AWS Security ChangesHomeSearch

AWS mcp-sap documentation change

Service: mcp-sap · 2026-06-25 · Documentation low

File: mcp-sap/latest/awsforsapmcp/getting-started.md

Summary

Updated supported authentication flows to include 'ON_BEHALF_OF_TOKEN_EXCHANGE' and added prerequisites for token exchange pattern

Security assessment

The modifications document a new security feature (token exchange authentication) without referencing any vulnerability fixes. It enhances security documentation by explaining proper setup for delegated authentication flows.

Diff

diff --git a/mcp-sap/latest/awsforsapmcp/getting-started.md b/mcp-sap/latest/awsforsapmcp/getting-started.md
index 12b3f5cbf..6923f12c6 100644
--- a//mcp-sap/latest/awsforsapmcp/getting-started.md
+++ b//mcp-sap/latest/awsforsapmcp/getting-started.md
@@ -95 +95 @@ Inbound authentication requires a JSON Web Token (JWT) compatible identity provi
-AWS for SAP MCP Server supports Basic Auth and OAuth2 (M2M and User Federation).
+AWS for SAP MCP Server supports Basic Auth and OAuth2 (M2M, User Federation, and On-Behalf-Of Token Exchange).
@@ -171,0 +172,19 @@ Additionally, SAP and IdP related OAuth2/OIDC/SAML configuration are required as
+#### On-Behalf-Of Token Exchange
+
+**Pattern: External IdP (Entra ID) with token exchange**
+
+  * Same as M2M Pattern 2 (External IdP with OIDC) prerequisites, plus:
+
+    * Two Entra ID app registrations are required: an inbound app (for user authentication) and an outbound app (for the token exchange).
+
+    * The outbound app must authorize the inbound app as a client.
+
+    * User consent (or admin consent) granted to the outbound app in Entra ID.
+
+    * The AgentCore callback URL must be registered as a redirect URI in the outbound app’s configuration. This URL is auto-generated during deployment.
+
+    * Certain MCP Clients might need a Three App setup. Three Entra ID app registrations include a Client app (for user authentication), a Resource app (representing AgentCore for token validation), and an Outbound app (for the token exchange to SAP). The Resource app performs the OBO exchange using its own credentials to obtain a token scoped to the Outbound app.
+
+
+
+