Understanding OAuth Authentication in Amazon Bedrock AgentCore: A Deep Dive
Introduction
Amazon Bedrock AgentCore introduces a sophisticated authentication pattern that enables AI agents to securely access external services on behalf of users. This architecture implements a dual authentication pattern that separates inbound authentication (who can call your agent) from outbound authentication (how your agent accesses external services).
In this post, we’ll explore how this OAuth flow works, why it’s designed this way, and walk through a complete authentication cycle with detailed diagrams.
The Dual Authentication Pattern
Traditional applications typically implement authentication in one direction: users authenticate to access the application. But AI agents introduce a new challenge: the agent itself needs to authenticate to external services on behalf of the user.
Bedrock AgentCore solves this with two separate authentication layers:
1. Inbound Authentication (User → Agent)
Controls who can invoke your agent runtime. Uses JWT tokens validated against a Cognito User Pool.
2. Outbound Authentication (Agent → External Services)
Controls how your agent accesses external services. Uses OAuth 2.0 with user federation to act on behalf of the authenticated user.
graph LR
subgraph Inbound["Inbound Authentication"]
direction TB
U[User] -->|JWT Token| R[Agent Runtime]
R -->|Validates against| C1[Runtime Cognito Pool]
R -.->|Executes| A[Agent Code]
end
Inbound ~~~ Outbound
subgraph Outbound["Outbound Authentication"]
direction TB
A -->|Needs external access| TV[Token Vault]
TV -->|OAuth 2.0| C2[Identity Provider]
C2 -->|Returns token| TV
TV -->|Cached token| A
end
style U fill:#4dabf7
style R fill:#51cf66
style A fill:#fab005
style TV fill:#7950f2
style C1 fill:#4dabf7
style C2 fill:#fab005
Architecture Overview
Two Cognito Pools: Why?
At first glance, using two separate Cognito User Pools might seem like unnecessary complexity. However, this architectural decision is fundamental to implementing secure, scalable AI agents that can access external services on behalf of users. The key insight is that authenticating who can invoke your agent is conceptually different from authenticating which external services your agent can access. By separating these concerns into two distinct authentication layers, we achieve better security isolation, clearer audit trails, and the flexibility to integrate with multiple identity providers without coupling them together. Think of it as having two separate security checkpoints: one at the entrance to your building (who can use the agent) and another at specific rooms inside (which external services the agent can access).
The architecture uses two separate Cognito User Pools, each serving a distinct purpose:
Runtime Pool (Inbound Authentication):
- Purpose: Authenticate callers who invoke the agent
- Users: Application users
- Flow: User → JWT Token → Runtime validates token
- Think of it as: “Who can talk to my agent?”
Identity Pool (Outbound Authentication):
- Purpose: Store credentials for external services
- Users: Service accounts
- Flow: Agent → Request token → External service validates
- Think of it as: “What can my agent access?”
graph TB
subgraph "InboundAuth Cognito Pool"
R1[Cognito Pool - InboundAuth]
R2[Authenticates: Callers]
R4[Validates: Inbound JWT tokens]
end
subgraph "OutboundAuth Cognito Pool"
I1[Cognito Pool - OutboundAuth]
I2[Authenticates: External Services]
I4[Provides: OAuth tokens for agents]
end
User[End User] -->|Authenticate| R1
R1 -->|JWT| Runtime[Agent Runtime]
Runtime -->|Execute| Agent[Agent Code]
Agent -->|Need token| Vault[Token Vault]
Vault -->|OAuth flow| I1
I1 -->|Access token| Vault
style R1 fill:#4dabf7
style I1 fill:#fab005
style Runtime fill:#51cf66
This separation provides several benefits:
- Security: Compromising user credentials doesn’t expose service credentials providing isolation
- Scalability: Different user pools can scale independently of each other
- Flexibility: Can integrate multiple external identity providers if you choose to do so
- Audit: Clear separation between user actions and service actions
The Complete OAuth Flow
Let’s walk through a complete authentication cycle, from initial invocation to cached token usage.
