AWS bedrock-agentcore documentation change
Summary
Enhanced JWT configuration documentation with allowed scopes and required custom claims validation details
Security assessment
Adds documentation about security controls (scope validation and custom claims checks) for JWT token handling, improving security documentation but not addressing a specific vulnerability.
Diff
diff --git a/bedrock-agentcore/latest/devguide/runtime-oauth.md b/bedrock-agentcore/latest/devguide/runtime-oauth.md index 11d0119af..9af2579c1 100644 --- a//bedrock-agentcore/latest/devguide/runtime-oauth.md +++ b//bedrock-agentcore/latest/devguide/runtime-oauth.md @@ -43 +43 @@ You can configure your agent runtime to accept JWT bearer tokens by providing au -This configuration requires: +This configuration includes: @@ -50,0 +51,4 @@ This configuration requires: + * Allowed scopes - A list of permitted scopes that will be validated against the scope claim in the JWT token. The `allowedScopes` authorization field will be configured as a list of strings. + + * Required custom claims - A list of required claims that will be validated against the claim name and value contained in the incoming JWT token. For details on configuring the authorizer, see [Configure inbound JWT authorizer](./inbound-jwt-authorizer.html) +