AWS cli high security documentation change
Summary
Added callbackUrl documentation explaining OAuth2 authorization flow security
Security assessment
Documented security-critical callback URL registration to prevent open redirect vulnerabilities, which is essential for proper OAuth2 implementation security
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md index 5e3b1f2cb..2b1c6e26b 100644 --- a//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md +++ b//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md @@ -15 +15 @@ - * [AWS CLI 2.31.13 Command Reference](../../index.html) » + * [AWS CLI 2.31.16 Command Reference](../../index.html) » @@ -69,0 +70 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc + [--tags <value>] @@ -117,0 +119,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +> * `AtlassianOauth2` +> * `LinkedinOauth2` +> * `XOauth2` +> * `OktaOauth2` +> * `OneLoginOauth2` +> * `PingOneOauth2` +> * `FacebookOauth2` +> * `YandexOauth2` +> * `RedditOauth2` +> * `ZoomOauth2` +> * `TwitchOauth2` +> * `SpotifyOauth2` +> * `DropboxOauth2` +> * `NotionOauth2` +> * `HubspotOauth2` +> * `CyberArkOauth2` +> * `FusionAuthOauth2` +> * `Auth0Oauth2` +> * `CognitoOauth2` @@ -127 +147 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc -> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`. +> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`, `atlassianOauth2ProviderConfig`, `linkedinOauth2ProviderConfig`, `includedOauth2ProviderConfig`. @@ -171,0 +192,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>>> +>>>> tokenEndpointAuthMethods -> (list) +>>>> +>>>>> The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2` +>>>>> + +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `(client_secret_post|client_secret_basic)` +>>>>>> + @@ -323,0 +363,101 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>> +>> tenantId -> (string) +>> +>>> The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft’s identity platform where your application is registered. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> atlassianOauth2ProviderConfig -> (structure) +> +>> Configuration settings for Atlassian OAuth2 provider integration. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> linkedinOauth2ProviderConfig -> (structure) +> +>> Configuration settings for LinkedIn OAuth2 provider integration. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> includedOauth2ProviderConfig -> (structure) +> +>> The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +>> +>> issuer -> (string) +>> +>>> Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider. +>> +>> authorizationEndpoint -> (string) +>> +>>> OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources. +>> +>> tokenEndpoint -> (string) +>> +>>> OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens. @@ -336 +476,2 @@ JSON Syntax: - "responseTypes": ["string", ...] + "responseTypes": ["string", ...], + "tokenEndpointAuthMethods": ["string", ...] @@ -358,0 +500,9 @@ JSON Syntax: + "clientId": "string", + "clientSecret": "string", + "tenantId": "string" + }, + "atlassianOauth2ProviderConfig": { + "clientId": "string", + "clientSecret": "string" + }, + "linkedinOauth2ProviderConfig": { @@ -360,0 +511,7 @@ JSON Syntax: + }, + "includedOauth2ProviderConfig": { + "clientId": "string", + "clientSecret": "string", + "issuer": "string", + "authorizationEndpoint": "string", + "tokenEndpoint": "string" @@ -364,0 +522,44 @@ JSON Syntax: +`--tags` (map) + +> A map of tag keys and values to assign to the OAuth2 credential provider. Tags enable you to categorize your resources in different ways, for example, by purpose, owner, or environment. +> +> Constraints: +> +> * min: `0` +> * max: `50` +> + +> +> key -> (string) +> +>> Constraints: +>> +>> * min: `1` +>> * max: `128` +>> * pattern: `[a-zA-Z0-9\s._:/=+@-]*` +>> + +> +> value -> (string) +>