AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-01 · Documentation low

File: bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md

Summary

Restructured OAuth client configuration steps, added client authentication method selection, detailed on-behalf-of token exchange options, and updated private endpoint configuration terminology.

Security assessment

The changes enhance documentation of security features including client authentication methods, token exchange standards (RFC 7523/RFC 8693), and machine-to-machine authentication. No evidence addresses a specific vulnerability; rather, it expands configuration guidance for existing security mechanisms.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md b/bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md
index 7d0cb011e..bf4c18134 100644
--- a//bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md
+++ b//bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md
@@ -25 +25 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      1. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
+      1. For **Client authentication method** , choose the client authentication method used to authenticate with identity provider token endpoint. For more information, see [Client authentication methods](./client-auth-methods.html).
@@ -27 +27 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      2. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+      2. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
@@ -29 +29,3 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      3. For **Discovery URL** , enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration` . For example, https:// `example.com` /.well-known/openid-configuration.
+      3. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+
+      4. For **Discovery URL** , enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration` . For example, https:// `example.com` /.well-known/openid-configuration.
@@ -33 +35,11 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      1. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
+      1. For **Client authentication method** , choose the client authentication method used to authenticate with identity provider token endpoint. For more information, see [Client authentication methods](./client-auth-methods.html).
+
+      2. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
+
+      3. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+
+      4. For **Issuer** , enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity.
+
+      5. For **Authorization endpoint** , enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow.
+
+      6. For **Token endpoint** , enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process.
@@ -35 +47 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      2. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+      7. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow.
@@ -37 +49 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      3. For **Issuer** , enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity.
+  6. (Optional) Expand **Additional configurations** to configure on-behalf-of token exchange. Choose one of the following Grant type modes:
@@ -39 +51 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      4. For **Authorization endpoint** , enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow.
+    1. **None** : On-behalf-of token exchange is not supported
@@ -41 +53 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      5. For **Token endpoint** , enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process.
+    2. **JWT authorization grant** : perform on-behalf-of token exchange using RFC 7523 syntax. Inbound identity is used as authorization grant to obtain access token
@@ -43 +55 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      6. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow.
+    3. **Token exchange** : perform on-behalf-of token exchange using RFC 8693 syntax. It is the most recent standard to capture the delegation relationship. You can customize the actor token using the following modes:
@@ -45 +57 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-  6. (Optional) Expand **Advanced configuration** to configure a private endpoint for connecting to an identity provider hosted inside your VPC. Choose one of the following modes:
+      1. **None** : Actor token will not be provided in the request
@@ -47 +59,9 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-    1. **Managed Lattice** : AgentCore creates and manages the VPC Lattice resource gateway and resource configuration on your behalf. This is the simpler option for in-account VPC connectivity.
+      2. **AWS IAM ID Token JWT** : Authenticate using a signed JWT issued by AWS IAM that represents calling AWS identity as actor token
+
+      3. **Machine to Machine (M2M)** : Authenticate using [machine-to-machine (M2M)](./common-use-cases.html#machine-to-machine-auth) access token as actor token
+
+        1. (Optional) Provide **Actor token scopes** to use as scope parameters when authenticating
+
+  7. (Optional) Expand **Additional configurations** to configure a private endpoint for connecting to an identity provider hosted inside your VPC. Choose one of the following modes:
+
+    1. **Managed VPC** : AgentCore creates and manages the VPC resources on your behalf. This is the simpler option for in-account VPC connectivity.
@@ -57,2 +76,0 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      5. (Optional) For **Routing domain** , enter a publicly resolvable domain to use for routing if your IdP domain is not publicly resolvable. For more information, see [Workaround for private DNS support: routing domain](./vpc-egress-private-endpoints.html#lattice-vpc-egress-routing-domain).
-
@@ -65 +83 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-  7. Choose **Add OAuth Client**.
+  8. Choose **Add OAuth Client**.