AWS agent-toolkit documentation change
Summary
Added documentation for OAuth condition keys in AWS Sign-in including OAuthClientId, OAuthRedirectUri, OAuthGrantType, and OAuthClientAuthentication keys with usage guidance
Security assessment
The change introduces new OAuth-specific condition keys for fine-grained access control but provides no evidence of addressing a specific vulnerability. It proactively documents security features for OAuth authentication flows.
Diff
diff --git a/agent-toolkit/latest/userguide/security_iam_service-with-iam.md b/agent-toolkit/latest/userguide/security_iam_service-with-iam.md index 1d1e60d72..e80d35758 100644 --- a//agent-toolkit/latest/userguide/security_iam_service-with-iam.md +++ b//agent-toolkit/latest/userguide/security_iam_service-with-iam.md @@ -7 +7 @@ -Authorization flowMCP condition context keysIdentity-based policiesTemporary credentialsDeprecated actions +Authorization flowMCP condition context keysOAuth condition keysIdentity-based policiesTemporary credentialsDeprecated actions @@ -58,0 +59,48 @@ For more information about global condition context keys, see [IAM condition con +## OAuth condition keys for AWS Sign-in + +When you use OAuth authentication with AWS MCP Server through AWS Sign-in, the following service-specific condition keys are available in the `signin:` namespace. Use these keys in IAM policies and SCPs to govern how OAuth is used within your organization. + +`signin:OAuthClientId` + + +The ARN of the OAuth client making the request. Use this key to allow only approved OAuth clients to access AWS MCP Server. + +Type: String (ARN) + +Applies to: `signin:AuthorizeOAuth2Access`, `signin:CreateOAuth2Token` + +`signin:OAuthRedirectUri` + + +The redirect URI used in the authorization request. Use this key to restrict token delivery to trusted redirect URIs such as localhost or corporate domains. + +Type: String + +Applies to: `signin:AuthorizeOAuth2Access` + +`signin:OAuthGrantType` + + +The OAuth grant type being used. Use this key to control which OAuth authorization flows are permitted. + +Type: String + +Example values: `authorization_code`, `refresh_token`, `client_credentials` + +Applies to: `signin:CreateOAuth2Token` + +`signin:OAuthClientAuthentication` + + +The client authentication method used. Use this key to require specific authentication methods. + +Type: String + +Example values: `none`, `client_secret_basic`, `client_secret_post` + +Applies to: `signin:CreateOAuth2Token` + +OAuth access tokens carry the `aws:SignInSessionArn` global condition key. This key contains the unique ARN of the AWS Sign-in session. + +For more information about OAuth condition keys, see [OAuth condition keys reference](https://docs.aws.amazon.com/signin/latest/userguide/reference-signin-condition-keys.html) in the _AWS Sign-in User Guide_. For OAuth authentication setup and governance examples, see [OAuth 2.1 authentication for AWS MCP Server](./oauth-authentication.html). +