AWS singlesignon high security documentation change
Summary
Modified scope parameter documentation to state it has no effect - access tokens always include all registered client scopes
Security assessment
This change fixes potentially dangerous documentation that previously suggested clients could limit scopes. The correction prevents misuse by enforcing full scope inclusion, addressing a potential authorization bypass risk.
Diff
diff --git a/singlesignon/latest/OIDCAPIReference/API_CreateToken.md b/singlesignon/latest/OIDCAPIReference/API_CreateToken.md index 1b3a5e72e..8581c7929 100644 --- a//singlesignon/latest/OIDCAPIReference/API_CreateToken.md +++ b//singlesignon/latest/OIDCAPIReference/API_CreateToken.md @@ -120 +120 @@ Required: No -The list of scopes for which authorization is requested. The access token that is issued is limited to the scopes that are granted. If this value is not specified, IAM Identity Center authorizes all scopes that are configured for the client during the call to [RegisterClient](./API_RegisterClient.html). +The list of scopes for which authorization is requested. This parameter has no effect; the access token will always include all scopes configured during client registration.