aws-sdk-verifiedpermissions 1.23.0 → 1.24.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9c5f4c00b98f6913e06959231c209202b8cabcc7fa2d1d4fe58ff98ff3c8ef45
-  data.tar.gz: 1fc4d59e1d9a64b1c449b266c6ae63fbf3bde1ae36d9b697dc1a1a78a34ad7a7
+  metadata.gz: b69f49e6604e5f5f826ecb8bda1e4db678f60d49fceadf6242ccb202404fc234
+  data.tar.gz: 23c5db13414cb84864b76f651a1c9e2401fb2214950fddb543adc537a26cd479
 SHA512:
-  metadata.gz: 6d8e29388fecd0a0d9d08679444c9502c88e8ad57a52883c75fc53d5e963bb08cf492b85c6cb42da205ea2f3c8ad5d25b87230c6c9c53ebcd8c5d6631d07a518
-  data.tar.gz: 726cbf8ce3143b6c608e08e7d161338b1715a9a095b39af7c928e816b46cf93160a7b03105ad2c68a758a1ed43a13195e4747a85dd7a5bdd2165f1e47ccaa420
+  metadata.gz: a7da4f6ab18c7c2688c3f9bd479fd74a6852c3deb39b44452572b73c5e67ce37b8899aff5a674d88c59cb238883a3eb35302717e5c70002ae3ec9b8dffba35e8
+  data.tar.gz: 4ece0fc584cd4ee08d316e31a8ecf6e6c1dc6255676f96dcf8a27539471cd9cc08045026efb29cd3e20586bd096a4338ddd94e4a1c34253e76a5ac1b86320287

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.24.0 (2024-06-07)
+------------------
+
+* Feature - This release adds OpenIdConnect (OIDC) configuration support for IdentitySources, allowing for external IDPs to be used in authorization requests.
+
 1.23.0 (2024-06-05)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.23.0
+1.24.0

data/lib/aws-sdk-verifiedpermissions/client.rb

@@ -689,37 +689,34 @@ module Aws::VerifiedPermissions
       req.send_request(options)
     end
 
