AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-04 · Documentation medium

File: bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md

Summary

Restructured OAuth client configuration steps: added Secrets Manager integration for client secrets, reordered parameters, and expanded endpoint details.

Security assessment

The change introduces AWS Secrets Manager as a secure method for storing client secrets, replacing direct secret input. This promotes better secret management practices but doesn't address any specific vulnerability. No evidence of patching a security incident exists.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md b/bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md
index bf4c18134..bdc867786 100644
--- a//bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md
+++ b//bedrock-agentcore/latest/devguide/identity-add-oauth-client-custom.md
@@ -27 +27 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      2. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
+      2. For **Discovery URL** , enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration` . For example, https:// `example.com` /.well-known/openid-configuration.
@@ -29 +29 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      3. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+      3. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
@@ -31 +31,11 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      4. For **Discovery URL** , enter the URL where your provider publishes its OpenID Connect configuration. Discovery URLs must end with `.well-known/openid-configuration` . For example, https:// `example.com` /.well-known/openid-configuration.
+      4. For **Client secret selection method** , choose one of the following options:
+
+        1. **Provide Client secret** – Enter the client secret value directly.
+
+          1. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+
+        2. **Provide Client secret via Secrets Manager** – Reference a secret stored in AWS Secrets Manager instead of entering the value directly.
+
+          1. For **Secrets Manager** , enter or select the ARN of the Secrets Manager secret that contains your client secret.
+
+          2. For **JSON key** , enter the JSON key in your Secrets Manager secret that contains the client secret value for your OAuth client.
@@ -37 +47,11 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      2. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
+      2. For **Issuer** , enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity.
+
+      3. For **Authorization endpoint** , enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow.
+
+      4. For **Token endpoint** , enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process.
+
+      5. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow.
+
+      6. For **Client ID** , enter the unique identifier you received when registering your application with the identity provider.
+
+      7. For **Client secret selection method** , choose one of the following options:
@@ -39 +59 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      3. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
+        1. **Provide Client secret** – Enter the client secret value directly.
@@ -41 +61 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      4. For **Issuer** , enter the base URL that identifies your authorization server. This value appears in the `iss` claim of issued tokens and helps verify token authenticity.
+          1. For **Client secret** , enter the confidential key associated with your client ID that AgentCore Identity securely stores for authentication.
@@ -43 +63 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      5. For **Authorization endpoint** , enter the URL where users will be directed to grant permission to your application. This is the entry point for the OAuth authorization flow.
+        2. **Provide Client secret via Secrets Manager** – Reference a secret stored in AWS Secrets Manager instead of entering the value directly.
@@ -45 +65 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      6. For **Token endpoint** , enter the URL where your agent exchanges authorization codes for access tokens. This endpoint handles the credential exchange process.
+          1. For **Secrets Manager** , enter or select the ARN of the Secrets Manager secret that contains your client secret.
@@ -47 +67 @@ Custom providers enable you to connect to any OAuth2-compatible resource server
-      7. (Optional) In the **Response types** section, configure how your OAuth client receives authentication responses by choosing **Add response type** and selecting the token formats your provider should return. Common types include `code` for authorization code flow or `token` for implicit flow.
+          2. For **JSON key** , enter the JSON key in your Secrets Manager secret that contains the client secret value for your OAuth client.