aws-sdk-cognitoidentityprovider 1.25.0 → 1.26.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 74cff465fa0aeebde102b4edccf0c9e54b84bdc1
-  data.tar.gz: 9f1a5015e8555a33bafd0c177b1b6420a5760a20
+  metadata.gz: 0c5906299b829791fe8e49aaef1f0a50b5998908
+  data.tar.gz: 03e21f604cb9116c79d8e6528335e99d0874829f
 SHA512:
-  metadata.gz: 347dff212a43f899c955909873be61f38ca228b4f23b11dc9c7aa33007a7281e578351c2b3f61f656cac58e3ee732b1959fcae3e65f9f3eddccf3707c64cac28
-  data.tar.gz: 2e7c1139221d9aba1fb1f845b2b1a27d0e34f59ba5622c9e46fe830eaadd5d8ce7c915e0c2337319d168fb5ecf4a6e307c88d064989aca94d0fde9a82afa3d75
+  metadata.gz: 21382a5e0bb4cb021a3724c69a0a5b1a6b4c7ccee31de01422a4c7b677f1d21383726a4b4d3c8e189b96f1a0ec0b24d1ba53d1dec180d4173e61f1f3f5a4a0d3
+  data.tar.gz: 4cefe19ca0cf679878d5200260e24033ccd9b7efa16f96556a6402bf3f8d6cbd6d19fa7859aa8688bd1b5312e559313f738a5f5dd7681dde0e4cca3911544653

data/lib/aws-sdk-cognitoidentityprovider.rb

@@ -42,6 +42,6 @@ require_relative 'aws-sdk-cognitoidentityprovider/customizations'
 # @service
 module Aws::CognitoIdentityProvider
 
-  GEM_VERSION = '1.25.0'
+  GEM_VERSION = '1.26.0'
 
 end

data/lib/aws-sdk-cognitoidentityprovider/client.rb

@@ -309,7 +309,7 @@ module Aws::CognitoIdentityProvider
 
     # Adds the specified user to the specified group.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -342,7 +342,7 @@ module Aws::CognitoIdentityProvider
     # Confirms user registration as an admin without using a confirmation
     # code. Works on any user.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for which you want to confirm user registration.
@@ -350,6 +350,43 @@ module Aws::CognitoIdentityProvider
     # @option params [required, String] :username
     #   The user name for which you want to confirm user registration.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   If your user pool configuration includes triggers, the
+    #   AdminConfirmSignUp API action invokes the AWS Lambda function that is
+    #   specified for the *post confirmation* trigger. When Amazon Cognito
+    #   invokes this function, it passes a JSON payload, which the function
+    #   receives as input. In this payload, the `clientMetadata` attribute
+    #   provides the data that you assigned to the ClientMetadata parameter in
+    #   your AdminConfirmSignUp request. In your function code in AWS Lambda,
+    #   you can process the ClientMetadata value to enhance your workflow for
+    #   your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -357,6 +394,9 @@ module Aws::CognitoIdentityProvider
     #   resp = client.admin_confirm_sign_up({
     #     user_pool_id: "UserPoolIdType", # required
     #     username: "UsernameType", # required
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminConfirmSignUp AWS API Documentation
@@ -483,6 +523,43 @@ module Aws::CognitoIdentityProvider
     #   Specify `"SMS"` if the phone number will be used. The default value is
     #   `"SMS"`. More than one value can be specified.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the AdminCreateUser API action, Amazon
+    #   Cognito invokes the function that is assigned to the *pre sign-up*
+    #   trigger. When Amazon Cognito invokes this function, it passes a JSON
+    #   payload, which the function receives as input. This payload contains a
+    #   `clientMetadata` attribute, which provides the data that you assigned
+    #   to the ClientMetadata parameter in your AdminCreateUser request. In
+    #   your function code in AWS Lambda, you can process the `clientMetadata`
+    #   value to enhance your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::AdminCreateUserResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::AdminCreateUserResponse#user #user} => Types::UserType
@@ -508,6 +585,9 @@ module Aws::CognitoIdentityProvider
     #     force_alias_creation: false,
     #     message_action: "RESEND", # accepts RESEND, SUPPRESS
     #     desired_delivery_mediums: ["SMS"], # accepts SMS, EMAIL
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -535,7 +615,7 @@ module Aws::CognitoIdentityProvider
 
