Skip to content

Comments

feat: add OAuth credential support to add identity and outbound auth CLI flags#416

Merged
aidandaly24 merged 4 commits intoaws:feat/gateway-integrationfrom
aidandaly24:feat/batch-4-add-identity-oauth
Feb 24, 2026
Merged

feat: add OAuth credential support to add identity and outbound auth CLI flags#416
aidandaly24 merged 4 commits intoaws:feat/gateway-integrationfrom
aidandaly24:feat/batch-4-add-identity-oauth

Conversation

@aidandaly24
Copy link
Contributor

@aidandaly24 aidandaly24 commented Feb 24, 2026
edited
Loading

Description

Users need to configure outbound authentication when connecting gateway targets to external MCP servers that require credentials. Previously, the only way to create credentials was API keys through add identity, and there was no way to specify outbound auth when creating gateway targets via CLI flags.

This PR adds two things:

OAuth credential support in add identity. createCredential now handles both API keys and OAuth credentials. For OAuth, it writes the OAuthCredentialProvider config to agentcore.json and stores CLIENT_ID/CLIENT_SECRET in .env.local. Users can now run:

agentcore add identity --name my-oauth --type oauth \
 --discovery-url https://auth.example.com/.well-known/openid-configuration \
 --client-id abc123 --client-secret xyz789

Outbound auth CLI flags on add gateway-target. Users can reference an existing credential or create one inline:

# Reference existing credential
agentcore add gateway-target --outbound-auth oauth --credential-name my-oauth ...

# Create credential inline (auto-generates credential named {target}-oauth)
agentcore add gateway-target --outbound-auth oauth \
 --oauth-client-id abc --oauth-client-secret xyz \
 --oauth-discovery-url https://auth.example.com ...

Validation rejects conflicting configurations (e.g. --outbound-auth api-key with inline OAuth fields) and ensures all required fields are present for each auth type.

This is the operations + CLI layer only. The interactive TUI wizard for outbound auth selection is a follow-up PR.

Related Issue

Part of the MCP Gateway Phase 1 integration (gateway-integration branch). Task 12a.

Type of Change

  • New feature

Testing

How have you tested the change?

  • I ran npm run test:unit and npm run test:integ
  • I ran npm run typecheck
  • I ran npm run lint
  • If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

15 new tests covering:

  • OAuth credential creation (writes correct config + env vars, handles duplicates, includes scopes)
  • Identity validation (OAuth requires discovery-url, client-id, client-secret)
  • Gateway target outbound auth validation (inline OAuth, incomplete fields, API_KEY conflicts, missing credential-name)

Checklist

  • I have read the CONTRIBUTING document
  • I have added any necessary tests that prove my fix is effective or my feature works
  • I have updated the documentation accordingly
  • I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
  • My changes generate no new warnings
  • Any dependent changes have been merged and published

@github-actions github-actions bot added the size/xl PR size: XL label Feb 24, 2026
@aidandaly24
feat: add OAuth credential support to add identity and outbound auth …
d486ba0 
…CLI flags

Extend createCredential to support OAuth credentials alongside API keys:
- CreateCredentialConfig is now a discriminated union (ApiKey vs OAuth)
- OAuth writes CLIENT_ID and CLIENT_SECRET to .env.local
- OAuth writes OAuthCredentialProvider config to agentcore.json

Add CLI flags for non-interactive workflows:
- add identity: --type oauth, --discovery-url, --client-id, --client-secret, --scopes
- add gateway-target: --outbound-auth, --credential-name, --oauth-client-id,
  --oauth-client-secret, --oauth-discovery-url, --oauth-scopes
- Inline OAuth credential creation when --oauth-* fields provided without --credential-name

Adds 15 new tests covering OAuth credential creation, validation, and edge cases.
@aidandaly24 aidandaly24 force-pushed the feat/batch-4-add-identity-oauth branch from 87cb33b to d486ba0 Compare February 24, 2026 17:03
@github-actions github-actions bot added size/m PR size: M and removed size/xl PR size: XL labels Feb 24, 2026
tejaskash
tejaskash requested changes Feb 24, 2026
View reviewed changes
@github-actions github-actions bot added size/m PR size: M and removed size/m PR size: M labels Feb 24, 2026
@github-actions github-actions bot added size/m PR size: M and removed size/m PR size: M labels Feb 24, 2026
@aidandaly24 aidandaly24 merged commit 3382eda into aws:feat/gateway-integration Feb 24, 2026
14 of 16 checks passed
aidandaly24 added a commit to aidandaly24/agentcore-cli that referenced this pull request Feb 24, 2026
@aidandaly24
fix: use nullish coalescing operator in validate.ts
6c91b7c 
Fix ESLint prefer-nullish-coalescing errors from merged aws#416.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tejaskash tejaskash tejaskash requested changes

Assignees

No one assigned

Labels

size/m PR size: M

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aidandaly24 @tejaskash