-    # Creates a reference to an Amazon Cognito user pool as an external
-    # identity provider (IdP).
+    # Adds an identity source to a policy store–an Amazon Cognito user pool
+    # or OpenID Connect (OIDC) identity provider (IdP).
     #
     # After you create an identity source, you can use the identities
     # provided by the IdP as proxies for the principal in authorization
-    # queries that use the [IsAuthorizedWithToken][1] operation. These
-    # identities take the form of tokens that contain claims about the user,
-    # such as IDs, attributes and group memberships. Amazon Cognito provides
-    # both identity tokens and access tokens, and Verified Permissions can
-    # use either or both. Any combination of identity and access tokens
-    # results in the same Cedar principal. Verified Permissions
-    # automatically translates the information about the identities into the
-    # standard Cedar attributes that can be evaluated by your policies.
-    # Because the Amazon Cognito identity and access tokens can contain
-    # different information, the tokens you choose to use determine which
-    # principal attributes are available to access when evaluating Cedar
-    # policies.
-    #
-    # If you delete a Amazon Cognito user pool or user, tokens from that
-    # deleted pool or that deleted user continue to be usable until they
-    # expire.
+    # queries that use the [IsAuthorizedWithToken][1] or
+    # [BatchIsAuthorizedWithToken][2] API operations. These identities take
+    # the form of tokens that contain claims about the user, such as IDs,
+    # attributes and group memberships. Identity sources provide identity
+    # (ID) tokens and access tokens. Verified Permissions derives
+    # information about your user and session from token claims. Access
+    # tokens provide action `context` to your policies, and ID tokens
+    # provide principal `Attributes`.
+    #
+    # Tokens from an identity source user continue to be usable until they
+    # expire. Token revocation and resource deletion have no effect on the
+    # validity of a token in your policy store
     #
     # <note markdown="1"> To reference a user from this identity source in your Cedar policies,
-    # use the following syntax.
+    # refer to the following syntax examples.
     #
-    #  *IdentityType::"&lt;CognitoUserPoolIdentifier&gt;\|&lt;CognitoClientId&gt;*
+    #  * Amazon Cognito user pool: `Namespace::[Entity type]::[User pool
+    #   ID]|[user principal attribute]`, for example
+    #   `MyCorp::User::us-east-1_EXAMPLE|a1b2c3d4-5678-90ab-cdef-EXAMPLE11111`.
     #
-    #  Where `IdentityType` is the string that you provide to the
-    # `PrincipalEntityType` parameter for this operation. The
-    # `CognitoUserPoolId` and `CognitoClientId` are defined by the Amazon
-    # Cognito user pool.
+    # * OpenID Connect (OIDC) provider: `Namespace::[Entity
+    #   type]::[principalIdClaim]|[user principal attribute]`, for example
+    #   `MyCorp::User::MyOIDCProvider|a1b2c3d4-5678-90ab-cdef-EXAMPLE22222`.
     #
     #  </note>
     #
@@ -734,6 +731,7 @@ module Aws::VerifiedPermissions
     #
     #
     # [1]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_IsAuthorizedWithToken.html
+    # [2]: https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_BatchIsAuthorizedWithToken.html
     #
     # @option params [String] :client_token
     #   Specifies a unique, case-sensitive ID that you provide to ensure the
@@ -771,13 +769,6 @@ module Aws::VerifiedPermissions
     #   Specifies the details required to communicate with the identity
     #   provider (IdP) associated with this identity source.
     #
-    #   <note markdown="1"> At this time, the only valid member of this structure is a Amazon
-    #   Cognito user pool configuration.
-    #
-    #    You must specify a `UserPoolArn`, and optionally, a `ClientId`.
-    #
-    #    </note>
-    #
     # @option params [String] :principal_entity_type
     #   Specifies the namespace and data type of the principals generated for
     #   identities authenticated by the new identity source.
@@ -802,6 +793,24 @@ module Aws::VerifiedPermissions
     #           group_entity_type: "GroupEntityType", # required
     #         },
     #       },
+    #       open_id_connect_configuration: {
+    #         issuer: "Issuer", # required
+    #         entity_id_prefix: "EntityIdPrefix",
+    #         group_configuration: {
+    #           group_claim: "Claim", # required
+    #           group_entity_type: "GroupEntityType", # required
+    #         },
+    #         token_selection: { # required
+    #           access_token_only: {
+    #             principal_id_claim: "Claim",
+    #             audiences: ["Audience"],
+    #           },
+    #           identity_token_only: {
+    #             principal_id_claim: "Claim",
+    #             client_ids: ["ClientId"],
+    #           },
+    #         },
+    #       },
     #     },
     #     principal_entity_type: "PrincipalEntityType",
     #   })
@@ -1298,6 +1307,16 @@ module Aws::VerifiedPermissions
     #   resp.configuration.cognito_user_pool_configuration.client_ids[0] #=> String
     #   resp.configuration.cognito_user_pool_configuration.issuer #=> String
     #   resp.configuration.cognito_user_pool_configuration.group_configuration.group_entity_type #=> String
+    #   resp.configuration.open_id_connect_configuration.issuer #=> String
+    #   resp.configuration.open_id_connect_configuration.entity_id_prefix #=> String
+    #   resp.configuration.open_id_connect_configuration.group_configuration.group_claim #=> String
+    #   resp.configuration.open_id_connect_configuration.group_configuration.group_entity_type #=> String
+    #   resp.configuration.open_id_connect_configuration.token_selection.access_token_only.principal_id_claim #=> String
+    #   resp.configuration.open_id_connect_configuration.token_selection.access_token_only.audiences #=> Array
+    #   resp.configuration.open_id_connect_configuration.token_selection.access_token_only.audiences[0] #=> String
+    #   resp.configuration.open_id_connect_configuration.token_selection.identity_token_only.principal_id_claim #=> String
+    #   resp.configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids #=> Array
+    #   resp.configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids[0] #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/GetIdentitySource AWS API Documentation
     #
@@ -1610,9 +1629,9 @@ module Aws::VerifiedPermissions
     # Verified Permissions validates each token that is specified in a
     # request by checking its expiration date and its signature.
     #
-    # If you delete a Amazon Cognito user pool or user, tokens from that
-    # deleted pool or that deleted user continue to be usable until they
-    # expire.
+    # Tokens from an identity source user continue to be usable until they
+    # expire. Token revocation and resource deletion have no effect on the
+    # validity of a token in your policy store
     #
     #
     #
@@ -1806,6 +1825,16 @@ module Aws::VerifiedPermissions
     #   resp.identity_sources[0].configuration.cognito_user_pool_configuration.client_ids[0] #=> String
     #   resp.identity_sources[0].configuration.cognito_user_pool_configuration.issuer #=> String
     #   resp.identity_sources[0].configuration.cognito_user_pool_configuration.group_configuration.group_entity_type #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.issuer #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.entity_id_prefix #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.group_configuration.group_claim #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.group_configuration.group_entity_type #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.access_token_only.principal_id_claim #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.access_token_only.audiences #=> Array
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.access_token_only.audiences[0] #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.identity_token_only.principal_id_claim #=> String
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids #=> Array
+    #   resp.identity_sources[0].configuration.open_id_connect_configuration.token_selection.identity_token_only.client_ids[0] #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/verifiedpermissions-2021-12-01/ListIdentitySources AWS API Documentation
     #
@@ -2090,7 +2119,7 @@ module Aws::VerifiedPermissions
     end
 
