# Provider setup and configuration
Amazon Bedrock AgentCore Identity provides managed OAuth 2.0 supported providers for both inbound and outbound authentication. Each provider encapsulates the specific authentication protocols, endpoint configurations, and credential formats required for a particular service or identity system. The service provides built-in providers for popular services including Google, GitHub, Slack, and Salesforce with authorization server endpoints and provider-specific parameters pre-configured to reduce development effort. The providers abstract away the complexity of different OAuth 2.0 implementations, API authentication schemes, and token formats, presenting a unified interface to agents while handling the underlying protocol variations and edge cases.
Built-in providers are maintained by the AgentCore Identity team and automatically updated to handle changes in external service APIs, security requirements, and best practices.
Supported providers include:
**Topics**
+ [
# Amazon Cognito
](identity-idp-cognito.md)
+ [
# Auth0 by Okta
](identity-idp-auth0.md)
+ [
# Atlassian
](identity-idp-atlassian.md)
+ [
# CyberArk
](identity-idp-cyberark.md)
+ [
# Dropbox
](identity-idp-dropbox.md)
+ [
# Facebook
](identity-idp-facebook.md)
+ [
# FusionAuth
](identity-idp-fusionauth.md)
+ [
# GitHub
](identity-idp-github.md)
+ [
# Google
](identity-idp-google.md)
+ [
# HubSpot
](identity-idp-hubspot.md)
+ [
# LinkedIn
](identity-idp-linkedin.md)
+ [
# Microsoft
](identity-idp-microsoft.md)
+ [
# Notion
](identity-idp-notion.md)
+ [
# Okta
](identity-idp-okta.md)
+ [
# OneLogin
](identity-idp-onelogin.md)
+ [
# Ping Identity
](identity-idp-pingidentity.md)
+ [
# Reddit
](identity-idp-reddit.md)
+ [
# Salesforce
](identity-idp-salesforce.md)
+ [
# Slack
](identity-idp-slack.md)
+ [
# Spotify
](identity-idp-spotify.md)
+ [
# Twitch
](identity-idp-twitch.md)
+ [
# X
](identity-idp-x.md)
+ [
# Yandex
](identity-idp-yandex.md)
+ [
# Zoom
](identity-idp-zoom.md)
# Amazon Cognito
Amazon Cognito can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Cognito as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Cognito.
## Inbound
To add Cognito as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must:
+ Configure discovery URL from your IDP directory. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys.
+ Enter valid `clientId` or `aud` claims for the token. This helps validate the tokens coming from your IDP and allow access for tokens that contain expected claims.
Use the following procedure to create a Cognito user pool as an inbound identity provider for user authentication with AgentCore Runtime. The following steps will create a Cognito user pool, a user pool client, add a user, and generate a bearer token for the user. The token is valid for 60 minutes by default.
**To create a Cognito user pool as an inbound identity provider for Runtime authentication**
1. Create a file named `setup_cognito.sh` with the following content:
**Note**
The following script is only meant as an example. You should customize the user pool settings and user credentials as needed for your application. Do not use this script directly in production environments.
```
#!/bin/bash
# Create User Pool and capture Pool ID directly
export POOL_ID=$(aws cognito-idp create-user-pool \
--pool-name "MyUserPool" \
--policies '{"PasswordPolicy":{"MinimumLength":8}}' \
--region us-east-1 | jq -r '.UserPool.Id')
# Create App Client and capture Client ID directly
export CLIENT_ID=$(aws cognito-idp create-user-pool-client \
--user-pool-id $POOL_ID \
--client-name "MyClient" \
--no-generate-secret \
--explicit-auth-flows "ALLOW_USER_PASSWORD_AUTH" "ALLOW_REFRESH_TOKEN_AUTH" \
--region us-east-1 | jq -r '.UserPoolClient.ClientId')
# Create User
aws cognito-idp admin-create-user \
--user-pool-id $POOL_ID \
--username "testuser" \
--temporary-password "${temp-password}" \
--region us-east-1 \
--message-action SUPPRESS > /dev/null
# Set Permanent Password
aws cognito-idp admin-set-user-password \
--user-pool-id $POOL_ID \
--username "testuser" \
--password "${permanent-user-password}" \
--region us-east-1 \
--permanent > /dev/null
# Authenticate User and capture Access Token
export BEARER_TOKEN=$(aws cognito-idp initiate-auth \
--client-id "$CLIENT_ID" \
--auth-flow USER_PASSWORD_AUTH \
--auth-parameters USERNAME='testuser',PASSWORD='${permanent-user-password}' \
--region us-east-1 | jq -r '.AuthenticationResult.AccessToken')
# Output the required values
echo "Pool id: $POOL_ID"
echo "Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/$POOL_ID/.well-known/openid-configuration"
echo "Client ID: $CLIENT_ID"
echo "Bearer Token: $BEARER_TOKEN"
```
1. Run the script to create the Cognito resources:
```
source setup_cognito.sh
```
1. Record the output values, which will look similar to:
```
Pool id: us-east-1_poolid
Discovery URL: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_userpoolid/.well-known/openid-configuration
Client ID: clientid
Bearer Token: bearertoken
```
You’ll need these values in the next steps.
