Refactor MCP Cognito app clients: rename and consolidate #276
tomron-aws wants to merge 1 commit into aws-solutions-library-samples:main from
- Rename ExternalAppClient to User-Authorized-MCP-Client (3-legged OAuth)
- Rename MCPConnectorClient to Machine-Authorized-MCP-Client (2-legged OAuth)
- Add EnableTokenRevocation and PreventUserExistenceErrors to MCPConnectorClient
- Remove duplicate QuickM2MClient resource and outputs
- Update stack output descriptions with OAuth flow types
Thanks for the rename, distinguishing user-authorized vs machine-authorized clients is a good clarity improvement. A few items to consider:
Any existing deployment using the current credentials (MCP Connector instances, QuickSight integrations, external apps) will break after a stack update and will need to be reconfigured with the new credentials.
Other Cognito and resource identifiers use lowercase-kebab-case. Suggested fix:
The old client names ("external-app-client" and "mcp-connector-client") are referenced in multiple doc files not updated in this MR. These should be updated in the same MR to avoid a mismatch between the AWS console and the documentation. Files needing updates:
The previous MCPClientId/MCPClientSecret descriptions mentioned Amazon QuickSight explicitly, which helped users know which client to use. Consider appending the use case back. E.g. "Cognito client ID for user-based authentication with the IDP MCP server (user-authorized-mcp-client). Used by QuickSight and other external apps requiring user login."
@tomron-aws Do you expect to update PR today - if so I can include in tomorrow's release. Tx!
@tomron-aws - Closing due to inactivity. Please reopen when ready. Many tx.
Description of changes:
While testing in my environment I found that the names and descriptions were confusing to those trying to integrate the MCP server into downstream clients. I thought I was missing certain resources but they were there. Just renaming things and also adding to security recommendations from our internal security scanner to the M2M Cognito app client.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
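
A pre-merge check for the two settings this PR adds and the naming convention raised in review, as an added example that is not code from the PR or the repository. The `audit_app_clients` helper and the sample template are constructed for illustration; the check requires the settings to be stated explicitly in the template.

```python
import re

# Constructed sample: the "Resources" section of a template after parsing.
# Logical IDs and client names follow the PR text; the remaining property
# values are assumptions made for this example.
SAMPLE_RESOURCES = {
    "MCPConnectorClient": {
        "Type": "AWS::Cognito::UserPoolClient",
        "Properties": {
            "ClientName": "Machine-Authorized-MCP-Client",
            "GenerateSecret": True,
            "AllowedOAuthFlows": ["client_credentials"],
            "EnableTokenRevocation": True,
            "PreventUserExistenceErrors": "ENABLED",
        },
    },
    "ExternalAppClient": {
        "Type": "AWS::Cognito::UserPoolClient",
        "Properties": {
            "ClientName": "user-authorized-mcp-client",
            "GenerateSecret": True,
            "AllowedOAuthFlows": ["code"],
        },
    },
}

# lowercase-kebab-case: lowercase alphanumeric words joined by single hyphens.
KEBAB = re.compile(r"^[a-z0-9]+(-[a-z0-9]+)*$")


def audit_app_clients(resources):
    """Return sorted (logical_id, property) pairs that need attention."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::Cognito::UserPoolClient":
            continue
        props = res.get("Properties", {})
        # Require both hardening settings to be stated in the template.
        if props.get("EnableTokenRevocation") is not True:
            findings.append((logical_id, "EnableTokenRevocation"))
        if props.get("PreventUserExistenceErrors") != "ENABLED":
            findings.append((logical_id, "PreventUserExistenceErrors"))
        # Naming convention raised in the review comment.
        if not KEBAB.match(str(props.get("ClientName", ""))):
            findings.append((logical_id, "ClientName"))
    return sorted(findings)


if __name__ == "__main__":
    for logical_id, prop in audit_app_clients(SAMPLE_RESOURCES):
        print(f"{logical_id}: review {prop}")
```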