     # Deletes a user as an administrator. Works on any user.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to delete the user.
@@ -564,7 +644,7 @@ module Aws::CognitoIdentityProvider
     # Deletes the user attributes in a user pool as an administrator. Works
     # on any user.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to delete user
@@ -663,9 +743,9 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Disables the specified user as an administrator. Works on any user.
+    # Disables the specified user.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to disable the user.
@@ -693,7 +773,7 @@ module Aws::CognitoIdentityProvider
 
     # Enables the specified user as an administrator. Works on any user.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to enable the user.
@@ -721,7 +801,7 @@ module Aws::CognitoIdentityProvider
 
     # Forgets the device, as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -753,7 +833,7 @@ module Aws::CognitoIdentityProvider
 
     # Gets the device, as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :device_key
     #   The device key.
@@ -798,7 +878,7 @@ module Aws::CognitoIdentityProvider
     # Gets the specified user by user name in a user pool as an
     # administrator. Works on any user.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to get information
@@ -854,7 +934,7 @@ module Aws::CognitoIdentityProvider
 
     # Initiates the authentication flow, as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The ID of the Amazon Cognito user pool.
@@ -916,9 +996,67 @@ module Aws::CognitoIdentityProvider
     #     client is configured with client secret), `DEVICE_KEY`
     #
     # @option params [Hash<String,String>] :client_metadata
-    #   This is a random key-value pair map which can contain any key and will
-    #   be passed to your PreAuthentication Lambda trigger as-is. It can be
-    #   used to implement additional validations around authentication.
+    #   A map of custom key-value pairs that you can provide as input for
+    #   certain custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the AdminInitiateAuth API action, Amazon
+    #   Cognito invokes the AWS Lambda functions that are specified for
+    #   various triggers. The ClientMetadata value is passed as input to the
+    #   functions for only the following triggers:
+    #
+    #   * Pre signup
+    #
+    #   * Pre authentication
+    #
+    #   * User migration
+    #
+    #   When Amazon Cognito invokes the functions for these triggers, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `validationData` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your
+    #   AdminInitiateAuth request. In your function code in AWS Lambda, you
+    #   can process the `validationData` value to enhance your workflow for
+    #   your specific needs.
+    #
+    #   When you use the AdminInitiateAuth API action, Amazon Cognito also
+    #   invokes the functions for the following triggers, but it does not
+    #   provide the ClientMetadata value as input:
+    #
+    #   * Post authentication
+    #
+    #   * Custom message
+    #
+    #   * Pre token generation
+    #
+    #   * Create auth challenge
+    #
+    #   * Define auth challenge
+    #
+    #   * Verify auth challenge
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
     #
     # @option params [Types::AnalyticsMetadataType] :analytics_metadata
     #   The analytics metadata for collecting Amazon Pinpoint metrics for
@@ -1085,7 +1223,7 @@ module Aws::CognitoIdentityProvider
 
     # Lists devices, as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -1136,7 +1274,7 @@ module Aws::CognitoIdentityProvider
 
     # Lists the groups that the user belongs to.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :username
     #   The username for the user.
@@ -1249,7 +1387,7 @@ module Aws::CognitoIdentityProvider
 
     # Removes the specified user from the specified group.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -1293,7 +1431,7 @@ module Aws::CognitoIdentityProvider
     # in sending a message to the end user with the code to change their
     # password.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to reset the user's
@@ -1302,6 +1440,44 @@ module Aws::CognitoIdentityProvider
     # @option params [required, String] :username
     #   The user name of the user whose password you wish to reset.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the AdminResetUserPassword API action,
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it passes
+    #   a JSON payload, which the function receives as input. This payload
+    #   contains a `clientMetadata` attribute, which provides the data that
+    #   you assigned to the ClientMetadata parameter in your
+    #   AdminResetUserPassword request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -1309,6 +1485,9 @@ module Aws::CognitoIdentityProvider
     #   resp = client.admin_reset_user_password({
     #     user_pool_id: "UserPoolIdType", # required
     #     username: "UsernameType", # required
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminResetUserPassword AWS API Documentation
@@ -1322,7 +1501,7 @@ module Aws::CognitoIdentityProvider
 
