Skip to content

feat(auth): add Okta-authenticated MCP server on AgentCore Runtime#1564

Open
arslan70 wants to merge 4 commits into
awslabs:mainfrom
arslan70:feat/okta-mcp-runtime-sample
Open

feat(auth): add Okta-authenticated MCP server on AgentCore Runtime#1564
arslan70 wants to merge 4 commits into
awslabs:mainfrom
arslan70:feat/okta-mcp-runtime-sample

Conversation

@arslan70

@arslan70 arslan70 commented May 23, 2026

Copy link
Copy Markdown

Amazon Bedrock AgentCore Samples Pull Request

Issue number: #1563

Concise description of the PR

Adds a new sample under 05-authenticate-and-authorize/05-okta-mcp-runtime/
demonstrating how to deploy a FastMCP server on AgentCore Runtime with Okta JWT
validation via customJWTAuthorizer. The MCP server wraps a Bedrock Knowledge
Base and exposes a read-only query_knowledge_base tool.

User experience

Users can configure Okta env vars and a Bedrock Knowledge Base ID, then run a
single script to deploy, test (PKCE OAuth flow + MCP JSON-RPC calls), and clean
up. The README includes MCP client config snippets for Claude Code and Cursor.

Checklist

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset? (No)
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future.
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Acknowledgment

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.

arslan70 and others added 2 commits May 23, 2026 13:31
Add a sample demonstrating how to deploy a FastMCP server on AgentCore
Runtime with Okta JWT validation via customJWTAuthorizer. The MCP server
wraps a Bedrock Knowledge Base and exposes a query_knowledge_base tool.

Includes deploy/invoke/cleanup orchestration, PKCE OAuth flow for testing,
Okta admin setup guide, and MCP client configuration instructions.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown

Latest scan for commit: f53f2b1 | Updated: 2026-06-03 15:07:22 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-06-03T15:07:07+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold
Scanner S C H M L I Time Action Result Thresh
bandit 0 2 0 0 5 0 807ms 2 FAILED MED (g)
cdk-nag 0 0 0 0 0 0 29.0s 0 PASSED MED (g)
cfn-nag 0 0 0 0 0 0 8ms 0 PASSED MED (g)
checkov 0 1 0 0 0 0 4.6s 1 FAILED MED (g)
detect-secrets 0 0 0 0 0 0 772ms 0 PASSED MED (g)
grype 0 0 0 0 0 0 47.5s 0 PASSED MED (g)
npm-audit 0 0 0 0 0 0 177ms 0 PASSED MED (g)
opengrep 0 0 0 0 0 0 <1ms 0 SKIPPED MED (g)
semgrep 0 0 0 0 0 0 <1ms 0 MISSING MED (g)
syft 0 0 0 0 0 0 2.0s 0 PASSED MED (g)

Detailed Findings

Show 3 actionable findings

Finding 1: B104

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B104
  • Location: 01-features/05-authenticate-and-authorize/05-okta-mcp-runtime/mcp_server.py:23-25

Description:
Possible binding to all interfaces.

Code Snippet:

"Knowledge Base MCP",
    host="0.0.0.0",
    stateless_http=True,

Finding 2: B310

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B310
  • Location: 01-features/05-authenticate-and-authorize/05-okta-mcp-runtime/okta_mcp_runtime.py:480-482

Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.

Code Snippet:

try:
        resp = urllib.request.urlopen(req).read().decode()
    except urllib.error.HTTPError as e:

Finding 3: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: 01-features/05-authenticate-and-authorize/05-okta-mcp-runtime/Dockerfile:1-16

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim-trixie
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

WORKDIR /app
ENV UV_SYSTEM_PYTHON=1 UV_COMPILE_BYTECODE=1 UV_NO_PROGRESS=1 PYTHONUNBUFFERED=1

COPY requirements.txt requirements.txt
RUN uv pip install -r requirements.txt
RUN uv pip install aws-opentelemetry-distro==0.12.2

RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 9000 8000 8080
COPY mcp_server.py .
CMD ["opentelemetry-instrument", "python", "-m", "mcp_server"]

Report generated by Automated Security Helper (ASH) at 2026-06-03T15:07:01+00:00

arslan70 and others added 2 commits June 5, 2026 10:54
Remove unused locals (model_arn, audience) and strip f-string prefixes
from log statements with no placeholders.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Drop `stateless_http=True` and `json_response=True` from FastMCP so a single
  AgentCore Runtime container handles multiple tool calls per session instead
  of cold-starting per call.
- Update the test client to capture the `Mcp-Session-Id` header on
  `initialize`, send `notifications/initialized`, thread the session id
  through `tools/list` and `tools/call`, and parse SSE-framed responses.
- README: note the stateful session contract for MCP clients.
- Suppress ASH scan findings with the same rationale used by sibling samples
  (bandit B104/B310 + checkov CKV_DOCKER_2).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant