# Outbound Auth

Outbound Auth allows agents and the AgentCore Gateway to securely access AWS resources and third-party services on behalf of users who have been authenticated and authorized during Inbound Auth. To integrate authorization with an AWS resource or third-party service, it's necessary to configure both Inbound Auth and Outbound Auth.

With just-enough access and secure permission delegation supported by AgentCore Identity, agents can seamlessly and securely access AWS resources and third-party tools such as GitHub, Google, Salesforce, and Slack. Agents can perform actions on these services either on behalf of users or independently, provided there is pre-authorized user consent. Additionally, you can reduce consent fatigue using a secure token vault and create streamlined AI agent experiences.

## Outbound Authentication Configuration

First, you register your client application with third-party providers and then create an Outbound Auth. You specify how you want to validate access to the AWS resource or third-party service or AgentCore Gateway targets. You can use OAuth 2LO/3LO or API keys. With OAuth, you can select from providers that AgentCore Identity provides. In which case you enter the configuration details for the providers from AgentCore Identity. Alternatively, you can supply details for a custom provider. 

When a user wants access to an AWS resource or third-party service or AgentCore Gateway target, the Outbound Auth confirms that the access tokens provided by Incoming Auth are valid and if so, allows access to the resource.

<div style="text-align:center">
    <img src="images/outbound_auth.png" width="90%"/>
</div>

## Resource credential providers

This is a component that agent  uses to retrieve credentials of downstream resource servers (e.g., Google, GitHub) to access them, e.g., fetch private repos from Github.  It removes the heavy-lifting of agent developers implementing 2LO and 3LO OAuth2 orchestration flows across end-users, agent code, and external authorization servers. AgentCore provides both a custom OAuth2 credential provider and a list of built-in providers such Google, GitHub, Slack, Salesforce with authorization server endpoint and provider-specific parameters pre-filled.
  

Bedrock AgentCore Identity provides OAuth2 and API Key Credential Providers for agent developers to authenticate with external resources that support OAuth2 or API key. In the following example, we will walk you through configuring an API Key credential provider.  An agent can then use the API Key credential provider to retrieve the API key for any agent operations. Please refer to the documentation for the other credential providers.

 

Here are the various parameters you can use with the @require_access_token decorator.


| Parameter Name      | Description                                                              |
|:--------------------|:-------------------------------------------------------------------------|
| provider_name       | The credential provider name                                             |
| into                | Parameter name to inject the token into                                  |
| scopes              | OAuth2 scopes to request                                                 |
| on_auth_url	      | Callback for handling authorization URLs                                 |
| auth_flow           | Authentication flow type ("M2M" or "USER_FEDERATION")                    |
| callback_url        | OAuth2 callback URL                                                      |
| force_authentication| Force re-authentication                                                  |
| token_poller        | Custom token poller implementation                                       |

		


# Hosting Strands Agents in Amazon Bedrock AgentCore Runtime 

## Overview


In this tutorial we will develop a agent using Strands agents that can list the private repositories from the users gitHub repo's. We will configure a credential provider to help with credential management with Github. We can use the named provider for Github and modify our agent code to call the credential provider and use the access_token to get the list of private repositories from Github

### Tutorial Architecture

<div style="text-align:center">
    <img src="images/outbound_auth_3lo.png" width="90%"/>
</div>


### Tutorial Details

| Information         | Details                                                                  |
|:--------------------|:-------------------------------------------------------------------------|
| Tutorial type       | Conversational                                                           |
| Agent type          | Single                                                                   |
| Agentic Framework   | Strands Agents                                                           |
| LLM model           | Anthropic Claude Haiku 4.5                                              |
| Tutorial components | Hosting agent on AgentCore Runtime. Using Strands Agent and Claude Model |
| Tutorial vertical   | Cross-vertical                                                           |
| Example complexity  | Medium                                                                   |
| SDK used            | Amazon BedrockAgentCore Python SDK and boto3                             |
| Credential Provider | Type : OAuth2 - Github Provider                                          |


### Tutorial Key Features

* Hosting Agents on Amazon Bedrock AgentCore Runtime
* Using Claude models
* Using Strands Agents
* Using AgentCore egress Auth with OAuth2 Github credential provider.


## Prerequisites

To execute this tutorial you will need:
* Python 3.10+
* AWS credentials
* Amazon Bedrock AgentCore SDK
* Strands Agents
* Docker running

In [1]:
!pip install --force-reinstall -U -r requirements.txt --quiet

[31mERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
autogluon-multimodal 1.4.0 requires nvidia-ml-py3<8.0,>=7.352.0, which is not installed.
dash 2.18.1 requires dash-core-components==2.0.0, which is not installed.
dash 2.18.1 requires dash-html-components==2.0.0, which is not installed.
dash 2.18.1 requires dash-table==5.0.0, which is not installed.
jupyter-ai 2.31.6 requires faiss-cpu!=1.8.0.post0,<2.0.0,>=1.8.0, which is not installed.
sagemaker-studio 1.1.1 requires pydynamodb>=0.7.4, which is not installed.
aiobotocore 2.22.0 requires botocore<1.37.4,>=1.37.2, but you have botocore 1.42.9 which is incompatible.
amazon-sagemaker-jupyter-ai-q-developer 1.2.8 requires numpy<=2.0.1, but you have numpy 2.3.5 which is incompatible.
amazon-sagemaker-sql-magic 0.1.4 requires numpy<2, but you have numpy 2.3.5 which is incompatible.
autogluon-common 1.4.0 requires 

##  Configure Inbound Auth with Cognito as the IDP

Lets provision a Cognito Userpool with an App client and one test user. We'll use Amazon Cognito to provide JWT tokens for accessing our deployed MCP server. To do so, we will use the `setup_cognito_user_pool` support function from our `utils` script.