Use the following procedure to create a Cognito user pool as an inbound identity provider for machine-to-machine authentication with AgentCore Gateway. The following steps will create a user pool, resource server, client credentials, and discovery URL configuration. This setup enables M2M authentication flows for Gateway access.
**To create a Cognito user pool as an inbound identity provider for Gateway authentication**
1. Create a user pool:
```
aws cognito-idp create-user-pool \
--region us-west-2 \
--pool-name "gateway-user-pool"
```
1. Record the user pool ID from the response or retrieve it using:
```
aws cognito-idp list-user-pools \
--region us-west-2 \
--max-results 60
```
1. Create a resource server for the user pool:
```
aws cognito-idp create-resource-server \
--region us-west-2 \
--user-pool-id \
--identifier "gateway-resource-server" \
--name "GatewayResourceServer" \
--scopes '[{"ScopeName":"read","ScopeDescription":"Read access"}, {"ScopeName":"write","ScopeDescription":"Write access"}]'
```
1. Create a client for the user pool:
```
aws cognito-idp create-user-pool-client \
--region us-west-2 \
--user-pool-id \
--client-name "gateway-client" \
--generate-secret \
--allowed-o-auth-flows client_credentials \
--allowed-o-auth-scopes "gateway-resource-server/read" "gateway-resource-server/write" \
--allowed-o-auth-flows-user-pool-client \
--supported-identity-providers "COGNITO"
```
Record the client ID and client secret from the response. You’ll need these values to configure the Cognito provider in AgentCore Identity.
1. If needed, create a domain for your user pool:
```
aws cognito-idp create-user-pool-domain \
--domain \
--user-pool-id \
--region us-west-2
```
**Note**
Remove any underscore from the `UserPoolId` when creating the domain. For example, if your user pool ID is "us-west-2\$1gmSGKKGr9", use "us-west-2gmSGKKGr9" as the domain.
1. Construct the discovery URL for your Cognito user pool:
```
https://cognito-idp.us-west-2.amazonaws.com//.well-known/openid-configuration
```
1. Configure the Gateway Inbound Auth with the following values:
1. **Discovery URL** : The URL constructed in the previous step
1. **Allowed clients** : The client ID obtained when creating the user pool client
## Outbound
To configure Cognito user pools as an outbound resource provider, use the following configuration:
```
{
"name": "Cognito",
"credentialProviderVendor": "CognitoOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://{your-cognito-domain}.auth.us-east-1.amazoncognito.com/oauth2/authorize",
"tokenEndpoint": "https://{your-cognito-domain}.auth.us-east-1.amazoncognito.com/oauth2/token",
"issuer": "https://cognito-idp.us-east-1.amazonaws.com/{your-user-pool-id}"
}
}
}
```
# Auth0 by Okta
Auth0 can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Auth0 as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Auth0.
## Inbound
To add Auth0 as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must:
+ Configure discovery URL from your IDP directory. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys.
+ Enter valid `aud` claims for the token. This helps validate the tokens coming from your IDP and allows access for tokens that contain expected claims.
Use the following procedure to set up Auth0 and obtain the necessary configuration values for Gateway authentication.
**To configure Auth0 for inbound authentication**
1. Create an API in Auth0:
1. Sign in to your Auth0 dashboard.
1. Open **APIs** and choose **Create API**.
1. Enter a name and identifier for your API (e.g., "gateway-api").
1. Select the signing algorithm (RS256 recommended).
1. Choose **Create**.
1. Configure API scopes:
1. In the API settings, go to the **Scopes** tab.
1. Add scopes such as "invoke:gateway" and "read:gateway".
1. Create an application:
1. Open **Applications** and choose **Create Application**.
1. Select **Machine to Machine Application**.
1. Select the API you created in step 1.
1. Authorize the application for the scopes you created.
1. Choose **Create**.
1. Record the client ID and client secret from the application settings. You’ll need these values to configure the Auth0 provider in AgentCore Identity.
1. Construct the discovery URL for your Auth0 tenant:
```
https://your-domain/.well-known/openid-configuration
```
Where *your-domain* is your Auth0 tenant domain (e.g., "dev-example.us.auth0.com").
