feat(gateway): add custom claims validation and TUI wizard for JWT auth #599
Merged
Contributor
Code review
Found 2 issues:
agentcore-cli/src/cli/primitives/GatewayPrimitive.ts Lines 427 to 431 in af1ddac
agentcore-cli/src/cli/tui/screens/policy/AddPolicyScreen.tsx Lines 189 to 191 in af1ddac
tejaskash
previously approved these changes
Mar 23, 2026
tejaskash
left a comment
Contributor
Review comments addressed: CLIENT_ID env var restored, inline import moved to top-level.
Add custom JWT claims validation support and a full TUI wizard flow for configuring Custom JWT gateway authorization.
Schema:
- Add ClaimMatchOperator, ClaimMatchValue, InboundTokenClaimValueType, and CustomClaimValidation schemas with strict validation
- Add customClaims to CustomJwtAuthorizerConfigSchema and deployed-state
- Add --custom-claims CLI flag with JSON parsing and validation
TUI Wizard:
- Expand JWT config flow with custom claims manager (add/edit/done)
- Add claim name, operator, value, and value type sub-steps
- Show human-readable claim summary in confirm review
- Make client credentials optional (skip with empty Enter)
Testing:
- Add AddGatewayJwtConfig.test.tsx — full TUI component tests
- Add finishJwtConfig.test.ts — unit tests for config assembly
- Extend useAddGatewayWizard.test.tsx with JWT + custom claims flows
- Add GatewayPrimitive.test.ts for custom claims round-trip
- Extend validate.test.ts with custom claims validation cases
- Add TUI integration test (add-gateway-jwt.test.ts)
Constraint: Stacked on fix/inbound-auth-hardening (aws#598)
Confidence: high
Scope-risk: moderate
Enter now advances to the next field instead of immediately submitting, and up/down arrow keys navigate between fields for a more intuitive form experience.
When a text field is empty, the cursor now appears before the placeholder hint instead of after it, matching expected input behavior.
The test expected Enter to immediately submit and show a validation error, but Enter now advances to the next field. Updated the test to press Enter through all fields before expecting the submission validation error.
Restore writing both CLIENT_ID and CLIENT_SECRET to .env in createManagedOAuthCredential, matching main branch behavior. Move dynamic import of policyEnginePrimitive to a static top-level import per AGENTS.md conventions.
Run prettier on 3 files and add missing existingPolicyEngines prop to AddGatewayJwtConfig test defaults.
tejaskash
approved these changes
Mar 24, 2026
Description
Adds custom JWT claims validation and a full TUI wizard flow for configuring Custom JWT gateway authorization.
TUI Wizard Screenshots
1. Authorizer Type Selection

2. JWT Constraint Picker

3. Constraints Selected (Allowed Clients + Custom Claims)

4. Custom Claims Form

Custom Claims Schema
- ClaimMatchOperatorSchema — operators: Equals, StartsWith, Contains, NotEquals
- ClaimMatchValueSchema — string value with 1-256 char limit
- InboundTokenClaimValueTypeSchema — String, Number, Boolean, Array
- CustomClaimValidationSchema — strict object with claimName, operator, matchValue, valueType
- CustomJwtAuthorizerConfigSchema as optional customClaims array
- deployed-state.ts for deployment state tracking
CLI Support
- --custom-claims flag accepting JSON array (e.g., --custom-claims '[{"claimName":"dept","operator":"Equals","matchValue":"engineering","valueType":"String"}]')
- GatewayPrimitive passes custom claims through to authorizer configuration
TUI Wizard
Testing (comprehensive)
- AddGatewayJwtConfig.test.tsx — TUI component tests covering the full JWT wizard flow
- finishJwtConfig.test.ts — unit tests for config assembly helper
- useAddGatewayWizard.test.tsx — extended with JWT + custom claims wizard flows
- GatewayPrimitive.test.ts — custom claims round-trip through primitive
- validate.test.ts — custom claims CLI validation cases
- mcp.test.ts — schema-level custom claims tests
- add-gateway-jwt.test.ts — TUI integration test via harness
Related Issue
Extracted from #596 (replaces it together with #597 and #598)
Documentation PR
N/A
Type of Change
Testing
How have you tested the change?
- npm run test:unit and npm run test:integ
- npm run typecheck
- npm run lint
- src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots
Checklist
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.
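
The schema rules listed in the description above (four operators, a 1-256 character match value, four value types, strict objects) written out as a dependency-free TypeScript check of a --custom-claims value. This is an added example, not code from this PR or the project; the helper name parseCustomClaims and the non-empty claimName rule are assumptions.

```typescript
// Added example, not the project's code: strict check of a --custom-claims JSON array.
const OPERATORS = ["Equals", "StartsWith", "Contains", "NotEquals"];
const VALUE_TYPES = ["String", "Number", "Boolean", "Array"];
const KEYS = ["claimName", "operator", "matchValue", "valueType"];

type CustomClaim = { claimName: string; operator: string; matchValue: string; valueType: string };

// Hypothetical helper: reports every problem found; claims is empty unless all entries pass.
function parseCustomClaims(raw: string): { claims: CustomClaim[]; errors: string[] } {
  let data: unknown;
  try {
    data = JSON.parse(raw);
  } catch {
    return { claims: [], errors: ["not valid JSON"] };
  }
  if (!Array.isArray(data)) return { claims: [], errors: ["expected a JSON array"] };

  const errors: string[] = [];
  const claims: CustomClaim[] = [];
  data.forEach((item: unknown, i: number) => {
    if (typeof item !== "object" || item === null || Array.isArray(item)) {
      errors.push(`[${i}]: expected an object`);
      return;
    }
    const rec = item as Record<string, unknown>;
    const before = errors.length;
    // Strict object: an unknown key is rejected, never silently dropped.
    for (const k of Object.keys(rec)) {
      if (KEYS.indexOf(k) === -1) errors.push(`[${i}]: unknown key "${k}"`);
    }
    const { claimName, operator, matchValue, valueType } = rec;
    // Assumption: claimName must be a non-empty string (the page gives no limit for it).
    if (typeof claimName !== "string" || claimName.length === 0)
      errors.push(`[${i}].claimName: non-empty string required`);
    if (typeof operator !== "string" || OPERATORS.indexOf(operator) === -1)
      errors.push(`[${i}].operator: must be one of ${OPERATORS.join(", ")}`);
    if (typeof matchValue !== "string" || matchValue.length < 1 || matchValue.length > 256)
      errors.push(`[${i}].matchValue: string of 1-256 characters required`);
    if (typeof valueType !== "string" || VALUE_TYPES.indexOf(valueType) === -1)
      errors.push(`[${i}].valueType: must be one of ${VALUE_TYPES.join(", ")}`);
    if (errors.length === before) claims.push(rec as unknown as CustomClaim);
  });
  // Fail closed: one bad entry invalidates the whole flag value.
  return errors.length > 0 ? { claims: [], errors } : { claims, errors };
}
```

Returning no claims when any entry fails keeps a partly valid flag value from producing an authorizer with fewer constraints than the operator typed.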