aws-cdk-lib 2.125.0__py3-none-any.whl → 2.127.0__py3-none-any.whl

aws_cdk/aws_cognito/__init__.py

@@ -492,6 +492,16 @@ userpool.add_trigger(cognito.UserPoolOperation.USER_MIGRATION, lambda_.Function(
 ))
 ```
 
+Additionally, only the pre token generation Lambda trigger supports trigger events with lambda version V2.0:
+
+```python
+# userpool: cognito.UserPool
+# pre_token_generation_fn: lambda.Function
+
+
+userpool.add_trigger(cognito.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, pre_token_generation_fn, cognito.LambdaVersion.V2_0)
+```
+
 The following table lists the set of triggers available, and their corresponding method to add it to the user pool.
 For more information on the function of these triggers and how to configure them, read [User Pool Workflows with
 Triggers](https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html).
@@ -1678,8 +1688,7 @@ class CfnIdentityPool(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''An identity pool ID in the format REGION:GUID.
-
+        '''
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -2934,10 +2943,10 @@ class CfnIdentityPoolRoleAttachment(
             identity_provider: typing.Optional[builtins.str] = None,
             rules_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentityPoolRoleAttachment.RulesConfigurationTypeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''``RoleMapping`` is a property of the `AWS::Cognito::IdentityPoolRoleAttachment <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html>`_ resource that defines the role-mapping attributes of an Amazon Cognito identity pool.
+            '''One of a set of ``RoleMappings`` , a property of the `AWS::Cognito::IdentityPoolRoleAttachment <https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-identitypoolroleattachment.html>`_ resource that defines the role-mapping attributes of an Amazon Cognito identity pool.
 
-            :param type: The role-mapping type. ``Token`` uses ``cognito:roles`` and ``cognito:preferred_role`` claims from the Amazon Cognito identity provider token to map groups to roles. ``Rules`` attempts to match claims from the token to map to a role. Valid values are ``Token`` or ``Rules`` .
-            :param ambiguous_role_resolution: Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no ``cognito:preferred_role`` claim and there are multiple ``cognito:roles`` matches for the Token type. If you specify Token or Rules as the Type, AmbiguousRoleResolution is required. Valid values are ``AuthenticatedRole`` or ``Deny`` .
+            :param type: The role mapping type. Token will use ``cognito:roles`` and ``cognito:preferred_role`` claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.
+            :param ambiguous_role_resolution: If you specify Token or Rules as the ``Type`` , ``AmbiguousRoleResolution`` is required. Specifies the action to be taken if either no rules match the claim value for the ``Rules`` type, or there is no ``cognito:preferred_role`` claim and there are multiple ``cognito:roles`` matches for the ``Token`` type.
             :param identity_provider: Identifier for the identity provider for which the role is mapped. For example: ``graph.facebook.com`` or ``cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id (http://cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id)`` . This is the identity provider that is used by the user for authentication. If the identity provider property isn't provided, the key of the entry in the ``RoleMappings`` map is used as the identity provider.
             :param rules_configuration: The rules to be used for mapping users to roles. If you specify "Rules" as the role-mapping type, RulesConfiguration is required.
 
@@ -2984,11 +2993,9 @@ class CfnIdentityPoolRoleAttachment(
 
         @builtins.property
         def type(self) -> builtins.str:
-            '''The role-mapping type.
-
-            ``Token`` uses ``cognito:roles`` and ``cognito:preferred_role`` claims from the Amazon Cognito identity provider token to map groups to roles. ``Rules`` attempts to match claims from the token to map to a role.
+            '''The role mapping type.
 
-            Valid values are ``Token`` or ``Rules`` .
+            Token will use ``cognito:roles`` and ``cognito:preferred_role`` claims from the Cognito identity provider token to map groups to roles. Rules will attempt to match claims from the token to map to a role.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-type
             '''
@@ -2998,11 +3005,9 @@ class CfnIdentityPoolRoleAttachment(
 
         @builtins.property
         def ambiguous_role_resolution(self) -> typing.Optional[builtins.str]:
-            '''Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no ``cognito:preferred_role`` claim and there are multiple ``cognito:roles`` matches for the Token type.
+            '''If you specify Token or Rules as the ``Type`` , ``AmbiguousRoleResolution`` is required.
 
-            If you specify Token or Rules as the Type, AmbiguousRoleResolution is required.
-
-            Valid values are ``AuthenticatedRole`` or ``Deny`` .
