How about this:
1. Configure JWT Inbound Authentication
To accept a user-provided access token, you need to configure your AgentCore runtime to support JWT bearer tokens. Define an authorizer configuration during agent creation:
- Discovery URL: must match the OpenID Connect discovery pattern (e.g., https://auth.example.com/.well-known/openid-configuration)
- Allowed audiences: matches the aud claim in the token
- Allowed clients: matches the client_id claim

2. Include User Token in Request Header
When calling the /mcp endpoint, include the token in the request header:
Authorization: Bearer <user-access-token>
X-Amzn-Bedrock-AgentCore-Runtime-User-Id: <user-id>
This allows the agent to associate the request with the correct user context.

3. Enable OAuth Outbound Access
To use the token for outbound OAuth calls (e.g., accessing third-party APIs):
- Configure your agent to use the token as part of its outbound request logic.
- You can use AgentCore's EZ Auth or custom logic to forward the token to external services.
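As an added illustration of the three steps above (not code from the original answer or from AWS), the following Python builds the authorizer configuration, the /mcp request headers, and runs an offline pre-flight check of a token's aud and client_id claims against the configured allow-lists. The function names and the sample IdP URL, audience and client ID are made up; the customJWTAuthorizer key names are assumed to follow the AgentCore control API's authorizerConfiguration shape, so check them against the API reference for your SDK version. The local check does not verify the signature, issuer or expiry; the runtime does that using the JWKS behind the discovery URL.

```python
"""Dry-run of the JWT inbound setup: config, headers, and an offline claim check.
Added illustration, not code from the original post or from AWS."""
import base64
import json
from typing import Any

# Assumption: the OIDC discovery document always lives at this well-known path.
OIDC_DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def build_authorizer_config(discovery_url: str, allowed_audience: list[str],
                            allowed_clients: list[str]) -> dict[str, Any]:
    """Return the authorizerConfiguration payload for agent creation.
    Key names assumed to match the control API's customJWTAuthorizer shape."""
    if not (discovery_url.startswith("https://")
            and discovery_url.endswith(OIDC_DISCOVERY_SUFFIX)):
        raise ValueError(f"discoveryUrl must be https and end with "
                         f"{OIDC_DISCOVERY_SUFFIX}: {discovery_url}")
    if not allowed_audience or not allowed_clients:
        raise ValueError("allowedAudience and allowedClients must be non-empty")
    return {"customJWTAuthorizer": {
        "discoveryUrl": discovery_url,
        "allowedAudience": list(allowed_audience),
        "allowedClients": list(allowed_clients),
    }}


def invoke_headers(user_access_token: str, user_id: str) -> dict[str, str]:
    """Headers for the /mcp call, as listed in step 2."""
    return {
        "Authorization": f"Bearer {user_access_token}",
        "X-Amzn-Bedrock-AgentCore-Runtime-User-Id": user_id,
        "Content-Type": "application/json",
    }


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict[str, Any]:
    """Decode the JWT payload WITHOUT verifying the signature (pre-flight only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_matches_config(token: str, config: dict[str, Any]) -> tuple[bool, str]:
    """Mirror the two matching rules of step 1: aud vs allowedAudience and
    client_id vs allowedClients. Signature/issuer/expiry are NOT checked here."""
    claims = decode_claims(token)
    cfg = config["customJWTAuthorizer"]
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else list(aud)  # aud may be str or list
    if not set(aud_list) & set(cfg["allowedAudience"]):
        return False, f"aud {aud_list} not in allowedAudience {cfg['allowedAudience']}"
    client_id = claims.get("client_id")
    if client_id not in cfg["allowedClients"]:
        return False, f"client_id {client_id!r} not in allowedClients {cfg['allowedClients']}"
    return True, "ok"


def make_unsigned_test_token(claims: dict[str, Any]) -> str:
    """Constructed sample token (alg=none, empty signature) so this file runs
    without an IdP. Never accept such a token anywhere real."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Placeholder IdP, audience and client ID; substitute your own values.
    config = build_authorizer_config(
        "https://auth.example.com/.well-known/openid-configuration",
        allowed_audience=["agentcore-mcp"],
        allowed_clients=["my-frontend-client"],
    )
    good = make_unsigned_test_token({"sub": "user-123", "aud": "agentcore-mcp",
                                     "client_id": "my-frontend-client"})
    bad = make_unsigned_test_token({"sub": "user-123", "aud": "agentcore-mcp",
                                    "client_id": "some-other-client"})
    print(token_matches_config(good, config))  # (True, 'ok')
    print(token_matches_config(bad, config))
    print(invoke_headers(good, "user-123"))
```

The same check is useful in reverse when a call to /mcp is rejected: decode the token you are actually sending and compare its aud and client_id to the deployed configuration before suspecting the IdP or the signature. The alg=none token exists only so the file runs offline; real tokens must be obtained from the IdP named by the discovery URL.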
I solved this by creating an interceptor. https://docs.aws.amazon.com/bedrock-agentcore-control/latest/APIReference/API_UpdateGateway.html#bedrockagentcorecontrol-UpdateGateway-request-authorizerConfiguration
Call this with AwsSdkCall in the CDK to add the interceptor Lambda to the gateway. Then forward the token details from the interceptor to the tool. Works like a charm.
Can I get more info on how you wrote the interceptor? I tried the following Lambda function, but the token didn't propagate to the target.

    def lambda_handler(event, context):
        # Interceptor input: the incoming gateway request lives under event["mcp"]["gatewayRequest"].
        mcp_data = event.get("mcp", {})
        gateway_request = mcp_data.get("gatewayRequest", {})
        headers = gateway_request.get("headers", {})
        # Header names may arrive in either case; take whichever is present.
        credentials = headers.get("authorization", "") or headers.get("Authorization", "")
        # Return the transformed request, carrying the inbound bearer token to the target.
        return {
            "interceptorOutputVersion": "1.0",
            "mcp": {
                "transformedGatewayRequest": {
                    "headers": {
                        "Authorization": credentials,
                    },
                    "body": gateway_request.get("body"),
                }
            },
        }

Not sure if I got this part. Can I simply reuse the token from the inbound authentication? I understand that I can either configure a token or an access key... however, I can't get a new token from an IdP as I don't want to use a machine user or a key.
Running into the same issue here and have the same question. I'm able to authenticate via user token for inbound auth, but how are we supposed to pass the user token through? The only options currently available seem to be API Key & OAuth client.