     # Responds to an authentication challenge, as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The ID of the Amazon Cognito user pool.
@@ -1374,6 +1553,47 @@ module Aws::CognitoIdentityProvider
     #   location used for evaluating the risk of an unexpected event by Amazon
     #   Cognito advanced security.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the AdminRespondToAuthChallenge API
+    #   action, Amazon Cognito invokes any functions that are assigned to the
+    #   following triggers: *pre sign-up*, *custom message*, *post
+    #   authentication*, *user migration*, *pre token generation*, *define
+    #   auth challenge*, *create auth challenge*, and *verify auth challenge
+    #   response*. When Amazon Cognito invokes any of these functions, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your
+    #   AdminRespondToAuthChallenge request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::AdminRespondToAuthChallengeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::AdminRespondToAuthChallengeResponse#challenge_name #challenge_name} => String
@@ -1406,6 +1626,9 @@ module Aws::CognitoIdentityProvider
     #       ],
     #       encoded_data: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -1431,7 +1654,12 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Sets the user's multi-factor authentication (MFA) preference.
+    # Sets the user's multi-factor authentication (MFA) preference,
+    # including which MFA options are enabled and if any are preferred. Only
+    # one factor can be set as preferred. The preferred MFA factor will be
+    # used to authenticate a user if multiple factors are enabled. If
+    # multiple options are enabled and no preference is set, a challenge to
+    # choose an MFA option will be returned during sign in.
     #
     # @option params [Types::SMSMfaSettingsType] :sms_mfa_settings
     #   The SMS text message MFA settings.
@@ -1471,13 +1699,32 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
+    # Sets the specified user's password in a user pool as an
+    # administrator. Works on any user.
+    #
+    # The password can be temporary or permanent. If it is temporary, the
+    # user status will be placed into the `FORCE_CHANGE_PASSWORD` state.
+    # When the user next tries to sign in, the
+    # InitiateAuth/AdminInitiateAuth response will contain the
+    # `NEW_PASSWORD_REQUIRED` challenge. If the user does not sign in before
+    # it expires, the user will not be able to sign in and their password
+    # will need to be reset by an administrator.
+    #
+    # Once the user has set a new password, or the password is permanent,
+    # the user status will be set to `Confirmed`.
+    #
     # @option params [required, String] :user_pool_id
+    #   The user pool ID for the user pool where you want to set the user's
+    #   password.
     #
     # @option params [required, String] :username
+    #   The user name of the user whose password you wish to set.
     #
     # @option params [required, String] :password
+    #   The password for the user.
     #
     # @option params [Boolean] :permanent
+    #   `True` if the password is permanent, `False` if it is temporary.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1499,20 +1746,21 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Sets all the user settings for a specified user name. Works on any
-    # user.
-    #
-    # Requires developer credentials.
+    # *This action is no longer supported.* You can use it to configure only
+    # SMS MFA. You can't use it to configure TOTP software token MFA. To
+    # configure either type of MFA, use the AdminSetUserMFAPreference action
+    # instead.
     #
     # @option params [required, String] :user_pool_id
-    #   The user pool ID for the user pool where you want to set the user's
-    #   settings, such as MFA options.
+    #   The ID of the user pool that contains the user that you are setting
+    #   options for.
     #
     # @option params [required, String] :username
-    #   The user name of the user for whom you wish to set user settings.
+    #   The user name of the user that you are setting options for.
     #
     # @option params [required, Array<Types::MFAOptionType>] :mfa_options
-    #   Specifies the options for MFA (e.g., email or phone number).
+    #   You can use this parameter only to set an SMS configuration that uses
+    #   SMS for delivery.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -1577,7 +1825,7 @@ module Aws::CognitoIdentityProvider
 