+            Specifies the action to be taken if either no rules match the claim value for the ``Rules`` type, or there is no ``cognito:preferred_role`` claim and there are multiple ``cognito:roles`` matches for the ``Token`` type.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypoolroleattachment-rolemapping.html#cfn-cognito-identitypoolroleattachment-rolemapping-ambiguousroleresolution
             '''
@@ -4999,7 +5004,7 @@ class CfnUserPool(
             :param pre_authentication: A pre-authentication AWS Lambda trigger.
             :param pre_sign_up: A pre-registration AWS Lambda trigger.
             :param pre_token_generation: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. Set this parameter for legacy purposes. If you also set an ARN in ``PreTokenGenerationConfig`` , its value must be identical to ``PreTokenGeneration`` . For new instances of pre token generation triggers, set the ``LambdaArn`` of ``PreTokenGenerationConfig`` . You can set ``
-            :param pre_token_generation_config: 
+            :param pre_token_generation_config: The detailed configuration of a pre token generation trigger. If you also set an ARN in ``PreTokenGeneration`` , its value must be identical to ``PreTokenGenerationConfig`` .
             :param user_migration: The user migration Lambda config type.
             :param verify_auth_challenge_response: Verifies the authentication challenge response.
 
@@ -5197,7 +5202,10 @@ class CfnUserPool(
         def pre_token_generation_config(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnUserPool.PreTokenGenerationConfigProperty"]]:
-            '''
+            '''The detailed configuration of a pre token generation trigger.
+
+            If you also set an ARN in ``PreTokenGeneration`` , its value must be identical to ``PreTokenGenerationConfig`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-lambdaconfig.html#cfn-cognito-userpool-lambdaconfig-pretokengenerationconfig
             '''
             result = self._values.get("pre_token_generation_config")
@@ -5530,9 +5538,10 @@ class CfnUserPool(
             lambda_arn: typing.Optional[builtins.str] = None,
             lambda_version: typing.Optional[builtins.str] = None,
         ) -> None:
-            '''
-            :param lambda_arn: 
-            :param lambda_version: 
+            '''The properties of a pre token generation Lambda trigger.
+
+            :param lambda_arn: The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger. This parameter and the ``PreTokenGeneration`` property of ``LambdaConfig`` have the same value. For new instances of pre token generation triggers, set ``LambdaArn`` .
+            :param lambda_version: The user pool trigger version of the request that Amazon Cognito sends to your Lambda function. Higher-numbered versions add fields that support new features.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-pretokengenerationconfig.html
             :exampleMetadata: fixture=_generated
@@ -5560,7 +5569,10 @@ class CfnUserPool(
 
         @builtins.property
         def lambda_arn(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The Amazon Resource Name (ARN) of the function that you want to assign to your Lambda trigger.
+
+            This parameter and the ``PreTokenGeneration`` property of ``LambdaConfig`` have the same value. For new instances of pre token generation triggers, set ``LambdaArn`` .
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-pretokengenerationconfig.html#cfn-cognito-userpool-pretokengenerationconfig-lambdaarn
             '''
             result = self._values.get("lambda_arn")
@@ -5568,7 +5580,10 @@ class CfnUserPool(
 
         @builtins.property
         def lambda_version(self) -> typing.Optional[builtins.str]:
-            '''
+            '''The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
+
+            Higher-numbered versions add fields that support new features.
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-pretokengenerationconfig.html#cfn-cognito-userpool-pretokengenerationconfig-lambdaversion
             '''
             result = self._values.get("lambda_version")
@@ -6545,7 +6560,8 @@ class CfnUserPoolClient(
     @builtins.property
     @jsii.member(jsii_name="attrClientId")
     def attr_client_id(self) -> builtins.str:
-        '''
+        '''The ID of the app client, for example ``1example23456789`` .