sequenceDiagram
participant User
participant Browser
participant CLI as AgentCore CLI
participant Runtime as Bedrock AgentCore
Runtime
participant Agent as Agent Code
(agent.py)
participant TokenVault as Identity Token Vault
participant RuntimeCognito as Cognito Pool - InboundAuth
participant IdentityCognito as Cognito Pool - OutboundAuth
rect rgb(200, 230, 255)
Note over User,RuntimeCognito: PHASE 1: INBOUND AUTHENTICATION
User->>CLI: 1. Get authentication token
CLI->>RuntimeCognito: 2. Username/Password
RuntimeCognito-->>CLI: 3. JWT Access Token
Note right of CLI: Token contains:
• client_id
• username
• scopes
• expiry
CLI->>User: 4. Return JWT token
end
rect rgb(255, 230, 200)
Note over User,Runtime: PHASE 2: INVOKE AGENT
User->>CLI: 5. Invoke agent with JWT
CLI->>Runtime: 6. InvokeAgentRuntime API call
Runtime->>RuntimeCognito: 7. Validate JWT against OIDC discovery
RuntimeCognito-->>Runtime: 8. ✅ Token Valid
Runtime->>Agent: 9. Execute agent code
end
rect rgb(230, 255, 230)
Note over Agent,IdentityCognito: PHASE 3A: OUTBOUND AUTH - FIRST CALL
Agent->>Agent: 10. Function with @requires_access_token
Note right of Agent: Decorator parameters:
• provider_name
• callback_url
• auth_flow: USER_FEDERATION
• scopes: [openid]
Agent->>TokenVault: 11. Request token for provider
TokenVault->>TokenVault: 12. Check cache → Not found
TokenVault->>IdentityCognito: 13. Initiate OAuth authorization
IdentityCognito-->>TokenVault: 14. Authorization URL
TokenVault-->>Agent: 15. Return auth URL
Agent->>Agent: 16. on_auth_url callback fires
Agent-->>Runtime: 17. Response: "Authorization Required"
Runtime-->>CLI: 18. Forward response
CLI-->>User: 19. Display authorization URL
end
rect rgb(255, 240, 230)
Note over User,IdentityCognito: PHASE 3B: USER AUTHORIZATION
User->>Browser: 20. Opens authorization URL
Browser->>TokenVault: 21. GET authorization endpoint
TokenVault->>IdentityCognito: 22. Redirect to Cognito login
User->>Browser: 23. Enter credentials
Browser->>IdentityCognito: 24. Submit authentication
IdentityCognito->>IdentityCognito: 25. Validate credentials
IdentityCognito->>IdentityCognito: 26. Generate authorization code
IdentityCognito->>Browser: 27. Redirect with auth code
Browser->>TokenVault: 28. Callback with code
end
rect rgb(240, 230, 255)
Note over TokenVault,IdentityCognito: PHASE 3C: TOKEN EXCHANGE
TokenVault->>IdentityCognito: 29. Exchange code for tokens
Note right of TokenVault: Grant Type: authorization_code
Client credentials included
IdentityCognito-->>TokenVault: 30. Return tokens
Note right of IdentityCognito: Returns:
• access_token
• id_token
• refresh_token
TokenVault->>TokenVault: 31. Cache tokens by session_id
TokenVault->>Browser: 32. Redirect to callback_url
end
rect rgb(230, 255, 255)
Note over User,IdentityCognito: PHASE 4: SUBSEQUENT CALLS (Cached)
User->>CLI: 33. Invoke agent again (same session)
CLI->>Runtime: 34. InvokeAgentRuntime with JWT
Runtime->>Runtime: 35. Validate JWT (cached)
Runtime->>Agent: 36. Execute agent code
Agent->>TokenVault: 37. Request token
TokenVault->>TokenVault: 38. Check cache → ✅ Found!
TokenVault-->>Agent: 39. Return cached access_token
Note right of Agent: Decorator injects token
directly into function
Agent->>Agent: 40. Execute function with token
Agent-->>Runtime: 41. Success response
Runtime-->>CLI: 42. Forward response
CLI-->>User: 43. Display result
end
Understanding the Flow: A Simplified Walkthrough
The sequence diagram above shows the complete technical flow, but let’s break it down into simple, digestible steps. Think of this as a story with four chapters: getting your ticket to use the agent, using the agent, getting permission for external access, and then enjoying fast subsequent access.
Chapter 1: Getting Your Ticket to Talk to the Agent (Steps 1-4)
Before you can ask your agent to do anything, you need to prove who you are. This is the inbound authentication step.
Step 1: You ask for credentials
You run a command like agentcore identity get-cognito-inbound-token. Think of this as walking up to a ticket booth and asking for admission.