Note: The Cognito access_token is valid for 2 hours only. If the access_token expires you can vend another access_token by using the `reauthenticate_user` method.

In [2]:
import sys
import os
from boto3.session import Session


# Get the current notebook's directory
current_dir = os.path.dirname(os.path.abspath('__file__' if '__file__' in globals() else '.'))

utils_dir = os.path.join(current_dir, '..')
utils_dir = os.path.abspath(utils_dir)

# Add to sys.path
sys.path.insert(0, utils_dir)
print("sys.path[0]:", sys.path[0])
from utils import setup_cognito_user_pool, reauthenticate_user

boto_session = Session()
region = boto_session.region_name
print(f"Region: {region}")

sys.path[0]: /home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples
Region: us-west-2


In [5]:
print("Setting up Amazon Cognito user pool...")
cognito_config = setup_cognito_user_pool("Cognito_3LO_Github")
print("Cognito setup completed ‚úì")

Setting up Amazon Cognito user pool...
Pool id: us-west-2_poRtqJeqU
Discovery URL: https://cognito-idp.us-west-2.amazonaws.com/us-west-2_poRtqJeqU/.well-known/openid-configuration
Client ID: 7igt6d3vg2fnn0t5e9pf6o70ld
Bearer Token: eyJraWQiOiJ6N0RtcExjNWdXcEVyU2k1TUdtc3BQSndTbHh6UFo4NXdqSXFCR0NvdEowPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI3ODgxMzMyMC1lMGMxLTcwYTQtY2Q4My00MDQ5NDk1YmI4ZjUiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtd2VzdC0yLmFtYXpvbmF3cy5jb21cL3VzLXdlc3QtMl9wb1J0cUplcVUiLCJjbGllbnRfaWQiOiI3aWd0NmQzdmcyZm5uMHQ1ZTlwZjZvNzBsZCIsIm9yaWdpbl9qdGkiOiI5ZmM3Y2JhNC1kMzE4LTQ1YmYtYTcxNC1iZTAwN2I4ZjYwMWYiLCJldmVudF9pZCI6ImY0ZDgzMTM4LWEzMjYtNGNjZi05ZDJlLWY1NzYzYzNhNTE1NyIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4iLCJhdXRoX3RpbWUiOjE3NjU2Mzk4NDEsImV4cCI6MTc2NTY0MzQ0MSwiaWF0IjoxNzY1NjM5ODQxLCJqdGkiOiI5NDNlOGNiNC1mOGU3LTRmOWEtYmQyNS1lYTk3MGM3YzhiNzgiLCJ1c2VybmFtZSI6InRlc3R1c2VyIn0.ZLHszulB0aseE2xbSSBKmfeqtlzQniRNEMpmKEKQuAyKUVrjbUrqA4JIPoQYm6FHuYbqCZGojdIt

## Configure Github for OAuth2. ( On behalf of user flow )

## Steps to Create an OAuth Client in GitHub (Retrieve client_id and client_secret)

Follow these steps to create an OAuth app in GitHub and retrieve the necessary credentials for use in other applications:

1. **Sign In to GitHub**
   - Go to [github.com](https://github.com) and log in to your account.

2. **Access Developer Settings**
   - Click your profile picture in the upper-right corner.
   - Select **Settings** from the dropdown.
   - In the left sidebar, scroll down and click **Developer settings**.

3. **Go to OAuth Apps**
   - In the left sidebar under Developer settings, click **OAuth Apps**.

4. **Register a New OAuth Application**
   - Click **New OAuth App** (or **Register a new application** if you have not created one before).
   - **Fill in required details:**
     - **Application Name**: Name your app.
     - **Homepage URL**: URL for your app‚Äôs homepage.<br>
        EXAMPLE : https://github.com/awslabs/amazon-bedrock-agentcore-samples/examplehomepage
     - **Application Description** (optional): Add a description for clarity.
     - **Authorization callback URL**: URL where users will be sent after authorization (used for OAuth flow in your application). <br>
        EXAMPLE : https://bedrock-agentcore.us-east-1.amazonaws.com/identities/oauth2/callback/tobeupdated <br>
      - Note: This has to be updated once the Actual CallBack URL is received in the step "Configure the Github OAuth2 credential provider"

     - Here is a screen grab showing the Github configuration.
     <div style="text-align:left">
      <img src="images/github_details.png" width="80%"/>
      </div>
   - Leave the **Enable Device Flow** unchecked, as shown in the image above.
   - After entering the details, click **Register application**.

5. **Retrieve Credentials**
   - Once the application is registered, you will be shown the **Client ID** right on the application summary page.
   - To generate the **Client Secret**, click on the available button or link. The secret will be displayed‚Äîcopy and save it securely; you‚Äôll use it in your application.
     - Note: The client secret is only revealed once or only a few times for security.

***

### Use of Credentials

- You will use the **client_id** and **client_secret** when configuring the Github credential provider.
- Never expose the client secret publicly or share it with users‚Äîtreat it like a password.

***


## OAuth2 Authorization URL Session Binding Process

The OAuth2 authorization URL session binding process is a critical security mechanism that ensures OAuth2 authorization sessions are properly associated with authenticated users in AgentCore Identity. This process prevents session hijacking and ensures that OAuth tokens are only granted to the intended user.