     # Updates the device status as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -1620,7 +1868,7 @@ module Aws::CognitoIdentityProvider
     # In addition to updating user attributes, this API can also be used to
     # mark phone and email as verified.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool where you want to update user
@@ -1635,6 +1883,44 @@ module Aws::CognitoIdentityProvider
     #   For custom attributes, you must prepend the `custom:` prefix to the
     #   attribute name.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the AdminUpdateUserAttributes API action,
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it passes
+    #   a JSON payload, which the function receives as input. This payload
+    #   contains a `clientMetadata` attribute, which provides the data that
+    #   you assigned to the ClientMetadata parameter in your
+    #   AdminUpdateUserAttributes request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -1648,6 +1934,9 @@ module Aws::CognitoIdentityProvider
     #         value: "AttributeValueType",
     #       },
     #     ],
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/AdminUpdateUserAttributes AWS API Documentation
@@ -1661,7 +1950,7 @@ module Aws::CognitoIdentityProvider
 
     # Signs out users from all devices, as an administrator.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -1831,6 +2120,44 @@ module Aws::CognitoIdentityProvider
     #   location used for evaluating the risk of an unexpected event by Amazon
     #   Cognito advanced security.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the ConfirmForgotPassword API action,
+    #   Amazon Cognito invokes the functions that are assigned to the *post
+    #   confirmation* and *pre mutation* triggers. When Amazon Cognito invokes
+    #   either of these functions, it passes a JSON payload, which the
+    #   function receives as input. This payload contains a `clientMetadata`
+    #   attribute, which provides the data that you assigned to the
+    #   ClientMetadata parameter in your ConfirmForgotPassword request. In
+    #   your function code in AWS Lambda, you can process the `clientMetadata`
+    #   value to enhance your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -1847,6 +2174,9 @@ module Aws::CognitoIdentityProvider
     #     user_context_data: {
     #       encoded_data: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ConfirmForgotPassword AWS API Documentation
@@ -1894,6 +2224,44 @@ module Aws::CognitoIdentityProvider
     #   location used for evaluating the risk of an unexpected event by Amazon
     #   Cognito advanced security.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the ConfirmSignUp API action, Amazon
+    #   Cognito invokes the function that is assigned to the *post
+    #   confirmation* trigger. When Amazon Cognito invokes this function, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your
+    #   ConfirmSignUp request. In your function code in AWS Lambda, you can
+    #   process the `clientMetadata` value to enhance your workflow for your
+    #   specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
     # @example Request syntax with placeholder values
@@ -1910,6 +2278,9 @@ module Aws::CognitoIdentityProvider
     #     user_context_data: {
     #       encoded_data: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/ConfirmSignUp AWS API Documentation
@@ -1923,7 +2294,7 @@ module Aws::CognitoIdentityProvider
 
     # Creates a new group in the specified user pool.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :group_name
     #   The name of the group. Must be unique.
@@ -2519,7 +2890,9 @@ module Aws::CognitoIdentityProvider
     #
     # @option params [Array<String>] :allowed_o_auth_scopes
     #   A list of allowed `OAuth` scopes. Currently supported values are
-    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
+    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
+    #   these values, custom scopes created in Resource Servers are also
+    #   supported.
     #
     # @option params [Boolean] :allowed_o_auth_flows_user_pool_client
     #   Set to `True` if the client is allowed to follow the OAuth protocol
@@ -2651,7 +3024,7 @@ module Aws::CognitoIdentityProvider
 
