AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-04 · Documentation low

File: bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md

Summary

Added documentation about unique OAuth2 callback URLs for session binding protection and restructured configuration steps

Security assessment

The change explicitly documents how unique callback URLs prevent cross-provider replay and CSRF attacks during OAuth2 authorization-code exchange. While this describes a security feature, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md b/bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md
index 00ec2c2d3..4a08126f8 100644
--- a//bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md
+++ b//bedrock-agentcore/latest/devguide/identity-idp-pingidentity.md
@@ -19 +19,3 @@ You can only configure a PingOne OAuth2 application as either a user federation
-**Step 1**
+###### Note
+
+AgentCore Identity issues a unique OAuth2 callback URL for each credential provider you create. The unique callback URL enables session binding, which protects the OAuth2 authorization-code exchange against cross-provider replay and CSRF-style attacks by ensuring an authorization response can only be redeemed against the specific credential provider that initiated it. Because the URL is unique per provider, you won’t know it until **after** you call `CreateOauth2CredentialProvider`. Create your PingOne OAuth2 application first, then return to the PingOne admin console to register the callback URL once AgentCore Identity has issued it.
@@ -21 +23,3 @@ You can only configure a PingOne OAuth2 application as either a user federation
-Use the following procedure to set up a PingOne OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
+**Step 1: Create the Ping Identity OAuth2 application**
+
+Use the following procedure to set up a PingOne OAuth2 application and obtain the necessary client credentials for AgentCore Identity. If you are configuring a user federation client, you will register the redirect URI in Step 3, after AgentCore Identity issues the unique callback URL.
@@ -46,0 +51,2 @@ Use the following procedure to set up a PingOne OAuth2 application and obtain th
+     * Leave the redirect URI list empty for now — you will add the unique callback URL in Step 3.
+
@@ -52 +58 @@ For more details, refer to [Ping Identity’s PingOne API documentation](https:/
-**Step 2**
+**Step 2: Create the AgentCore Identity credential provider**
@@ -126,0 +133,19 @@ To use [PingIdentity OAuth 2.0 token exchange for impersonation](https://docs.pi
+The [CreateOauth2CredentialProvider](https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_CreateOauth2CredentialProvider.html) response includes a `callbackUrl` field. This URL is unique to this credential provider and looks like: `https://bedrock-agentcore.us-east-1.amazonaws.com/identities/oauth2/callback/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX`. Save this value for the next step.
+
+###### Note
+
+The unique callback URL only applies to user federation clients. If you configured PingOne as an M2M client, no callback URL registration is required.
+
+**Step 3: Register the unique callback URL with PingOne**
+
+Return to the PingOne admin console and add the unique callback URL to your user federation application’s redirect URI list.
+
+  1. Sign in to the PingOne admin console and open the application you created in Step 1.
+
+  2. Add the `callbackUrl` value returned by `CreateOauth2CredentialProvider` to the application’s redirect URI configuration.
+
+  3. Save your changes.
+
+
+
+