AWS Security ChangesHomeSearch

AWS signin documentation change

Service: signin · 2026-07-10 · Documentation low

File: signin/latest/userguide/reference-signin-condition-keys.md

Summary

Added documentation for new OAuth condition keys including signin:OAuthClientId, signin:OAuthRedirectUri, signin:OAuthGrantType, signin:OAuthClientAuthentication, and signin:OAuthTokenType. Expanded the condition key availability table to include these new keys and additional actions.

Security assessment

The changes document new OAuth-specific condition keys that enable granular control over OAuth authorization flows, client authentication methods, token management, and redirect URI validation. While these features enhance security by allowing administrators to restrict OAuth client behavior and prevent misconfigurations (e.g., open redirects or unauthorized token issuance), there's no evidence this addresses a specific existing vulnerability. The changes purely add documentation for new security controls.

Diff

diff --git a/signin/latest/userguide/reference-signin-condition-keys.md b/signin/latest/userguide/reference-signin-condition-keys.md
index 7f5e2020f..2c75a7ff8 100644
--- a//signin/latest/userguide/reference-signin-condition-keys.md
+++ b//signin/latest/userguide/reference-signin-condition-keys.md
@@ -7 +7 @@
-Network-based condition keysIdentity-based condition keysService-specific condition key: signin:PrincipalArnCondition key availability by actionRelated information
+Network-based condition keysIdentity-based condition keysService-specific condition key: signin:PrincipalArnOAuth condition keysCondition key availability by actionRelated information
@@ -127 +127,5 @@ This policy denies console access from outside the `203.0.113.0/24` IP range, ex
-## Condition key availability by action
+## OAuth condition keys
+
+AWS Sign-In provides OAuth-specific condition keys that you can use in IAM policies to control how applications obtain OAuth authorization and OAuth tokens. These condition keys allow you to restrict which OAuth clients can connect, which redirect URIs are trusted, which OAuth authorization flows are permitted, how OAuth clients authenticate, and which OAuth tokens can be managed.
+
+OAuth condition keys can be used in IAM identity policies, service control policies (SCPs), resource control policies (RCPs), and other IAM policy types that support AWS Sign-In actions.
@@ -129 +133,3 @@ This policy denies console access from outside the `203.0.113.0/24` IP range, ex
-Condition key availability by action Condition key | signin:Authenticate | signin:AuthorizeOAuth2Access | signin:CreateOAuth2Token  
+The following OAuth condition keys are available.
+
+Condition key | Type | Description | Applicable actions  
@@ -131,8 +137,240 @@ Condition key availability by action Condition key | signin:Authenticate | signi
-`aws:SourceIp` | Yes | Yes | Yes  
-`aws:SourceVpc` | Yes | Yes | Yes  
-`aws:SourceVpce` | Yes | Yes | Yes  
-`aws:VpcSourceIp` | Yes | Yes | Yes  
-`aws:RequestedRegion` | Yes | Yes | Yes  
-`aws:PrincipalArn` | – | Yes | Yes  
-`aws:PrincipalAccount` | – | Yes | Yes  
-`signin:PrincipalArn` | Yes | – | –  
+`signin:OAuthClientId` | String | Restricts authorization to approved OAuth clients. | `signin:AuthorizeOAuth2Access`, `signin:CreateOAuth2Token`, `signin:IntrospectOAuth2Token`  
+`signin:OAuthRedirectUri` | String | Restricts OAuth authorization to approved redirect URIs. | `signin:AuthorizeOAuth2Access`, `signin:CreateOAuth2Token`, `signin:CreateOAuth2PublicClient`  
+`signin:OAuthGrantType` | String | Controls which OAuth grant types are permitted. Values: `authorization_code`, `refresh_token`, `client_credentials`. | `signin:CreateOAuth2Token`  
+`signin:OAuthClientAuthentication` | String | Controls permitted OAuth client authentication methods. | `signin:CreateOAuth2Token`  
