AWS mcp-sap documentation change
Summary
Updated supported authentication flows to include 'ON_BEHALF_OF_TOKEN_EXCHANGE' and added prerequisites for token exchange pattern
Security assessment
The modifications document a new security feature (token exchange authentication) without referencing any vulnerability fixes. It enhances security documentation by explaining proper setup for delegated authentication flows.
Diff
diff --git a/mcp-sap/latest/awsforsapmcp/getting-started.md b/mcp-sap/latest/awsforsapmcp/getting-started.md index 12b3f5cbf..6923f12c6 100644 --- a//mcp-sap/latest/awsforsapmcp/getting-started.md +++ b//mcp-sap/latest/awsforsapmcp/getting-started.md @@ -95 +95 @@ Inbound authentication requires a JSON Web Token (JWT) compatible identity provi -AWS for SAP MCP Server supports Basic Auth and OAuth2 (M2M and User Federation). +AWS for SAP MCP Server supports Basic Auth and OAuth2 (M2M, User Federation, and On-Behalf-Of Token Exchange). @@ -171,0 +172,19 @@ Additionally, SAP and IdP related OAuth2/OIDC/SAML configuration are required as +#### On-Behalf-Of Token Exchange + +**Pattern: External IdP (Entra ID) with token exchange** + + * Same as M2M Pattern 2 (External IdP with OIDC) prerequisites, plus: + + * Two Entra ID app registrations are required: an inbound app (for user authentication) and an outbound app (for the token exchange). + + * The outbound app must authorize the inbound app as a client. + + * User consent (or admin consent) granted to the outbound app in Entra ID. + + * The AgentCore callback URL must be registered as a redirect URI in the outbound app’s configuration. This URL is auto-generated during deployment. + + * Certain MCP Clients might need a Three App setup. Three Entra ID app registrations include a Client app (for user authentication), a Resource app (representing AgentCore for token validation), and an Outbound app (for the token exchange to SAP). The Resource app performs the OBO exchange using its own credentials to obtain a token scoped to the Outbound app. + + + +