AWS cli documentation change
Summary
Updated OAuth2 credential provider configuration to support additional discovery endpoints, token exchange flows, and client authentication methods. Added on-behalf-of token exchange configuration (RFC 8693/JWT grants), made clientId/clientSecret optional, and expanded discovery endpoint pattern matching.
Security assessment
The changes add documentation for new security features (token exchange flows and additional authentication methods) but don't address any specific vulnerability. The pattern expansion for discovery endpoints and optional credentials support enhanced functionality without evidence of security fixes.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md b/cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md index d68a28005..da7658225 100644 --- a//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md +++ b//cli/latest/reference/bedrock-agentcore-control/create-oauth2-credential-provider.md @@ -15 +15 @@ - * [AWS CLI 2.34.38 Command Reference](../../index.html) » + * [AWS CLI 2.34.40 Command Reference](../../index.html) » @@ -168 +168 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -213 +213 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> clientId -> (string) [required] +>> clientId -> (string) @@ -219 +219 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * min: `1` +>>> * min: `0` @@ -224 +224 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->> clientSecret -> (string) [required] +>> clientSecret -> (string) @@ -230 +230 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc ->>> * min: `1` +>>> * min: `0` @@ -511,0 +512,56 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/bedroc +>> +>> onBehalfOfTokenExchangeConfig -> (structure) +>> +>>> The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants. +>>> +>>> grantType -> (string) [required] +>>> +>>>> The grant type for the on-behalf-of token exchange. +>>>> +>>>> Possible values: +>>>> +>>>> * `TOKEN_EXCHANGE` +>>>> * `JWT_AUTHORIZATION_GRANT` +>>>> + +>>> +>>> tokenExchangeGrantTypeConfig -> (structure) +>>> +>>>> Configuration specific to TOKEN_EXCHANGE grant type (RFC 8693) +>>>> +>>>> actorTokenContent -> (string) [required] +>>>> +>>>>> The content type for the actor token in the token exchange. +>>>>> +>>>>> Possible values: +>>>>> +>>>>> * `NONE` +>>>>> * `M2M` +>>>>> * `AWS_IAM_ID_TOKEN_JWT` +>>>>> + +>>>> +>>>> actorTokenScopes -> (list) +>>>> +>>>>> Only valid when actorTokenContent is M2M +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `128` +>>>>>> + +>> +>> clientAuthenticationMethod -> (string) +>> +>>> The client authentication method to use when authenticating with the token endpoint. +>>> +>>> Possible values: +>>> +>>> * `CLIENT_SECRET_BASIC` +>>> * `CLIENT_SECRET_POST` +>>> * `AWS_IAM_ID_TOKEN_JWT` +>>> + @@ -794 +850,9 @@ JSON Syntax: - ] + ], + "onBehalfOfTokenExchangeConfig": { + "grantType": "TOKEN_EXCHANGE"|"JWT_AUTHORIZATION_GRANT", + "tokenExchangeGrantTypeConfig": { + "actorTokenContent": "NONE"|"M2M"|"AWS_IAM_ID_TOKEN_JWT", + "actorTokenScopes": ["string", ...] + } + }, + "clientAuthenticationMethod": "CLIENT_SECRET_BASIC"|"CLIENT_SECRET_POST"|"AWS_IAM_ID_TOKEN_JWT" @@ -1058 +1122 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1390,0 +1455,56 @@ oauth2ProviderConfigOutput -> (tagged union structure) +>> +>> onBehalfOfTokenExchangeConfig -> (structure) +>> +>>> The configuration for on-behalf-of token exchange. +>>> +>>> grantType -> (string) [required] +>>> +>>>> The grant type for the on-behalf-of token exchange. +>>>> +>>>> Possible values: +>>>> +>>>> * `TOKEN_EXCHANGE` +>>>> * `JWT_AUTHORIZATION_GRANT` +>>>> + +>>> +>>> tokenExchangeGrantTypeConfig -> (structure) +>>> +>>>> Configuration specific to TOKEN_EXCHANGE grant type (RFC 8693) +>>>> +>>>> actorTokenContent -> (string) [required] +>>>> +>>>>> The content type for the actor token in the token exchange. +>>>>> +>>>>> Possible values: +>>>>> +>>>>> * `NONE` +>>>>> * `M2M` +>>>>> * `AWS_IAM_ID_TOKEN_JWT` +>>>>> + +>>>> +>>>> actorTokenScopes -> (list) +>>>> +>>>>> Only valid when actorTokenContent is M2M +>>>>> +>>>>> (string) +>>>>> +>>>>>> Constraints: +>>>>>> +>>>>>> * min: `1` +>>>>>> * max: `128` +>>>>>> + +>> +>> clientAuthenticationMethod -> (string) +>> +>>> The client authentication method used when authenticating with the token endpoint. +>>> +>>> Possible values: +>>> +>>> * `CLIENT_SECRET_BASIC` +>>> * `CLIENT_SECRET_POST` +>>> * `AWS_IAM_ID_TOKEN_JWT` +>>> + @@ -1410 +1530 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1484 +1604 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1558 +1678 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1632 +1752 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1706 +1826 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1780 +1900 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1854 +1974 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -1928 +2048 @@ oauth2ProviderConfigOutput -> (tagged union structure) ->>>> * pattern: `.+/\.well-known/openid-configuration` +>>>> * pattern: `.+/\.well-known/(openid-configuration|oauth-authorization-server)` @@ -2010 +2130 @@ status -> (string) - * [AWS CLI 2.34.38 Command Reference](../../index.html) » + * [AWS CLI 2.34.40 Command Reference](../../index.html) »