     # Updates the specified identity source to use a new identity provider
-    # (IdP) source, or to change the mapping of identities from the IdP to a
+    # (IdP), or to change the mapping of identities from the IdP to a
     # different principal entity type.
     #
     # <note markdown="1"> Verified Permissions is <i> <a
@@ -2143,6 +2172,24 @@ module Aws::VerifiedPermissions
     #           group_entity_type: "GroupEntityType", # required
     #         },
     #       },
+    #       open_id_connect_configuration: {
+    #         issuer: "Issuer", # required
+    #         entity_id_prefix: "EntityIdPrefix",
+    #         group_configuration: {
+    #           group_claim: "Claim", # required
+    #           group_entity_type: "GroupEntityType", # required
+    #         },
+    #         token_selection: { # required
+    #           access_token_only: {
+    #             principal_id_claim: "Claim",
+    #             audiences: ["Audience"],
+    #           },
+    #           identity_token_only: {
+    #             principal_id_claim: "Claim",
+    #             client_ids: ["ClientId"],
+    #           },
+    #         },
+    #       },
     #     },
     #     principal_entity_type: "PrincipalEntityType",
     #   })
@@ -2441,7 +2488,7 @@ module Aws::VerifiedPermissions
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-verifiedpermissions'
-      context[:gem_version] = '1.23.0'
+      context[:gem_version] = '1.24.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-verifiedpermissions/client_api.rb