1. Configure Inbound Auth with the following values:
1. **Discovery URL** : The URL constructed in the previous step
1. **Allowed audiences** : The API identifier you created in step 1
## Outbound
To configure Auth0 as an outbound resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "Auth0Oauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://your-auth0-tenant.auth0.com/authorize",
"tokenEndpoint": "https://your-auth0-tenant.auth0.com/oauth/token",
"issuer": "https://your-auth0-tenant.auth0.com"
}
}
}
```
# Atlassian
Atlassian can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Atlassian’s OAuth2 service and obtain access tokens for Atlassian API resources.
## Outbound
**Step 1**
Use the following procedure to set up an Atlassian OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure an Atlassian OAuth2 application**
1. Open Atlassian’s developer console and register for a developer account.
1. Create a new application.
1. Select authorization and next to **OAuth 2.0 (3LO)** select **Configure**.
1. Enter the following as a callback URL for the app:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Choose **Save changes**.
1. Select **Permissions** and choose the permissions relevant to your application.
For more details, refer to [Atlassian’s OAuth 2.0 (3LO) apps documentation](https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/).
**Step 2**
To configure Atlassian as an outbound resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "AtlassianOAuth2",
"oauth2ProviderConfigInput": {
"atlassianOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# CyberArk
CyberArk can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through CyberArk’s OAuth2 service and obtain access tokens for CyberArk API resources.
## Outbound
**Step 1**
Use the following procedure to set up a CyberArk OpenID Connect application and obtain the necessary client credentials for AgentCore Identity.
**To configure a CyberArk OAuth2 application**
1. Open the developer console for CyberArk.
1. Open **Identity Administration** and then choose **Web Apps**.
1. Open the **Custom** tab.
1. Create a custom **OpenID Connect** application.
1. Open the **Trust** page, and use the following in the **Authorized Redirect URIs** :
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Record the client ID and client secret generated as you’ll need this information to configure the CyberArk resource provider in AgentCore Identity.
1. Configure any scopes necessary for your application.
1. Deploy the application by setting the appropriate permissions by opening the **Permissions** page and adding the relevant permissions.
For more details, refer to [CyberArk’s OpenID Connect documentation](https://docs.cyberark.com/identity/latest/en/content/applications/appscustom/openidaddconfigapp.htm).
**Step 2**
To configure CyberArk as an outbound resource provider, use the following:
```
{
"name": "CyberArk",
"credentialProviderVendor": "CyberArkOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://your-tenant-id.id.cyberark.cloud/OAuth2/Authorize/__idaptive_cybr_user_oidc",
"tokenEndpoint": "https://your-tenant-id.id.cyberark.cloud/OAuth2/Token/__idaptive_cybr_user_oidc",
"issuer": "https://your-tenant-id.id.cyberark.cloud/__idaptive_cybr_user_oidc"
}
}
}
```
# Dropbox
Dropbox can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Dropbox’s OAuth2 service and obtain access tokens for Dropbox API resources.
**Note**
Dropbox does not support the M2M/Client Credentials flow.
## Outbound
**Step 1**
Use the following procedure to set up a Dropbox OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Dropbox OAuth2 application**
1. Open the developer **App Console** for Dropbox.
1. Choose **Create app**.
1. Choose **Scoped access**.
1. For the access type, choose the access type appropriate for your application.
1. Provide a name for your application.
1. Choose **Create app**.
1. On the app overview page, open the OAuth2 section and add the following as a redirect URI:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. In the same section choose the dropdown below **Allow public clients (Implicit Grant & PKCE)** and choose **Disallow** in the options.
1. Record the app key and app secret as you’ll need the information to configure the Dropbox resource provider in AgentCore Identity.
1. In the **Permissions** tab for the application, select the scopes that are needed for your application.
For more details, refer to [Dropbox’s OAuth implementation guide](https://developers.dropbox.com/oauth-guide#implementing-oauth).
**Step 2**
To configure Dropbox as an outbound resource provider, use the following:
```
{
"name": "DropBox",
"credentialProviderVendor": "DropboxOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Facebook
Facebook can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Facebook’s OAuth2 service and obtain access tokens for Facebook API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Facebook OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Facebook OAuth2 application**
1. Create a [developer account with Facebook](https://developers.facebook.com/docs/facebook-login).
1. [Sign in](https://developers.facebook.com/) with your Facebook credentials.
1. From the **My Apps** menu, choose **Create New App**.
**Note**
If you don’t have an existing Facebook app, you will see a different option. Choose **Create App**.
