AWS bedrock-agentcore documentation change
Summary
Added configuration example for Okta OAuth 2.0 on-behalf-of token exchange using custom provider
Security assessment
The change adds documentation for token exchange configuration which is a security feature, but there's no evidence of addressing a specific vulnerability. It enhances security capabilities by documenting secure delegation patterns.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-idp-okta.md b/bedrock-agentcore/latest/devguide/identity-idp-okta.md index ac7533578..debfb5283 100644 --- a//bedrock-agentcore/latest/devguide/identity-idp-okta.md +++ b//bedrock-agentcore/latest/devguide/identity-idp-okta.md @@ -114,0 +115,28 @@ To configure Okta as an outbound resource provider in AgentCore Identity, use th +To use [Okta OAuth 2.0 on-behalf-of token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/), use custom provider for advanced configuration. For details, see [On-behalf-of token exchange with AgentCore Identity](./on-behalf-of-token-exchange.html). + + + { + "name": "Okta", + "credentialProviderVendor": "CustomOauth2", + "oauth2ProviderConfigInput": { + "customOauth2ProviderConfig": { + "clientAuthenticationMethod": "CLIENT_SECRET_BASIC", + "clientId": "your-client-id", + "clientSecret": "your-client-secret", + "oauthDiscovery": { + "authorizationServerMetadata": { + "authorizationEndpoint": "https://your-tenant.okta.com/oauth2/your-authorization-server/v1/authorize", + "tokenEndpoint": "https://your-tenant.okta.com/oauth2/your-authorization-server/v1/token", + "issuer": "https://your-tenant.okta.com/oauth2/your-authorization-server" + } + }, + "onBehalfOfTokenExchangeConfig": { + "grantType": "TOKEN_EXCHANGE", + "tokenExchangeGrantTypeConfig": { + "actorTokenContent": "NONE" + } + } + } + } + } +