     # Deletes a group. Currently only groups with no members can be deleted.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :group_name
     #   The name of the group.
@@ -3289,6 +3662,44 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics metadata for collecting metrics for
     #   `ForgotPassword` calls.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the ForgotPassword API action, Amazon
+    #   Cognito invokes any functions that are assigned to the following
+    #   triggers: *pre sign-up*, *custom message*, and *user migration*. When
+    #   Amazon Cognito invokes any of these functions, it passes a JSON
+    #   payload, which the function receives as input. This payload contains a
+    #   `clientMetadata` attribute, which provides the data that you assigned
+    #   to the ClientMetadata parameter in your ForgotPassword request. In
+    #   your function code in AWS Lambda, you can process the `clientMetadata`
+    #   value to enhance your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::ForgotPasswordResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ForgotPasswordResponse#code_delivery_details #code_delivery_details} => Types::CodeDeliveryDetailsType
@@ -3305,6 +3716,9 @@ module Aws::CognitoIdentityProvider
     #     analytics_metadata: {
     #       analytics_endpoint_id: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -3395,7 +3809,7 @@ module Aws::CognitoIdentityProvider
 
     # Gets a group.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :group_name
     #   The name of the group.
@@ -3598,6 +4012,44 @@ module Aws::CognitoIdentityProvider
     #   The attribute name returned by the server response to get the user
     #   attribute verification code.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the GetUserAttributeVerificationCode API
+    #   action, Amazon Cognito invokes the function that is assigned to the
+    #   *custom message* trigger. When Amazon Cognito invokes this function,
+    #   it passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your
+    #   GetUserAttributeVerificationCode request. In your function code in AWS
+    #   Lambda, you can process the `clientMetadata` value to enhance your
+    #   workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::GetUserAttributeVerificationCodeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::GetUserAttributeVerificationCodeResponse#code_delivery_details #code_delivery_details} => Types::CodeDeliveryDetailsType
@@ -3607,6 +4059,9 @@ module Aws::CognitoIdentityProvider
     #   resp = client.get_user_attribute_verification_code({
     #     access_token: "TokenModelType", # required
     #     attribute_name: "AttributeNameType", # required
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -3730,9 +4185,67 @@ module Aws::CognitoIdentityProvider
     #     client is configured with client secret), `DEVICE_KEY`
     #
     # @option params [Hash<String,String>] :client_metadata
-    #   This is a random key-value pair map which can contain any key and will
-    #   be passed to your PreAuthentication Lambda trigger as-is. It can be
-    #   used to implement additional validations around authentication.
+    #   A map of custom key-value pairs that you can provide as input for
+    #   certain custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the InitiateAuth API action, Amazon
+    #   Cognito invokes the AWS Lambda functions that are specified for
+    #   various triggers. The ClientMetadata value is passed as input to the
+    #   functions for only the following triggers:
+    #
+    #   * Pre signup
+    #
+    #   * Pre authentication
+    #
+    #   * User migration
+    #
+    #   When Amazon Cognito invokes the functions for these triggers, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `validationData` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your InitiateAuth
+    #   request. In your function code in AWS Lambda, you can process the
+    #   `validationData` value to enhance your workflow for your specific
+    #   needs.
+    #
+    #   When you use the InitiateAuth API action, Amazon Cognito also invokes
+    #   the functions for the following triggers, but it does not provide the
+    #   ClientMetadata value as input:
+    #
+    #   * Post authentication
+    #
+    #   * Custom message
+    #
+    #   * Pre token generation
+    #
+    #   * Create auth challenge
+    #
+    #   * Define auth challenge
+    #
+    #   * Verify auth challenge
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
     #
     # @option params [required, String] :client_id
     #   The app client ID.
@@ -3842,7 +4355,7 @@ module Aws::CognitoIdentityProvider
 
     # Lists the groups associated with a user pool.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -4231,8 +4744,8 @@ module Aws::CognitoIdentityProvider
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api
-    #   [2]: http://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-using-listusers-api
+    #   [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/how-to-manage-user-accounts.html#cognito-user-pools-searching-for-users-listusers-api-examples
     #
     # @return [Types::ListUsersResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -4276,7 +4789,7 @@ module Aws::CognitoIdentityProvider
 
