AWS Security ChangesHomeSearch

AWS quick medium security documentation change

Service: quick · 2026-07-10 · Security-related medium

File: quick/latest/userguide/desktop-enterprise-setup.md

Summary

Restructured enterprise setup documentation by removing detailed identity provider-specific configuration steps and consolidating them into separate linked pages. Added network access requirements for restricted environments.

Security assessment

Added explicit requirement for network allow lists to include Amazon Quick and identity provider domains in restricted environments. This addresses security-related network configuration needs to ensure secure communication channels.

Diff

diff --git a/quick/latest/userguide/desktop-enterprise-setup.md b/quick/latest/userguide/desktop-enterprise-setup.md
index 7e130db3c..7cdb714dc 100644
--- a//quick/latest/userguide/desktop-enterprise-setup.md
+++ b//quick/latest/userguide/desktop-enterprise-setup.md
@@ -7 +7 @@
-How enterprise sign-in worksPrerequisitesStep 1: Create an OIDC application in your identity providerStep 2: Configure the extension access in the Amazon Quick management consoleStep 3: Download and distribute the desktop applicationTroubleshooting
+How enterprise sign-in worksPrerequisitesSetup process
@@ -23,13 +22,0 @@ If you are using a Free or Plus account, this section does not apply to you. Con
-The setup involves the following steps, in order:
-
-  1. Create an OIDC application in your IdP.
-
-  2. Configure the extension access in the Amazon Quick management console.
-
-  3. Distribute the desktop application to your users.
-
-
-
-
-This guide provides IdP-specific instructions for Microsoft Entra ID, Google Workspace, Okta, and Ping Identity (PingFederate and PingOne). See instructions for your specific identity provider below.
-
@@ -52,87 +39 @@ Before you begin, verify that you have the following:
-
-
-
-###### Important
-
-Amazon Quick on desktop is available for Enterprise accounts in AWS Regions that support the full Amazon Quick feature set. Regions that support Amazon Quick Sight capabilities only do not include desktop. For the full list, see [Supported AWS Regions for Amazon Quick](./regions.html#regions-qs).
-
-## Step 1: Create an OIDC application in your identity provider
-
-Register a public OIDC client application in your IdP. The Amazon Quick desktop application uses this client to authenticate users through the authorization code flow with PKCE. No client secret is required.
-
-The desktop application requires refresh tokens to maintain long-lived sessions. How refresh tokens are configured depends on your IdP:
-
-  * **Microsoft Entra ID** – The `offline_access` scope must be granted. Without it, users must re-authenticate frequently.
-
-  * **Google Workspace** – Include the `access_type=offline` parameter in the authorization request. Google issues a refresh token on the first authorization. No additional scope or grant type configuration is required.
-
-  * **Okta** – The Refresh Token grant type must be enabled on the application, and the `offline_access` scope must be granted.
-
-  * **Ping Identity** – The Refresh Token grant type must be enabled, and the `offline_access` scope must be granted. For PingFederate, the **Return ID Token On Refresh Grant** setting must also be enabled in the OIDC policy.
-
-
-
-
-Choose the instructions for your identity provider.
-
-### Microsoft Entra ID
-
-For detailed instructions, see [Register an application](https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app) in the Microsoft Entra documentation.
-
-###### To create the Entra ID app registration
-
-  1. In the Azure portal, navigate to **Microsoft Entra ID → App registrations → New registration**.
-
-  2. Configure the following settings:
-
-Setting | Value  
----|---  
-Name | `Amazon Quick Desktop`  
-Supported account types | Accounts in this organizational directory only (Single tenant)  
-Redirect URI platform | Public client/native (mobile & desktop)  
-Redirect URI | `http://localhost:18080`  
-  
-  3. Choose **Register**.
-
-  4. On the **Overview** page, note the **Application (client) ID** and **Directory (tenant) ID**. You need these values in later steps.
-
-
-
-
-This is a public client registration. PKCE is enforced automatically by Entra ID for public clients.
-
-###### To configure API permissions
-
-  1. In the app registration, navigate to **API permissions → Add a permission → Microsoft Graph → Delegated permissions**.
-
-  2. Add the following permissions: `openid`, `email`, `profile`, `offline_access`.
-
-  3. Choose **Add permissions**.
-
-  4. If your organization requires it, choose **Grant admin consent for [your organization]**.
-
-
-
-
-###### To configure authentication settings
-
-  1. In the app registration, navigate to **Authentication**.
