feat(bedrock-agentcore-alpha): add support for custom claims and scopes to runtime/gateway authorizers

[krokoko]

Issue # (if applicable)

Add support for allowed audience to runtime and gateway JWT authorizers

see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/inbound-jwt-authorizer.html, as well as https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-runtime-customjwtauthorizerconfiguration.html and https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-bedrockagentcore-gateway-customjwtauthorizerconfiguration.html

Reason for this change

Coverage of missing features

Description of changes

Add missing properties to existing code

Describe any new or updated permissions being added

No changes in perms

Description of how you validated changes

Added unit tests
Updated an integ test

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	24 ran	24 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	24 ran	24 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

[alvazjor]

@krokoko added some suggestions

[alvazjor]

Since value is an open string(s), lets do an initial validation to check if it is a token

[krokoko]

done in 003c6e3

[alvazjor]

To avoid this duplication of enums, I think is ok to have a single type called CustomClaimValueType and CustomClaimOperator and reuse both on the gatways and runtime. Just dont include that shared file in the index.ts so it wont be exposed as part of the public api

[krokoko]

That is fine for ClaimValueType, but the operator needs to be exposed since users can provide it, for instance:

agentcore.GatewayCustomClaim.withStringArrayValue('roles', ['admin'], agentcore.GatewayCustomClaimOperator.CONTAINS)

Should I re-export it from runtime and gateway ? Something like:

export { CustomClaimOperator as RuntimeCustomClaimOperator } from '../../common/types';

and under common/types:

/**
 * Custom claim match operator.
 * Shared by Runtime and Gateway custom claim implementations.
 * @internal
 */
export enum CustomClaimOperator {
  /** Equals operator - used for STRING type claims */
  EQUALS = 'EQUALS',
  /** Contains operator - used for STRING_ARRAY type claims. Checks if the claim array contains a specific string value. */
  CONTAINS = 'CONTAINS',
  /** ContainsAny operator - used for STRING_ARRAY type claims. Checks if the claim array contains any of the provided string values. */
  CONTAINS_ANY = 'CONTAINS_ANY',
}

[alvazjor]

What I dont like is the duplication part, so would it be a problem if we just keep a generic one? are we expecting them to differ at some point or do we have some knowledge at this time of some condition that justifies having an exact copy just with diff enum names?

[krokoko]

No, we can keep a generic one ! I will just need to export it publicly. So if I export the common/types file above, does that work ?

[alvazjor]

btw, I think tthe re-export part will also be ok and will work, I just want to avoid potential JSII problems by doing that, but it seems safe, based on the initial research I did

[alvazjor]

No, we can keep a generic one ! I will just need to export it publicly. So if I export the common/types file above, does that work ?

Yep, that works

[krokoko]

ok thanks ! I'll do the changes, that will also remove the re-export

[krokoko]

done in 003c6e3

Pull request has been modified.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

✅ The pull request has been merged at 46a55bf

This pull request spent 29 minutes 14 seconds in the queue, including 29 minutes 6 seconds running CI.
The checks were run in-place.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(bedrock-agentcore-alpha): add support for custom claims and scopes to runtime/gateway authorizers #36810
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(bedrock-agentcore-alpha): add support for custom claims and scopes to runtime/gateway authorizers #36810
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.