@@ -19,6 +19,8 @@ module Aws::VerifiedPermissions
     ActionIdentifierList = Shapes::ListShape.new(name: 'ActionIdentifierList')
     ActionType = Shapes::StringShape.new(name: 'ActionType')
     AttributeValue = Shapes::UnionShape.new(name: 'AttributeValue')
+    Audience = Shapes::StringShape.new(name: 'Audience')
+    Audiences = Shapes::ListShape.new(name: 'Audiences')
     BatchIsAuthorizedInput = Shapes::StructureShape.new(name: 'BatchIsAuthorizedInput')
     BatchIsAuthorizedInputItem = Shapes::StructureShape.new(name: 'BatchIsAuthorizedInputItem')
     BatchIsAuthorizedInputList = Shapes::ListShape.new(name: 'BatchIsAuthorizedInputList')
@@ -33,6 +35,7 @@ module Aws::VerifiedPermissions
     BatchIsAuthorizedWithTokenOutputList = Shapes::ListShape.new(name: 'BatchIsAuthorizedWithTokenOutputList')
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
     BooleanAttribute = Shapes::BooleanShape.new(name: 'BooleanAttribute')
+    Claim = Shapes::StringShape.new(name: 'Claim')
     ClientId = Shapes::StringShape.new(name: 'ClientId')
     ClientIds = Shapes::ListShape.new(name: 'ClientIds')
     CognitoGroupConfiguration = Shapes::StructureShape.new(name: 'CognitoGroupConfiguration')
@@ -70,6 +73,7 @@ module Aws::VerifiedPermissions
     EntitiesDefinition = Shapes::UnionShape.new(name: 'EntitiesDefinition')
     EntityAttributes = Shapes::MapShape.new(name: 'EntityAttributes')
     EntityId = Shapes::StringShape.new(name: 'EntityId')
+    EntityIdPrefix = Shapes::StringShape.new(name: 'EntityIdPrefix')
     EntityIdentifier = Shapes::StructureShape.new(name: 'EntityIdentifier')
     EntityItem = Shapes::StructureShape.new(name: 'EntityItem')
     EntityList = Shapes::ListShape.new(name: 'EntityList')
@@ -116,6 +120,21 @@ module Aws::VerifiedPermissions
     Namespace = Shapes::StringShape.new(name: 'Namespace')
     NamespaceList = Shapes::ListShape.new(name: 'NamespaceList')
     NextToken = Shapes::StringShape.new(name: 'NextToken')
+    OpenIdConnectAccessTokenConfiguration = Shapes::StructureShape.new(name: 'OpenIdConnectAccessTokenConfiguration')
+    OpenIdConnectAccessTokenConfigurationDetail = Shapes::StructureShape.new(name: 'OpenIdConnectAccessTokenConfigurationDetail')
+    OpenIdConnectAccessTokenConfigurationItem = Shapes::StructureShape.new(name: 'OpenIdConnectAccessTokenConfigurationItem')
+    OpenIdConnectConfiguration = Shapes::StructureShape.new(name: 'OpenIdConnectConfiguration')
+    OpenIdConnectConfigurationDetail = Shapes::StructureShape.new(name: 'OpenIdConnectConfigurationDetail')
+    OpenIdConnectConfigurationItem = Shapes::StructureShape.new(name: 'OpenIdConnectConfigurationItem')
+    OpenIdConnectGroupConfiguration = Shapes::StructureShape.new(name: 'OpenIdConnectGroupConfiguration')
+    OpenIdConnectGroupConfigurationDetail = Shapes::StructureShape.new(name: 'OpenIdConnectGroupConfigurationDetail')
+    OpenIdConnectGroupConfigurationItem = Shapes::StructureShape.new(name: 'OpenIdConnectGroupConfigurationItem')
+    OpenIdConnectIdentityTokenConfiguration = Shapes::StructureShape.new(name: 'OpenIdConnectIdentityTokenConfiguration')
+    OpenIdConnectIdentityTokenConfigurationDetail = Shapes::StructureShape.new(name: 'OpenIdConnectIdentityTokenConfigurationDetail')
+    OpenIdConnectIdentityTokenConfigurationItem = Shapes::StructureShape.new(name: 'OpenIdConnectIdentityTokenConfigurationItem')
+    OpenIdConnectTokenSelection = Shapes::UnionShape.new(name: 'OpenIdConnectTokenSelection')
+    OpenIdConnectTokenSelectionDetail = Shapes::UnionShape.new(name: 'OpenIdConnectTokenSelectionDetail')
+    OpenIdConnectTokenSelectionItem = Shapes::UnionShape.new(name: 'OpenIdConnectTokenSelectionItem')
     OpenIdIssuer = Shapes::StringShape.new(name: 'OpenIdIssuer')
     ParentList = Shapes::ListShape.new(name: 'ParentList')
     PolicyDefinition = Shapes::UnionShape.new(name: 'PolicyDefinition')
@@ -166,6 +185,11 @@ module Aws::VerifiedPermissions
     UpdateConfiguration = Shapes::UnionShape.new(name: 'UpdateConfiguration')
     UpdateIdentitySourceInput = Shapes::StructureShape.new(name: 'UpdateIdentitySourceInput')
     UpdateIdentitySourceOutput = Shapes::StructureShape.new(name: 'UpdateIdentitySourceOutput')
+    UpdateOpenIdConnectAccessTokenConfiguration = Shapes::StructureShape.new(name: 'UpdateOpenIdConnectAccessTokenConfiguration')
+    UpdateOpenIdConnectConfiguration = Shapes::StructureShape.new(name: 'UpdateOpenIdConnectConfiguration')
+    UpdateOpenIdConnectGroupConfiguration = Shapes::StructureShape.new(name: 'UpdateOpenIdConnectGroupConfiguration')
+    UpdateOpenIdConnectIdentityTokenConfiguration = Shapes::StructureShape.new(name: 'UpdateOpenIdConnectIdentityTokenConfiguration')
+    UpdateOpenIdConnectTokenSelection = Shapes::UnionShape.new(name: 'UpdateOpenIdConnectTokenSelection')
     UpdatePolicyDefinition = Shapes::UnionShape.new(name: 'UpdatePolicyDefinition')
     UpdatePolicyInput = Shapes::StructureShape.new(name: 'UpdatePolicyInput')
     UpdatePolicyOutput = Shapes::StructureShape.new(name: 'UpdatePolicyOutput')
@@ -206,6 +230,8 @@ module Aws::VerifiedPermissions
     AttributeValue.add_member_subclass(:unknown, Types::AttributeValue::Unknown)
     AttributeValue.struct_class = Types::AttributeValue
 