     # Lists the users in the specified group.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID for the user pool.
@@ -4355,6 +4868,44 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Pinpoint analytics metadata for collecting metrics for
     #   `ResendConfirmationCode` calls.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the ResendConfirmationCode API action,
+    #   Amazon Cognito invokes the function that is assigned to the *custom
+    #   message* trigger. When Amazon Cognito invokes this function, it passes
+    #   a JSON payload, which the function receives as input. This payload
+    #   contains a `clientMetadata` attribute, which provides the data that
+    #   you assigned to the ClientMetadata parameter in your
+    #   ResendConfirmationCode request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::ResendConfirmationCodeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ResendConfirmationCodeResponse#code_delivery_details #code_delivery_details} => Types::CodeDeliveryDetailsType
@@ -4371,6 +4922,9 @@ module Aws::CognitoIdentityProvider
     #     analytics_metadata: {
     #       analytics_endpoint_id: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -4410,16 +4964,27 @@ module Aws::CognitoIdentityProvider
     #   The challenge responses. These are inputs corresponding to the value
     #   of `ChallengeName`, for example:
     #
-    #   * `SMS_MFA`\: `SMS_MFA_CODE`, `USERNAME`, `SECRET_HASH` (if app client
-    #     is configured with client secret).
+    #   <note markdown="1"> `SECRET_HASH` (if app client is configured with client secret) applies
+    #   to all inputs below (including `SOFTWARE_TOKEN_MFA`).
+    #
+    #    </note>
+    #
+    #   * `SMS_MFA`\: `SMS_MFA_CODE`, `USERNAME`.
     #
     #   * `PASSWORD_VERIFIER`\: `PASSWORD_CLAIM_SIGNATURE`,
-    #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`,
-    #     `SECRET_HASH` (if app client is configured with client secret).
+    #     `PASSWORD_CLAIM_SECRET_BLOCK`, `TIMESTAMP`, `USERNAME`.
     #
     #   * `NEW_PASSWORD_REQUIRED`\: `NEW_PASSWORD`, any other required
-    #     attributes, `USERNAME`, `SECRET_HASH` (if app client is configured
-    #     with client secret).
+    #     attributes, `USERNAME`.
+    #
+    #   * `SOFTWARE_TOKEN_MFA`\: `USERNAME` and `SOFTWARE_TOKEN_MFA_CODE` are
+    #     required attributes.
+    #
+    #   * `DEVICE_SRP_AUTH` requires `USERNAME`, `DEVICE_KEY`, `SRP_A` (and
+    #     `SECRET_HASH`).
+    #
+    #   * `DEVICE_PASSWORD_VERIFIER` requires everything that
+    #     `PASSWORD_VERIFIER` requires plus `DEVICE_KEY`.
     #
     # @option params [Types::AnalyticsMetadataType] :analytics_metadata
     #   The Amazon Pinpoint analytics metadata for collecting metrics for
@@ -4430,6 +4995,46 @@ module Aws::CognitoIdentityProvider
     #   location used for evaluating the risk of an unexpected event by Amazon
     #   Cognito advanced security.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the RespondToAuthChallenge API action,
+    #   Amazon Cognito invokes any functions that are assigned to the
+    #   following triggers: *post authentication*, *pre token generation*,
+    #   *define auth challenge*, *create auth challenge*, and *verify auth
+    #   challenge*. When Amazon Cognito invokes any of these functions, it
+    #   passes a JSON payload, which the function receives as input. This
+    #   payload contains a `clientMetadata` attribute, which provides the data
+    #   that you assigned to the ClientMetadata parameter in your
+    #   RespondToAuthChallenge request. In your function code in AWS Lambda,
+    #   you can process the `clientMetadata` value to enhance your workflow
+    #   for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::RespondToAuthChallengeResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::RespondToAuthChallengeResponse#challenge_name #challenge_name} => String
@@ -4452,6 +5057,9 @@ module Aws::CognitoIdentityProvider
     #     user_context_data: {
     #       encoded_data: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -4664,7 +5272,12 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Set the user's multi-factor authentication (MFA) method preference.
+    # Set the user's multi-factor authentication (MFA) method preference,
+    # including which MFA factors are enabled and if any are preferred. Only
+    # one factor can be set as preferred. The preferred MFA factor will be
+    # used to authenticate a user if multiple factors are enabled. If
+    # multiple options are enabled and no preference is set, a challenge to
+    # choose an MFA option will be returned during sign in.
     #
     # @option params [Types::SMSMfaSettingsType] :sms_mfa_settings
     #   The SMS text message multi-factor authentication (MFA) settings.
@@ -4673,7 +5286,7 @@ module Aws::CognitoIdentityProvider
     #   The time-based one-time password software token MFA settings.
     #
     # @option params [required, String] :access_token
-    #   The access token.
+    #   The access token for the user.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -4700,7 +5313,7 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Set the user pool MFA configuration.
+    # Set the user pool multi-factor authentication (MFA) configuration.
     #
     # @option params [required, String] :user_pool_id
     #   The user pool ID.
@@ -4712,7 +5325,14 @@ module Aws::CognitoIdentityProvider
     #   The software token MFA configuration.
     #
     # @option params [String] :mfa_configuration
-    #   The MFA configuration.
+    #   The MFA configuration. Valid values include:
+    #
+    #   * `OFF` MFA will not be used for any users.
+    #
+    #   * `ON` MFA is required for all users to sign in.
+    #
+    #   * `OPTIONAL` MFA will be required only for individual users who have
+    #     an MFA factor enabled.
     #
     # @return [Types::SetUserPoolMfaConfigResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -4754,16 +5374,17 @@ module Aws::CognitoIdentityProvider
       req.send_request(options)
     end
 
