AWS bedrock-agentcore documentation change
Summary
Expanded Okta integration documentation to include both inbound and outbound configurations, added detailed steps for configuring Okta as an identity provider including discovery URL setup, audience validation, and client_id claim customization in access tokens
Security assessment
The changes add documentation about OAuth2/OIDC security features like token validation, audience claims, and client_id customization. While these are security-related configurations, there's no evidence they address a specific vulnerability or incident.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-idp-okta.md b/bedrock-agentcore/latest/devguide/identity-idp-okta.md index 166f87bc5..b93b260b2 100644 --- a//bedrock-agentcore/latest/devguide/identity-idp-okta.md +++ b//bedrock-agentcore/latest/devguide/identity-idp-okta.md @@ -5 +5 @@ -Outbound +InboundOutbound @@ -9 +9 @@ Outbound -Okta can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Okta's OAuth2 service and obtain access tokens for Okta API resources. +Okta can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Okta as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Okta. @@ -11 +11,7 @@ Okta can be configured as an AgentCore Identity credential provider for outbound -## Outbound +## Inbound + +To add Okta as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must: + + * Configure a discovery URL from your Okta tenant. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys. + + * Enter valid `aud` claims for the token. This helps validate the tokens coming from your IdP and allows access for tokens that contain expected claims. @@ -13 +18,0 @@ Okta can be configured as an AgentCore Identity credential provider for outbound -**Step 1** @@ -15 +19,0 @@ Okta can be configured as an AgentCore Identity credential provider for outbound -Use the following procedure to set up an Okta OAuth2 application and obtain the necessary client credentials for AgentCore Identity. @@ -17 +21,2 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the -###### To configure an Okta OAuth2 application + +###### To configure Okta for inbound authentication @@ -23 +28 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the - 3. Choose on **Create App Integration**. + 3. Choose **Create App Integration**. @@ -33,3 +38 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the - 8. For **Sign-in redirect URIs** add the following: - - https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback + 8. For **Sign-in redirect URIs** add your application endpoint that will receive the Okta token. @@ -41,3 +44 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the - 11. Record the client ID and client secret of your application, you'll need this information to configure the Okta resource provider in AgentCore Identity. - - 12. For Client credential flows the following must be performed (this can optionally be done for applications only being used for user federation): + 11. Create an Okta API to represent your application: @@ -47 +48 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the - * Open **API** and choose **Add Authorization Server**. + * Go to **API** and choose **Add Authorization Server**. @@ -51 +52 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the - * Once the authorization server has been created choose the **Access Policies** tab on the overview page to configure an appropriate access policy. + * Once the authorization server has been created, choose the **Access Policies** tab on the overview page to configure an appropriate access policy. @@ -54,0 +56,11 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the + 12. Construct the discovery URL for your Okta tenant: + + https://your-tenant.okta.com/oauth2/your-authorization-server + + 13. Configure Inbound Auth with the following values: + + * **Discovery URL:** The URL constructed in the previous step + + * **Allowed Audiences:** The audience value you provided when creating the API in step 11 + + @@ -56,0 +69 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the +For more details, refer to [Okta's documentation](https://developer.okta.com/docs/concepts/oauth-openid/). @@ -58 +71,22 @@ Use the following procedure to set up an Okta OAuth2 application and obtain the -For more details, refer to [Okta's OAuth and OpenID Connect documentation](https://developer.okta.com/docs/concepts/oauth-openid/). +### Add a client_id claim into access token claims + +Okta by default does not include `client_id` as a standard claim in their tokens. To populate the claim in the token, you need to customize the claims through the authorization server that you use to issue tokens. + +###### To add client_id claim to access tokens + + 1. In the left navigation bar, choose **Security**. Go to **API** and choose the authorization server that you intend to use for your application. + + 2. In the details page for the authorization server, choose the **Claims** tab and choose **Add Claim**. + + 3. Name the new claim **client_id** and set the value to **app.clientid**. + + 4. Set **Include in token type** to **Access Token**. + + 5. Choose **Save**. + + + + +For more details, refer to [Okta's documentation](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/main/). + +## Outbound @@ -60 +94 @@ For more details, refer to [Okta's OAuth and OpenID Connect documentation](https -**Step 2** +Follow the same steps for configuring Okta as an inbound provider; however, when configuring the **Sign-in redirect URIs** add the callback URL that is assigned to your provider when creating the provider in AgentCore Identity. @@ -62 +96 @@ For more details, refer to [Okta's OAuth and OpenID Connect documentation](https -To configure Okta as an outbound resource provider, use the following: +To configure Okta as an outbound resource provider in AgentCore Identity, use the following: