     "provider-app-client-secret", "oidc_issuer":
+    #     "https://accounts.google.com", "token_request_method": "POST",
+    #     "token_url": "https://www.googleapis.com/oauth2/v4/token" \}`
+    #
+    #   SignInWithApple
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "authorize_scopes":
+    #     "email name", "client_id": "com.example.cognito", "private_key":
+    #     "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" \}`
+    #
+    #     Describe response: `"ProviderDetails": \{
+    #     "attributes_url_add_attributes": "false", "authorize_scopes": "email
+    #     name", "authorize_url": "https://appleid.apple.com/auth/authorize",
+    #     "client_id": "com.example.cognito", "key_id": "1EXAMPLE",
+    #     "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE",
+    #     "token_request_method": "POST", "token_url":
+    #     "https://appleid.apple.com/auth/token" \}`
+    #
+    #   Facebook
+    #
+    #   : Create or update request: `"ProviderDetails": \{ "api_version":
+    #     "v17.0", "authorize_scopes": "public_profile, email", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret"
+    #     \}`
+    #
+    #     Describe response: `"ProviderDetails": \{ "api_version": "v17.0",
+    #     "attributes_url": "https://graph.facebook.com/v17.0/me?fields=",
+    #     "attributes_url_add_attributes": "true", "authorize_scopes":
+    #     "public_profile, email", "authorize_url":
+    #     "https://www.facebook.com/v17.0/dialog/oauth", "client_id":
+    #     "1example23456789", "client_secret": "provider-app-client-secret",
+    #     "token_request_method": "GET", "token_url":
+    #     "https://graph.facebook.com/v17.0/oauth/access_token" \}`
     #
     # @option params [Hash<String,String>] :attribute_mapping
     #   The IdP attribute mapping to be changed.
@@ -9414,12 +9630,15 @@ module Aws::CognitoIdentityProvider
     # submit the attribute in your API request with a blank value. Custom
     # attribute values in this request must include the `custom:` prefix.
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -9754,11 +9973,11 @@ module Aws::CognitoIdentityProvider
     #       create_auth_challenge: "ArnType",
     #       verify_auth_challenge_response: "ArnType",
     #       pre_token_generation: "ArnType",
+    #       user_migration: "ArnType",
     #       pre_token_generation_config: {
     #         lambda_version: "V1_0", # required, accepts V1_0, V2_0
     #         lambda_arn: "ArnType", # required
     #       },
-    #       user_migration: "ArnType",
     #       custom_sms_sender: {
     #         lambda_version: "V1_0", # required, accepts V1_0
     #         lambda_arn: "ArnType", # required
@@ -10376,8 +10595,8 @@ module Aws::CognitoIdentityProvider
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][1].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][1].
     #
     #  </note>
     #
@@ -10439,12 +10658,15 @@ module Aws::CognitoIdentityProvider
     # attribute to its pending value. For more information, see [
     # UserAttributeUpdateSettingsType][1].
     #
+    # Authorize this action with a signed-in user's access token. It must
+    # include the scope `aws.cognito.signin.user.admin`.
+    #
     # <note markdown="1"> Amazon Cognito doesn't evaluate Identity and Access Management (IAM)
     # policies in requests for this API operation. For this operation, you
     # can't use IAM credentials to authorize requests, and you can't grant
     # IAM permissions in policies. For more information about authorization
-    # models in Amazon Cognito, see [Using the Amazon Cognito native and
-    # OIDC APIs][2].
+    # models in Amazon Cognito, see [Using the Amazon Cognito user pools API
+    # and user pool endpoints][2].
     #
     #  </note>
     #
@@ -10495,7 +10717,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.86.0'
+      context[:gem_version] = '1.87.0'
       Seahorse::Client::Request.new(handlers, context)
     end