+
         :cloudformationAttribute: ClientId
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrClientId"))
@@ -7764,7 +7780,8 @@ class CfnUserPoolDomain(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The resource ID.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -8298,14 +8315,14 @@ class CfnUserPoolIdentityProvider(
         # provider_details: Any
         
         cfn_user_pool_identity_provider = cognito.CfnUserPoolIdentityProvider(self, "MyCfnUserPoolIdentityProvider",
-            provider_details=provider_details,
             provider_name="providerName",
             provider_type="providerType",
             user_pool_id="userPoolId",
         
             # the properties below are optional
             attribute_mapping=attribute_mapping,
-            idp_identifiers=["idpIdentifiers"]
+            idp_identifiers=["idpIdentifiers"],
+            provider_details=provider_details
         )
     '''
 
@@ -8314,34 +8331,34 @@ class CfnUserPoolIdentityProvider(
         scope: _constructs_77d1e7e8.Construct,
         id: builtins.str,
         *,
-        provider_details: typing.Any,
         provider_name: builtins.str,
         provider_type: builtins.str,
         user_pool_id: builtins.str,
         attribute_mapping: typing.Any = None,
         idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        provider_details: typing.Any = None,
     ) -> None:
         '''
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
-        :param provider_details: The IdP details. The following list describes the provider detail keys for each IdP type. - For Google and Login with Amazon: - client_id - client_secret - authorize_scopes - For Facebook: - client_id - client_secret - authorize_scopes - api_version - For Sign in with Apple: - client_id - team_id - key_id - private_key - authorize_scopes - For OpenID Connect (OIDC) providers: - client_id - client_secret - attributes_request_method - oidc_issuer - authorize_scopes - The following keys are only present if Amazon Cognito didn't discover them at the ``oidc_issuer`` URL. - authorize_url - token_url - attributes_url - jwks_uri - Amazon Cognito sets the value of the following keys automatically. They are read-only. - attributes_url_add_attributes - For SAML providers: - MetadataFile or MetadataURL - IDPSignout *optional*
         :param provider_name: The IdP name.
         :param provider_type: The IdP type.
         :param user_pool_id: The user pool ID.
         :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
         :param idp_identifiers: A list of IdP identifiers.
+        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__759e90505ceb64aa7002be11d4da4a87090102263927799f662a83f606483634)
             check_type(argname="argument scope", value=scope, expected_type=type_hints["scope"])
             check_type(argname="argument id", value=id, expected_type=type_hints["id"])
         props = CfnUserPoolIdentityProviderProps(
-            provider_details=provider_details,
             provider_name=provider_name,
             provider_type=provider_type,
             user_pool_id=user_pool_id,
             attribute_mapping=attribute_mapping,
             idp_identifiers=idp_identifiers,
+            provider_details=provider_details,
         )
 
         jsii.create(self.__class__, self, [scope, id, props])
@@ -8379,7 +8396,8 @@ class CfnUserPoolIdentityProvider(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The resource ID.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -8389,22 +8407,6 @@ class CfnUserPoolIdentityProvider(
     def _cfn_properties(self) -> typing.Mapping[builtins.str, typing.Any]:
         return typing.cast(typing.Mapping[builtins.str, typing.Any], jsii.get(self, "cfnProperties"))
 
-    @builtins.property
-    @jsii.member(jsii_name="providerDetails")
-    def provider_details(self) -> typing.Any:
-        '''The IdP details.
-
-        The following list describes the provider detail keys for each IdP type.
-        '''
-        return typing.cast(typing.Any, jsii.get(self, "providerDetails"))
-
-    @provider_details.setter
-    def provider_details(self, value: typing.Any) -> None:
-        if __debug__:
-            type_hints = typing.get_type_hints(_typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299)
-            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
-        jsii.set(self, "providerDetails", value)
-
     @builtins.property
     @jsii.member(jsii_name="providerName")
     def provider_name(self) -> builtins.str:
@@ -8473,38 +8475,51 @@ class CfnUserPoolIdentityProvider(
             check_type(argname="argument value", value=value, expected_type=type_hints["value"])
         jsii.set(self, "idpIdentifiers", value)
 
+    @builtins.property
+    @jsii.member(jsii_name="providerDetails")
+    def provider_details(self) -> typing.Any:
+        '''The scopes, URLs, and identifiers for your external identity provider.'''
+        return typing.cast(typing.Any, jsii.get(self, "providerDetails"))
+
+    @provider_details.setter
+    def provider_details(self, value: typing.Any) -> None:
+        if __debug__:
+            type_hints = typing.get_type_hints(_typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299)
+            check_type(argname="argument value", value=value, expected_type=type_hints["value"])
+        jsii.set(self, "providerDetails", value)
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_cognito.CfnUserPoolIdentityProviderProps",
     jsii_struct_bases=[],
     name_mapping={
-        "provider_details": "providerDetails",
         "provider_name": "providerName",
         "provider_type": "providerType",
         "user_pool_id": "userPoolId",
         "attribute_mapping": "attributeMapping",
         "idp_identifiers": "idpIdentifiers",
+        "provider_details": "providerDetails",
     },
 )
 class CfnUserPoolIdentityProviderProps:
     def __init__(
         self,
         *,
-        provider_details: typing.Any,
         provider_name: builtins.str,
         provider_type: builtins.str,
         user_pool_id: builtins.str,
         attribute_mapping: typing.Any = None,
         idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+        provider_details: typing.Any = None,
     ) -> None:
         '''Properties for defining a ``CfnUserPoolIdentityProvider``.
