AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-01 · Documentation low

File: bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md

Summary

Added configuration examples for PingIdentity OAuth 2.0 token exchange (delegation and impersonation) using custom provider

Security assessment

Adds documentation for advanced token exchange security features but doesn't fix any specific vulnerability. Improves security posture by documenting secure token delegation/impersonation methods.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md b/bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md
index dfde39f4c..00ec2c2d3 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md
@@ -70,0 +71,56 @@ To configure PingOne as an outbound resource provider use the following:
+To use [PingIdentity OAuth 2.0 token exchange for delegation](https://docs.pingidentity.com/pingone/use_cases/p1_oauth_2_token_exchange_delegation.html), use custom provider for advanced configuration. For details, see [On-behalf-of token exchange with AgentCore Identity](./on-behalf-of-token-exchange.html).
+    
+    
+    {
+      "name": "PingOne",
+      "credentialProviderVendor": "CustomOauth2",
+      "oauth2ProviderConfigInput": {
+        "customOauth2ProviderConfig": {
+          "clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
+          "clientId": "your-client-id",
+          "clientSecret": "your-client-secret",
+          "oauthDiscovery": {
+            "authorizationServerMetadata": {
+              "authorizationEndpoint": "https://auth.pingone.com/your-env-id/as/authorize",
+              "tokenEndpoint": "https://auth.pingone.com/your-env-id/as/token",
+              "issuer": "https://auth.pingone.com/your-env-id/as"
+            }
+          },
+          "onBehalfOfTokenExchangeConfig": {
+            "grantType": "TOKEN_EXCHANGE",
+            "tokenExchangeGrantTypeConfig": {
+              "actorTokenContent": "M2M"
+            }
+          }
+        }
+      }
+    }
+
+To use [PingIdentity OAuth 2.0 token exchange for impersonation](https://docs.pingidentity.com/pingone/use_cases/p1_oauth_2_token_exchange_impersonation.html), use custom provider for advanced configuration. For details, see [On-behalf-of token exchange with AgentCore Identity](./on-behalf-of-token-exchange.html).
+    
+    
+    {
+      "name": "PingOne",
+      "credentialProviderVendor": "CustomOauth2",
+      "oauth2ProviderConfigInput": {
+        "customOauth2ProviderConfig": {
+          "clientAuthenticationMethod": "CLIENT_SECRET_BASIC",
+          "clientId": "your-client-id",
+          "clientSecret": "your-client-secret",
+          "oauthDiscovery": {
+            "authorizationServerMetadata": {
+              "authorizationEndpoint": "https://auth.pingone.com/your-env-id/as/authorize",
+              "tokenEndpoint": "https://auth.pingone.com/your-env-id/as/token",
+              "issuer": "https://auth.pingone.com/your-env-id/as"
+            }
+          },
+          "onBehalfOfTokenExchangeConfig": {
+            "grantType": "TOKEN_EXCHANGE",
+            "tokenExchangeGrantTypeConfig": {
+              "actorTokenContent": "NONE"
+            }
+          }
+        }
+      }
+    }
+