feat(auth): add Okta-authenticated MCP server on AgentCore Runtime #1564
arslan70 wants to merge 4 commits into
Add a sample demonstrating how to deploy a FastMCP server on AgentCore Runtime with Okta JWT validation via customJWTAuthorizer. The MCP server wraps a Bedrock Knowledge Base and exposes a query_knowledge_base tool. Includes deploy/invoke/cleanup orchestration, PKCE OAuth flow for testing, Okta admin setup guide, and MCP client configuration instructions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Latest scan for commit: Security Scan Results
Detailed Findings (3 actionable findings):
- Finding 1: B104
- Finding 2: B310
- Finding 3: CKV_DOCKER_2
Report generated by Automated Security Helper (ASH) at 2026-06-03T15:07:01+00:00
Remove unused locals (model_arn, audience) and strip f-string prefixes from log statements with no placeholders. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- Drop `stateless_http=True` and `json_response=True` from FastMCP so a single AgentCore Runtime container handles multiple tool calls per session instead of cold-starting per call.
- Update the test client to capture the `Mcp-Session-Id` header on `initialize`, send `notifications/initialized`, thread the session id through `tools/list` and `tools/call`, and parse SSE-framed responses.
- README: note the stateful session contract for MCP clients.
- Suppress ASH scan findings with the same rationale used by sibling samples (bandit B104/B310 + checkov CKV_DOCKER_2).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Amazon Bedrock AgentCore Samples Pull Request
Issue number: #1563
Concise description of the PR
Adds a new sample under `05-authenticate-and-authorize/05-okta-mcp-runtime/` demonstrating how to deploy a FastMCP server on AgentCore Runtime with Okta JWT validation via `customJWTAuthorizer`. The MCP server wraps a Bedrock Knowledge Base and exposes a read-only `query_knowledge_base` tool.
User experience
Users can configure Okta env vars and a Bedrock Knowledge Base ID, then run a
single script to deploy, test (PKCE OAuth flow + MCP JSON-RPC calls), and clean
up. The README includes MCP client config snippets for Claude Code and Cursor.
Checklist
Acknowledgment
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.
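The stateful session contract described in the third commit message above (capture `Mcp-Session-Id` on `initialize`, send `notifications/initialized`, thread the id through later calls, parse SSE-framed responses), as an added example that is not code from this PR. `McpSession`, `parse_sse_jsonrpc` and `fake_send` are hypothetical names, and the token, session id and protocol version string are constructed; `fake_send` stands in for the HTTP transport and performs no JWT validation, which the PR leaves to `customJWTAuthorizer`.

```python
import json

def parse_sse_jsonrpc(body):
    """Extract JSON-RPC messages from an SSE-framed HTTP response body."""
    messages, data = [], []
    for line in body.splitlines() + [""]:      # trailing "" flushes the last event
        if line.startswith("data:"):
            data.append(line[5:].removeprefix(" "))
        elif line == "" and data:              # a blank line ends one event
            messages.append(json.loads("\n".join(data)))
            data = []
    return messages                            # event:/id:/comment lines are skipped

class McpSession:
    """Threads the bearer token and Mcp-Session-Id through every call."""
    def __init__(self, access_token, send):
        self.token, self.send = access_token, send   # send: hypothetical transport
        self.session_id, self._id = None, 0
    def _post(self, payload):
        headers = {"Authorization": f"Bearer {self.token}",
                   "Content-Type": "application/json",
                   "Accept": "application/json, text/event-stream"}
        if self.session_id:
            headers["Mcp-Session-Id"] = self.session_id
        return self.send(headers, payload)
    def call(self, method, params=None):
        self._id += 1
        resp_headers, body = self._post(
            {"jsonrpc": "2.0", "id": self._id, "method": method, "params": params or {}})
        if method == "initialize":
            found = {k.lower(): v for k, v in resp_headers.items()}
            self.session_id = found["mcp-session-id"]   # KeyError if the server sent none
            self._post({"jsonrpc": "2.0", "method": "notifications/initialized"})
        replies = [m for m in parse_sse_jsonrpc(body) if m.get("id") == self._id]
        if not replies or "error" in replies[0]:
            raise RuntimeError(f"{method} failed: {replies}")
        return replies[0]["result"]

def fake_send(headers, payload):
    """Constructed stand-in for the server: refuses calls that lack the session id."""
    rid, out = payload.get("id"), {}
    msg = {"result": {"tools": [{"name": "query_knowledge_base"}]}}
    if payload["method"] == "initialize":
        msg, out = {"result": {"protocolVersion": "2025-03-26"}}, {"Mcp-Session-Id": "constructed-sid"}
    elif headers.get("Mcp-Session-Id") != "constructed-sid":
        msg = {"error": {"code": -32000, "message": "missing or unknown session"}}
    elif rid is None:
        return {}, ""                          # notifications get no JSON-RPC reply
    return out, "event: message\ndata: " + json.dumps({"jsonrpc": "2.0", "id": rid, **msg}) + "\n\n"
```

A client that skips `initialize` and goes straight to `tools/list` is rejected by the stand-in server, which is the failure a stateless test client would hit after this change.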