Ref : https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.html

### How session binding works
<div style="text-align:center">
    <img src="images/identity-session-binding.png" width="90%"/>
</div>

1. Invoke agent ‚Äì Your agent code invokes GetResourceOauth2Token API to retrieve an authorization URL, when an originating agent user wants to access some application or resource that he/she owns.

2. Generate authorization URL ‚Äì AgentCore Identity generates an authorization URL and session URI for the user to navigate to and consent access.

3. Authorize and obtain access token ‚Äì The user navigates to the authorization URL and grants consent for your agent to access his/her resource. After that, AgentCore Identity redirects the user's browser to your HTTPS application endpoint with information containing the originating user of the authorization request. At this point, your HTTPS application endpoint determines if the originating agent user is still the same as the currently logged in user of your application. If they match, your application endpoint invokes CompleteResourceTokenAuth so that AgentCore Identity can fetch and store the access token.

4. Re-invoke agent to obtain access token ‚Äì Once the application returns a valid response, your agent application will be able to retrieve the OAuth2.0 access tokens that were originally requested for the user. If the users do not match, your application simply does nothing or logs the attempt.

By allowing your application endpoint to verify the user identity, AgentCore Identity allows your agent application to ensure that it is always the same user who initiated the authorization request and the one who consented access.

### Overview of the OAuth2 Session Binding Flow in this sample

The OAuth2 session binding process involves several key steps that coordinate between your application, AgentCore Identity, external OAuth providers (like Github, Google, etc ), and a local callback server:

#### Step 1: Create Application Callback URL
- Create a publicly accessible HTTPS callback endpoint in your application
- This endpoint will handle OAuth redirects and validate user sessions
- Example: `https://myagentapp.com/callback`

#### Step 2: Update Workload Identity with Callback URL
- Register your callback URL as an `AllowedResourceOauth2ReturnUrl` in the workload identity
- This is accomplished using the `UpdateWorkloadIdentity` API
- **In this tutorial**: This step is handled automatically by the code below that updates the workload identity with the environment-aware callback server URL

#### Step 3: Create OAuth2 Credential Provider
- Configure the credential provider with external OAuth provider details (client ID, secret)
- AgentCore Identity returns a unique callback URL for the provider
- Register this callback URL with the external OAuth provider (e.g., GitHub Console)

#### Step 4: Implement Session Validation and Token Completion
- Your callback endpoint must validate the current user's session
- Call `CompleteResourceTokenAuth` API with the user identifier and session URI
- **In this tutorial**: The `oauth2_callback_server.py` handles this automatically

#### Step 5: OAuth Flow Execution
- User triggers OAuth flow through agent interaction
- User is redirected to external provider for authorization
- Provider redirects back to your callback with session information
- Session binding completes and OAuth tokens become available

### Environment-Aware OAuth2 Callback Server

This tutorial uses an environment-aware `oauth2_callback_server.py` that automatically adapts to different execution environments:

#### **Local Development:**
- **External Callback URL**: `http://localhost:9090/oauth2/callback` (browser-accessible)
- **Internal Communication**: `http://localhost:9090` (notebook ‚Üî server)
- **Server Binding**: `127.0.0.1` (localhost only, secure)

#### **SageMaker Workshop Studio:**
- **External Callback URL**: `https://<domain>.studio.<region>.sagemaker.aws/proxy/9090/oauth2/callback` (browser-accessible via proxy)
- **Internal Communication**: `http://localhost:9090` (notebook ‚Üî server in same container)
- **Server Binding**: `0.0.0.0` (allows SageMaker proxy to reach server)

The OAuth2 callback server automatically detects the environment by checking for `/opt/ml/metadata/resource-metadata.json` and configures itself accordingly.

### Features of oauth2_callback_server.py

1. **Runs a Local FastAPI Server** (port 9090)
   - Provides `/ping` endpoint for health checks
   - Provides `/userIdentifier/token` endpoint to store user tokens
   - Provides `/oauth2/callback` endpoint to handle OAuth redirects

2. **Manages User Token Storage**
   - Stores the user's JWT token from Cognito authentication
   - Associates OAuth sessions with the correct user identity

3. **Handles OAuth Callback Processing**
   - Receives OAuth redirects with `session_id` parameter
   - Calls `CompleteResourceTokenAuth` to bind the session
   - Validates user identity before completing the flow

4. **Provides Session Security**
   - Ensures OAuth sessions are bound to authenticated users
   - Prevents unauthorized access to OAuth tokens

5. **Environment Detection**
   - Automatically detects local vs SageMaker Studio environment
   - Configures URLs and server binding appropriately

### Integration with Workload Identity Update

The code performs a crucial step in the OAuth2 session binding process:

```python
if launch_result.agent_id:
    workload_name = launch_result.agent_id
    workload_identity = identity_client.get_workload_identity(name=workload_name)
    allowed_resource_oauth_2_return_urls = workload_identity.get("allowedResourceOauth2ReturnUrls") or []
    oauth2_callback_url = get_oauth2_callback_url()
    print(f"Updating workload {workload_name} with callback url {oauth2_callback_url}")

    updated_workload_identity = identity_client.update_workload_identity(
        name=workload_name,
        allowed_resource_oauth_2_return_urls=[*allowed_resource_oauth_2_return_urls, oauth2_callback_url],
    )
```

This code:
1. **Retrieves the Agent's Workload Identity**: Uses the agent ID from the runtime deployment
2. **Gets Current Allowed URLs**: Fetches existing `allowedResourceOauth2ReturnUrls`
3. **Adds Environment-Aware Callback URL**: 
   - Local: `http://localhost:9090/oauth2/callback`
   - SageMaker: `https://<domain>.studio.sagemaker.aws/proxy/9090/oauth2/callback`
4. **Updates Workload Identity**: Registers the callback URL with AgentCore Identity

This registration is essential because AgentCore Identity will only redirect OAuth callbacks to pre-registered URLs, providing an additional security layer.

