Description
Add a new Gateway tutorial demonstrating how to connect AgentCore Gateway to OAuth-protected MCP servers using Authorization Code Grant (3LO) for outbound authentication.
What this covers
- Inbound auth: Two methods — PKCE (browser login, no client secret) and agent-mediated (AgentCore Identity federated token via USER_FEDERATION)
- Outbound auth: 3LO flow with GitHub MCP server as the example target
- Gateway config: allowedClients authorizer with Cognito as the IdP
- Session binding: complete-resource-token-auth callback handling for 3LO consent
- Multi-provider support: Gateway configuration examples for Cognito, Okta, Microsoft Entra, and Auth0
Proposed files
01-tutorials/02-AgentCore-gateway/17-oauth-protected-mcp-server-targets/
├── 01-pkce-github.ipynb # PKCE flow (no client secret)
├── 02-agent-mediated-github.ipynb # Agent-mediated flow (AgentCore Identity)
├── oauth2_callback_server.py # Shared callback server for 3LO binding
├── requirements.txt
└── README.md
Related
- Extends 13-outbound-auth-code-grant (LinkedIn/OpenAPI) to cover MCP server targets
- Demonstrates both PKCE and agent-mediated inbound auth patterns