Skip to content

/AWS1/CL_BDOCUSTOMJWTAUTHRCONF

Configuration for inbound JWT-based authorization, specifying how incoming requests should be authenticated.

CONSTRUCTOR

IMPORTING

Required arguments:

iv_discoveryurl TYPE /AWS1/BDODISCOVERYURL /AWS1/BDODISCOVERYURL

This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

Optional arguments:

it_allowedaudience TYPE /AWS1/CL_BDOALWEDAUDIENCELST_W=>TT_ALLOWEDAUDIENCELIST TT_ALLOWEDAUDIENCELIST

Represents individual audience values that are validated in the incoming JWT token validation process.

it_allowedclients TYPE /AWS1/CL_BDOALLOWEDCLISLIST_W=>TT_ALLOWEDCLIENTSLIST TT_ALLOWEDCLIENTSLIST

Represents individual client IDs that are validated in the incoming JWT token validation process.

it_allowedscopes TYPE /AWS1/CL_BDOALWDSCOPESTYPE_W=>TT_ALLOWEDSCOPESTYPE TT_ALLOWEDSCOPESTYPE

An array of scopes that are allowed to access the token.

it_advertisedscopemapping TYPE /AWS1/CL_BDOADVTDSCOPMAPTYPE_W=>TT_ADVERTISEDSCOPEMAPPINGTYPE TT_ADVERTISEDSCOPEMAPPINGTYPE

A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

it_customclaims TYPE /AWS1/CL_BDOCUSTCLAIMVLDTNTYPE=>TT_CUSTOMCLAIMVALIDATIONSTYPE TT_CUSTOMCLAIMVALIDATIONSTYPE

An array of objects that define a custom claim validation name, value, and operation

io_privateendpoint TYPE REF TO /AWS1/CL_BDOPRIVATEENDPOINT /AWS1/CL_BDOPRIVATEENDPOINT

The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

it_privateendpointoverrides TYPE /AWS1/CL_BDOPRIVATEENDPTOVRD=>TT_PRIVATEENDPOINTOVERRIDES TT_PRIVATEENDPOINTOVERRIDES

The private endpoint overrides for the custom JWT authorizer configuration.

io_allowedworkloadconf TYPE REF TO /AWS1/CL_BDOALLOWEDWKLDCONF /AWS1/CL_BDOALLOWEDWKLDCONF

The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.


Queryable Attributes

discoveryUrl

This URL is used to fetch OpenID Connect configuration or authorization server metadata for validating incoming tokens.

Accessible with the following methods

Method Description
GET_DISCOVERYURL() Getter for DISCOVERYURL, with configurable default
ASK_DISCOVERYURL() Getter for DISCOVERYURL w/ exceptions if field has no value
HAS_DISCOVERYURL() Determine if DISCOVERYURL has a value

allowedAudience

Represents individual audience values that are validated in the incoming JWT token validation process.

Accessible with the following methods

Method Description
GET_ALLOWEDAUDIENCE() Getter for ALLOWEDAUDIENCE, with configurable default
ASK_ALLOWEDAUDIENCE() Getter for ALLOWEDAUDIENCE w/ exceptions if field has no val
HAS_ALLOWEDAUDIENCE() Determine if ALLOWEDAUDIENCE has a value

allowedClients

Represents individual client IDs that are validated in the incoming JWT token validation process.

Accessible with the following methods

Method Description
GET_ALLOWEDCLIENTS() Getter for ALLOWEDCLIENTS, with configurable default
ASK_ALLOWEDCLIENTS() Getter for ALLOWEDCLIENTS w/ exceptions if field has no valu
HAS_ALLOWEDCLIENTS() Determine if ALLOWEDCLIENTS has a value

allowedScopes

An array of scopes that are allowed to access the token.

Accessible with the following methods

Method Description
GET_ALLOWEDSCOPES() Getter for ALLOWEDSCOPES, with configurable default
ASK_ALLOWEDSCOPES() Getter for ALLOWEDSCOPES w/ exceptions if field has no value
HAS_ALLOWEDSCOPES() Determine if ALLOWEDSCOPES has a value

advertisedScopeMapping

A map that associates each scope in allowedScopes with a corresponding advertised scope value. The advertised scope appears in OAuth protected resource metadata and WWW-Authenticate response headers. Use this parameter when the scope that clients request from your identity provider differs from the scope in the validated token. Each key is a scope from allowedScopes that the service uses for token validation. Each value is the corresponding scope that the service advertises to clients. Scopes without a mapping entry appear unchanged to clients.

Accessible with the following methods

Method Description
GET_ADVERTISEDSCOPEMAPPING() Getter for ADVERTISEDSCOPEMAPPING, with configurable default
ASK_ADVERTISEDSCOPEMAPPING() Getter for ADVERTISEDSCOPEMAPPING w/ exceptions if field has
HAS_ADVERTISEDSCOPEMAPPING() Determine if ADVERTISEDSCOPEMAPPING has a value

customClaims

An array of objects that define a custom claim validation name, value, and operation

Accessible with the following methods

Method Description
GET_CUSTOMCLAIMS() Getter for CUSTOMCLAIMS, with configurable default
ASK_CUSTOMCLAIMS() Getter for CUSTOMCLAIMS w/ exceptions if field has no value
HAS_CUSTOMCLAIMS() Determine if CUSTOMCLAIMS has a value

privateEndpoint

The private endpoint configuration for a gateway target. Defines how the gateway connects to private resources in your VPC.

Accessible with the following methods

Method Description
GET_PRIVATEENDPOINT() Getter for PRIVATEENDPOINT

privateEndpointOverrides

The private endpoint overrides for the custom JWT authorizer configuration.

Accessible with the following methods

Method Description
GET_PRIVATEENDPOINTOVERRIDES() Getter for PRIVATEENDPOINTOVERRIDES, with configurable defau
ASK_PRIVATEENDPOINTOVERRIDES() Getter for PRIVATEENDPOINTOVERRIDES w/ exceptions if field h
HAS_PRIVATEENDPOINTOVERRIDES() Determine if PRIVATEENDPOINTOVERRIDES has a value

allowedWorkloadConfiguration

The configuration that restricts which workloads in the request's identity chain are allowed to invoke the target, identified by their hosting environments and workload identities. At launch, this is supported only for AgentCore Runtime targets, and the allowed workloads are AgentCore Gateways.

Accessible with the following methods

Method Description
GET_ALLOWEDWORKLOADCONF() Getter for ALLOWEDWORKLOADCONFIGURATION