### Security Considerations

The OAuth2 session binding process includes several security measures:
- **URL Validation**: Only pre-registered callback URLs are allowed
- **Session Verification**: User sessions must be validated before token completion
- **User Identity Binding**: OAuth sessions are explicitly bound to authenticated users
- **Token Isolation**: Each user's OAuth tokens are isolated and secure
- **Environment-Aware URLs**: Automatically uses appropriate URLs for each environment

This comprehensive approach ensures that OAuth2 flows are secure and properly attributed to the correct users in multi-user environments, whether running locally or in SageMaker Workshop Studio.

---

#### Configure the Github OAuth2 credential provider.

Modify the following code and replace the following :
1. <your-github-client-id> with the "client id" recorded from Step 5 above
2. <your-github-client-secret> with the "client secret" recorded from Step 5 above.

Important : Please ensure you replace the entire place holder string including the "<" and ">"


Once the client id and client secret are updated, run the below code to create a credentials provider for Github. <br>
Resource credential providers in AgentCore Identity act as intelligent intermediaries that manage the complex relationships between agents, identity providers, and resource servers. Each provider encapsulates the specific endpoint configuration required for a particular service or identity system. The service provides built-in providers for popular services including Google, GitHub, Slack, and Salesforce, with authorization server endpoints and provider-specific parameters pre-configured to reduce development effort. AgentCore Identity supports custom configurations through configurable OAuth2 credential providers that can be tailored to work with any OAuth2-compatible resource server.


In [3]:
from bedrock_agentcore.services.identity import IdentityClient
region = boto_session.region_name
identity_client = IdentityClient(region)

# Configure GitHub OAuth2 provider - On-Behalf-Of User
github_provider = identity_client.create_oauth2_credential_provider({
    "name": "github-provider",
    "credentialProviderVendor": "GithubOauth2",
    "oauth2ProviderConfigInput": {
        "githubOauth2ProviderConfig": {
            'clientId': "Ov23li8j6ZGkSEbn2aKo",
            'clientSecret': "925b5e09321ce2e1607354c1b6d331a96775e744"
        }
    }
})
print(github_provider)
print("\n")
print(f"callbackUrl: {github_provider['callbackUrl']}")

{'ResponseMetadata': {'RequestId': '7ec28d61-e45a-4bcb-b033-5b99e56db81b', 'HTTPStatusCode': 201, 'HTTPHeaders': {'date': 'Sat, 13 Dec 2025 15:28:23 GMT', 'content-type': 'application/json', 'content-length': '919', 'connection': 'keep-alive', 'x-amzn-requestid': '7ec28d61-e45a-4bcb-b033-5b99e56db81b', 'x-amzn-remapped-x-amzn-requestid': 'ff183a02-da18-4ab7-8490-8d00f65cb329', 'x-amzn-remapped-content-length': '919', 'x-amzn-remapped-connection': 'keep-alive', 'x-amz-apigw-id': 'ViHjvFNjPHcEVYg=', 'x-amzn-trace-id': 'Root=1-693d8617-439936bf3a31a2aa3de367e2', 'x-amzn-remapped-date': 'Sat, 13 Dec 2025 15:28:23 GMT'}, 'RetryAttempts': 0}, 'clientSecretArn': {'secretArn': 'arn:aws:secretsmanager:us-west-2:455933813601:secret:bedrock-agentcore-identity!default/oauth2/github-provider-MXyhAD'}, 'name': 'github-provider', 'credentialProviderArn': 'arn:aws:bedrock-agentcore:us-west-2:455933813601:token-vault/default/oauth2credentialprovider/github-provider', 'callbackUrl': 'https://bedrock-age

## Steps to Update the Authorization callback URL in GitHub

1. **Sign In to GitHub**
   - Go to [github.com](https://github.com) and log in to your account.

2. **Access Developer Settings**
   - Click your profile picture in the upper-right corner.
   - Select **Settings** from the dropdown.
   - In the left sidebar, scroll down and click **Developer settings**.

3. **Go to OAuth Apps**
   - In the left sidebar under Developer settings, click **OAuth Apps**.

4. **Click on the OAuth App**
   - Locate the OAuth App you created in the step earlier that we have to update.
   - Click on the name of the OAuth App to open its settings.

5. **Update the Authorization callback URL**
   - Scroll down to **Authorization callback URL**
   - Enter the callbackUrl: URL from above in the text box and click **Update application**.


In [6]:
# Get the OAuth2 callback URL based on the current environment (notebook/SageMaker)
# This is evaluated HERE in the notebook, not in the agent container
from oauth2_callback_server import get_oauth2_callback_url
oauth2_callback_url_for_agent = get_oauth2_callback_url()

print(f"Callback URL for agent (determined from notebook environment): {oauth2_callback_url_for_agent}")

# Write github_agent.py with the callback URL embedded as a string literal
github_agent_code = f'''
import asyncio
import json
import os
from typing import Optional

import httpx
from bedrock_agentcore import BedrockAgentCoreApp
from bedrock_agentcore.identity.auth import requires_access_token
from strands import Agent, tool

# Environment configuration
os.environ["STRANDS_OTEL_ENABLE_CONSOLE_EXPORT"] = "true"
os.environ["OTEL_PYTHON_EXCLUDED_URLS"] = "/ping,/invocations"

# Global token storage (could be improved with a proper state management solution)
github_access_token: Optional[str] = None

app = BedrockAgentCoreApp()


@tool
def inspect_github_repos() -> str:
    """Inspect and list the user's private GitHub repositories.

