AWS cli documentation change
Summary
Added documentation for 'advertisedScopeMapping' parameter in OAuth configuration, which maps internal scopes to externally advertised values for token validation and client communication.
Security assessment
The change documents a new security feature for OAuth scope mapping that enhances security by decoupling internal validation scopes from externally advertised values. This prevents exposure of internal scope names in metadata/headers, reducing information leakage. No vulnerability fix is indicated.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/create-gateway.md b/cli/latest/reference/bedrock-agentcore-control/create-gateway.md index acfce28fd..2dd683b62 100644 --- a//cli/latest/reference/bedrock-agentcore-control/create-gateway.md +++ b//cli/latest/reference/bedrock-agentcore-control/create-gateway.md @@ -15 +15 @@ - * [AWS CLI 2.35.16 Command Reference](../../index.html) » + * [AWS CLI 2.35.19 Command Reference](../../index.html) » @@ -331,0 +332,31 @@ JSON Syntax: +>> +>> advertisedScopeMapping -> (map) +>> +>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `50` +>>> + +>>> +>>> key -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `255` +>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>> + +>>> +>>> value -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `255` +>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>> + @@ -768,0 +800,2 @@ JSON Syntax: + "advertisedScopeMapping": {"string": "string" + ...}, @@ -1444,0 +1478,31 @@ authorizerConfiguration -> (tagged union structure) +>> +>> advertisedScopeMapping -> (map) +>> +>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `50` +>>> + +>>> +>>> key -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `255` +>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>> + +>>> +>>> value -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `255` +>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>> + @@ -2109 +2173 @@ wafConfiguration -> (structure) - * [AWS CLI 2.35.16 Command Reference](../../index.html) » + * [AWS CLI 2.35.19 Command Reference](../../index.html) »