-
-  2. Under **Advanced settings** , set **Allow public client flows** to **Yes**.
-
-  3. Verify that `http://localhost:18080` is listed under **Mobile and desktop applications**.
-
-  4. Choose **Save**.
-
-
-
-
-###### To configure token claims
-
-  1. In the app registration, navigate to **Token configuration**.
-
-  2. Choose **Add optional claim**.
-
-  3. Select token type: **ID**.
-
-  4. Select the `email` claim and choose **Add**.
+  * In restricted network environments, the ability to reach the required Amazon Quick and identity provider domains. For the list of domains to add to your allow list, see [Network access and required domains](./desktop-security.html#desktop-network-access).
@@ -145,326 +46 @@ This is a public client registration. PKCE is enforced automatically by Entra ID
-This step is required. Without the `email` optional claim, Microsoft Entra ID does not include the user's email address in the ID token, and Amazon Quick cannot map the token to a user. Additionally, each user who signs in must have their **Mail** attribute populated in their Entra ID profile (under **Contact Information**). The User Principal Name (UPN) alone is not sufficient — the Mail attribute must contain a value.
-
-Your OIDC endpoints use the following format. Replace `<TENANT_ID>` with your Directory (tenant) ID.
-
-###### Important
-
-The Issuer URL must include the `/v2.0` path suffix. Do not use the "Authority URL" shown in the Entra ID Endpoints panel, which omits this suffix. If the `/v2.0` suffix is missing, token validation fails with an "Invalid issuer" error at sign-in time.
-
-Field | Value  
----|---  
-Issuer URL | `https://login.microsoftonline.com/<TENANT_ID>/v2.0`  
-Authorization endpoint | `https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/authorize`  
-Token endpoint | `https://login.microsoftonline.com/<TENANT_ID>/oauth2/v2.0/token`  
-JWKS URI | `https://login.microsoftonline.com/<TENANT_ID>/discovery/v2.0/keys`  
-  
-###### Tip
-
-The JWKS URI is not displayed in the Microsoft Entra ID **Endpoints** panel. You can find it by opening the **OpenID Connect metadata document** URL from the Endpoints panel and locating the `jwks_uri` field in the JSON response. Alternatively, construct it using the format shown in the preceding table.
-
-### Google Workspace
-
-For detailed instructions, see [OAuth 2.0 for Mobile & Desktop Apps](https://developers.google.com/identity/protocols/oauth2/native-app) in the Google for Developers documentation.
-
-###### To create the Google OAuth client
-
-  1. In the Google Cloud Console, navigate to **APIs & Services → Credentials → Create Credentials → OAuth client ID**.
-
-  2. Configure the following settings:
-
-Setting | Value  
----|---  
-Application type | Desktop app  
-Name | `Amazon Quick Desktop`  
-  
-  3. Choose **Create**.
-
-  4. Note the **Client ID** and **Client secret**. You need these values in later steps.
-
-
-
-
-###### To configure the OAuth consent screen
-
-  1. In the Google Cloud Console, navigate to **Google Auth Platform → Branding**.
-
-  2. Set the **User type** to **Internal**. This restricts sign-in to users in your Google Workspace organization.
-
-  3. Fill in the required app information and choose **Save**.
-
-
-
-
-###### To configure scopes
-
-  1. In the Google Cloud Console, navigate to **Google Auth Platform → Data Access**.
-
-  2. Add the following scopes: `openid`, `email`, `profile`.
-
-  3. Choose **Save**.
-
-
-
-
-Google supports PKCE for desktop applications. Refresh tokens are issued automatically when the `access_type=offline` parameter is included in the authorization request. No additional configuration is required.
-
-Your OIDC endpoints are as follows:
-
-Field | Value  
----|---  
-Issuer URL | `https://accounts.google.com`  
-Authorization endpoint | `https://accounts.google.com/o/oauth2/v2/auth`  
-Token endpoint | `https://oauth2.googleapis.com/token?client_secret=<CLIENT_SECRET>`  
-JWKS URI | `https://www.googleapis.com/oauth2/v3/certs`  
-  
-###### Note
-
-Append your client secret to the token endpoint as a `client_secret` query parameter so that token exchange succeeds—for example, `https://oauth2.googleapis.com/token?client_secret=<CLIENT_SECRET>`. Replace `<CLIENT_SECRET>` with the client secret generated for your OAuth client.
-
-### Okta
-
-For detailed instructions, see [Create OpenID Connect app integrations](https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm) in the Okta documentation.
-
-###### To create the Okta OIDC Native Application
-
-  1. In the Okta Admin Console, navigate to **Applications → Applications → Create App Integration**.
-
-  2. Select **OIDC - OpenID Connect** as the sign-in method.
-
-  3. Select **Native Application** as the application type, then choose **Next**.