1. On the **Create an app** page, choose a use case for your app, and then choose **Next**.
1. Enter a name for your Facebook app and choose **Create App**.
1. On the left navigation bar, choose **App Settings** , and then choose **Basic**.
1. Record the **App ID** and the **App Secret** . You will use them for configuring the Facebook provider in AgentCore Identity.
1. Choose **\$1 Add platform** from the bottom of the page.
1. On the **Select Platform** screen, select your platforms, and then choose **Next**.
1. Choose **Save changes**.
1. For **App Domains** , enter the domain of your application and `bedrock-agentcore.region.amazonaws.com`.
1. Choose **Save changes**.
1. From the navigation bar, choose **Products** , and then choose **Configure** from **Facebook Login**.
1. From the **Facebook Login** **Configure** menu, choose **Settings**.
1. Enter the following redirect URL into **Valid OAuth Redirect URIs** :
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Choose **Save changes**.
**Step 2**
To configure Facebook as an outbound resource provider, use the following:
```
{
"name": "Facebook",
"credentialProviderVendor": "FacebookOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# FusionAuth
FusionAuth can be configured as an outbound resource credential provider for AgentCore Identity. This allows your agents to authenticate users through FusionAuth’s OAuth2 service and obtain access tokens for FusionAuth API resources.
## Outbound
**Step 1**
Use the following procedure to set up a FusionAuth OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a FusionAuth OAuth2 application**
1. Open the developer console for FusionAuth.
1. In the main navigation bar, choose **Applications**.
1. Choose **Add** to create a new application.
1. Enter a name for your application.
1. In the form mark the following as required: **Client Authentication** , **PKCE**.
1. For authorized redirect URLs, add the following:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Add the necessary scopes for your application.
1. Record the client ID and client secret. You’ll need this information to configure the FusionAuth resource provider in AgentCore Identity.
For more details, refer to [FusionAuth’s OAuth documentation](https://fusionauth.io/docs/lifecycle/authenticate-users/oauth/).
**Step 2**
To configure FusionAuth as an outbound resource provider, use the following:
```
{
"name": "FusionAuth",
"credentialProviderVendor": "FusionAuthOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://your-tenant-authorization-url",
"tokenEndpoint": "https://your-tenant-token-endpoint",
"issuer": "https://your-tenant-token-issuer"
}
}
}
```
# GitHub
GitHub can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through GitHub’s OAuth2 service and obtain access tokens for GitHub API resources.
## Outbound
**Step 1**
Use the following procedure to set up a GitHub OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a GitHub OAuth2 application**
1. Choose the profile picture of your github account and choose **Settings**.
1. Choose **Developer settings**.
1. Choose **OAuth Apps**.
1. On the OAuth2 apps page choose **New OAuth App**.
1. Enter the necessary details specific to your application. For authorization callback URL enter the following:
+ `https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback`
1. Choose **Register application** to create your Github OAuth app.
1. On Github’s OAuth Apps page, go to your newly created provider.
1. Under the client secrets section, choose **Generate a new client secret**.
1. Make a note of the newly created client secret. You’ll need this to configure your Github application with AgentCore Identity.
**Note**
Github only returns the full secret when it is created. If you lose track of it you’ll need to recreate the client secret to configure the provider in AgentCore Identity.
For more details, refer to Github’s documentation [Creating an OAuth app](https://docs.github.com/en/apps/oauth-apps/building-oauth-apps/creating-an-oauth-app).
**Step 2**
To configure the outbound GitHub resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "GithubOauth2",
"oauth2ProviderConfigInput": {
"GithubOauth2ProviderConfigInput": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
}
},
}
```
# Google
Google can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Google’s OAuth2 service and obtain access tokens for Google API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Google OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Google OAuth2 application**
1. Create a [developer account with Google](https://developers.google.com/identity).
1. Sign in to the [Google Cloud Platform console](https://console.cloud.google.com/home/dashboard).
1. From the top navigation bar, choose **Select a project** . If you already have a project in the Google platform, this menu displays your default project instead.
1. Choose **NEW PROJECT**.
1. Enter a name for your product and then choose **CREATE**.
1. On the left navigation bar, choose **APIs and Services** , and then choose **OAuth consent screen**.
1. Enter the app information, an **App domain** , **Authorized domains** , and **Developer contact information** . Your **Authorized domains** must include `bedrock-agentcore.region.amazonaws.com` . Choose **SAVE AND CONTINUE**.
1. Under **Scopes** , choose **Add or remove scopes** , and then choose the scopes necessary for your application.
1. Expand the left navigation bar again, choose **APIs and Services** , and then choose **Credentials**.
1. Choose **CREATE CREDENTIALS** , and then choose **OAuth client ID**.
1. Choose an **Application type** and give your client a **Name**.
1. Under **Authorized redirect URIs** , choose **ADD URI** . Enter the following:
+ `https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback`
1. Choose **CREATE**.
1. Securely store the values that Google displays under **Your client ID** and **Your client secret** . Provide these values to AgentCore Identity when you add a Google credential provider.
