AWS bedrock-agentcore documentation change
Summary
Added 'Token exchange (On-behalf-of)' section with OAuth configuration details and security note about parameter requirements
Security assessment
The change documents secure token exchange patterns but doesn't address any specific vulnerability. It enhances authentication documentation with implementation details.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md b/bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md index e403ba84f..1b322b2c4 100644 --- a//bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md +++ b//bedrock-agentcore/latest/devguide/gateway-building-adding-targets-authorization.md @@ -70,0 +71,2 @@ The structure of the [OAuthCredentialProvider](https://docs.aws.amazon.com/bedro + * If you set up on-behalf-of token exchange to propagate an authenticated user’s identity to a downstream service, follow the structure in the **Token exchange (On-behalf-of)** tab. + @@ -130,0 +133,29 @@ To learn more about 3LO authentication, see [OAuth 2.0 authorization URL session +Token exchange (On-behalf-of) + + + 1. Specify the `grantType` as `TOKEN_EXCHANGE`. The gateway exchanges the inbound user’s access token for a target-scoped token via the credential provider. Include any IdP-specific parameters in `customParameters`. For more information about configuring the credential provider, see [On-behalf-of token exchange](./on-behalf-of-token-exchange.html). + + { + "credentialProviderType": "OAUTH", + "credentialProvider": { + "oauthCredentialProvider": { + "providerArn": "string", + "grantType": "TOKEN_EXCHANGE", + "scopes": [ + "string", + ... + ], + "customParameters": { + "subject_token_type": "urn:ietf:params:oauth:token-type:access_token" + } + } + } + } + +###### Note + +The `customParameters` field passes values directly to the identity provider’s token endpoint. Required parameters vary by provider. For example, Okta requires an `audience` parameter in addition to `subject_token_type`. See your identity provider’s documentation and [On-behalf-of token exchange](./on-behalf-of-token-exchange.html) for details. + + + +