#24 AgentCore Identity integration support #48
MatejNedic wants to merge 6 commits into spring-ai-community:main from
 * @param context which holds headers.
 * @return conversationId based on userId and sessionId from header
 */
default String resolveConversationId(AgentCoreContext context) {
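Review bot: the Javadoc says the conversation id is derived from the userId and sessionId headers but not what happens when either header is absent; because this is a `default` method that every `AgentCorePrincipalProvider` implementation inherits, the contract should state whether a missing header results in an exception, a null id, or a generated fallback, and the default body should handle that case explicitly rather than concatenating null values.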
I am not sure tbh if we should have a default method. I took this from the example Yuriy Bezsonov provided.
@Bean
@ConditionalOnMissingBean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
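Review bot: a `@ConditionalOnMissingBean` `SecurityFilterChain` provided by the starter silently replaces Spring Boot's default security autoconfiguration, and any `SecurityFilterChain` the user defines switches this one off entirely; the Javadoc here should spell out exactly what the default chain enforces (which paths are open, which require a bearer JWT) so users know what they give up when they override it.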
I would move this to user-provided configuration while documenting the recommended config, though.
I have introduced it in the PR so we can comment on how the solution would look.
@Bean
@ConditionalOnMissingBean
public AgentCorePrincipalProvider agentCorePrincipalProvider() {
    return new JwtAgentCorePrincipalProvider();
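Review bot: `agentCorePrincipalProvider()` instantiates `JwtAgentCorePrincipalProvider` unconditionally while `spring-boot-starter-oauth2-resource-server` is declared `<optional>true</optional>` in the pom change below; this bean needs a `@ConditionalOnClass` guard on the resource-server types (or a property switch), otherwise an application that does not pull in that dependency will fail at context startup as soon as the provider touches JWT classes.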
As I understand it, for JwtAgentCorePrincipalProvider to work, users must configure a SecurityFilterChain with oauth2ResourceServer().jwt() in their own code. This creates a split responsibility where part of the security setup is hidden in the starter while the rest must be implemented by the user.
This partial abstraction can be confusing: users may not realize the starter's JWT support won't work without their own configuration.
Proposal: extract all Spring Security-related functionality into a separate spring-ai-agentcore-security-starter that:
- Depends on the base spring-ai-agentcore-runtime-starter
- Provides complete, working security configuration (including SecurityFilterChain)
- Makes the security dependency explicit and opt-in
This would:
- Keep the core starter lightweight (no Spring Security dependencies)
- Provide a complete, working solution for users who need JWT authentication
- Make the security requirements explicit rather than implicit
- Follow Spring Boot's pattern of separate security starters
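An added sketch, not code from this PR or from the project, of how the autoconfiguration in the proposed separate security starter could look: it activates only when the OAuth2 resource-server classes are on the classpath, ships a complete SecurityFilterChain, and wires the JWT principal provider only when a JwtDecoder exists. The package name, the `/ping` health path and the bean names are assumptions; `AgentCorePrincipalProvider` and `JwtAgentCorePrincipalProvider` are the types referenced in the diff above.

```java
// Added illustration for the proposed spring-ai-agentcore-security-starter.
// Not code from this PR; the package name and the /ping path are assumptions.
package org.springaicommunity.agentcore.security.autoconfigure;

import org.springframework.boot.autoconfigure.AutoConfiguration;
import org.springframework.boot.autoconfigure.condition.ConditionalOnBean;
import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
// AgentCorePrincipalProvider and JwtAgentCorePrincipalProvider come from the
// runtime starter; their package is not shown in the diff, so the import is omitted here.

// The whole class is skipped when Spring Security / the resource-server
// support is absent, so the base runtime starter never references these types.
@AutoConfiguration
@ConditionalOnClass({ HttpSecurity.class, JwtDecoder.class })
public class AgentCoreSecurityAutoConfiguration {

    // A complete chain: every request except the health check must carry a
    // bearer JWT, validated by the JwtDecoder Spring Boot builds from
    // spring.security.oauth2.resourceserver.jwt.issuer-uri (or jwk-set-uri).
    @Bean
    @ConditionalOnMissingBean(SecurityFilterChain.class)
    public SecurityFilterChain agentCoreSecurityFilterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/ping").permitAll()      // assumed health endpoint
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(Customizer.withDefaults()))
            .csrf(csrf -> csrf.disable());               // stateless bearer-token API, no browser session
        return http.build();
    }

    // Resolve the caller from the validated JWT. Only created when a decoder
    // exists, i.e. when the user actually configured the issuer, so a missing
    // resource-server setup fails visibly at configuration time instead of at runtime.
    @Bean
    @ConditionalOnBean(JwtDecoder.class)
    @ConditionalOnMissingBean(AgentCorePrincipalProvider.class)
    public AgentCorePrincipalProvider jwtAgentCorePrincipalProvider() {
        return new JwtAgentCorePrincipalProvider();
    }
}
```

With this split the runtime starter keeps only the header-based provider, and a user who wants JWT authentication adds the security starter plus the `issuer-uri` property; nothing works half-way, which is the point of the proposal above.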
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
<optional>true</optional>
</dependency>
I am not very happy with this dependency in the runtime starter; as suggested, perhaps moving all Spring Security related code to a separate security starter would be cleaner.
 * @param workloadName the workloadName
 * @return the opaque workload access token
 */
public String getWorkloadAccessToken(String jwt, String workloadName) {
It is nice to have an opportunity to get the workload token, but calling the AgentCore client from the agent code is quite a rare use case from my perspective. I think it is also a candidate for a separate security starter / utility.
 *
 * @author Matej Nedic
 */
public class HeaderAgentCorePrincipalProvider implements AgentCorePrincipalProvider {
I would keep this one (the header based) in the basic runtime starter and move the Spring Security related one into a special starter.
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

@SpringBootTest(classes = { IdentityAgentServiceIT.TestApp.class, IdentityAgentServiceIT.TestConfig.class })
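Review bot: since this integration test is meant to show the user-side setup, it should cover both directions with the `status` matcher imported here: a request with a valid bearer token reaching the agent, and a request without one (or with an invalid one) being rejected with 401, so that a regression that silently opens the endpoint is caught.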
Would be nice to add two examples:
- with AgentCore Identity inbound authorizer
- without AgentCore Identity inbound authorizer
into the examples subfolder
I have introduced an integration test to showcase how it would look on the user side.
Implements #24