 
-        :param provider_details: The IdP details. The following list describes the provider detail keys for each IdP type. - For Google and Login with Amazon: - client_id - client_secret - authorize_scopes - For Facebook: - client_id - client_secret - authorize_scopes - api_version - For Sign in with Apple: - client_id - team_id - key_id - private_key - authorize_scopes - For OpenID Connect (OIDC) providers: - client_id - client_secret - attributes_request_method - oidc_issuer - authorize_scopes - The following keys are only present if Amazon Cognito didn't discover them at the ``oidc_issuer`` URL. - authorize_url - token_url - attributes_url - jwks_uri - Amazon Cognito sets the value of the following keys automatically. They are read-only. - attributes_url_add_attributes - For SAML providers: - MetadataFile or MetadataURL - IDPSignout *optional*
         :param provider_name: The IdP name.
         :param provider_type: The IdP type.
         :param user_pool_id: The user pool ID.
         :param attribute_mapping: A mapping of IdP attributes to standard and custom user pool attributes.
         :param idp_identifiers: A list of IdP identifiers.
+        :param provider_details: The scopes, URLs, and identifiers for your external identity provider. The following examples describe the provider detail keys for each IdP type. These values and their schema are subject to change. Social IdP ``authorize_scopes`` values must match the values listed here. - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` . Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }`` - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }`` Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }`` The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes. Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }`` - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"`` Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }`` - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }`` - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }`` Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }`` - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }`` Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html
         :exampleMetadata: fixture=_generated
@@ -8519,26 +8534,25 @@ class CfnUserPoolIdentityProviderProps:
             # provider_details: Any
             
             cfn_user_pool_identity_provider_props = cognito.CfnUserPoolIdentityProviderProps(
-                provider_details=provider_details,
                 provider_name="providerName",
                 provider_type="providerType",
                 user_pool_id="userPoolId",
             
                 # the properties below are optional
                 attribute_mapping=attribute_mapping,
-                idp_identifiers=["idpIdentifiers"]
+                idp_identifiers=["idpIdentifiers"],
+                provider_details=provider_details
             )
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__41106943fcdd509be0174e1e1c8a8c320bd77587c77e22cfc1c1b7378dfb42ec)
-            check_type(argname="argument provider_details", value=provider_details, expected_type=type_hints["provider_details"])
             check_type(argname="argument provider_name", value=provider_name, expected_type=type_hints["provider_name"])
             check_type(argname="argument provider_type", value=provider_type, expected_type=type_hints["provider_type"])
             check_type(argname="argument user_pool_id", value=user_pool_id, expected_type=type_hints["user_pool_id"])
             check_type(argname="argument attribute_mapping", value=attribute_mapping, expected_type=type_hints["attribute_mapping"])
             check_type(argname="argument idp_identifiers", value=idp_identifiers, expected_type=type_hints["idp_identifiers"])
+            check_type(argname="argument provider_details", value=provider_details, expected_type=type_hints["provider_details"])
         self._values: typing.Dict[builtins.str, typing.Any] = {
-            "provider_details": provider_details,
             "provider_name": provider_name,
             "provider_type": provider_type,
             "user_pool_id": user_pool_id,
@@ -8547,48 +8561,8 @@ class CfnUserPoolIdentityProviderProps:
             self._values["attribute_mapping"] = attribute_mapping
         if idp_identifiers is not None:
             self._values["idp_identifiers"] = idp_identifiers
-
-    @builtins.property
-    def provider_details(self) -> typing.Any:
-        '''The IdP details. The following list describes the provider detail keys for each IdP type.
-
-        - For Google and Login with Amazon:
-        - client_id
-        - client_secret
-        - authorize_scopes
-        - For Facebook:
-        - client_id
-        - client_secret
-        - authorize_scopes
-        - api_version
-        - For Sign in with Apple:
-        - client_id
-        - team_id
-        - key_id
-        - private_key
-        - authorize_scopes
-        - For OpenID Connect (OIDC) providers:
-        - client_id
-        - client_secret
-        - attributes_request_method
-        - oidc_issuer
-        - authorize_scopes
-        - The following keys are only present if Amazon Cognito didn't discover them at the ``oidc_issuer`` URL.
