AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-01 · Documentation low

File: bedrock-agentcore/latest/devguide/identity-idp-okta.md

Summary

Added configuration example for Okta OAuth 2.0 on-behalf-of token exchange using custom provider

Security assessment

The change adds documentation for token exchange configuration which is a security feature, but there's no evidence of addressing a specific vulnerability. It enhances security capabilities by documenting secure delegation patterns.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-okta.md b/bedrock-agentcore/latest/devguide/identity-idp-okta.md
index ac7533578..debfb5283 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-okta.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-okta.md
@@ -114,0 +115,28 @@ To configure Okta as an outbound resource provider in AgentCore Identity, use th
+To use [Okta OAuth 2.0 on-behalf-of token exchange](https://developer.okta.com/docs/guides/set-up-token-exchange/main/), use custom provider for advanced configuration. For details, see [On-behalf-of token exchange with AgentCore Identity](./on-behalf-of-token-exchange.html).
+    
+    
+    {
+      "name": "Okta",
+      "credentialProviderVendor": "CustomOauth2",
+      "oauth2ProviderConfigInput": {
+        "customOauth2ProviderConfig": {
+          "clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
+          "clientId": "your-client-id",
+          "clientSecret": "your-client-secret",
+          "oauthDiscovery": {
+            "authorizationServerMetadata": {
+              "authorizationEndpoint": "https://your-tenant.okta.com/oauth2/your-authorization-server/v1/authorize",
+              "tokenEndpoint": "https://your-tenant.okta.com/oauth2/your-authorization-server/v1/token",
+              "issuer": "https://your-tenant.okta.com/oauth2/your-authorization-server"
+            }
+          },
+          "onBehalfOfTokenExchangeConfig": {
+            "grantType": "TOKEN_EXCHANGE",
+            "tokenExchangeGrantTypeConfig": {
+              "actorTokenContent": "NONE"
+            }
+          }
+        }
+      }
+    }
+