**Step 2**
To configure the outbound Google resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "GoogleOauth2",
"oauth2ProviderConfigInput": {
"GoogleOauth2ProviderConfigInput": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
}
},
}
```
# HubSpot
HubSpot can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through HubSpot’s OAuth2 service and obtain access tokens for HubSpot API resources.
**Note**
HubSpot does not support the M2M/Client Credentials flow.
## Outbound
**Step 1**
Use the following procedure to set up a HubSpot OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a HubSpot OAuth2 application**
1. Open the developer console for HubSpot.
1. In the main navigation bar, choose **Apps**.
1. Choose **Create App**.
1. Enter a name for your application.
1. Choose the **Auth** tab and enter the following as a Redirect URL:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Configure any scopes that are required for your application.
1. Once your app has been created, go back to the **Auth** tab for your application.
1. Record the client ID and client secret, you’ll need these when creating the HubSpot resource provider in AgentCore Identity.
For more details, refer to [HubSpot’s OAuth quickstart guide](https://developers.hubspot.com/docs/apps/legacy-apps/authentication/oauth-quickstart-guide).
**Step 2**
To configure HubSpot as an outbound resource provider, use the following:
```
{
"name": "Hubspot",
"credentialProviderVendor": "HubspotOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
**Note**
When calling GetResourceOAuth2Token, the scopes must include `oauth`.
# LinkedIn
LinkedIn can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through LinkedIn’s OAuth2 service and obtain access tokens for LinkedIn API resources.
## Outbound
**Step 1**
Use the following procedure to set up a LinkedIn OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a LinkedIn OAuth2 application**
1. Open LinkedIn’s developer portal and create an application.
1. In the Auth tab, note the client ID and client secret as you’ll need this information to configure LinkedIn as a provider in AgentCore Identity.
1. Under the OAuth2 settings section, add the following as an authorized redirect URL for the application:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Configure any scopes that are necessary for your application.
For more information about LinkedIn authentication, see [Authentication overview](https://learn.microsoft.com/en-us/linkedin/shared/authentication/authentication) on the Microsoft website.
**Step 2**
To configure LinkedIn as an outbound resource provider, use the following configuration:
```
{
"name": "NAME",
"credentialProviderVendor": "LinkedInOAuth2",
"oauth2ProviderConfigInput": {
"linkedInOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Microsoft
Microsoft Entra ID can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Microsoft Entra ID as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Microsoft Entra ID.
## Inbound
To add Microsoft Entra ID as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must:
+ Configure discovery URL for your Microsoft Entra ID Tenant. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys.
+ Enter valid `aud` claims for the token. This helps validate the tokens coming from your IDP and allows access for tokens that contain the expected claims.
You can configure these as part of configuration of Gateway and Runtime inbound configuration.
Before configuring Microsoft Entra ID as your identity provider, we recommend completing the basic setup steps outlined in [Integrate with Google Drive using OAuth2](identity-getting-started-google.md) . This ensures your development environment and SDK are properly configured before adding identity provider integration.
We support Microsoft Entra ID for v1.0 and v2.0 Access and ID tokens that do not have any custom claims. You can determine which token versions your entra application is issuing by parsing the JWT and looking at the `ver` claim.
For all token types, in your custom authorizer:
+ **Discovery URL** : Discovery URL should be one of the following:
+ For v1.0 tokens use: `https://login.microsoftonline.com/tenantId/.well-known/openid-configuration`
+ For v2.0 tokens use: `https://login.microsoftonline.com/tenantId/v2.0/.well-known/openid-configuration`
+ **Allowed audiences** : `aud` should be the Application Id.
### Configurations specific for v1.0 Access Tokens
When fetching the token from Microsoft Entra:
+ Include in authorization URL a scope like `entra-application-id/.default` alongside any other scopes your application might require. This allows Microsoft to know that you intend to use the access token against resources other than Microsoft’s Graph API and will result in a token that can be validated by AgentCore Identity.
### Configurations Specific for v2.0 AccessTokens
On Microsoft Entra:
+ While configuring the application, go to the Application Manifest and add `accessTokenAcceptedVersion=2`.
+ On the application, expose an API. The application ID URI and scopes can be whatever is necessary for your application; but, the scope must be included in the authorization URL when retrieving the access token.
### Configurations Specific for v1.0 and v2.0 Id Tokens
On Microsoft Entra:
+ While configuring the application, Enable ID Token Issuance in Application Registration.
