AWS Security ChangesHomeSearch

AWS mcp-sap documentation change

Service: mcp-sap · 2026-06-25 · Documentation low

File: mcp-sap/latest/awsforsapmcp/configuration-reference.md

Summary

Expanded OAuth configuration parameters and validation rules to include 'ON_BEHALF_OF_TOKEN_EXCHANGE' authentication flow

Security assessment

The change adds documentation for a new authentication method (token exchange flow) but shows no evidence of addressing a specific vulnerability. It enhances security documentation by describing proper configuration for additional OAuth flows.

Diff

diff --git a/mcp-sap/latest/awsforsapmcp/configuration-reference.md b/mcp-sap/latest/awsforsapmcp/configuration-reference.md
index 5ebdcfa5f..cbe6ea119 100644
--- a//mcp-sap/latest/awsforsapmcp/configuration-reference.md
+++ b//mcp-sap/latest/awsforsapmcp/configuration-reference.md
@@ -39,2 +39,2 @@ Variable | Description | Example
-`MCP_SERVER_OAUTH_PROVIDER` |  Bedrock AgentCore Identity Provider Name. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M` or `USER_FEDERATION`. |  `sap-oauth-provider`  
-`MCP_SERVER_SAP_OAUTH_SCOPES` |  OAuth scopes for SAP access. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M` or `USER_FEDERATION`. |  `ZAPI_SALES_ORDER_SRV_0001`  
+`MCP_SERVER_OAUTH_PROVIDER` |  Bedrock AgentCore Identity Provider Name. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`. |  `sap-oauth-provider`  
+`MCP_SERVER_SAP_OAUTH_SCOPES` |  OAuth scopes for SAP access. Required when `MCP_SERVER_SAP_OAUTH_FLOW` is set to `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`. |  `ZAPI_SALES_ORDER_SRV_0001`  
@@ -314 +314 @@ The server enforces the following cross-validation rules at startup. If any rule
-  3. **OAuth provider validated at startup.** When the authentication flow is `M2M` or `USER_FEDERATION`, the server validates the `MCP_SERVER_SAP_OAUTH_PROVIDER` value against Bedrock AgentCore Identity during startup.
+  3. **OAuth provider validated at startup.** When the authentication flow is `M2M`, `USER_FEDERATION`, or `ON_BEHALF_OF_TOKEN_EXCHANGE`, the server validates the `MCP_SERVER_SAP_OAUTH_PROVIDER` value against Bedrock AgentCore Identity during startup.