fix M2M

Author: mazyu36

packages/@aws-cdk/aws-bedrock-agentcore-alpha/lib/gateway/gateway.ts

@@ -389,6 +389,16 @@ export class Gateway extends GatewayBase {
    */
   public userPoolClient?: cognito.IUserPoolClient;
 
+  /**
+   * The Cognito User Pool Domain created for the gateway (if using default Cognito authorizer)
+   */
+  public userPoolDomain?: cognito.UserPoolDomain;
+
+  /**
+   * The Cognito Resource Server created for the gateway (if using default Cognito authorizer)
+   */
+  public resourceServer?: cognito.UserPoolResourceServer;
+
   constructor(scope: Construct, id: string, props: GatewayProps) {
     super(scope, id);
     // Enhanced CDK Analytics Telemetry
@@ -669,19 +679,68 @@ export class Gateway extends GatewayBase {
 
   /**
    * Creates a default Cognito authorizer for the gateway
-   * Provisions a Cognito User Pool and configures JWT authentication
+   * Provisions a Cognito User Pool and configures M2M (machine-to-machine) JWT authentication
+   * using OAuth 2.0 client credentials grant flow
+   * @see https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity-idp-cognito.html
    * @internal
    */
   private createDefaultCognitoAuthorizerConfig(): IGatewayAuthorizerConfig {
+    // Create User Pool for M2M authentication
     const userPool = new cognito.UserPool(this, 'UserPool', {
       userPoolName: `${this.name}-gw-userpool`,
       signInCaseSensitive: false,
     });
+
+    const resourceServer = userPool.addResourceServer('ResourceServer', {
+      identifier: `${this.name}-gateway-resource-server`,
+      userPoolResourceServerName: `${this.name}-GatewayResourceServer`,
+      scopes: [
+        {
+          scopeName: 'read',
+          scopeDescription: 'Read access to gateway tools',
+        },
+        {
+          scopeName: 'write',
+          scopeDescription: 'Write access to gateway tools',
+        },
+      ],
+    });
+
     const userPoolClient = userPool.addClient('DefaultClient', {
       userPoolClientName: `${this.name}-gw-client`,
+      generateSecret: true,
+      oAuth: {
+        flows: {
+          clientCredentials: true,
+        },
+        scopes: [
+          cognito.OAuthScope.resourceServer(resourceServer, {
+            scopeName: 'read',
+            scopeDescription: 'Read access to gateway tools',
+          }),
+          cognito.OAuthScope.resourceServer(resourceServer, {
+            scopeName: 'write',
+            scopeDescription: 'Write access to gateway tools',
+          }),
+        ],
+      },
     });
+
+    // Create Cognito Domain for OAuth2 token endpoint
+    // Use gateway name as domain prefix (already validated to be alphanumeric with hyphens/underscores)
+    // Replace underscores with hyphens and convert to lowercase for Cognito domain requirements
+    const domainPrefix = `${this.name}-gw`.replace(/_/g, '-').toLowerCase();
+    const userPoolDomain = userPool.addDomain('Domain', {
+      cognitoDomain: {
+        domainPrefix: domainPrefix,
+      },
+    });
+
     this.userPool = userPool;
     this.userPoolClient = userPoolClient;
+    this.userPoolDomain = userPoolDomain;
+    this.resourceServer = resourceServer;
+
     return GatewayAuthorizer.usingCognito({
       userPool: userPool,
       allowedClients: [userPoolClient],

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/gateway-agent/Dockerfile

@@ -0,0 +1,13 @@
+# Minimal test application for Gateway integration
+FROM public.ecr.aws/docker/library/python:3.12-slim
+
+WORKDIR /app
+
+# Copy application code
+COPY app.py .
+
+# Expose port for AgentCore Runtime
+EXPOSE 8080
+
+# Run the application
+CMD ["python", "app.py"]

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/gateway-agent/app.py

@@ -0,0 +1,83 @@
+import json
+import os
+import base64
+import urllib.request
+from http.server import HTTPServer, BaseHTTPRequestHandler
+
+
+def get_token():
+    """Get M2M access token from Cognito"""
+    credentials = f"{os.environ['CLIENT_ID']}:{os.environ['CLIENT_SECRET']}"
+    auth = base64.b64encode(credentials.encode()).decode()
+    
+    req = urllib.request.Request(
+        os.environ['TOKEN_ENDPOINT'],
+        data=f"grant_type=client_credentials&scope={os.environ['SCOPE']}".encode(),
+        headers={
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Authorization': f'Basic {auth}'
+        }
+    )
+    
+    with urllib.request.urlopen(req) as response:
+        return json.loads(response.read())['access_token']
+
+
+def call_tool(url, token):
+    """Call Gateway tool via MCP"""
+    if not url.endswith('/mcp'):
+        url = f"{url.rstrip('/')}/mcp"
+    
+    req = urllib.request.Request(
+        url,
+        data=json.dumps({
+            'jsonrpc': '2.0',
+            'method': 'tools/call',
+            'params': {'name': 'test-tools___hello', 'arguments': {}},
+            'id': 1
+        }).encode(),
+        headers={
+            'Content-Type': 'application/json',
+            'Authorization': f'Bearer {token}'
+        }
+    )
+    
+    with urllib.request.urlopen(req) as response:
+        return json.loads(response.read())['result']
+
+
+class Handler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        if self.path == '/ping':
+            self.send_response(200)
+            self.send_header('Content-Type', 'application/json')
+            self.end_headers()
+            self.wfile.write(json.dumps({'status': 'healthy'}).encode())
+    
+    def do_POST(self):
+        if self.path == '/invocations':
+            try:
+                token = get_token()
+                result = call_tool(os.environ['GATEWAY_URL'], token)
+                
+                self.send_response(200)
+                self.send_header('Content-Type', 'application/json')
+                self.end_headers()
+                self.wfile.write(json.dumps({
+                    'output': {
+                        'message': 'Gateway M2M authentication successful',
+                        'result': result
+                    }
+                }).encode())
+            except Exception as e:
+                self.send_response(500)
+                self.send_header('Content-Type', 'application/json')
+                self.end_headers()
+                self.wfile.write(json.dumps({'error': str(e)}).encode())
+    
+    def log_message(self, format, *args):
+        pass
+
+
+if __name__ == '__main__':
+    HTTPServer(('', 8080), Handler).serve_forever()

packages/@aws-cdk/aws-bedrock-agentcore-alpha/test/agentcore/gateway/gateway-agent/requirements.txt

@@ -0,0 +1 @@
+# No external dependencies required for minimal test application