+ Include mandatory `openid` scope while calling the authorize and token endpoint for Microsoft Entra Id during Ingress Flows.
## Outbound
To configure the outbound Microsoft resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "MicrosoftOAuth2",
"oauth2ProviderConfigInput": {
"microsoftOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"tenantId": "your-microsoft-entra-tenant"
}
}
}
```
# Notion
Notion can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Notion’s OAuth2 service and obtain access tokens for Notion API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Notion OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Notion OAuth2 application**
1. Open [https://www.notion.so/my-integrations](https://www.notion.so/my-integrations).
1. Choose **\$1 New integration**.
1. Choose **Public integration**.
1. Provide a name for your integration.
1. Choose **Submit**.
1. On the integration details page, open the **OAuth Domain & URIs** section and add the following as a redirect URI:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Record the OAuth client ID and OAuth client secret as you’ll need this information to configure the Notion resource provider in AgentCore Identity.
For more details, refer to [Notion’s authorization documentation](https://developers.notion.com/docs/authorization).
**Step 2**
To configure Notion as an outbound resource provider, use the following:
```
{
"name": "Notion",
"credentialProviderVendor": "NotionOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Okta
Okta can be configured as an identity provider for accessing AgentCore Gateway and Runtime, or an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate and authorize agent users with Okta as the identity provider and authorization server, or your agents to obtain credentials to access resources authorized by Okta.
## Inbound
To add Okta as an identity provider and authorization server for accessing AgentCore Gateway and Runtime, you must:
+ Configure a discovery URL from your Okta tenant. This helps AgentCore Identity get the metadata related to your OAuth authorization server and token verification keys.
+ Enter valid `aud` claims for the token. This helps validate the tokens coming from your IdP and allows access for tokens that contain expected claims.
**To configure Okta for inbound authentication**
1. Open the Okta developer console.
1. In the left navigation bar, choose **Applications**.
1. Choose **Create App Integration**.
1. Choose **OIDC - OpenID Connect** as the sign-in method for your application.
1. Choose **Web Application** as your application type.
1. Provide a name for your application.
1. Select **Authorization Code** and/or **Client Credentials** depending on your needs.
1. For **Sign-in redirect URIs** add your application endpoint that will receive the Okta token.
1. Adjust the **Assignments** section as necessary depending on your needs.
1. Choose **Save**.
1. Create an Okta API to represent your application:
+ In the left navigation bar, choose **Security**.
+ Go to **API** and choose **Add Authorization Server**.
+ Follow the flow to create an authorization server dedicated to your Okta tenant.
+ Once the authorization server has been created, choose the **Access Policies** tab on the overview page to configure an appropriate access policy.
+ Define the necessary custom scopes for the authorization server that is needed for your application.
1. Construct the discovery URL for your Okta tenant:
```
https://your-tenant.okta.com/oauth2/your-authorization-server
```
1. Configure Inbound Auth with the following values:
+ **Discovery URL:** The URL constructed in the previous step
+ **Allowed Audiences:** The audience value you provided when creating the API in step 11
For more details, refer to [Okta’s documentation](https://developer.okta.com/docs/concepts/oauth-openid/).
### Add a client\$1id claim into access token claims
Okta by default does not include `client_id` as a standard claim in their tokens. To populate the claim in the token, you need to customize the claims through the authorization server that you use to issue tokens.
**To add client\$1id claim to access tokens**
1. In the left navigation bar, choose **Security** . Go to **API** and choose the authorization server that you intend to use for your application.
1. In the details page for the authorization server, choose the **Claims** tab and choose **Add Claim**.
1. Name the new claim **client\$1id** and set the value to **app.clientId**.
1. Set **Include in token type** to **Access Token**.
1. Choose **Save**.
For more details, refer to [Okta’s documentation](https://developer.okta.com/docs/guides/customize-tokens-returned-from-okta/main/).
## Outbound
Follow the same steps for configuring Okta as an inbound provider; however, when configuring the **Sign-in redirect URIs** add the callback URL that is assigned to your provider when creating the provider in AgentCore Identity.
To configure Okta as an outbound resource provider in AgentCore Identity, use the following:
```
{
"name": "Okta",
"credentialProviderVendor": "OktaOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://your-tenant.okta.com/oauth2/your-authorization-server/v1/authorize",
"tokenEndpoint": "https://your-tenant.okta.com/oauth2/your-authorization-server/v1/token",
"issuer": "https://your-tenant.okta.com/oauth2/your-authorization-server"
}
}
}
```
# OneLogin
OneLogin can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through OneLogin’s OAuth2 service and obtain access tokens for OneLogin API resources.
