This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::BedrockAgentCore::OAuth2CredentialProvider CustomOauth2ProviderConfigInput Input configuration for a custom OAuth2 provider. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[ClientAuthenticationMethod](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientauthenticationmethod)" : {{String}}, "[ClientId](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientid)" : {{String}}, "[ClientSecret](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientsecret)" : {{String}}, "[ClientSecretConfig](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientsecretconfig)" : {{SecretReference}}, "[ClientSecretSource](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientsecretsource)" : {{String}}, "[OauthDiscovery](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-oauthdiscovery)" : {{Oauth2Discovery}}, "[OnBehalfOfTokenExchangeConfig](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-onbehalfoftokenexchangeconfig)" : {{OnBehalfOfTokenExchangeConfig}} } ``` ### YAML ``` [ClientAuthenticationMethod](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientauthenticationmethod): {{String}} [ClientId](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientid): {{String}} [ClientSecret](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientsecret): {{String}} [ClientSecretConfig](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientsecretconfig): {{ SecretReference}} [ClientSecretSource](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-clientsecretsource): {{String}} [OauthDiscovery](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-oauthdiscovery): {{ Oauth2Discovery}} [OnBehalfOfTokenExchangeConfig](#cfn-bedrockagentcore-oauth2credentialprovider-customoauth2providerconfiginput-onbehalfoftokenexchangeconfig): {{ OnBehalfOfTokenExchangeConfig}} ``` ## Properties `ClientAuthenticationMethod` The client authentication method to use when authenticating with the token endpoint. *Required*: No *Type*: String *Allowed values*: `CLIENT_SECRET_BASIC | CLIENT_SECRET_POST | AWS_IAM_ID_TOKEN_JWT` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientId` The client ID for the custom OAuth2 provider. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `256` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientSecret` The client secret for the custom OAuth2 provider. *Required*: No *Type*: String *Minimum*: `1` *Maximum*: `2048` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientSecretConfig` A reference to the AWS Secrets Manager secret that stores the client secret. This includes the secret ID and the JSON key used to extract the client secret value from the secret. Required when `clientSecretSource` is set to `EXTERNAL`. *Required*: No *Type*: [SecretReference](aws-properties-bedrockagentcore-oauth2credentialprovider-secretreference.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `ClientSecretSource` The source type of the client secret. Use `MANAGED` if the secret is managed by the service, or `EXTERNAL` if you manage the secret yourself in AWS Secrets Manager. *Required*: No *Type*: String *Allowed values*: `MANAGED | EXTERNAL` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OauthDiscovery` The OAuth2 discovery information for the custom provider. *Required*: Yes *Type*: [Oauth2Discovery](aws-properties-bedrockagentcore-oauth2credentialprovider-oauth2discovery.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `OnBehalfOfTokenExchangeConfig` The configuration for on-behalf-of token exchange. This enables authentication flows that use RFC 8693 token exchange or RFC 7523 JWT authorization grants. *Required*: No *Type*: [OnBehalfOfTokenExchangeConfig](aws-properties-bedrockagentcore-oauth2credentialprovider-onbehalfoftokenexchangeconfig.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)