+    Audiences.member = Shapes::ShapeRef.new(shape: Audience)
+
     BatchIsAuthorizedInput.add_member(:policy_store_id, Shapes::ShapeRef.new(shape: PolicyStoreId, required: true, location_name: "policyStoreId"))
     BatchIsAuthorizedInput.add_member(:entities, Shapes::ShapeRef.new(shape: EntitiesDefinition, location_name: "entities"))
     BatchIsAuthorizedInput.add_member(:requests, Shapes::ShapeRef.new(shape: BatchIsAuthorizedInputList, required: true, location_name: "requests"))
@@ -285,20 +311,26 @@ module Aws::VerifiedPermissions
     CognitoUserPoolConfigurationItem.struct_class = Types::CognitoUserPoolConfigurationItem
 
     Configuration.add_member(:cognito_user_pool_configuration, Shapes::ShapeRef.new(shape: CognitoUserPoolConfiguration, location_name: "cognitoUserPoolConfiguration"))
+    Configuration.add_member(:open_id_connect_configuration, Shapes::ShapeRef.new(shape: OpenIdConnectConfiguration, location_name: "openIdConnectConfiguration"))
     Configuration.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
     Configuration.add_member_subclass(:cognito_user_pool_configuration, Types::Configuration::CognitoUserPoolConfiguration)
+    Configuration.add_member_subclass(:open_id_connect_configuration, Types::Configuration::OpenIdConnectConfiguration)
     Configuration.add_member_subclass(:unknown, Types::Configuration::Unknown)
     Configuration.struct_class = Types::Configuration
 
     ConfigurationDetail.add_member(:cognito_user_pool_configuration, Shapes::ShapeRef.new(shape: CognitoUserPoolConfigurationDetail, location_name: "cognitoUserPoolConfiguration"))
+    ConfigurationDetail.add_member(:open_id_connect_configuration, Shapes::ShapeRef.new(shape: OpenIdConnectConfigurationDetail, location_name: "openIdConnectConfiguration"))
     ConfigurationDetail.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
     ConfigurationDetail.add_member_subclass(:cognito_user_pool_configuration, Types::ConfigurationDetail::CognitoUserPoolConfiguration)
+    ConfigurationDetail.add_member_subclass(:open_id_connect_configuration, Types::ConfigurationDetail::OpenIdConnectConfiguration)
     ConfigurationDetail.add_member_subclass(:unknown, Types::ConfigurationDetail::Unknown)
     ConfigurationDetail.struct_class = Types::ConfigurationDetail
 
     ConfigurationItem.add_member(:cognito_user_pool_configuration, Shapes::ShapeRef.new(shape: CognitoUserPoolConfigurationItem, location_name: "cognitoUserPoolConfiguration"))
+    ConfigurationItem.add_member(:open_id_connect_configuration, Shapes::ShapeRef.new(shape: OpenIdConnectConfigurationItem, location_name: "openIdConnectConfiguration"))
     ConfigurationItem.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
     ConfigurationItem.add_member_subclass(:cognito_user_pool_configuration, Types::ConfigurationItem::CognitoUserPoolConfiguration)
+    ConfigurationItem.add_member_subclass(:open_id_connect_configuration, Types::ConfigurationItem::OpenIdConnectConfiguration)
     ConfigurationItem.add_member_subclass(:unknown, Types::ConfigurationItem::Unknown)
     ConfigurationItem.struct_class = Types::ConfigurationItem
 
@@ -587,6 +619,84 @@ module Aws::VerifiedPermissions
 
     NamespaceList.member = Shapes::ShapeRef.new(shape: Namespace)
 