## Outbound
**Step 1**
Use the following procedure to set up a OneLogin OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a OneLogin OAuth2 application**
1. Open the OneLogin Administration panel.
1. Add a new app.
1. Search for OIDC and select the OpenId Connect app.
1. Choose a name for your application and choose **Save**.
1. On the page for the app, go to the **Configuration** tab and add the following as a redirect URI:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Open the **SSO** tab and note the client ID and client secret as you’ll need these to configure the OneLogin app in AgentCore Identity.
1. Change the Token endpoint authentication method to **POST**.
1. Choose **Save**.
**Step 2**
To configure OneLogin as an outbound resource provider use the following:
```
{
"name": "OneLogin",
"credentialProviderVendor": "OneLoginOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://your-tenant.onelogin.com/oidc/2/auth",
"tokenEndpoint": "https://your-tenant.onelogin.com/oidc/2/token",
"issuer": "https://your-tenant.onelogin.com/oidc/2"
}
}
}
```
# Ping Identity
Ping Identity’s PingOne platform can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through PingOne’s OAuth2 service and obtain access tokens for PingOne API resources.
## Outbound
**Note**
You can only configure a PingOne OAuth2 application as either a user federation or M2M OAuth2 client but not both.
**Step 1**
Use the following procedure to set up a PingOne OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a PingOne OAuth2 application**
1. Sign onto the PingOne admin console.
1. In the left navigation bar, under **Applications** , choose **Application**.
1. On the page, choose the **\$1** icon next to **Applications** to create a new application.
1. To configure your application as a M2M OAuth2 client:
+ Select **Client Credentials** for Grant Type.
+ Select **Client Secret Post** for Token Endpoint Authentication Method.
+ Create a custom resource under Applications→Resources in the tabs on the left side of the page, including a scope. Then, add that scope to the application under its personal **Resources** tab. Then, make sure that scope is present in the 'scopes' field of GetResourceOauth2AccessToken.
1. To configure your application as a user federation Oauth2 client:
+ Select **Code** for Response Type.
+ Select **Authorization Code** for Grant Type.
+ Select **Client Secret Basic** for Token Endpoint Authentication Method.
For more details, refer to [Ping Identity’s PingOne API documentation](https://apidocs.pingidentity.com/pingone/getting-started/v1/api).
**Step 2**
To configure PingOne as an outbound resource provider use the following:
```
{
"name": "PingOne",
"credentialProviderVendor": "PingOneOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
"authorizationEndpoint": "https://auth.pingone.com/your-env-id/as/authorize",
"tokenEndpoint": "https://auth.pingone.com/your-env-id/as/token",
"issuer": "https://auth.pingone.com/your-env-id/as"
}
}
}
```
# Reddit
Reddit can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Reddit’s OAuth2 service and obtain access tokens for Reddit API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Reddit OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Reddit OAuth2 application**
1. Open Reddit’s developer console: [https://www.reddit.com/prefs/apps](https://www.reddit.com/prefs/apps).
1. Choose on **create an app**.
1. Select **web app** as the application type.
1. Configure the following as the redirect URI for the application:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. The client ID for the application is below the high-level summary of the application and the client secret is labelled **secret** . Note these values as you’ll need it to configure the Reddit provider in AgentCore Identity.
For more details, refer to [Reddit’s OAuth2 documentation](https://github.com/reddit-archive/reddit/wiki/oauth2).
**Step 2**
To configure Reddit as an outbound resource provider, use the following:
```
{
"name": "Reddit",
"credentialProviderVendor": "RedditOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Salesforce
Salesforce can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Salesforce’s OAuth2 service and obtain access tokens for Salesforce API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Salesforce OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Salesforce OAuth2 application**
1. In the developer portal for Salesforce, create a connected app and enter the name and other requested information specific to your application.
1. Enable and configure the OAuth settings for the application, providing the following as the callback URL:
+ `https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback`
1. Choose the necessary scopes and permissions your application will need.
1. Choose **Require Proof Key for Code Exchange (PKCE) Extension for Supported Authorization Flows**.
1. Choose **Require Secret for the Web Server Flow**.
1. Choose **Enable Authorization Code and Credentials Flow**.
1. If you wish to use Salesforce as a ClientCredentials/M2M provider then choose **Enable Client Credentials Flow** and follow the prompts.
1. Save your application and copy the client ID and client secret that is issued for the application. You will need these to configure Salesforce in AgentCore Identity.
For more details, refer to Salesforce’s documentation [Define an OpenID Connect Provider](https://help.salesforce.com/s/articleView?id=xcloud.service_provider_define_oid.htm).