-    # Sets the user settings like multi-factor authentication (MFA). If MFA
-    # is to be removed for a particular attribute pass the attribute with
-    # code delivery as null. If null list is passed, all MFA options are
-    # removed.
+    # *This action is no longer supported.* You can use it to configure only
+    # SMS MFA. You can't use it to configure TOTP software token MFA. To
+    # configure either type of MFA, use the SetUserMFAPreference action
+    # instead.
     #
     # @option params [required, String] :access_token
     #   The access token for the set user settings request.
     #
     # @option params [required, Array<Types::MFAOptionType>] :mfa_options
-    #   Specifies the options for MFA (e.g., email or phone number).
+    #   You can use this parameter only to set an SMS configuration that uses
+    #   SMS for delivery.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
     #
@@ -4823,6 +5444,44 @@ module Aws::CognitoIdentityProvider
     #   location used for evaluating the risk of an unexpected event by Amazon
     #   Cognito advanced security.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the SignUp API action, Amazon Cognito
+    #   invokes any functions that are assigned to the following triggers:
+    #   *pre sign-up*, *custom message*, and *post confirmation*. When Amazon
+    #   Cognito invokes any of these functions, it passes a JSON payload,
+    #   which the function receives as input. This payload contains a
+    #   `clientMetadata` attribute, which provides the data that you assigned
+    #   to the ClientMetadata parameter in your SignUp request. In your
+    #   function code in AWS Lambda, you can process the `clientMetadata`
+    #   value to enhance your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::SignUpResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::SignUpResponse#user_confirmed #user_confirmed} => Boolean
@@ -4854,6 +5513,9 @@ module Aws::CognitoIdentityProvider
     #     user_context_data: {
     #       encoded_data: "StringType",
     #     },
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -4986,7 +5648,7 @@ module Aws::CognitoIdentityProvider
     # @option params [required, String] :resource_arn
     #   The Amazon Resource Name (ARN) of the user pool to assign the tags to.
     #
-    # @option params [Hash<String,String>] :tags
+    # @option params [required, Hash<String,String>] :tags
     #   The tags to assign to the user pool.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
@@ -4995,7 +5657,7 @@ module Aws::CognitoIdentityProvider
     #
     #   resp = client.tag_resource({
     #     resource_arn: "ArnType", # required
-    #     tags: {
+    #     tags: { # required
     #       "TagKeysType" => "TagValueType",
     #     },
     #   })
@@ -5016,7 +5678,7 @@ module Aws::CognitoIdentityProvider
     #   The Amazon Resource Name (ARN) of the user pool that the tags are
     #   assigned to.
     #
-    # @option params [Array<String>] :tag_keys
+    # @option params [required, Array<String>] :tag_keys
     #   The keys of the tags to remove from the user pool.
     #
     # @return [Struct] Returns an empty {Seahorse::Client::Response response}.
@@ -5025,7 +5687,7 @@ module Aws::CognitoIdentityProvider
     #
     #   resp = client.untag_resource({
     #     resource_arn: "ArnType", # required
-    #     tag_keys: ["TagKeysType"],
+    #     tag_keys: ["TagKeysType"], # required
     #   })
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/cognito-idp-2016-04-18/UntagResource AWS API Documentation
@@ -5110,7 +5772,7 @@ module Aws::CognitoIdentityProvider
 