+    OpenIdConnectAccessTokenConfiguration.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    OpenIdConnectAccessTokenConfiguration.add_member(:audiences, Shapes::ShapeRef.new(shape: Audiences, location_name: "audiences"))
+    OpenIdConnectAccessTokenConfiguration.struct_class = Types::OpenIdConnectAccessTokenConfiguration
+
+    OpenIdConnectAccessTokenConfigurationDetail.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    OpenIdConnectAccessTokenConfigurationDetail.add_member(:audiences, Shapes::ShapeRef.new(shape: Audiences, location_name: "audiences"))
+    OpenIdConnectAccessTokenConfigurationDetail.struct_class = Types::OpenIdConnectAccessTokenConfigurationDetail
+
+    OpenIdConnectAccessTokenConfigurationItem.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    OpenIdConnectAccessTokenConfigurationItem.add_member(:audiences, Shapes::ShapeRef.new(shape: Audiences, location_name: "audiences"))
+    OpenIdConnectAccessTokenConfigurationItem.struct_class = Types::OpenIdConnectAccessTokenConfigurationItem
+
+    OpenIdConnectConfiguration.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, required: true, location_name: "issuer"))
+    OpenIdConnectConfiguration.add_member(:entity_id_prefix, Shapes::ShapeRef.new(shape: EntityIdPrefix, location_name: "entityIdPrefix"))
+    OpenIdConnectConfiguration.add_member(:group_configuration, Shapes::ShapeRef.new(shape: OpenIdConnectGroupConfiguration, location_name: "groupConfiguration"))
+    OpenIdConnectConfiguration.add_member(:token_selection, Shapes::ShapeRef.new(shape: OpenIdConnectTokenSelection, required: true, location_name: "tokenSelection"))
+    OpenIdConnectConfiguration.struct_class = Types::OpenIdConnectConfiguration
+
+    OpenIdConnectConfigurationDetail.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, required: true, location_name: "issuer"))
+    OpenIdConnectConfigurationDetail.add_member(:entity_id_prefix, Shapes::ShapeRef.new(shape: EntityIdPrefix, location_name: "entityIdPrefix"))
+    OpenIdConnectConfigurationDetail.add_member(:group_configuration, Shapes::ShapeRef.new(shape: OpenIdConnectGroupConfigurationDetail, location_name: "groupConfiguration"))
+    OpenIdConnectConfigurationDetail.add_member(:token_selection, Shapes::ShapeRef.new(shape: OpenIdConnectTokenSelectionDetail, required: true, location_name: "tokenSelection"))
+    OpenIdConnectConfigurationDetail.struct_class = Types::OpenIdConnectConfigurationDetail
+
+    OpenIdConnectConfigurationItem.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, required: true, location_name: "issuer"))
+    OpenIdConnectConfigurationItem.add_member(:entity_id_prefix, Shapes::ShapeRef.new(shape: EntityIdPrefix, location_name: "entityIdPrefix"))
+    OpenIdConnectConfigurationItem.add_member(:group_configuration, Shapes::ShapeRef.new(shape: OpenIdConnectGroupConfigurationItem, location_name: "groupConfiguration"))
+    OpenIdConnectConfigurationItem.add_member(:token_selection, Shapes::ShapeRef.new(shape: OpenIdConnectTokenSelectionItem, required: true, location_name: "tokenSelection"))
+    OpenIdConnectConfigurationItem.struct_class = Types::OpenIdConnectConfigurationItem
+
+    OpenIdConnectGroupConfiguration.add_member(:group_claim, Shapes::ShapeRef.new(shape: Claim, required: true, location_name: "groupClaim"))
+    OpenIdConnectGroupConfiguration.add_member(:group_entity_type, Shapes::ShapeRef.new(shape: GroupEntityType, required: true, location_name: "groupEntityType"))
+    OpenIdConnectGroupConfiguration.struct_class = Types::OpenIdConnectGroupConfiguration
+
+    OpenIdConnectGroupConfigurationDetail.add_member(:group_claim, Shapes::ShapeRef.new(shape: Claim, required: true, location_name: "groupClaim"))
+    OpenIdConnectGroupConfigurationDetail.add_member(:group_entity_type, Shapes::ShapeRef.new(shape: GroupEntityType, required: true, location_name: "groupEntityType"))
+    OpenIdConnectGroupConfigurationDetail.struct_class = Types::OpenIdConnectGroupConfigurationDetail
+
+    OpenIdConnectGroupConfigurationItem.add_member(:group_claim, Shapes::ShapeRef.new(shape: Claim, required: true, location_name: "groupClaim"))
+    OpenIdConnectGroupConfigurationItem.add_member(:group_entity_type, Shapes::ShapeRef.new(shape: GroupEntityType, required: true, location_name: "groupEntityType"))
+    OpenIdConnectGroupConfigurationItem.struct_class = Types::OpenIdConnectGroupConfigurationItem
+
+    OpenIdConnectIdentityTokenConfiguration.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    OpenIdConnectIdentityTokenConfiguration.add_member(:client_ids, Shapes::ShapeRef.new(shape: ClientIds, location_name: "clientIds"))
+    OpenIdConnectIdentityTokenConfiguration.struct_class = Types::OpenIdConnectIdentityTokenConfiguration
+
+    OpenIdConnectIdentityTokenConfigurationDetail.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    OpenIdConnectIdentityTokenConfigurationDetail.add_member(:client_ids, Shapes::ShapeRef.new(shape: ClientIds, location_name: "clientIds"))
+    OpenIdConnectIdentityTokenConfigurationDetail.struct_class = Types::OpenIdConnectIdentityTokenConfigurationDetail
+
+    OpenIdConnectIdentityTokenConfigurationItem.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    OpenIdConnectIdentityTokenConfigurationItem.add_member(:client_ids, Shapes::ShapeRef.new(shape: ClientIds, location_name: "clientIds"))
+    OpenIdConnectIdentityTokenConfigurationItem.struct_class = Types::OpenIdConnectIdentityTokenConfigurationItem
+
+    OpenIdConnectTokenSelection.add_member(:access_token_only, Shapes::ShapeRef.new(shape: OpenIdConnectAccessTokenConfiguration, location_name: "accessTokenOnly"))
+    OpenIdConnectTokenSelection.add_member(:identity_token_only, Shapes::ShapeRef.new(shape: OpenIdConnectIdentityTokenConfiguration, location_name: "identityTokenOnly"))
+    OpenIdConnectTokenSelection.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
+    OpenIdConnectTokenSelection.add_member_subclass(:access_token_only, Types::OpenIdConnectTokenSelection::AccessTokenOnly)
+    OpenIdConnectTokenSelection.add_member_subclass(:identity_token_only, Types::OpenIdConnectTokenSelection::IdentityTokenOnly)
+    OpenIdConnectTokenSelection.add_member_subclass(:unknown, Types::OpenIdConnectTokenSelection::Unknown)
+    OpenIdConnectTokenSelection.struct_class = Types::OpenIdConnectTokenSelection
+
+    OpenIdConnectTokenSelectionDetail.add_member(:access_token_only, Shapes::ShapeRef.new(shape: OpenIdConnectAccessTokenConfigurationDetail, location_name: "accessTokenOnly"))
+    OpenIdConnectTokenSelectionDetail.add_member(:identity_token_only, Shapes::ShapeRef.new(shape: OpenIdConnectIdentityTokenConfigurationDetail, location_name: "identityTokenOnly"))
+    OpenIdConnectTokenSelectionDetail.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
+    OpenIdConnectTokenSelectionDetail.add_member_subclass(:access_token_only, Types::OpenIdConnectTokenSelectionDetail::AccessTokenOnly)
+    OpenIdConnectTokenSelectionDetail.add_member_subclass(:identity_token_only, Types::OpenIdConnectTokenSelectionDetail::IdentityTokenOnly)
+    OpenIdConnectTokenSelectionDetail.add_member_subclass(:unknown, Types::OpenIdConnectTokenSelectionDetail::Unknown)
+    OpenIdConnectTokenSelectionDetail.struct_class = Types::OpenIdConnectTokenSelectionDetail
+
+    OpenIdConnectTokenSelectionItem.add_member(:access_token_only, Shapes::ShapeRef.new(shape: OpenIdConnectAccessTokenConfigurationItem, location_name: "accessTokenOnly"))
+    OpenIdConnectTokenSelectionItem.add_member(:identity_token_only, Shapes::ShapeRef.new(shape: OpenIdConnectIdentityTokenConfigurationItem, location_name: "identityTokenOnly"))
+    OpenIdConnectTokenSelectionItem.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
+    OpenIdConnectTokenSelectionItem.add_member_subclass(:access_token_only, Types::OpenIdConnectTokenSelectionItem::AccessTokenOnly)
+    OpenIdConnectTokenSelectionItem.add_member_subclass(:identity_token_only, Types::OpenIdConnectTokenSelectionItem::IdentityTokenOnly)
+    OpenIdConnectTokenSelectionItem.add_member_subclass(:unknown, Types::OpenIdConnectTokenSelectionItem::Unknown)
+    OpenIdConnectTokenSelectionItem.struct_class = Types::OpenIdConnectTokenSelectionItem
+
     ParentList.member = Shapes::ShapeRef.new(shape: EntityIdentifier)
 
