The following use cases expect APIs to be executed in a particular order, managing cognito's view of what state the user is in.

Admin Creates a User

Scneario: The admin role creates a user with a random initial password, then forces the user to update their password.

Admin creates a new user. This sends a random initial password to this user's email. This will make certain the payload includes a valid email.
(broker native user API)
/up/v5/users
Once the user checks their email. Cognito should have automatically sent them a random temporary password. The user then signs in with that password. The response should include a "session" that will be needed in the next step.
(platform services API)
/auth/token/create
The user specifies a new password, providing the session from the previous call and their new password.
(platform services API)
/auth/user/newPassword
The user can now sign in normally using the new password.
/auth/token/create again)

Alternate Admin Creates a User

Scneario: The admin role creates a user with a random initial password, then forces the user to update their password.

As before, admin creates new user. Unlike before, the user's email doesn't technically need to be valid, as they don't need to receive the initial random password.
(broker native user API)
/up/v5/users
Thw admin changes the password on that user.
(broker native user API)
/up/v5/users/changePassword
The user can now sign in using that updated password.
(platform services API)
/auth/tokenc/create

Password reset

Scneario: The APIs here are all require a customer JWT to execute. Designing a system by which users can self-serve a password reset will require some additional work. For example, we might make /up/v5/users/forgotPassword and /up/v5/users/confirmForgotPassword unauthenticated.

The admin initiates a password reset email for the user. The user should receive an email from cognito with a reset code.
(broker native user API)
/up/v5/users/forgotPassword
The user provides that reset code to admin, and admin invokes the confirm forgot password API for the user. This takes the code the user got in their email, and the new password.
(broker native user API)
/up/v5/users/confirmForgotPassword
Afterwards, the user can now sign in using that updated password.
(platform services API)
/auth/tokenc/create

Browser not supported