     # Updates the specified group with the specified attributes.
     #
-    # Requires developer credentials.
+    # Calling this action requires developer credentials.
     #
     # @option params [required, String] :group_name
     #   The name of the group.
@@ -5283,6 +5945,44 @@ module Aws::CognitoIdentityProvider
     # @option params [required, String] :access_token
     #   The access token for the request to update user attributes.
     #
+    # @option params [Hash<String,String>] :client_metadata
+    #   A map of custom key-value pairs that you can provide as input for any
+    #   custom workflows that this action triggers.
+    #
+    #   You create custom workflows by assigning AWS Lambda functions to user
+    #   pool triggers. When you use the UpdateUserAttributes API action,
+    #   Amazon Cognito invokes the functions that are assigned to the *custom
+    #   message* and *pre mutation* triggers. When Amazon Cognito invokes
+    #   either of these functions, it passes a JSON payload, which the
+    #   function receives as input. This payload contains a `clientMetadata`
+    #   attribute, which provides the data that you assigned to the
+    #   ClientMetadata parameter in your UpdateUserAttributes request. In your
+    #   function code in AWS Lambda, you can process the `clientMetadata`
+    #   value to enhance your workflow for your specific needs.
+    #
+    #   For more information, see [Customizing User Pool Workflows with Lambda
+    #   Triggers][1] in the *Amazon Cognito Developer Guide*.
+    #
+    #   <note markdown="1"> Take the following limitations into consideration when you use the
+    #   ClientMetadata parameter:
+    #
+    #    * Amazon Cognito does not store the ClientMetadata value. This data is
+    #     available only to AWS Lambda triggers that are assigned to a user
+    #     pool to support custom workflows. If your user pool configuration
+    #     does not include triggers, the ClientMetadata parameter serves no
+    #     purpose.
+    #
+    #   * Amazon Cognito does not validate the ClientMetadata value.
+    #
+    #   * Amazon Cognito does not encrypt the the ClientMetadata value, so
+    #     don't use it to provide sensitive information.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
+    #
     # @return [Types::UpdateUserAttributesResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateUserAttributesResponse#code_delivery_details_list #code_delivery_details_list} => Array&lt;Types::CodeDeliveryDetailsType&gt;
@@ -5297,6 +5997,9 @@ module Aws::CognitoIdentityProvider
     #       },
     #     ],
     #     access_token: "TokenModelType", # required
+    #     client_metadata: {
+    #       "StringType" => "StringType",
+    #     },
     #   })
     #
     # @example Response structure
@@ -5548,7 +6251,9 @@ module Aws::CognitoIdentityProvider
     #
     # @option params [Array<String>] :allowed_o_auth_scopes
     #   A list of allowed `OAuth` scopes. Currently supported values are
-    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`.
+    #   `"phone"`, `"email"`, `"openid"`, and `"Cognito"`. In addition to
+    #   these values, custom scopes created in Resource Servers are also
+    #   supported.
     #
     # @option params [Boolean] :allowed_o_auth_flows_user_pool_client
     #   Set to TRUE if the client is allowed to follow the OAuth protocol when
@@ -5795,7 +6500,7 @@ module Aws::CognitoIdentityProvider
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-cognitoidentityprovider'
-      context[:gem_version] = '1.25.0'
+      context[:gem_version] = '1.26.0'
       Seahorse::Client::Request.new(handlers, context)
     end