AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-10-28 · Documentation medium

File: cognito/latest/developerguide/authorization-endpoint.md

Summary

Added 'resource' parameter documentation and example for access token audience binding

Security assessment

Documents new security control to bind access tokens to specific resource servers via audience claim. Improves API security posture but doesn't fix an existing vulnerability.

Diff

diff --git a/cognito/latest/developerguide/authorization-endpoint.md b/cognito/latest/developerguide/authorization-endpoint.md
index b95de3bef..c277a209e 100644
--- a//cognito/latest/developerguide/authorization-endpoint.md
+++ b//cognito/latest/developerguide/authorization-endpoint.md
@@ -5 +5 @@
-GET /oauth2/authorizeExample: authorization code grantExample: authorization code grant with PKCEExample: require re-authentication with prompt=loginExample: silent authentication with prompt=noneExample: Token (implicit) grant without openid scopeExample: Token (implicit) grant with openid scopeError responses
+GET /oauth2/authorizeExample: authorization code grantExample: authorization code grant with PKCEExample: require re-authentication with prompt=loginExample: silent authentication with prompt=noneExample: authorization code grant with resource bindingExample: Token (implicit) grant without openid scopeExample: Token (implicit) grant with openid scopeError responses
@@ -196,0 +197,9 @@ When you omit the `prompt` parameter from your request, managed login follows th
+**`resource`**
+    
+
+Optional.
+
+The identifier of a resource that you want to bind to the access token in the `aud` claim. When you include this parameter, Amazon Cognito validates that the value is a URL and sets the audience of the resulting access token to the requested resource. You can request a user pool [resource server](./cognito-user-pools-define-resource-servers.html) with an identifier in a URL format, or a URL of your choosing. Values for this parameter must begin with `https://`, `http://localhost`, or a custom URL scheme like `myapp://`.
+
+Resource binding is defined in [RFC 8707](https://www.rfc-editor.org/rfc/rfc8707.html). For more information about resource servers and resource binding, see [Resource binding](./cognito-user-pools-define-resource-servers.html#cognito-user-pools-resource-binding).
+
@@ -281,0 +291,18 @@ When a valid session exists, the authorization server returns an authorization c
+    HTTP/1.1 302 Found Location: https://www.example.com?code=AUTHORIZATION_CODE&state=abcdefg
+
+## Example: authorization code grant with resource binding
+
+The following request adds a `resource` parameter to bind the access token to a specific resource server. The resulting access token creates the conditions for the target API to validate that it is the intended audience of the authenticated user's request.
+    
+    
+    GET https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/authorize?
+    response_type=code&
+    client_id=1example23456789&
+    redirect_uri=https://www.example.com&
+    state=abcdefg&
+    scope=solar-system-data-api.example.com/asteroids.add&
+    resource=https://solar-system-data-api.example.com
+
+The authorization server returns an authorization code that results in an access token with an `aud` claim of `https://solar-system-data-api.example.com`.
+    
+