-        - authorize_url
-        - token_url
-        - attributes_url
-        - jwks_uri
-        - Amazon Cognito sets the value of the following keys automatically. They are read-only.
-        - attributes_url_add_attributes
-        - For SAML providers:
-        - MetadataFile or MetadataURL
-        - IDPSignout *optional*
-
-        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providerdetails
-        '''
-        result = self._values.get("provider_details")
-        assert result is not None, "Required property 'provider_details' is missing"
-        return typing.cast(typing.Any, result)
+        if provider_details is not None:
+            self._values["provider_details"] = provider_details
 
     @builtins.property
     def provider_name(self) -> builtins.str:
@@ -8638,6 +8612,50 @@ class CfnUserPoolIdentityProviderProps:
         result = self._values.get("idp_identifiers")
         return typing.cast(typing.Optional[typing.List[builtins.str]], result)
 
+    @builtins.property
+    def provider_details(self) -> typing.Any:
+        '''The scopes, URLs, and identifiers for your external identity provider.
+
+        The following
+        examples describe the provider detail keys for each IdP type. These values and their
+        schema are subject to change. Social IdP ``authorize_scopes`` values must match
+        the values listed here.
+
+        - **OpenID Connect (OIDC)** - Amazon Cognito accepts the following elements when it can't discover endpoint URLs from ``oidc_issuer`` : ``attributes_url`` , ``authorize_url`` , ``jwks_uri`` , ``token_url`` .
+
+        Create or update request: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
+
+        Describe response: ``"ProviderDetails": { "attributes_request_method": "GET", "attributes_url": "https://auth.example.com/userInfo", "attributes_url_add_attributes": "false", "authorize_scopes": "openid profile email", "authorize_url": "https://auth.example.com/authorize", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "jwks_uri": "https://auth.example.com/.well-known/jwks.json", "oidc_issuer": "https://auth.example.com", "token_url": "https://example.com/token" }``
+
+        - **SAML** - Create or update request with Metadata URL: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256" }``
+
+        Create or update request with Metadata file: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "MetadataFile": "[metadata XML]", "RequestSigningAlgorithm": "rsa-sha256" }``
+
+        The value of ``MetadataFile`` must be the plaintext metadata document with all quote (") characters escaped by backslashes.
+
+        Describe response: ``"ProviderDetails": { "IDPInit": "true", "IDPSignout": "true", "EncryptedResponses" : "true", "ActiveEncryptionCertificate": "[certificate]", "MetadataURL": "https://auth.example.com/sso/saml/metadata", "RequestSigningAlgorithm": "rsa-sha256", "SLORedirectBindingURI": "https://auth.example.com/slo/saml", "SSORedirectBindingURI": "https://auth.example.com/sso/saml" }``
+
+        - **LoginWithAmazon** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "profile postal_code", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret"``
+
+        Describe response: ``"ProviderDetails": { "attributes_url": "https://api.amazon.com/user/profile", "attributes_url_add_attributes": "false", "authorize_scopes": "profile postal_code", "authorize_url": "https://www.amazon.com/ap/oa", "client_id": "amzn1.application-oa2-client.1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "POST", "token_url": "https://api.amazon.com/auth/o2/token" }``
+
+        - **Google** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email profile openid", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret" }``
+
+        Describe response: ``"ProviderDetails": { "attributes_url": "https://people.googleapis.com/v1/people/me?personFields=", "attributes_url_add_attributes": "true", "authorize_scopes": "email profile openid", "authorize_url": "https://accounts.google.com/o/oauth2/v2/auth", "client_id": "1example23456789.apps.googleusercontent.com", "client_secret": "provider-app-client-secret", "oidc_issuer": "https://accounts.google.com", "token_request_method": "POST", "token_url": "https://www.googleapis.com/oauth2/v4/token" }``
+
+        - **SignInWithApple** - Create or update request: ``"ProviderDetails": { "authorize_scopes": "email name", "client_id": "com.example.cognito", "private_key": "1EXAMPLE", "key_id": "2EXAMPLE", "team_id": "3EXAMPLE" }``
+
+        Describe response: ``"ProviderDetails": { "attributes_url_add_attributes": "false", "authorize_scopes": "email name", "authorize_url": "https://appleid.apple.com/auth/authorize", "client_id": "com.example.cognito", "key_id": "1EXAMPLE", "oidc_issuer": "https://appleid.apple.com", "team_id": "2EXAMPLE", "token_request_method": "POST", "token_url": "https://appleid.apple.com/auth/token" }``
+
+        - **Facebook** - Create or update request: ``"ProviderDetails": { "api_version": "v17.0", "authorize_scopes": "public_profile, email", "client_id": "1example23456789", "client_secret": "provider-app-client-secret" }``
+
+        Describe response: ``"ProviderDetails": { "api_version": "v17.0", "attributes_url": "https://graph.facebook.com/v17.0/me?fields=", "attributes_url_add_attributes": "true", "authorize_scopes": "public_profile, email", "authorize_url": "https://www.facebook.com/v17.0/dialog/oauth", "client_id": "1example23456789", "client_secret": "provider-app-client-secret", "token_request_method": "GET", "token_url": "https://graph.facebook.com/v17.0/oauth/access_token" }``