    Returns:
        str: A JSON string containing the list of repositories and their details,
            or an authentication required message.
    """
    global github_access_token

    if not github_access_token:
        return json.dumps({{
            "auth_required": True,
            "message": "GitHub authentication is required. Please wait while we set up the authorization.",
            "events": []
        }})

    print(f"Using GitHub access token: {{github_access_token[:10]}}...")

    headers = {{"Authorization": f"Bearer {{github_access_token}}"}}

    try:
        with httpx.Client() as client:
            # Get user information
            user_response = client.get("https://api.github.com/user", headers=headers)
            user_response.raise_for_status()
            username = user_response.json().get("login", "Unknown")
            print(f"‚úÖ User: {{username}}")

            # Search for user's repositories
            repos_response = client.get(
                f"https://api.github.com/search/repositories?q=user:{{username}}",
                headers=headers
            )
            repos_response.raise_for_status()
            repos_data = repos_response.json()
            print(f"‚úÖ Found {{len(repos_data.get('items', []))}} repositories")

            repos = repos_data.get('items', [])
            if not repos:
                return f"No repositories found for {{username}}."

            # Format repository information
            response_lines = [f"GitHub repositories for {{username}}:\\n"]

            for repo in repos:
                repo_line = f"üìÅ {{repo['name']}}"
                if repo.get('language'):
                    repo_line += f" ({{repo['language']}})"
                repo_line += f" - ‚≠ê {{repo['stargazers_count']}}"
                response_lines.append(repo_line)

                if repo.get('description'):
                    response_lines.append(f"   {{repo['description']}}")
                response_lines.append("")  # Empty line for spacing

            return "\\n".join(response_lines)

    except httpx.HTTPStatusError as e:
        return f"GitHub API error: {{e.response.status_code}} - {{e.response.text}}"
    except Exception as e:
        return f"Error fetching GitHub repositories: {{str(e)}}"


class StreamingQueue:
    """Simple async queue for streaming responses."""

    def __init__(self):
        self._queue = asyncio.Queue()
        self._finished = False

    async def put(self, item: str) -> None:
        """Add an item to the queue."""
        await self._queue.put(item)

    async def finish(self) -> None:
        """Mark the queue as finished and add sentinel value."""
        self._finished = True
        await self._queue.put(None)

    async def stream(self):
        """Stream items from the queue until finished."""
        while True:
            item = await self._queue.get()
            if item is None and self._finished:
                break
            yield item


# Initialize streaming queue
queue = StreamingQueue()


async def on_auth_url(url: str) -> None:
    """Callback for authentication URL."""
    print(f"Authorization URL: {{url}}")
    await queue.put(f"Authorization URL: {{url}}")


def extract_response_text(response) -> str:
    """Extract text content from agent response."""
    if isinstance(response.message, dict):
        content = response.message.get('content', [])
        if isinstance(content, list):
            return "".join(
                item.get('text', '') for item in content
                if isinstance(item, dict) and 'text' in item
            )
    return str(response.message)


def needs_authentication(response_text: str) -> bool:
    """Check if response indicates authentication is required."""
    auth_keywords = [
        "authentication", "authorize", "authorization", "auth",
        "sign in", "login", "access", "permission", "credential",
        "need authentication", "requires authentication"
    ]
    return any(keyword.lower() in response_text.lower() for keyword in auth_keywords)


async def agent_task(user_message: str) -> None:
    """Execute agent task with authentication handling."""
    global github_access_token

    try:
        await queue.put("Begin agent execution")

        # Initial agent call
        response = agent(user_message)
        response_text = extract_response_text(response)

        # Check if authentication is needed
        if needs_authentication(response_text):
            await queue.put("Authentication required for GitHub access. Starting authorization flow...")

            try:
                github_access_token = await need_token_3LO_async(access_token='')
                await queue.put("Authentication successful! Retrying GitHub request...")

                # Retry with authentication
                response = agent(user_message)
            except Exception as auth_error:
                print(f"Authentication error: {{auth_error}}")
                await queue.put(f"Authentication failed: {{str(auth_error)}}")
                return

        await queue.put(response.message)
        await queue.put("End agent execution")

    except Exception as e:
        await queue.put(f"Error: {{str(e)}}")
    finally:
        await queue.finish()


@requires_access_token(
    provider_name="github-provider",
    scopes=["repo", "read:user"],
    auth_flow='USER_FEDERATION',
    on_auth_url=on_auth_url,
    force_authentication=False,  # ‚Üê Changed to False - will use cached token!
    callback_url="{oauth2_callback_url_for_agent}"  # ‚Üê Callback URL determined from notebook environment
)
async def need_token_3LO_async(*, access_token: str) -> str:
    """Handle 3LO authentication flow."""
    global github_access_token
    github_access_token = access_token
    return access_token


# Create agent instance
agent = Agent(
    model="global.anthropic.claude-haiku-4-5-20251001-v1:0",
    tools=[inspect_github_repos],
    system_prompt="""You are a GitHub assistant. Use the inspect_github_repos tool to fetch private repositories data.
    The inspect_github_repos tool handles token exchange and proper authentication with the GitHub API 
    to obtain private information for the user."""
)


@app.entrypoint
async def agent_invocation(payload):
    """Main entrypoint for agent invocation."""
    user_message = payload.get(
        "prompt",
        "No prompt found in input, please guide customer to create a JSON payload with prompt key"
    )