     PolicyDefinition.add_member(:static, Shapes::ShapeRef.new(shape: StaticPolicyDefinition, location_name: "static"))
@@ -730,8 +840,10 @@ module Aws::VerifiedPermissions
     UpdateCognitoUserPoolConfiguration.struct_class = Types::UpdateCognitoUserPoolConfiguration
 
     UpdateConfiguration.add_member(:cognito_user_pool_configuration, Shapes::ShapeRef.new(shape: UpdateCognitoUserPoolConfiguration, location_name: "cognitoUserPoolConfiguration"))
+    UpdateConfiguration.add_member(:open_id_connect_configuration, Shapes::ShapeRef.new(shape: UpdateOpenIdConnectConfiguration, location_name: "openIdConnectConfiguration"))
     UpdateConfiguration.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
     UpdateConfiguration.add_member_subclass(:cognito_user_pool_configuration, Types::UpdateConfiguration::CognitoUserPoolConfiguration)
+    UpdateConfiguration.add_member_subclass(:open_id_connect_configuration, Types::UpdateConfiguration::OpenIdConnectConfiguration)
     UpdateConfiguration.add_member_subclass(:unknown, Types::UpdateConfiguration::Unknown)
     UpdateConfiguration.struct_class = Types::UpdateConfiguration
 
