Add Okta three-tier auth end-to-end demo with BedrockAgentCore Agent+AgentCore Gateway Interceptor+ Agent Runtime MCP Server#1158
Open
himallik wants to merge 1 commit into awslabs:main from
Concise description of the PR
Adds a new end-to-end use case demonstrating three-tier Okta OAuth2 authentication
with Amazon Bedrock AgentCore (User → Agent Runtime → Gateway → MCP Server).
Each tier independently validates inbound JWTs and fetches its own scoped Okta token,
ensuring complete token isolation. Includes end-to-end custom security header propagation
(user ID, department, role) via Interceptor Lambda _meta injection.
User experience
Before: No sample exists showing how to integrate Okta as an external identity provider across all three AgentCore tiers (Runtime, Gateway, Runtime) with per-tier token isolation and end-to-end security header propagation.
After: Users get a self-contained Jupyter notebook that deploys the full three-tier architecture with:
MCP Server (Tier 3) with ASGI security header middleware and 3 real estate demo tools
AgentCore Gateway (Tier 2) with Okta OAuth2 Credential Provider and Interceptor Lambda for token exchange + security header injection
Agent Runtime (Tier 1) that proxies tool calls through the Gateway with security header forwarding
Test cells verifying token isolation (each tier rejects wrong-scoped tokens) and security header propagation
Complete cleanup cell that tears down all AWS resources
Okta setup reference with screenshots for all configuration steps
Files added (under 02-use-cases/okta-auth-three-tier-end-to-end-demo/):
okta-auth-three-tier-end-to-end-demo.ipynb — Main deployment notebook
mcp_server.py — MCP Server with security header middleware
requirements.txt — MCP Server container dependencies
agent_server.py — Agent Runtime (Tier 1)
requirements.txt — Agent Runtime dependencies
README.md — Architecture, setup guide, key learnings
.env.example — Environment variable template
.gitignore — Excludes auto-generated files
images/ — Architecture diagram and 7 Okta setup screenshots
Checklist
Yes - I have reviewed the contributing guidelines
Yes - Add your name to CONTRIBUTORS.md
Yes - Have you checked to ensure there aren't other open Pull Requests for the same update/change?
No - Are you uploading a dataset?
Yes - Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and
Yes in notebook - Clean Up steps in your example README?
Yes - I agree to resolve any issues created for this example in the future.
Yes - I have performed a self-review of this change
Yes - Changes have been tested
Yes - Changes are documented
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.
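The per-tier token isolation and `_meta` security header propagation described in this PR, as an added example that is not the PR's own code: each tier verifies the inbound token's signature, issuer and expiry and then its own audience and scope, so a token minted for the Gateway tier is rejected by the MCP Server tier. The tier audiences, scopes, issuer URL and HS256 signing are constructed placeholders for an offline demo; Okta issues RS256 tokens that are verified against its JWKS.

```python
import base64, hashlib, hmac, json

TIERS = {  # constructed per-tier expectations (placeholders, not the PR's real Okta values)
    "agent_runtime": {"aud": "api://agent-runtime", "scope": "agent:invoke"},
    "gateway": {"aud": "api://gateway", "scope": "gateway:invoke"},
    "mcp_server": {"aud": "api://mcp-server", "scope": "mcp:tools"},
}
ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, key: bytes) -> str:
    """HS256 token for this offline demo; real Okta tokens are RS256, verified via JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def validate_for_tier(token: str, tier: str, key: bytes, now: int) -> dict:
    """Check signature, issuer, expiry, then THIS tier's audience and scope; raise on failure."""
    header, body, sig = token.split(".")  # ValueError if not three segments
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    want = TIERS[tier]
    if claims.get("aud") != want["aud"]:  # a token minted for another tier fails here
        raise ValueError("wrong audience")
    if want["scope"] not in claims.get("scp", []):
        raise ValueError("missing scope")
    return claims

def rejection_reason(token: str, tier: str, key: bytes, now: int):
    """None when the tier accepts the token, otherwise the name of the failing check."""
    try:
        validate_for_tier(token, tier, key, now)
    except ValueError as e:
        return str(e)
    return None

def build_meta(claims: dict) -> dict:  # user ID, department, role for the MCP request's _meta
    return {"user_id": claims["sub"], "department": claims["department"], "role": claims["role"]}
```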