+
+        :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolidentityprovider.html#cfn-cognito-userpoolidentityprovider-providerdetails
+        '''
+        result = self._values.get("provider_details")
+        return typing.cast(typing.Any, result)
+
     def __eq__(self, rhs: typing.Any) -> builtins.bool:
         return isinstance(rhs, self.__class__) and rhs._values == self._values
 
@@ -8988,7 +9006,8 @@ class CfnUserPoolProps:
     def deletion_protection(self) -> typing.Optional[builtins.str]:
         '''When active, ``DeletionProtection`` prevents accidental deletion of your user pool.
 
-        Before you can delete a user pool that you have protected against deletion, you must deactivate this feature.
+        Before you can delete a user pool that you have protected against deletion, you
+        must deactivate this feature.
 
         When you try to delete a protected user pool in a ``DeleteUserPool`` API request, Amazon Cognito returns an ``InvalidParameterException`` error. To delete a protected user pool, send a new ``DeleteUserPool`` request after you deactivate deletion protection in an ``UpdateUserPool`` API request.
 
@@ -9350,7 +9369,8 @@ class CfnUserPoolResourceServer(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The resource ID.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -9763,7 +9783,8 @@ class CfnUserPoolRiskConfigurationAttachment(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The resource ID.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -10903,7 +10924,8 @@ class CfnUserPoolUICustomizationAttachment(
     @builtins.property
     @jsii.member(jsii_name="attrId")
     def attr_id(self) -> builtins.str:
-        '''
+        '''The resource ID.
+
         :cloudformationAttribute: Id
         '''
         return typing.cast(builtins.str, jsii.get(self, "attrId"))
@@ -11102,7 +11124,7 @@ class CfnUserPoolUser(
         :param scope: Scope in which this resource is defined.
         :param id: Construct identifier for this resource (unique in its scope).
         :param user_pool_id: The user pool ID for the user pool where the user will be created.
-        :param client_metadata: A map of custom key-value pairs that you can provide as input for the custom workflow that is invoked by the *pre sign-up* trigger. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you create a ``UserPoolUser`` resource and include the ``ClientMetadata`` property, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata property. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Customizing User Pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: Take the following limitations into consideration when you use the ClientMetadata parameter: - Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. - Amazon Cognito does not validate the ClientMetadata value. - Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
+        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Customizing user pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following: - Store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose. - Validate the ClientMetadata value. - Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
@@ -11180,7 +11202,7 @@ class CfnUserPoolUser(
     def client_metadata(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
-        '''A map of custom key-value pairs that you can provide as input for the custom workflow that is invoked by the *pre sign-up* trigger.'''
+        '''A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.'''
         return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]], jsii.get(self, "clientMetadata"))
 
     @client_metadata.setter
@@ -11390,7 +11412,7 @@ class CfnUserPoolUserProps:
         '''Properties for defining a ``CfnUserPoolUser``.
 
         :param user_pool_id: The user pool ID for the user pool where the user will be created.
-        :param client_metadata: A map of custom key-value pairs that you can provide as input for the custom workflow that is invoked by the *pre sign-up* trigger. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you create a ``UserPoolUser`` resource and include the ``ClientMetadata`` property, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata property. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Customizing User Pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: Take the following limitations into consideration when you use the ClientMetadata parameter: - Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. - Amazon Cognito does not validate the ClientMetadata value. - Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
+        :param client_metadata: A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers. You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs. For more information, see `Customizing user pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* . .. epigraph:: When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following: - Store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose. - Validate the ClientMetadata value. - Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
         :param desired_delivery_mediums: Specify ``"EMAIL"`` if email will be used to send the welcome message. Specify ``"SMS"`` if the phone number will be used. The default value is ``"SMS"`` . You can specify more than one value.