Step 2: System checks your identity
Your username and password are sent to the Runtime Cognito Pool. This is like showing your ID to the ticket seller.
Step 3: System gives you a JWT token
If your credentials are valid, you receive a JWT (JSON Web Token). This token is like a concert ticket or an all-access pass - it proves you’re allowed to invoke the agent. The token contains important information:
- Your client ID (which application you’re using)
- Your username (who you are)
- Scopes (what you’re allowed to do)
- Expiry time (typically 1 hour)
Step 4: You hold onto your ticket
You’ll use this JWT token every time you talk to the agent. you’ll need it for every invocation.
Chapter 2: Talking to the Agent (Steps 5-9)
Now that you have your JWT ticket, you can actually invoke the agent. This is still part of inbound authentication - proving you have the right to use the agent.
Step 5: You show your ticket and make a request
You run: agentcore invoke '{"prompt": "Check my external account"}' --bearer-token <JWT>
You’re essentially saying: “Here’s my ticket, please do this task for me.”
Step 6: Ticket gets validated
The Bedrock AgentCore Runtime receives your JWT and needs to verify it’s legitimate. Just like a bouncer at a concert scanning your ticket.
Step 7: Runtime calls the ticket office
The Runtime asks the Runtime Cognito Pool: “Is this JWT token real? Is it still valid? Has it expired?”
This happens by checking against the OIDC discovery endpoint configured in your agent.
Step 8: Cognito confirms
✅ “Yes, this token is valid. This user is authorized to invoke the agent.”
The signature is valid, the token hasn’t expired, and it was issued by the correct authority.
Step 9: Agent begins execution
With authentication confirmed, the agent code starts executing with your request. Your prompt is passed to the agent, and it begins processing.
Chapter 3A: Agent Needs External Access - First Time (Steps 10-19)
Now we switch to outbound authentication. Your agent needs to access an external service on your behalf, but it doesn’t have permission yet.
Step 10: Agent encounters a protected function
Your agent code calls a function decorated with @requires_access_token. This decorator is the key to the OAuth flow.
Step 11: Agent asks the Token Vault
The decorator automatically asks: “Do I have an access token for this external service provider for this session?”
The Token Vault is a secure storage system that caches OAuth tokens by session ID.
Step 12: Vault checks its cache
The Token Vault looks up: Session ID → Provider → Token
Result: ❌ “No token found. This is the first time this session is accessing this provider.”
Step 13: Vault initiates OAuth flow
Since there’s no cached token, the Token Vault starts the OAuth 2.0 authorization code flow with the Identity Cognito Pool.
Step 14: External service creates authorization URL
The Identity Provider (Identity Cognito) generates a special authorization URL. This URL contains:
- Encrypted state (including your session ID)
- Requested scopes (what permissions you’re asking for)
- Callback URL (where to redirect after authorization)
- Client ID (which application is requesting access)
Step 15: Vault returns the authorization URL to the agent
Instead of a token, the Vault returns: “Authorization required - here’s the URL”
Step 16: Agent’s callback hook fires
The on_auth_url callback you specified in the decorator triggers. This gives your code a chance to handle the authorization URL appropriately.
Step 17-19: Agent tells you authorization is needed
The agent responds with a message like:
“🔐 Authorization Required - Please open this URL in your browser to authorize: [URL]”
The Runtime forwards this response, and you see it in your CLI. The ball is now in your court - you need to authorize the access.
Chapter 3B: You Grant Permission (Steps 20-28)
This is where you (the user) explicitly grant permission for the agent to access the external service on your behalf. This is the heart of USER_FEDERATION - you’re in control.
Step 20: You open the authorization URL
You click the link (or copy-paste it into your browser). This opens the OAuth authorization flow in your web browser.
Step 21: Browser navigates to the authorization endpoint
Your browser makes a GET request to the Token Vault’s authorization endpoint.
Step 22: Redirected to the login page
The Token Vault redirects you to the Identity Cognito Pool login page. This is where you’ll authenticate to the external service.
Step 23: You enter your credentials
You type in your username and password for the external service. In this demo, that’s the Identity Cognito user (like externaluser24a901fd).
Important: These are different credentials from your Runtime Cognito credentials! You’re now proving you own the external account.
Step 24: You submit the login form
Browser sends your credentials to the Identity Cognito Pool.
Step 25: Identity Cognito validates your credentials
The external service checks: “Is this the correct password for this user?” If valid, it proceeds.
