AWS Security ChangesHomeSearch

AWS AWSCloudFormation high security documentation change

Service: AWSCloudFormation · 2026-05-10 · Security-related high

File: AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md

Summary

Added OnBehalfOfTokenExchangeConfig property for OAuth2 token exchange flows and modified ClientId/ClientSecret from required to optional

Security assessment

The addition of OnBehalfOfTokenExchangeConfig enables RFC 8693/RFC 7523 security protocols for authentication flows. Changing ClientId/ClientSecret to optional suggests fundamental authentication changes with security implications.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md
index 15cafb559..43a3265a2 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput.md
@@ -23 +23,2 @@ To declare this entity in your CloudFormation template, use the following syntax
-      "OauthDiscovery" : [Oauth2Discovery](./aws-properties-bedrockagentcore-oauth2credentialprovider-oauth2discovery.html)
+      "OauthDiscovery" : [Oauth2Discovery](./aws-properties-bedrockagentcore-oauth2credentialprovider-oauth2discovery.html),
+      "OnBehalfOfTokenExchangeConfig" : [OnBehalfOfTokenExchangeConfig](./aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.html)
@@ -33,0 +35,2 @@ To declare this entity in your CloudFormation template, use the following syntax
+      OnBehalfOfTokenExchangeConfig: 
+        [OnBehalfOfTokenExchangeConfig](./aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.html)
@@ -43 +46 @@ The client ID for the custom OAuth2 provider.
-_Required_ : Yes
+_Required_ : No
@@ -58 +61 @@ The client secret for the custom OAuth2 provider.
-_Required_ : Yes
+_Required_ : No
@@ -78,0 +82,11 @@ _Required_ : Yes
+`OnBehalfOfTokenExchangeConfig`
+    
+
+The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants.
+
+_Required_ : No
+
+ _Type_ : [OnBehalfOfTokenExchangeConfig](./aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.html)
+
+ _Update requires_ : [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)
+