AWS bedrock-agentcore documentation change
Summary
Restructured OAuth client configuration steps, added client authentication method selection, detailed on-behalf-of token exchange options, and updated private endpoint configuration terminology.
Security assessment
The changes enhance documentation of security features including client authentication methods, token exchange standards (RFC 7523/RFC 8693), and machine-to-machine authentication. No evidence addresses a specific vulnerability; rather, it expands configuration guidance for existing security mechanisms.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md b/bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md index 7d0cb011e..bf4c18134 100644 --- a//bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md +++ b//bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md @@ -25 +25 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 1. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider. + 1. For **Client authentication method** , choose the client authentication method used to authenticate with identity provider token endpoint. For more information, see [Client authentication methods](./client-auth-methods.html). @@ -27 +27 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 2. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication. + 2. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider. @@ -29 +29,3 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 3. For **Discovery URL** , enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration` . For example, https:// `example.com` /.well-known/openid-configuration. + 3. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication. + + 4. For **Discovery URL** , enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration` . For example, https:// `example.com` /.well-known/openid-configuration. @@ -33 +35,11 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 1. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider. + 1. For **Client authentication method** , choose the client authentication method used to authenticate with identity provider token endpoint. For more information, see [Client authentication methods](./client-auth-methods.html). + + 2. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider. + + 3. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication. + + 4. For **Issuer** , enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity. + + 5. For **Authorization endpoint** , enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow. + + 6. For **Token endpoint** , enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process. @@ -35 +47 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 2. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication. + 7. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow. @@ -37 +49 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 3. For **Issuer** , enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity. + 6. (Optional) Expand **Additional configurations** to configure on-behalf-of token exchange. Choose one of the following Grant type modes: @@ -39 +51 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 4. For **Authorization endpoint** , enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow. + 1. **None** : On-behalf-of token exchange is not supported @@ -41 +53 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 5. For **Token endpoint** , enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process. + 2. **JWT authorization grant** : perform on-behalf-of token exchange using RFC 7523 syntax. Inbound identity is used as authorization grant to obtain access token @@ -43 +55 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 6. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow. + 3. **Token exchange** : perform on-behalf-of token exchange using RFC 8693 syntax. It is the most recent standard to capture the delegation relationship. You can customize the actor token using the following modes: @@ -45 +57 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 6. (Optional) Expand **Advanced configuration** to configure a private endpoint for connecting to an identity provider hosted inside your VPC. Choose one of the following modes: + 1. **None** : Actor token will not be provided in the request @@ -47 +59,9 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 1. **Managed Lattice** : AgentCore creates and manages the VPC Lattice resource gateway and resource configuration on your behalf. This is the simpler option for in-account VPC connectivity. + 2. **AWS IAM ID Token JWT** : Authenticate using a signed JWT issued by AWS IAM that represents calling AWS identity as actor token + + 3. **Machine to Machine (M2M)** : Authenticate using [machine-to-machine (M2M)](./common-use-cases.html#machine-to-machine-auth) access token as actor token + + 1. (Optional) Provide **Actor token scopes** to use as scope parameters when authenticating + + 7. (Optional) Expand **Additional configurations** to configure a private endpoint for connecting to an identity provider hosted inside your VPC. Choose one of the following modes: + + 1. **Managed VPC** : AgentCore creates and manages the VPC resources on your behalf. This is the simpler option for in-account VPC connectivity. @@ -57,2 +76,0 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 5. (Optional) For **Routing domain** , enter a publicly resolvable domain to use for routing if your IdP domain is not publicly resolvable. For more information, see [Workaround for private DNS support: routing domain](./vpc-egress-private-endpoints.html#lattice-vpc-egress-routing-domain). - @@ -65 +83 @@ Custom providers enable you to connect to any OAuth2-compatible resource server - 7. Choose **Add OAuth Client**. + 8. Choose **Add OAuth Client**.