Step 26: Identity Cognito generates an authorization code
Instead of giving you the actual access token directly, OAuth uses an intermediate step: an authorization code. This is a short-lived, one-time-use code that can be exchanged for tokens.
Why a code? Security! The code is sent via the browser (less secure channel), but the actual tokens are exchanged server-to-server (more secure).
Step 27: Browser redirected with the authorization code
Identity Cognito redirects your browser back to the Token Vault callback URL, including the authorization code in the URL parameters.
Step 28: Token Vault receives the code
The Token Vault’s callback endpoint receives the authorization code. Now it’s ready for the final exchange.
Chapter 3C: Authorization Code Becomes Real Access (Steps 29-32)
The Token Vault now exchanges the temporary authorization code for real, usable access tokens. This happens server-to-server, away from the browser.
Step 29: Vault exchanges code for tokens
The Token Vault makes a server-to-server call to Identity Cognito:
“Here’s the authorization code. Please give me access tokens. Here’s my client secret to prove I’m authorized.”
This exchange uses the authorization_code grant type and includes:
- The authorization code (from step 27)
- Client ID (identifies your application)
- Client secret (proves your application is legitimate)
- Redirect URI (must match the original request)
Step 30: Identity Cognito returns three tokens
The Identity Provider responds with a token bundle:
-
access_token: This is the golden ticket! Your agent uses this to make API calls to the external service. It’s typically valid for 1 hour.
-
id_token: A JWT containing claims about the user’s identity (who they are, when they logged in, etc.). Useful for displaying user information.
-
refresh_token: A long-lived token used to obtain new access tokens when they expire. The agent can use this automatically to refresh access without asking you to re-authorize.
Step 31: Vault caches the tokens
The Token Vault stores all three tokens in its cache, indexed by:
- Session ID (e.g.,
demo_session_ABC123)
- Provider name (e.g.,
ExternalServiceProvider)
This cache means future requests in the same session won’t need re-authorization!
Step 32: Browser redirected to callback URL
Your browser is redirected to the callback_url specified in the decorator (e.g., https://example.com/oauth/callback).
In this demo, it’s a dummy URL that does nothing. In production, this would be your application’s URL that handles post-authorization logic (like showing a success message or closing the auth window).
Chapter 4: Subsequent Calls Are Lightning Fast! (Steps 33-43)
This is where you see the real benefit of OAuth token caching. The second time you invoke the agent in the same session, everything is already set up.
Step 33: You invoke the agent again
You run the same command: agentcore invoke '{"prompt": "Check my account"}' --bearer-token <JWT>
Crucially, you’re using the same session ID as before.
Step 34: JWT validation (same as before)
The Runtime still validates your JWT token - you still need to prove you’re authorized to invoke the agent.
Step 35: Validation is cached/fast
The Runtime may have cached the JWT validation results, making this step very quick.
Step 36: Agent code executes
Your agent code runs, and again encounters the function with @requires_access_token.
Step 37: Agent asks Token Vault for the token
The decorator asks: “Do I have an access token for this provider and session?”
Step 38: Vault checks cache - SUCCESS!
✅ The Token Vault finds the cached token from Phase 3C:
“Found it! Session demo_session_ABC123 → Provider ExternalServiceProvider → access_token: eyJraWQi...”
Step 39: Vault returns the cached access token
The Token Vault immediately returns the access token. No authorization URL, no user interaction needed!
Step 40: Function executes with the token
The decorator automatically injects the token into your function’s access_token parameter. Your function code runs with the token available:
async def get_identity_token(*, access_token: str) -> str:
# access_token is already here! No OAuth flow needed!
return access_token
Step 41: Agent completes successfully
Your agent logic executes, possibly making API calls to the external service using the access token. It returns a success response.
Step 42: Runtime forwards the response
The Bedrock AgentCore Runtime sends the response back to the CLI.
Step 43: You see the result
You see: “✅ Authenticated to external service. Token length: 847 characters. Status: Active and cached for this session”
The entire flow from step 33 to 43 takes just milliseconds because everything is cached!
Why This Two-Step Process?
Now that we’ve walked through all four chapters of the OAuth flow, you can see how the architecture elegantly handles both authentication challenges. The first time through requires user interaction and multiple network calls, taking several seconds to complete. But subsequent invocations in the same session are blazingly fast because everything is cached - the JWT validation is quick, and the OAuth token is retrieved from memory rather than requiring another authorization flow. This pattern strikes a perfect balance between security (explicit user authorization) and user experience (fast, seamless subsequent operations). The question naturally arises: why go through this two-step process at all? Why not use a single token for everything? The answer lies in the fundamental separation of concerns between who can invoke your agent versus what your agent can access on your behalf.