    # Create and start the agent task
    task = asyncio.create_task(agent_task(user_message))

    async def stream_with_task():
        """Stream results while ensuring task completion."""
        async for item in queue.stream():
            yield item
        await task  # Ensure task completes

    return stream_with_task()


if __name__ == "__main__":
    app.run()
'''

# Write the file
with open("github_agent.py", "w") as f:
    f.write(github_agent_code)

print("‚úÖ github_agent.py written successfully with embedded callback URL")

Callback URL for agent (determined from notebook environment): https://2tsypbyep8wxkc3.studio.us-west-2.sagemaker.aws/jupyterlab/default/proxy/9090/oauth2/callback
‚úÖ github_agent.py written successfully with embedded callback URL


## Deploying the agent to AgentCore Runtime
The CreateAgentRuntime operation supports comprehensive configuration options, letting you specify container images, environment variables and encryption settings. You can also configure protocol settings (HTTP, MCP) and authorization mechanisms to control how your clients communicate with the agent.

Note: Operations best practice is to package code as container and push to ECR using CI/CD pipelines and IaC

In this tutorial can will the Amazon Bedrock AgentCode Python SDK to easily package your artifacts and deploy them to AgentCore runtime.

In [7]:
from bedrock_agentcore_starter_toolkit import Runtime
from boto3.session import Session

boto_session = Session()
region = boto_session.region_name
print(f"Region: {region}")

discovery_url = cognito_config.get("discovery_url")
client_id = cognito_config.get("client_id")

agentcore_runtime = Runtime()

response = agentcore_runtime.configure(
    entrypoint="github_agent.py",
    auto_create_execution_role=True,
    auto_create_ecr=True,
    requirements_file="requirements.txt",
    region=region,
    agent_name="strands_agent_github",
    authorizer_configuration={
        "customJWTAuthorizer": {
            "discoveryUrl": discovery_url,
            "allowedClients": [client_id]
        }
    }
)
response

Entrypoint parsed: file=/home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/github_agent.py, bedrock_agentcore_name=github_agent
Memory disabled - agent will be stateless
Configuring BedrockAgentCore agent: strands_agent_github
Memory disabled
Network mode: PUBLIC


Region: us-west-2


Generated Dockerfile: Dockerfile
Generated .dockerignore: /home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/.dockerignore
Setting 'strands_agent_github' as default agent
Bedrock AgentCore configured: /home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/.bedrock_agentcore.yaml


ConfigureResult(config_path=PosixPath('/home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/.bedrock_agentcore.yaml'), dockerfile_path=PosixPath('/home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/Dockerfile'), dockerignore_path=PosixPath('/home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/.dockerignore'), runtime='Docker', runtime_type=None, region='us-west-2', account_id='455933813601', execution_role=None, ecr_repository=None, auto_create_ecr=True, s3_path=None, auto_create_s3=False, memory_id=None, network_mode='PUBLIC', network_subnets=None, network_security_groups=None, network_vpc_id=None)

## Review the AgentCore configuration

In [8]:
!cat .bedrock_agentcore.yaml

default_agent: strands_agent_github
agents:
  strands_agent_github:
    name: strands_agent_github
    entrypoint: /home/sagemaker-user/amazon-bedrock-agentcore-workshop/strand-agent-samples/13-AgentCore-identity/06-Outbound_Auth_Github/github_agent.py
    deployment_type: container
    runtime_type: null
    platform: linux/arm64
    container_runtime: docker
    source_path: null
    aws:
      execution_role: null
      execution_role_auto_create: true
      account: '455933813601'
      region: us-west-2
      ecr_repository: null
      ecr_auto_create: true
      s3_path: null
      s3_auto_create: false
      network_configuration:
        network_mode: PUBLIC
        network_mode_config: null
      protocol_configuration:
        server_protocol: HTTP
      observability:
        enabled: true
      lifecycle_configuration:
        idle_runtime_session_timeout: null
        max_lifetime: null
    bedrock_agentcore:
      agent_id: null
      agent_arn: null
      agent_session_i

### Launching agent to AgentCore Runtime

Now that we've got a docker file, let's launch the agent to the AgentCore Runtime. This will create the Amazon ECR repository and the AgentCore Runtime

<div style="text-align:left">
    <img src="images/launch.png" width="75%"/>
</div>

In [9]:
from oauth2_callback_server import get_oauth2_callback_url

# Deploy the agent to AgentCore Runtime and get deployment details
launch_result = agentcore_runtime.launch()
print(launch_result)

if launch_result.agent_id:
    # Extract the workload name from the deployed agent's ID for identity management
    workload_name = launch_result.agent_id
    # Retrieve the current workload identity configuration from AgentCore Identity
    workload_identity = identity_client.get_workload_identity(name=workload_name)
    # Extract existing OAuth2 callback URLs that are already registered for this workload
    allowed_resource_oauth_2_return_urls = workload_identity.get("allowedResourceOauth2ReturnUrls") or []
    # Get the local OAuth2 callback server URL for session binding (localhost:9090/oauth2/callback)
    oauth2_callback_url = get_oauth2_callback_url()
    print(f"Updating workload {workload_name} with callback url {oauth2_callback_url}")

    # Register the local callback URL with the workload identity to enable OAuth2 session binding
    updated_workload_identity = identity_client.update_workload_identity(
        name=workload_name,
        allowed_resource_oauth_2_return_urls=[*allowed_resource_oauth_2_return_urls, oauth2_callback_url],
    )
    print(updated_workload_identity)

üöÄ Launching Bedrock AgentCore (cloud mode - RECOMMENDED)...
   ‚Ä¢ Deploy Python code directly to runtime
   ‚Ä¢ No Docker required (DEFAULT behavior)
   ‚Ä¢ Production-ready deployment

