AWS mcp-sap documentation change
Summary
Expanded OAuth configuration parameters and validation rules to include 'ON_BEHALF_OF_TOKEN_EXCHANGE' authentication flow
Security assessment
The change adds documentation for a new authentication method (token exchange flow) but shows no evidence of addressing a specific vulnerability. It enhances security documentation by describing proper configuration for additional OAuth flows.
Diff
diff --git a/mcp-sap/latest/awsforsapmcp/configuration-reference.md b/mcp-sap/latest/awsforsapmcp/configuration-reference.md index 5ebdcfa5f..cbe6ea119 100644 --- a//mcp-sap/latest/awsforsapmcp/configuration-reference.md +++ b//mcp-sap/latest/awsforsapmcp/configuration-reference.md @@ -39,2 +39,2 @@ Variable | Description | Example -`MCP_SERVER_OAUTH_PROVIDER` | Bedrock AgentCore Identity Provider Name. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M` or `USER_FEDERATION`. | `sap-oauth-provider` -`MCP_SERVER_SAP_OAUTH_SCOPES` | OAuth scopes for SAP access. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M` or `USER_FEDERATION`. | `ZAPI_SALES_ORDER_SRV_0001` +`MCP_SERVER_OAUTH_PROVIDER` | Bedrock AgentCore Identity Provider Name. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`. | `sap-oauth-provider` +`MCP_SERVER_SAP_OAUTH_SCOPES` | OAuth scopes for SAP access. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`. | `ZAPI_SALES_ORDER_SRV_0001` @@ -314 +314 @@ The server enforces the following cross-validation rules at startup. If any rule - 3. **OAuth provider validated at startup.** When the authentication flow is `M2M` or `USER_FEDERATION`, the server validates the `MCP_SERVER_SAP_OAUTH_PROVIDER` value against Bedrock AgentCore Identity during startup. + 3. **OAuth provider validated at startup.** When the authentication flow is `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`, the server validates the `MCP_SERVER_SAP_OAUTH_PROVIDER` value against Bedrock AgentCore Identity during startup.