-
Security Isolation: Compromising your inbound JWT doesn’t expose your external service credentials, and vice versa.
-
Different Lifetimes: Your JWT and OAuth tokens can expire independently and be refreshed separately.
-
Principle of Least Privilege: The agent only gets access to external services when you explicitly grant it.
-
Auditability: Clear separation between “who invoked the agent” (JWT) and “what external services were accessed” (OAuth).
-
Flexibility: You can revoke external service access without revoking agent access, or the other way around.
Why Cache Tokens?
Another design decision that might seem obvious in retrospect but is critical to understand is the token caching mechanism. Without caching, every single agent invocation would require a complete OAuth authorization flow - you’d need to click an authorization link, log in, and grant permission every time you ask your agent a simple question. This would make the system practically unusable. Token caching solves this by storing the OAuth access tokens (and refresh tokens) in memory, indexed by session ID and provider name. When your agent needs to access an external service, it first checks the cache: if a valid token exists, it’s used immediately; if not, the OAuth flow kicks in. This approach transforms the user experience from “authorize every request” to “authorize once per session,” while maintaining security through session isolation and token expiration. Let’s examine why this caching strategy is so important:
The caching in Phase 4 is crucial for user experience:
-
Performance: Token exchange is slow (involves multiple network calls and redirects). Caching makes subsequent calls 10-100x faster.
-
User Experience: Imagine having to click an authorization link every single time you ask your agent a question! Caching means you authorize once per session.
-
Rate Limiting: Many OAuth providers have rate limits on token exchanges. Caching reduces the number of authorization flows.
-
Security: Tokens are cached per session ID, ensuring isolation between different users and contexts.
Session Isolation: Why It Matters
A subtle but powerful aspect of the token caching architecture is session-based isolation. You might wonder: why not cache tokens globally per user, so that once you authorize, all future agent invocations by that user across any session can use the same token? While this would be more convenient, it would also create significant security risks. By tying tokens to specific session IDs rather than user identities, the system ensures that each invocation context is isolated from others. This means that if a session is compromised, only that session’s tokens are at risk - not all of the user’s access across all sessions. It also enables fine-grained control: you can revoke access for a specific session without affecting other active sessions, and audit logs can precisely track which session performed which action. Session isolation is the foundation that makes the entire caching mechanism both performant and secure.
Session-Based Token Caching
Token caching is tied to session IDs, not user IDs. This provides important security and isolation benefits:
graph TB
subgraph "Session A: demo_session_ABC123"
A1[First Invocation] -->|No token| A2[User authorizes]
A2 --> A3[Token cached for Session A]
A3 --> A4[Second Invocation]
A4 -->|Token found| A5[✅ Use cached token]
A5 --> A6[Subsequent calls fast]
end
subgraph "Session B: demo_session_XYZ789"
B1[First Invocation] -->|Different session
No token| B2[User must authorize again]
B2 --> B3[Token cached for Session B]
B3 --> B4[Isolated from Session A]
end
subgraph "Token Vault Cache"
Cache[Session → Token Map]
Cache -.->|Lookup| A3
Cache -.->|Lookup| B3
end
style A3 fill:#51cf66
style A5 fill:#51cf66
style B4 fill:#fab005
Notice that tokens are tied to your session ID (e.g., demo_session_ABC123). This is a critical security feature:
-
Different session = Different tokens: If you start a new session (new session ID), you’ll need to re-authorize. The previous session’s tokens aren’t accessible.
-
Multi-user safety: In a shared environment, User A’s tokens never leak to User B because they have different session IDs.
-
Granular control: You can invalidate a single session’s access without affecting other sessions.
-
Audit trail: Every action is tied to a specific session, making it easy to trace who did what.
Conclusion
AWS Bedrock AgentCore’s dual authentication pattern represents a thoughtful approach to one of the most challenging problems in AI agent development: how to enable agents to securely access external services on behalf of users while maintaining strong security boundaries, excellent user experience, and clear auditability. By separating inbound authentication (who can invoke your agent) from outbound authentication (what external services your agent can access), the architecture achieves the right balance between security and usability.
]]>
