AWS bedrock-agentcore documentation change
Summary
Restructured Auth0 integration documentation with clearer inbound/outbound configuration steps, updated OAuth2 provider configuration syntax, and improved procedural guidance.
Security assessment
The changes enhance documentation about Auth0 authentication/authorization workflows (e.g., token validation via 'aud' claims, OAuth2 endpoint configuration) but do not address a specific disclosed vulnerability. Updates to credential provider configuration (changing from CustomOauth2 to Auth0Oauth2) improve accuracy of security-related implementation guidance.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-idp-auth0.md b/bedrock-agentcore/latest/devguide/identity-idp-auth0.md index bcded1485..2c75c4f77 100644 --- a//bedrock-agentcore/latest/devguide/identity-idp-auth0.md +++ b//bedrock-agentcore/latest/devguide/identity-idp-auth0.md @@ -7,2 +6,0 @@ InboundOutbound -Amazon Bedrock AgentCore is in preview release and is subject to change. - @@ -11 +9,3 @@ Amazon Bedrock AgentCore is in preview release and is subject to change. -Auth0 by Okta can be set up as an inbound provider or as an outbound provider. +Auth0 can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Auth0 as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Auth0. + +## Inbound @@ -13 +13 @@ Auth0 by Okta can be set up as an inbound provider or as an outbound provider. -To add Auth0 as an identity provider for accessing AgentCore Gateway and Runtime, you must: +To add Auth0 as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must: @@ -17 +17 @@ To add Auth0 as an identity provider for accessing AgentCore Gateway and Runtime - * Provide valid `aud` claims for the token. This helps validate the tokens coming from your IDP and allows access for tokens that contain expected claims. + * Enter valid `aud` claims for the token. This helps validate the tokens coming from your IDP and allows access for tokens that contain expected claims. @@ -22 +22 @@ To add Auth0 as an identity provider for accessing AgentCore Gateway and Runtime -## Inbound +Use the following procedure to set up Auth0 and obtain the necessary configuration values for Gateway authentication. @@ -24 +24 @@ To add Auth0 as an identity provider for accessing AgentCore Gateway and Runtime -Follow these steps to set up Auth0 and obtain the necessary configuration values for Gateway authentication: +###### To configure Auth0 for inbound authentication @@ -28 +28 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Log in to your Auth0 dashboard. + 1. Sign in to your Auth0 dashboard. @@ -30 +30 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Navigate to "APIs" and click "Create API". + 2. Open **APIs** and choose **Create API**. @@ -32 +32 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Provide a name and identifier for your API (e.g., "gateway-api"). + 3. Enter a name and identifier for your API (e.g., "gateway-api"). @@ -34 +34 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Select the signing algorithm (RS256 recommended). + 4. Select the signing algorithm (RS256 recommended). @@ -36 +36 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Click "Create". + 5. Choose **Create**. @@ -40 +40 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * In the API settings, go to the "Scopes" tab. + 1. In the API settings, go to the **Scopes** tab. @@ -42 +42 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Add scopes such as "invoke:gateway" and "read:gateway". + 2. Add scopes such as "invoke:gateway" and "read:gateway". @@ -46 +46 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Navigate to "Applications" and click "Create Application". + 1. Open **Applications** and choose **Create Application**. @@ -48 +48 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Select "Machine to Machine Application". + 2. Select **Machine to Machine Application**. @@ -50 +50 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Select the API you created in step 1. + 3. Select the API you created in step 1. @@ -52 +52 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Authorize the application for the scopes you created. + 4. Authorize the application for the scopes you created. @@ -54 +54 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - * Click "Create". + 5. Choose **Create**. @@ -56 +56 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - 4. Note the client ID and client secret from the application settings. + 4. Record the client ID and client secret from the application settings. You'll need these values to configure the Auth0 provider in AgentCore Identity. @@ -60 +60 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values - https://<your-domain>/.well-known/openid-configuration + https://your-domain/.well-known/openid-configuration @@ -62 +62 @@ Follow these steps to set up Auth0 and obtain the necessary configuration values -Where `<your-domain>` is your Auth0 tenant domain (e.g., "dev-example.us.auth0.com"). +Where ``your-domain`` is your Auth0 tenant domain (e.g., "dev-example.us.auth0.com"). @@ -66 +66 @@ Where `<your-domain>` is your Auth0 tenant domain (e.g., "dev-example.us.auth0.c - * **Discovery URL** : The URL constructed in the previous step + 1. **Discovery URL** : The URL constructed in the previous step @@ -68 +68 @@ Where `<your-domain>` is your Auth0 tenant domain (e.g., "dev-example.us.auth0.c - * **Allowed audiences** : The API identifier you created in step 1 + 2. **Allowed audiences** : The API identifier you created in step 1 @@ -80 +80 @@ To configure Auth0 as an outbound resource provider, use the following: - "credentialProviderVendor": "CustomOauth2", + "credentialProviderVendor": "Auth0Oauth2", @@ -82 +82 @@ To configure Auth0 as an outbound resource provider, use the following: - "customOauth2ProviderConfig": { + "includedOauth2ProviderConfig": { @@ -85,3 +85,3 @@ To configure Auth0 as an outbound resource provider, use the following: - "oauthDiscovery": { - "discoveryUrl": "https://{your-auth0-tenant}.auth0.com/.well-known/openid-configuration" - } + "authorizeEndpoint": "https://your-auth0-tenant.auth0.com/authorize", + "tokenEndpoint": "https://your-auth0-tenant.auth0.com/oauth/token", + "issuer": "https://your-auth0-tenant.auth0.com" @@ -98 +98 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Microsoft +Amazon Cognito @@ -100 +100 @@ Microsoft -GitHub +Atlassian