+`signin:OAuthTokenType` | String | Controls operations performed on OAuth access and refresh tokens. Values: `access_token`, `refresh_token`. | `signin:RevokeOAuth2Token`, `signin:IntrospectOAuth2Token`  
+  
+### signin:OAuthClientId
+
+Use `signin:OAuthClientId` to allow or deny OAuth authorization based on the registered OAuth client requesting access.
+
+OAuth client IDs are represented as AWS Sign-In Dynamic Client Registration (DCR) ARNs.
+
+For the non-interactive (client credentials) flow, the implicit client ID is `arn:aws:signin:::client-credentials/sigv4`.
+
+Applicable actions
+    
+
+  * `signin:AuthorizeOAuth2Access`
+
+  * `signin:CreateOAuth2Token`
+
+  * `signin:IntrospectOAuth2Token`
+
+
+
+
+**Example – Allow only a specific registered OAuth client:**
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "signin:AuthorizeOAuth2Access",
+            "signin:CreateOAuth2Token"
+          ],
+          "Resource": "arn:aws:signin:*:*:service-principal/aws-mcp.amazonaws.com",
+          "Condition": {
+            "StringEquals": {
+              "signin:OAuthClientId": "arn:aws:signin:us-east-1::external-client/dcr/081e0aeb-e779-4dfe-9648-bd5bf6e6afa4"
+            }
+          }
+        }
+      ]
+    }
+
+### signin:OAuthRedirectUri
+
+Use `signin:OAuthRedirectUri` to restrict where OAuth authorization responses are delivered.
+
+This is commonly used to ensure OAuth authorization responses are returned only to trusted redirect URIs, such as localhost during development.
+
+For the `signin:CreateOAuth2PublicClient` action, this condition key only applies in VPC endpoint (VPCE) policy evaluation.
+
+Applicable actions
+    
+
+  * `signin:AuthorizeOAuth2Access`
+
+  * `signin:CreateOAuth2Token`
+
+  * `signin:CreateOAuth2PublicClient`
+
+
+
+
+**Example – Allow browser-based authorization only for localhost redirect URIs and only for interactive OAuth flows:**
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": [
+            "signin:AuthorizeOAuth2Access",
+            "signin:CreateOAuth2Token"
+          ],
+          "Resource": "arn:aws:signin:*:*:service-principal/aws-mcp.amazonaws.com",
+          "Condition": {
+            "StringLike": {
+              "signin:OAuthRedirectUri": "http://localhost:*"
+            },
+            "StringEquals": {
+              "signin:OAuthGrantType": [
+                "authorization_code",
+                "refresh_token"
+              ]
+            }
+          }
+        }
+      ]
+    }
+
+### signin:OAuthGrantType
+
+Use `signin:OAuthGrantType` to control which OAuth grant types applications are allowed to use.
+
+Supported values include:
+
+  * `authorization_code`
+
+  * `refresh_token`
+
+  * `client_credentials`
+
+
+
+
+Applicable actions
+    
+
+  * `signin:CreateOAuth2Token`
+
+
+
+
+**Example – Allow only browser-based OAuth authorization while preventing applications from using the Client Credentials Grant:**
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Allow",
+          "Action": "signin:CreateOAuth2Token",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "signin:OAuthGrantType": [
+                "authorization_code",
+                "refresh_token"
+              ]
+            }
+          }
+        }
+      ]
+    }
+
+### signin:OAuthClientAuthentication
+
+Use `signin:OAuthClientAuthentication` to control which client authentication methods OAuth clients can use when requesting access tokens.
+
+Currently supported value:
+
+  * `none`
+
+
+
+
+Applicable actions
+    
+
+  * `signin:CreateOAuth2Token`
+
+
+
+
+**Example – Deny public clients for OAuth operations:**
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Effect": "Deny",
+          "Action": "signin:CreateOAuth2Token",
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {