AWS bedrock-agentcore documentation change
Summary
Added configuration examples for PingIdentity OAuth 2.0 token exchange (delegation and impersonation) using custom provider
Security assessment
Adds documentation for advanced token exchange security features but doesn't fix any specific vulnerability. Improves security posture by documenting secure token delegation/impersonation methods.
Diff
diff --git a/bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md b/bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md index dfde39f4c..00ec2c2d3 100644 --- a//bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md +++ b//bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md @@ -70,0 +71,56 @@ To configure PingOne as an outbound resource provider use the following: +To use [PingIdentity OAuth 2.0 token exchange for delegation](https://docs.pingidentity.com/pingone/use_cases/p1_oauth_2_token_exchange_delegation.html), use custom provider for advanced configuration. For details, see [On-behalf-of token exchange with AgentCore Identity](./on-behalf-of-token-exchange.html). + + + { + "name": "PingOne", + "credentialProviderVendor": "CustomOauth2", + "oauth2ProviderConfigInput": { + "customOauth2ProviderConfig": { + "clientAuthenticationMethod": "CLIENT_SECRET_BASIC", + "clientId": "your-client-id", + "clientSecret": "your-client-secret", + "oauthDiscovery": { + "authorizationServerMetadata": { + "authorizationEndpoint": "https://auth.pingone.com/your-env-id/as/authorize", + "tokenEndpoint": "https://auth.pingone.com/your-env-id/as/token", + "issuer": "https://auth.pingone.com/your-env-id/as" + } + }, + "onBehalfOfTokenExchangeConfig": { + "grantType": "TOKEN_EXCHANGE", + "tokenExchangeGrantTypeConfig": { + "actorTokenContent": "M2M" + } + } + } + } + } + +To use [PingIdentity OAuth 2.0 token exchange for impersonation](https://docs.pingidentity.com/pingone/use_cases/p1_oauth_2_token_exchange_impersonation.html), use custom provider for advanced configuration. For details, see [On-behalf-of token exchange with AgentCore Identity](./on-behalf-of-token-exchange.html). + + + { + "name": "PingOne", + "credentialProviderVendor": "CustomOauth2", + "oauth2ProviderConfigInput": { + "customOauth2ProviderConfig": { + "clientAuthenticationMethod": "CLIENT_SECRET_BASIC", + "clientId": "your-client-id", + "clientSecret": "your-client-secret", + "oauthDiscovery": { + "authorizationServerMetadata": { + "authorizationEndpoint": "https://auth.pingone.com/your-env-id/as/authorize", + "tokenEndpoint": "https://auth.pingone.com/your-env-id/as/token", + "issuer": "https://auth.pingone.com/your-env-id/as" + } + }, + "onBehalfOfTokenExchangeConfig": { + "grantType": "TOKEN_EXCHANGE", + "tokenExchangeGrantTypeConfig": { + "actorTokenContent": "NONE" + } + } + } + } + } +