@@ -747,6 +859,32 @@ module Aws::VerifiedPermissions
     UpdateIdentitySourceOutput.add_member(:policy_store_id, Shapes::ShapeRef.new(shape: PolicyStoreId, required: true, location_name: "policyStoreId"))
     UpdateIdentitySourceOutput.struct_class = Types::UpdateIdentitySourceOutput
 
+    UpdateOpenIdConnectAccessTokenConfiguration.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    UpdateOpenIdConnectAccessTokenConfiguration.add_member(:audiences, Shapes::ShapeRef.new(shape: Audiences, location_name: "audiences"))
+    UpdateOpenIdConnectAccessTokenConfiguration.struct_class = Types::UpdateOpenIdConnectAccessTokenConfiguration
+
+    UpdateOpenIdConnectConfiguration.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, required: true, location_name: "issuer"))
+    UpdateOpenIdConnectConfiguration.add_member(:entity_id_prefix, Shapes::ShapeRef.new(shape: EntityIdPrefix, location_name: "entityIdPrefix"))
+    UpdateOpenIdConnectConfiguration.add_member(:group_configuration, Shapes::ShapeRef.new(shape: UpdateOpenIdConnectGroupConfiguration, location_name: "groupConfiguration"))
+    UpdateOpenIdConnectConfiguration.add_member(:token_selection, Shapes::ShapeRef.new(shape: UpdateOpenIdConnectTokenSelection, required: true, location_name: "tokenSelection"))
+    UpdateOpenIdConnectConfiguration.struct_class = Types::UpdateOpenIdConnectConfiguration
+
+    UpdateOpenIdConnectGroupConfiguration.add_member(:group_claim, Shapes::ShapeRef.new(shape: Claim, required: true, location_name: "groupClaim"))
+    UpdateOpenIdConnectGroupConfiguration.add_member(:group_entity_type, Shapes::ShapeRef.new(shape: GroupEntityType, required: true, location_name: "groupEntityType"))
+    UpdateOpenIdConnectGroupConfiguration.struct_class = Types::UpdateOpenIdConnectGroupConfiguration
+
+    UpdateOpenIdConnectIdentityTokenConfiguration.add_member(:principal_id_claim, Shapes::ShapeRef.new(shape: Claim, location_name: "principalIdClaim"))
+    UpdateOpenIdConnectIdentityTokenConfiguration.add_member(:client_ids, Shapes::ShapeRef.new(shape: ClientIds, location_name: "clientIds"))
+    UpdateOpenIdConnectIdentityTokenConfiguration.struct_class = Types::UpdateOpenIdConnectIdentityTokenConfiguration
+
+    UpdateOpenIdConnectTokenSelection.add_member(:access_token_only, Shapes::ShapeRef.new(shape: UpdateOpenIdConnectAccessTokenConfiguration, location_name: "accessTokenOnly"))
+    UpdateOpenIdConnectTokenSelection.add_member(:identity_token_only, Shapes::ShapeRef.new(shape: UpdateOpenIdConnectIdentityTokenConfiguration, location_name: "identityTokenOnly"))
+    UpdateOpenIdConnectTokenSelection.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
+    UpdateOpenIdConnectTokenSelection.add_member_subclass(:access_token_only, Types::UpdateOpenIdConnectTokenSelection::AccessTokenOnly)
+    UpdateOpenIdConnectTokenSelection.add_member_subclass(:identity_token_only, Types::UpdateOpenIdConnectTokenSelection::IdentityTokenOnly)
+    UpdateOpenIdConnectTokenSelection.add_member_subclass(:unknown, Types::UpdateOpenIdConnectTokenSelection::Unknown)
+    UpdateOpenIdConnectTokenSelection.struct_class = Types::UpdateOpenIdConnectTokenSelection
+
     UpdatePolicyDefinition.add_member(:static, Shapes::ShapeRef.new(shape: UpdateStaticPolicyDefinition, location_name: "static"))
     UpdatePolicyDefinition.add_member(:unknown, Shapes::ShapeRef.new(shape: nil, location_name: 'unknown'))
     UpdatePolicyDefinition.add_member_subclass(:static, Types::UpdatePolicyDefinition::Static)