AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2025-06-22 · Documentation medium

File: singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.md

Summary

Updated API description to clarify token scopes and downscoping capabilities

Security assessment

The change documents security-focused downscoping capabilities for token permissions, improving clarity about least-privilege access but does not indicate a specific vulnerability fix.

Diff

diff --git a/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.md b/singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.md
index 7ce5bb426..3dbee8929 100644
--- a//singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.md
+++ b//singlesignon/latest/OIDCAPIReference/API_CreateTokenWithIAM.md
@@ -9 +9 @@ Request SyntaxURI Request ParametersRequest BodyResponse SyntaxResponse Elements
-Creates and returns access and refresh tokens for clients and applications that are authenticated using IAM entities. An IAM entity can be any IAM entity like a service role or user. The access token can be used to fetch short-lived credentials for the assigned AWS accounts or to access application APIs using `bearer` authentication.
+Creates and returns access and refresh tokens for authorized client applications that are authenticated using any IAM entity, such as a service role or user. These tokens might contain defined scopes that specify permissions such as `read:profile` or `write:data`. Through downscoping, you can use the scopes parameter to request tokens with reduced permissions compared to the original client application's permissions or, if applicable, the refresh token's scopes. The access token can be used to fetch short-lived credentials for the assigned AWS accounts or to access application APIs using `bearer` authentication.