AWS cli documentation change
Summary
Expanded OAuth2 provider support with new configurations (Atlassian, LinkedIn, etc.), added token endpoint auth method constraints, and updated CLI version reference.
Security assessment
Added constraints for tokenEndpointAuthMethods (enforcing client_secret_post/client_secret_basic patterns) and clientSecret length validations improve security documentation. No evidence of patching a specific vulnerability.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md index 5a68caf27..e5b21a0c9 100644 --- a//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md +++ b//cli/latest/reference/bedrock-agentcore-control/update-oauth2-credential-provider.md @@ -15 +15 @@ - * [AWS CLI 2.31.13 Command Reference](../../index.html) » + * [AWS CLI 2.31.16 Command Reference](../../index.html) » @@ -117,0 +118,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +> * `AtlassianOauth2` +> * `LinkedinOauth2` +> * `XOauth2` +> * `OktaOauth2` +> * `OneLoginOauth2` +> * `PingOneOauth2` +> * `FacebookOauth2` +> * `YandexOauth2` +> * `RedditOauth2` +> * `ZoomOauth2` +> * `TwitchOauth2` +> * `SpotifyOauth2` +> * `DropboxOauth2` +> * `NotionOauth2` +> * `HubspotOauth2` +> * `CyberArkOauth2` +> * `FusionAuthOauth2` +> * `Auth0Oauth2` +> * `CognitoOauth2` @@ -127 +146 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc -> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`. +> This is a Tagged Union structure. Only one of the following top level keys can be set: `customOauth2ProviderConfig`, `googleOauth2ProviderConfig`, `githubOauth2ProviderConfig`, `slackOauth2ProviderConfig`, `salesforceOauth2ProviderConfig`, `microsoftOauth2ProviderConfig`, `atlassianOauth2ProviderConfig`, `linkedinOauth2ProviderConfig`, `includedOauth2ProviderConfig`. @@ -171,0 +191,19 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>>>> +>>>> tokenEndpointAuthMethods -> (list) +>>>> +>>>>> The authentication methods supported by the token endpoint. This specifies how clients can authenticate when requesting tokens from the authorization server. +>>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `2` +>>>>> + +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * pattern: `(client_secret_post|client_secret_basic)` +>>>>>> + @@ -323,0 +362,101 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>> +>> tenantId -> (string) +>> +>>> The Microsoft Entra ID (formerly Azure AD) tenant ID for your organization. This identifies the specific tenant within Microsoft’s identity platform where your application is registered. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> atlassianOauth2ProviderConfig -> (structure) +> +>> Configuration settings for Atlassian OAuth2 provider integration. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the Atlassian OAuth2 provider. This identifier is assigned by Atlassian when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the Atlassian OAuth2 provider. This secret is assigned by Atlassian and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> linkedinOauth2ProviderConfig -> (structure) +> +>> Configuration settings for LinkedIn OAuth2 provider integration. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the LinkedIn OAuth2 provider. This identifier is assigned by LinkedIn when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the LinkedIn OAuth2 provider. This secret is assigned by LinkedIn and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +> +> includedOauth2ProviderConfig -> (structure) +> +>> The configuration for a non-custom OAuth2 provider. This includes settings for supported OAuth2 providers that have built-in integration support. +>> +>> clientId -> (string) [required] +>> +>>> The client ID for the supported OAuth2 provider. This identifier is assigned by the OAuth2 provider when you register your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `256` +>>> + +>> +>> clientSecret -> (string) [required] +>> +>>> The client secret for the supported OAuth2 provider. This secret is assigned by the OAuth2 provider and used along with the client ID to authenticate your application. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `2048` +>>> + +>> +>> issuer -> (string) +>> +>>> Token issuer of your isolated OAuth2 application tenant. This URL identifies the authorization server that issues tokens for this provider. +>> +>> authorizationEndpoint -> (string) +>> +>>> OAuth2 authorization endpoint for your isolated OAuth2 application tenant. This is where users are redirected to authenticate and authorize access to their resources. +>> +>> tokenEndpoint -> (string) +>> +>>> OAuth2 token endpoint for your isolated OAuth2 application tenant. This is where authorization codes are exchanged for access tokens. @@ -336 +475,2 @@ JSON Syntax: - "responseTypes": ["string", ...] + "responseTypes": ["string", ...], + "tokenEndpointAuthMethods": ["string", ...] @@ -358,0 +499,9 @@ JSON Syntax: + "clientId": "string", + "clientSecret": "string", + "tenantId": "string" + }, + "atlassianOauth2ProviderConfig": { + "clientId": "string", + "clientSecret": "string" + }, + "linkedinOauth2ProviderConfig": { @@ -360,0 +510,7 @@ JSON Syntax: + }, + "includedOauth2ProviderConfig": { + "clientId": "string", + "clientSecret": "string", + "issuer": "string", + "authorizationEndpoint": "string", + "tokenEndpoint": "string" @@ -501,0 +658,19 @@ credentialProviderVendor -> (string) +> * `AtlassianOauth2` +> * `LinkedinOauth2` +> * `XOauth2` +> * `OktaOauth2` +> * `OneLoginOauth2` +> * `PingOneOauth2` +> * `FacebookOauth2` +> * `YandexOauth2` +> * `RedditOauth2` +> * `ZoomOauth2` +> * `TwitchOauth2` +> * `SpotifyOauth2` +> * `DropboxOauth2` +> * `NotionOauth2` +> * `HubspotOauth2` +> * `CyberArkOauth2` +> * `FusionAuthOauth2` +> * `Auth0Oauth2` +> * `CognitoOauth2` @@ -514,0 +690,4 @@ credentialProviderArn -> (string) +callbackUrl -> (string) + +> Callback URL to register on the OAuth2 credential provider as an allowed callback URL. This URL is where the OAuth2 authorization server redirects users after they complete the authorization flow. + @@ -521 +700 @@ oauth2ProviderConfigOutput -> (tagged union structure)