
Class CustomJwtConfiguration

Custom JWT authorizer configuration.

Inheritance
object
CustomJwtConfiguration
Implements
ICustomJwtConfiguration
Inherited Members
object.GetType()
object.MemberwiseClone()
object.ToString()
object.Equals(object)
object.Equals(object, object)
object.ReferenceEquals(object, object)
object.GetHashCode()
Namespace: Amazon.CDK.AWS.BedrockAgentCore
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class CustomJwtConfiguration : ICustomJwtConfiguration
Syntax (vb)
Public Class CustomJwtConfiguration Implements ICustomJwtConfiguration
Remarks

ExampleMetadata: fixture=default infused

Examples
// Execution role the gateway runs as; its trusted principal is the
// bedrock-agentcore.amazonaws.com service.
var executionRole = new Role(this, "GatewayExecutionRole", new RoleProps
{
    AssumedBy = new ServicePrincipal("bedrock-agentcore.amazonaws.com"),
    ManagedPolicies = new[]
    {
        ManagedPolicy.FromAwsManagedPolicyName("AmazonBedrockAgentCoreGatewayExecutionRolePolicy")
    }
});

// MCP protocol settings the gateway exposes to callers.
var mcpProtocol = new McpProtocolConfiguration(new McpConfiguration
{
    Instructions = "Use this gateway to connect to external MCP tools",
    SearchType = McpGatewaySearchType.SEMANTIC,
    SupportedVersions = new[] { MCPProtocolVersion.MCP_2025_03_26 }
});

// Inbound JWT authorization. DiscoveryUrl is required and must end in
// /.well-known/openid-configuration. Each Allowed* list that is left unset
// switches that check off (documented defaults: no audience, client ID or
// scope validation), so all three are set explicitly here.
var jwtSettings = new CustomJwtConfiguration
{
    DiscoveryUrl = "https://auth.example.com/.well-known/openid-configuration",
    AllowedAudience = new[] { "my-app" },
    AllowedClients = new[] { "my-client-id" },
    AllowedScopes = new[] { "read", "write" }
};
var jwtAuthorizer = GatewayAuthorizer.UsingCustomJwt(jwtSettings);

// Create the gateway, wiring in the protocol, authorizer and custom role.
var gateway = new Gateway(this, "MyGateway", new GatewayProps
{
    GatewayName = "my-gateway",
    Description = "Gateway with custom execution role",
    ProtocolConfiguration = mcpProtocol,
    AuthorizerConfiguration = jwtAuthorizer,
    Role = executionRole
});

Synopsis

Constructors

CustomJwtConfiguration()

Custom JWT authorizer configuration.

Properties

AllowedAudience

Represents individual audience values that are validated in the incoming JWT token validation process.

AllowedClients

Represents individual client IDs that are validated in the incoming JWT token validation process.

AllowedScopes

Represents individual scopes that are validated in the incoming JWT token validation process.

CustomClaims

Custom claims for additional JWT token validation.

DiscoveryUrl

This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

Constructors

CustomJwtConfiguration()

Custom JWT authorizer configuration.

public CustomJwtConfiguration()
Remarks

ExampleMetadata: fixture=default infused

Examples
// Execution role the gateway runs as; its trusted principal is the
// bedrock-agentcore.amazonaws.com service.
var executionRole = new Role(this, "GatewayExecutionRole", new RoleProps
{
    AssumedBy = new ServicePrincipal("bedrock-agentcore.amazonaws.com"),
    ManagedPolicies = new[]
    {
        ManagedPolicy.FromAwsManagedPolicyName("AmazonBedrockAgentCoreGatewayExecutionRolePolicy")
    }
});

// MCP protocol settings the gateway exposes to callers.
var mcpProtocol = new McpProtocolConfiguration(new McpConfiguration
{
    Instructions = "Use this gateway to connect to external MCP tools",
    SearchType = McpGatewaySearchType.SEMANTIC,
    SupportedVersions = new[] { MCPProtocolVersion.MCP_2025_03_26 }
});

// Inbound JWT authorization. DiscoveryUrl is required and must end in
// /.well-known/openid-configuration. Each Allowed* list that is left unset
// switches that check off (documented defaults: no audience, client ID or
// scope validation), so all three are set explicitly here.
var jwtSettings = new CustomJwtConfiguration
{
    DiscoveryUrl = "https://auth.example.com/.well-known/openid-configuration",
    AllowedAudience = new[] { "my-app" },
    AllowedClients = new[] { "my-client-id" },
    AllowedScopes = new[] { "read", "write" }
};
var jwtAuthorizer = GatewayAuthorizer.UsingCustomJwt(jwtSettings);

// Create the gateway, wiring in the protocol, authorizer and custom role.
var gateway = new Gateway(this, "MyGateway", new GatewayProps
{
    GatewayName = "my-gateway",
    Description = "Gateway with custom execution role",
    ProtocolConfiguration = mcpProtocol,
    AuthorizerConfiguration = jwtAuthorizer,
    Role = executionRole
});

Properties

AllowedAudience

Represents individual audience values that are validated in the incoming JWT token validation process.

public string[]? AllowedAudience { get; set; }
Property Value

string[]

Remarks

Default: no audience validation (when this property is omitted, the audience of incoming tokens is not checked).

AllowedClients

Represents individual client IDs that are validated in the incoming JWT token validation process.

public string[]? AllowedClients { get; set; }
Property Value

string[]

Remarks

Default: no client ID validation (when this property is omitted, the client ID of incoming tokens is not checked).

AllowedScopes

Represents individual scopes that are validated in the incoming JWT token validation process.

public string[]? AllowedScopes { get; set; }
Property Value

string[]

Remarks

Default: no scope validation (when this property is omitted, the scopes of incoming tokens are not checked).

CustomClaims

Custom claims for additional JWT token validation.

public GatewayCustomClaim[]? CustomClaims { get; set; }
Property Value

GatewayCustomClaim[]

Remarks

Allows you to validate additional fields in JWT tokens beyond the standard audience, client, and scope validations.

Default: no custom claim validation (when this property is omitted, no additional claims are checked).

DiscoveryUrl

This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

public string DiscoveryUrl { get; set; }
Property Value

string

Remarks

Pattern: `.+/.well-known/openid-configuration` (as shown, this constrains only the URL's suffix, not its scheme or host).

Required: Yes

Implements

ICustomJwtConfiguration