
fix(gateway): add missing validation for custom JWT claim values#644

Merged
aidandaly24 merged 1 commit intoaws:mainfrom
aidandaly24:fix/custom-claims-validation
Mar 25, 2026

Conversation

Contributor

@aidandaly24 aidandaly24 commented Mar 25, 2026

Description

Add missing Zod validation for custom JWT claim values to catch invalid input at CLI time instead of failing at deploy time.

  • matchValueString and matchValueStringList items lacked regex validation, allowing characters (e.g. /, :) that the API rejects. Added [A-Za-z0-9_.-]+ pattern and max(255) per the ClaimMatchValueType API docs.
  • inboundTokenClaimName: Added max(255) length constraint and a blocklist for client_id — a server-side reserved claim name that the API rejects but doesn't document in its schema.
  • Fixed stale mcp.json comment references → agentcore.json.

Related Issue

Documentation PR

N/A — no user-facing doc changes needed.

Type of Change

  • Bug fix
  • New feature
  • Breaking change
  • Documentation update
  • Other (please describe):

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

Companion CDK PR: https://github.com/aws/agentcore-l3-cdk-constructs/pull/107


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the
terms of your choice.

@aidandaly24 aidandaly24 requested a review from a team March 25, 2026 17:05
@github-actions github-actions bot added the size/s PR size: S label Mar 25, 2026
matchValueString and matchValueStringList items lacked regex validation,
allowing characters (e.g. / :) that the API rejects at deploy time.
Also blocks 'client_id' as a reserved custom claim name (server-side
business rule) and fixes stale mcp.json references in comments.

Validation constraints sourced from the ClaimMatchValueType and
CustomClaimValidationType API reference documentation.

- matchValueString: added regex [A-Za-z0-9_.-]+ and max(255)
- matchValueStringList items: same regex and max(255) per item
- inboundTokenClaimName: added max(255) and reserved name blocklist
- Updated stale mcp.json comment references to agentcore.json
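The constraints described in the PR description and in the commit message above, as an added example that is not part of this PR or the project's code. The project expresses these rules as Zod schemas (`z.string().regex(...).max(255)` plus a refinement for the blocklist); the model below is dependency-free TypeScript so it runs without `zod`, and the function and constant names are assumptions. The one practitioner caveat it makes explicit: the pattern must be anchored with `^` and `$`, because an unanchored `[A-Za-z0-9_.-]+` matches `agentcore/invoke` (the `agentcore` substring satisfies it) and would let the `/` through to deploy time.

```typescript
// Added example (not the project's code): a dependency-free model of the
// validation this PR adds for custom JWT claim values. Helper names are
// assumptions; the project itself uses Zod schemas for the same rules.

// Anchored: without ^ and $ the pattern would accept "agentcore/invoke",
// because "agentcore" alone satisfies [A-Za-z0-9_.-]+.
const CLAIM_VALUE_PATTERN = /^[A-Za-z0-9_.-]+$/;
const MAX_LEN = 255;

// Reserved claim names the API rejects server-side. "client_id" is the one
// named in the PR; a Set keeps the blocklist easy to extend.
const RESERVED_CLAIM_NAMES: ReadonlySet<string> = new Set(["client_id"]);

interface CustomClaimValidation {
  inboundTokenClaimName: string;
  matchValueString?: string;
  matchValueStringList?: string[];
}

interface ValidationResult {
  ok: boolean;
  errors: string[];
}

// matchValueString / each matchValueStringList item: 1..255 chars, restricted charset.
function validateMatchValue(value: string, path = "matchValueString"): string[] {
  const errors: string[] = [];
  if (value.length === 0 || value.length > MAX_LEN) {
    errors.push(`${path}: length must be 1..${MAX_LEN}, got ${value.length}`);
  }
  if (!CLAIM_VALUE_PATTERN.test(value)) {
    errors.push(`${path}: "${value}" contains characters outside [A-Za-z0-9_.-]`);
  }
  return errors;
}

// inboundTokenClaimName: the PR adds only a length cap and a reserved-name
// blocklist, not a character pattern, so this model deliberately does the same.
function validateClaimName(name: string): string[] {
  const errors: string[] = [];
  if (name.length === 0 || name.length > MAX_LEN) {
    errors.push(`inboundTokenClaimName: length must be 1..${MAX_LEN}, got ${name.length}`);
  }
  if (RESERVED_CLAIM_NAMES.has(name)) {
    errors.push(`inboundTokenClaimName: "${name}" is reserved by the API`);
  }
  return errors;
}

// Validate one custom claim entry; collects every error rather than stopping
// at the first so the CLI can report all problems in a single run.
function validateCustomClaim(claim: CustomClaimValidation): ValidationResult {
  const errors: string[] = [...validateClaimName(claim.inboundTokenClaimName)];
  if (claim.matchValueString !== undefined) {
    errors.push(...validateMatchValue(claim.matchValueString));
  }
  if (claim.matchValueStringList !== undefined) {
    claim.matchValueStringList.forEach((v, i) => {
      errors.push(...validateMatchValue(v, `matchValueStringList[${i}]`));
    });
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample inputs (not taken from the PR): the first is valid, the
// other three are the kinds of input the API would otherwise reject at deploy time.
const SAMPLES: CustomClaimValidation[] = [
  { inboundTokenClaimName: "tenant", matchValueString: "acme-prod_01" },
  { inboundTokenClaimName: "scope", matchValueString: "agentcore/invoke" },
  { inboundTokenClaimName: "client_id", matchValueString: "abc123" },
  { inboundTokenClaimName: "roles", matchValueStringList: ["admin", "svc:reader"] },
];

for (const sample of SAMPLES) {
  const result = validateCustomClaim(sample);
  console.log(result.ok ? "OK  " : "FAIL", JSON.stringify(sample), result.errors);
}
```

Running the block prints one line per sample; only the first passes, the `/` and `:` values fail the charset rule, and `client_id` fails the blocklist even though its value is well formed.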
@aidandaly24 aidandaly24 force-pushed the fix/custom-claims-validation branch from 71c1d09 to b1d0358 Compare March 25, 2026 17:30
@github-actions github-actions bot added size/s PR size: S and removed size/s PR size: S labels Mar 25, 2026
Contributor

@notgitika notgitika left a comment


LGTM thanks for adding this validation!

@aidandaly24 aidandaly24 merged commit acd300d into aws:main Mar 25, 2026
18 of 19 checks passed