AWS AWSCloudFormation high security documentation change
Summary
Added OnBehalfOfTokenExchangeConfig property for OAuth2 token exchange flows and modified ClientId/ClientSecret from required to optional
Security assessment
The addition of OnBehalfOfTokenExchangeConfig enables RFC 8693/RFC 7523 security protocols for authentication flows. Changing ClientId/ClientSecret to optional suggests fundamental authentication changes with security implications.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md index 15cafb559..43a3265a2 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md @@ -23 +23,2 @@ To declare this entity in your CloudFormation template, use the following syntax - "OauthDiscovery" : [Oauth2Discovery](./aws-properties-bedrockagentcore-oauth2credentialprovider-oauth2discovery.html) + "OauthDiscovery" : [Oauth2Discovery](./aws-properties-bedrockagentcore-oauth2credentialprovider-oauth2discovery.html), + "OnBehalfOfTokenExchangeConfig" : [OnBehalfOfTokenExchangeConfig](./aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.html) @@ -33,0 +35,2 @@ To declare this entity in your CloudFormation template, use the following syntax + OnBehalfOfTokenExchangeConfig: + [OnBehalfOfTokenExchangeConfig](./aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.html) @@ -43 +46 @@ The client ID for the custom OAuth2 provider. -_Required_ : Yes +_Required_ : No @@ -58 +61 @@ The client secret for the custom OAuth2 provider. -_Required_ : Yes +_Required_ : No @@ -78,0 +82,11 @@ _Required_ : Yes +`OnBehalfOfTokenExchangeConfig` + + +The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants. + +_Required_ : No + + _Type_ : [OnBehalfOfTokenExchangeConfig](./aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.html) + + _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) +