AWS cli documentation change
Summary
Added documentation for 'advertisedScopeMapping' parameter in harness configuration, enabling mapping between internal token validation scopes and externally advertised OAuth scopes.
Security assessment
Documents a security enhancement for OAuth implementations that allows separation of internal and external scope names. This improves security by preventing internal scope naming conventions from being exposed in client-facing metadata, but doesn't address a specific vulnerability.
Diff
diff --git a/cli/latest/reference/bedrock-agentcore-control/create-harness.md b/cli/latest/reference/bedrock-agentcore-control/create-harness.md index ae42709e9..8aeea88ca 100644 --- a//cli/latest/reference/bedrock-agentcore-control/create-harness.md +++ b//cli/latest/reference/bedrock-agentcore-control/create-harness.md @@ -15 +15 @@ - * [AWS CLI 2.35.16 Command Reference](../../index.html) » + * [AWS CLI 2.35.19 Command Reference](../../index.html) » @@ -529,0 +530,31 @@ JSON Syntax: +>> +>> advertisedScopeMapping -> (map) +>> +>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients. +>>> +>>> Constraints: +>>> +>>> * min: `1` +>>> * max: `50` +>>> + +>>> +>>> key -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `255` +>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>> + +>>> +>>> value -> (string) +>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `255` +>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>> + @@ -966,0 +998,2 @@ JSON Syntax: + "advertisedScopeMapping": {"string": "string" + ...}, @@ -3298,0 +3332,31 @@ harness -> (structure) +>>> +>>> advertisedScopeMapping -> (map) +>>> +>>>> A map that associates each scope in `allowedScopes` with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and `WWW-Authenticate` response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from `allowedScopes` that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients. +>>>> +>>>> Constraints: +>>>> +>>>> * min: `1` +>>>> * max: `50` +>>>> + +>>>> +>>>> key -> (string) +>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `255` +>>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>>> + +>>>> +>>>> value -> (string) +>>>> +>>>>> Constraints: +>>>>> +>>>>> * min: `1` +>>>>> * max: `255` +>>>>> * pattern: `[\x21\x23-\x5B\x5D-\x7E]+` +>>>>> + @@ -3868 +3932 @@ harness -> (structure) - * [AWS CLI 2.35.16 Command Reference](../../index.html) » + * [AWS CLI 2.35.19 Command Reference](../../index.html) »