         :param force_alias_creation: This parameter is used only if the ``phone_number_verified`` or ``email_verified`` attribute is set to ``True`` . Otherwise, it is ignored. If this parameter is set to ``True`` and the phone number or email address specified in the UserAttributes parameter already exists as an alias with a different user, the API call will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. If this parameter is set to ``False`` , the API throws an ``AliasExistsException`` error if the alias already exists. The default value is ``False`` .
         :param message_action: Set to ``RESEND`` to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to ``SUPPRESS`` to suppress sending the message. You can specify only one value.
@@ -11470,18 +11492,18 @@ class CfnUserPoolUserProps:
     def client_metadata(
         self,
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, builtins.str]]]:
-        '''A map of custom key-value pairs that you can provide as input for the custom workflow that is invoked by the *pre sign-up* trigger.
+        '''A map of custom key-value pairs that you can provide as input for any custom workflows that this action triggers.
 
-        You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you create a ``UserPoolUser`` resource and include the ``ClientMetadata`` property, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata property. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
+        You create custom workflows by assigning AWS Lambda functions to user pool triggers. When you use the AdminCreateUser API action, Amazon Cognito invokes the function that is assigned to the *pre sign-up* trigger. When Amazon Cognito invokes this function, it passes a JSON payload, which the function receives as input. This payload contains a ``clientMetadata`` attribute, which provides the data that you assigned to the ClientMetadata parameter in your AdminCreateUser request. In your function code in AWS Lambda , you can process the ``clientMetadata`` value to enhance your workflow for your specific needs.
 
-        For more information, see `Customizing User Pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* .
+        For more information, see `Customizing user pool Workflows with Lambda Triggers <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html>`_ in the *Amazon Cognito Developer Guide* .
         .. epigraph::
 
-           Take the following limitations into consideration when you use the ClientMetadata parameter:
+           When you use the ClientMetadata parameter, remember that Amazon Cognito won't do the following:
 
-           - Amazon Cognito does not store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose.
-           - Amazon Cognito does not validate the ClientMetadata value.
-           - Amazon Cognito does not encrypt the the ClientMetadata value, so don't use it to provide sensitive information.
+           - Store the ClientMetadata value. This data is available only to AWS Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration doesn't include triggers, the ClientMetadata parameter serves no purpose.
+           - Validate the ClientMetadata value.
+           - Encrypt the ClientMetadata value. Don't use Amazon Cognito to provide sensitive information.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpooluser.html#cfn-cognito-userpooluser-clientmetadata
         '''
@@ -12958,6 +12980,30 @@ class KeepOriginalAttrs:
         )
 
 
+@jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.LambdaVersion")
+class LambdaVersion(enum.Enum):
+    '''The user pool trigger version of the request that Amazon Cognito sends to your Lambda function.
+
+    :exampleMetadata: infused
+
+    Example::
+
+        # userpool: cognito.UserPool
+        # pre_token_generation_fn: lambda.Function
+        
+        
+        userpool.add_trigger(cognito.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, pre_token_generation_fn, cognito.LambdaVersion.V2_0)
+    '''
+
+    V1_0 = "V1_0"
+    '''V1_0 trigger.'''
+    V2_0 = "V2_0"
+    '''V2_0 trigger.
+
+    This is supported only for PRE_TOKEN_GENERATION trigger.
+    '''
+
+
 @jsii.enum(jsii_type="aws-cdk-lib.aws_cognito.Mfa")
 class Mfa(enum.Enum):
     '''The different ways in which a user pool's MFA enforcement can be configured.
@@ -15761,11 +15807,13 @@ class UserPool(
         self,
         operation: "UserPoolOperation",
         fn: _IFunction_6adb0ab8,
+        lambda_version: typing.Optional[LambdaVersion] = None,
     ) -> None:
         '''Add a lambda trigger to a user pool operation.