üí° Deployment options:
   ‚Ä¢ runtime.launch()                ‚Üí Cloud (current)
   ‚Ä¢ runtime.launch(local=True)      ‚Üí Local development
Memory disabled - skipping memory creation
Starting CodeBuild ARM64 deployment for agent 'strands_agent_github' to account 455933813601 (us-west-2)
Setting up AWS resources (ECR repository, execution roles)...
Getting or creating ECR repository for agent: strands_agent_github
ECR repository available: 455933813601.dkr.ecr.us-west-2.amazonaws.com/bedrock-agentcore-strands_agent_github
Getting or creating execution role for agent: strands_agent_github
Using AWS region: us-west-2, account ID: 455933813601
Role name: AmazonBedrockAgentCoreSDKRuntime-us-west-2-fdd34a21fd


Repository doesn't exist, creating new ECR repository: bedrock-agentcore-strands_agent_github


Role doesn't exist, creating new execution role: AmazonBedrockAgentCoreSDKRuntime-us-west-2-fdd34a21fd
Starting execution role creation process for agent: strands_agent_github
‚úì Role creating: AmazonBedrockAgentCoreSDKRuntime-us-west-2-fdd34a21fd
Creating IAM role: AmazonBedrockAgentCoreSDKRuntime-us-west-2-fdd34a21fd
‚úì Role created: arn:aws:iam::455933813601:role/AmazonBedrockAgentCoreSDKRuntime-us-west-2-fdd34a21fd
‚úì Execution policy attached: BedrockAgentCoreRuntimeExecutionPolicy-strands_agent_github
Role creation complete and ready for use with Bedrock AgentCore
Execution role available: arn:aws:iam::455933813601:role/AmazonBedrockAgentCoreSDKRuntime-us-west-2-fdd34a21fd
Preparing CodeBuild project and uploading source...
Getting or creating CodeBuild execution role for agent: strands_agent_github
Role name: AmazonBedrockAgentCoreSDKCodeBuild-us-west-2-fdd34a21fd
CodeBuild role doesn't exist, creating new role: AmazonBedrockAgentCoreSDKCodeBuild-us-west-2-fdd34a21fd
Creating

mode='codebuild' tag='bedrock_agentcore-strands_agent_github:latest' env_vars=None port=None runtime=None ecr_uri='455933813601.dkr.ecr.us-west-2.amazonaws.com/bedrock-agentcore-strands_agent_github' agent_id='strands_agent_github-cXlE1gHIR8' agent_arn='arn:aws:bedrock-agentcore:us-west-2:455933813601:runtime/strands_agent_github-cXlE1gHIR8' codebuild_id='bedrock-agentcore-strands_agent_github-builder:5e2da43f-bf74-4c66-b42c-076010a6c553' build_output=None
Updating workload strands_agent_github-cXlE1gHIR8 with callback url https://2tsypbyep8wxkc3.studio.us-west-2.sagemaker.aws/jupyterlab/default/proxy/9090/oauth2/callback
{'ResponseMetadata': {'RequestId': 'e8c9004a-72d0-4085-a42a-e3e443495d22', 'HTTPStatusCode': 200, 'HTTPHeaders': {'date': 'Sat, 13 Dec 2025 15:33:02 GMT', 'content-type': 'application/json', 'content-length': '406', 'connection': 'keep-alive', 'x-amzn-requestid': 'e8c9004a-72d0-4085-a42a-e3e443495d22'}, 'RetryAttempts': 0}, 'name': 'strands_agent_github-cXlE1gHIR8', '

#### Add extra required policies to auto-created role

If you are using this on a new account where model has not been accessed before, you will need to add extra required policies to the auto-created role to allow the agent to access the model.

In [10]:
import json
import boto3
agentcore_control_client = boto3.client(
    'bedrock-agentcore-control',
    region_name=region
)

runtime_response = agentcore_control_client.get_agent_runtime(
    agentRuntimeId=launch_result.agent_id
)
runtime_role = runtime_response['roleArn']

policies_to_add = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BedrockModelAccess",
            "Effect": "Allow",
            "Action": [
                "aws-marketplace:ViewSubscriptions",
                "aws-marketplace:Subscribe"
            ],
            "Resource": "*"
        }
    ]
}
iam_client = boto3.client(
    'iam',
    region_name=region
)

response = iam_client.put_role_policy(
    PolicyDocument=json.dumps(policies_to_add),
    PolicyName="outbound_policies",
    RoleName=runtime_role.split("/")[1],
)

### Checking for the AgentCore Runtime Status
Now that we've deployed the AgentCore Runtime, let's check for it's deployment status

In [11]:
import time

status_response = agentcore_runtime.status()
status = status_response.endpoint['status']
end_status = ['READY', 'CREATE_FAILED', 'DELETE_FAILED', 'UPDATE_FAILED']
while status not in end_status:
    time.sleep(10)
    status_response = agentcore_runtime.status()
    status = status_response.endpoint['status']
    print(status)
print(f"Final status: {status}")

Retrieved Bedrock AgentCore status for: strands_agent_github


Final status: READY


### Invoking AgentCore Runtime

Finally, we can invoke our AgentCore Runtime with a payload

You will notice that the agent calls the "inspect_github_repos" tool and triggers the 3 Legged Outh flow. You will be presented with the Authorization Url. Click on the Authorization url Or copy/paste it in a new browser session/tab to complete the user consent flow.
Once the Authorization completes, The credential provider "github-provider" will fetch the access_token from GitHub and complete the tool execution to fetch the private repos from your GitHub Account.