 
         :param operation: -
         :param fn: -
+        :param lambda_version: -
 
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html
         '''
@@ -15773,7 +15821,8 @@ class UserPool(
             type_hints = typing.get_type_hints(_typecheckingstub__dfd8cf59863da2ffc97b2db24d9948006aacfebdfb5beb2d1ae6fcabb21a90b7)
             check_type(argname="argument operation", value=operation, expected_type=type_hints["operation"])
             check_type(argname="argument fn", value=fn, expected_type=type_hints["fn"])
-        return typing.cast(None, jsii.invoke(self, "addTrigger", [operation, fn]))
+            check_type(argname="argument lambda_version", value=lambda_version, expected_type=type_hints["lambda_version"])
+        return typing.cast(None, jsii.invoke(self, "addTrigger", [operation, fn, lambda_version]))
 
     @jsii.member(jsii_name="grant")
     def grant(
@@ -18159,10 +18208,23 @@ class UserPoolOperation(
     def PRE_TOKEN_GENERATION(cls) -> "UserPoolOperation":
         '''Add or remove attributes in Id tokens.
 
+        Set this parameter for legacy purposes.
+        If you also set an ARN in PreTokenGenerationConfig, its value must be identical to PreTokenGeneration.
+        For new instances of pre token generation triggers, set the LambdaArn of PreTokenGenerationConfig.
+
         :see: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
         '''
         return typing.cast("UserPoolOperation", jsii.sget(cls, "PRE_TOKEN_GENERATION"))
 
+    @jsii.python.classproperty
+    @jsii.member(jsii_name="PRE_TOKEN_GENERATION_CONFIG")
+    def PRE_TOKEN_GENERATION_CONFIG(cls) -> "UserPoolOperation":
+        '''Add or remove attributes in Id tokens.
+
+        :see: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
+        '''
+        return typing.cast("UserPoolOperation", jsii.sget(cls, "PRE_TOKEN_GENERATION_CONFIG"))
+
     @jsii.python.classproperty
     @jsii.member(jsii_name="USER_MIGRATION")
     def USER_MIGRATION(cls) -> "UserPoolOperation":
@@ -20518,6 +20580,7 @@ __all__ = [
     "IUserPoolIdentityProvider",
     "IUserPoolResourceServer",
     "KeepOriginalAttrs",
+    "LambdaVersion",
     "Mfa",
     "MfaSecondFactor",
     "NumberAttribute",
@@ -21684,12 +21747,12 @@ def _typecheckingstub__759e90505ceb64aa7002be11d4da4a87090102263927799f662a83f60
     scope: _constructs_77d1e7e8.Construct,
     id: builtins.str,
     *,
-    provider_details: typing.Any,
     provider_name: builtins.str,
     provider_type: builtins.str,
     user_pool_id: builtins.str,
     attribute_mapping: typing.Any = None,
     idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    provider_details: typing.Any = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -21706,12 +21769,6 @@ def _typecheckingstub__7ff11acc316d5d73192edfeab5a5d7fb2aa7891c069fce7ccaa876300
     """Type checking stubs"""
     pass
 
-def _typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299(
-    value: typing.Any,
-) -> None:
-    """Type checking stubs"""
-    pass
-
 def _typecheckingstub__03fef1ca3436f487bdb2ac4c72e914ca702f01a40d12470aaa64c77a0f7e15a2(
     value: builtins.str,
 ) -> None:
@@ -21742,14 +21799,20 @@ def _typecheckingstub__7662247fd2cd01f6776c3a84fedff308a45861e95cabe426cb256482a
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__dd9b80463fd736be9b8b32bf8d2368b0c44578e3b056d45e068ca1e5fdfdb299(
+    value: typing.Any,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__41106943fcdd509be0174e1e1c8a8c320bd77587c77e22cfc1c1b7378dfb42ec(
     *,
-    provider_details: typing.Any,
     provider_name: builtins.str,
     provider_type: builtins.str,
     user_pool_id: builtins.str,
     attribute_mapping: typing.Any = None,
     idp_identifiers: typing.Optional[typing.Sequence[builtins.str]] = None,
+    provider_details: typing.Any = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -22585,6 +22648,7 @@ def _typecheckingstub__15a655e8061891a027a61815d064f6a0d9d429f80e33f0c0c98213485
 def _typecheckingstub__dfd8cf59863da2ffc97b2db24d9948006aacfebdfb5beb2d1ae6fcabb21a90b7(
     operation: UserPoolOperation,
     fn: _IFunction_6adb0ab8,
+    lambda_version: typing.Optional[LambdaVersion] = None,
 ) -> None:
     """Type checking stubs"""
     pass