<div style="text-align:left">
    <img src="images/invoke.png" width=75%"/>
</div>

In [12]:
import subprocess
from oauth2_callback_server import store_token_in_oauth2_callback_server, wait_for_oauth2_server_to_be_ready

bearer_token = reauthenticate_user(cognito_config.get("client_id"))

oauth2_callback_server_cmd = [sys.executable, "oauth2_callback_server.py", "--region", region]
oauth2_callback_server_process = subprocess.Popen(oauth2_callback_server_cmd)

try:
    # Start the OAuth2 callback server
    successfully_started_oauth2_server = wait_for_oauth2_server_to_be_ready()
    if not successfully_started_oauth2_server:
        print("Failed to start OAuth2 callback server to handle session binding "
              "(https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/oauth2-authorization-url-session-binding.html)")
    else:
        store_token_in_oauth2_callback_server(bearer_token)
        invoke_response = agentcore_runtime.invoke(
            {"prompt": "What are my private repositories?"},
            bearer_token=bearer_token
        )
        print(invoke_response)
finally:
    oauth2_callback_server_process.terminate()

INFO:     Started server process [43780]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:9090 (Press CTRL+C to quit)
Using JWT authentication


INFO:     127.0.0.1:33176 - "GET /ping HTTP/1.1" 200 OK
INFO:     127.0.0.1:33186 - "POST /userIdentifier/token HTTP/1.1" 200 OK


INFO:     127.0.0.1:53066 - "GET /oauth2/callback?session_id=urn%3Aietf%3Aparams%3Aoauth%3Arequest_uri%3AM2U0ZjBlZjQtMDg4My00NzU2LTliMDMtOGY1OTI5MGU5NzE4 HTTP/1.1" 200 OK


Failed to invoke agent endpoint: HTTPSConnectionPool(host='bedrock-agentcore.us-west-2.amazonaws.com', port=443): Read timed out.
INFO:     Shutting down
INFO:     Waiting for application shutdown.
INFO:     Application shutdown complete.
INFO:     Finished server process [43780]


ConnectionError: HTTPSConnectionPool(host='bedrock-agentcore.us-west-2.amazonaws.com', port=443): Read timed out.

## Optional - Test the agent using a Streamlit App

You can test your deployed agent using a Streamlit web application that provides a nice chat interface. The `chatbot_app_cognito.py` file in this directory creates a web-based chatbot that:

- Automatically reads configuration from `.bedrock_agentcore.yaml`
- Provides Cognito authentication
- Shows a modern chat interface with streaming responses
- Handles the 3LO OAuth flow for GitHub access

### Running the Streamlit App

You can run the Streamlit app in several ways:

#### Option 1: Run from Jupyter Notebook (Current Directory)
- Run the cell below to start the Streamlit app directly from this notebook:
- Login: Use the credentials testuser / MyPassword123! (the default test user created by the Cognito setup)
- Test some simple prompts like "Tell me a joke"
- Test with a prompt that will trigger the `inspect_github_repos` tool like "What are my private repositories?".
- You will see the Authorization url returned. Click on the url or copy/paste the url to a new browser tab/window to complete the user consent flow.

In [None]:
import subprocess
from chatbot_app_cognito import get_streamlit_url

# Change to the current directory where the chatbot_app_cognito.py file is located
notebook_dir = os.getcwd()

# Start the Streamlit app
print("Starting Streamlit app...")

oauth2_callback_server_cmd = [sys.executable, "oauth2_callback_server.py", "--region", region]
oauth2_callback_server_process = subprocess.Popen(oauth2_callback_server_cmd)

try:
    wait_for_oauth2_server_to_be_ready()

    # Run streamlit in the current directory
    process = subprocess.Popen([
        sys.executable, "-m", "streamlit", "run", "chatbot_app_cognito.py",
        "--server.port=8501", "--server.showEmailPrompt=false"
    ],
        cwd=notebook_dir,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True
    )

    # Print the output as it comes
    for line in iter(process.stdout.readline, ''):
        if line:
            if "8501" in line:
                print("\nüéâ Streamlit app is ready!")
                streamlit_url = get_streamlit_url()
                print(f'\nüöÄ Streamlit Application URL:\n{streamlit_url}\n')
                print("‚ö†Ô∏è To stop the app, interrupt the kernel or press Ctrl+C in the terminal")
                break

except KeyboardInterrupt:
    print("\nStreamlit app stopped.")
    oauth2_callback_server_process.terminate()
    process.terminate()
except Exception as e:
    print(f"Error starting Streamlit app: {e}")

## Cleanup (Optional)

Let's now clean up the AgentCore Runtime created

In [None]:
# agentcore_control_client = boto3.client(
#     'bedrock-agentcore-control',
#     region_name=region
# )
# ecr_client = boto3.client(
#     'ecr',
#     region_name=region
    
# )

# iam_client = boto3.client('iam')

# runtime_delete_response = agentcore_control_client.delete_agent_runtime(
#     agentRuntimeId=launch_result.agent_id
# )

# response = ecr_client.delete_repository(
#     repositoryName=launch_result.ecr_uri.split('/')[1],
#     force=True
# )

# policies = iam_client.list_role_policies(
#     RoleName=agentcore_iam_role['Role']['RoleName'],
#     MaxItems=100
# )

# for policy_name in policies['PolicyNames']:
#     iam_client.delete_role_policy(
#         RoleName=agentcore_iam_role['Role']['RoleName'],
#         PolicyName=policy_name
#     )
# iam_response = iam_client.delete_role(
#     RoleName=agentcore_role_name
# )