**Step 2**
To configure the outbound Salesforce resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "SalesforceOauth2",
"oauth2ProviderConfigInput": {
"SalesforceOauth2ProviderConfigInput": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret",
}
},
}
```
# Slack
Slack can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Slack’s OAuth2 service and obtain access tokens for Slack API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Slack OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Slack OAuth2 application**
1. Create a Slack application, enter an app name, and choose the development workspace where the app will be built.
1. Choose the **OAuth & Permissions** section and set the following as the redirect URL for the application:
+ `https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback`
1. Copy the client ID and client secret that Slack issues for your application. You will need them for configuring the provider in AgentCore Identity.
For more details, refer to Slack’s documentation [Sign in with Slack](https://docs.slack.dev/authentication/sign-in-with-slack/).
**Step 2**
To configure the outbound Slack resource provider, use the following:
```
{
"name": "NAME",
"credentialProviderVendor": "SlackOauth2",
"oauth2ProviderConfigInput": {
"slackOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Spotify
Spotify can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Spotify’s OAuth2 service and obtain access tokens for Spotify API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Spotify OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Spotify OAuth2 application**
1. Open the developer dashboard for Spotify.
1. Choose **Create an App**.
1. Provide a name and description for your application.
1. Use the following as the **Redirect URI** for your application:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Select **Web API** for the API/SDKs that you intend to use for Spotify.
1. Choose **Save**.
1. On the application overview page, choose **Settings**.
1. On the **Basic Information** tab, record the client ID and client secret. You’ll need these values for configuring the Spotify resource provider in AgentCore Identity.
**Step 2**
To configure Spotify as an outbound resource provider, use the following:
```
{
"name": "Spotify",
"credentialProviderVendor": "SpotifyOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Twitch
Twitch can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Twitch’s OAuth2 service and obtain access tokens for Twitch API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Twitch OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Twitch OAuth2 application**
1. Sign in to the Twitch developer console.
1. Choose the **Applications** tab and then choose **Register your Application**.
1. Set a name for your application.
1. For the **OAuth Redirect URLs** field, use the following:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Select the application category that is appropriate for the application you’re developing (most likely this will be **Chat bot** ).
1. Set **Client Type** as **Confidential**.
1. Choose **Create**.
1. On the application details page, record the client ID and client secret as you’ll need this information for configuring the Twitch resource provider in AgentCore Identity.
For more details, refer to [Twitch’s app registration documentation](https://dev.twitch.tv/docs/authentication/register-app/).
**Step 2**
To configure Twitch as an outbound resource provider, use the following:
```
{
"name": "Twitch",
"credentialProviderVendor": "TwitchOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# X
X can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through X’s OAuth2 service and obtain access tokens for X API resources.
## Outbound
**Step 1**
Use the following procedure to set up a X OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure an X OAuth2 application**
1. Open the X developer portal.
1. In the left navigation bar, choose **Project & Apps**.
1. Choose on the X project you’ve created for the application.
1. Under the **Apps** header choose **Add an App**.
1. Choose **Create new**.
1. Provide a name and description for your application.
1. In the left navigation bar, choose the application that was just generated.
1. On the app details page for your new app, choose **Edit** in the User Authentication settings.
1. Select the **App permissions** necessary for your application.
1. For **Type of App** select **Web App, Automated App or Bot**.
1. Under **App Info** enter the following as the callback URL:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. For **Website URL** enter the URL for your application.
1. Choose **Save**.
1. Under the **Keys and token** tab for your application, go to the **OAuth 2.0 Client ID and Client Secret**.
1. Choose **Generate** and note the client ID and secret that get generated as you’ll need this information to configure the X resource provider in AgentCore Identity.
**Note**
X only displays the full client secret when it is generated, if you lose this information you’ll need to re-generate the client secret in the X developer portal.
For more details, refer to [X’s OAuth 2.0 documentation](https://docs.x.com/fundamentals/authentication/oauth-2-0/overview).
**Step 2**
To configure X as an outbound resource provider, use the following:
```
{
"name": "X",
"credentialProviderVendor": "XOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Yandex
Yandex can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Yandex’s OAuth2 service and obtain access tokens for Yandex API resources.
## Outbound
**Step 1**
Use the following procedure to set up a Yandex OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Yandex OAuth2 application**
1. Open the developer console for Yandex at [https://oauth.yandex.com/](https://oauth.yandex.com/).
1. Choose **Create app**.
1. Provide a name for your application.
1. For platforms, select **Web services**.
1. Choose **Save and Continue**.
1. Select the permissions necessary for your application and then choose **Save and Continue**.
1. Configure the following as the redirect URI for the application:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. Choose **Save and Continue**.
1. Once the client has been created, note the client ID and client secret assigned to your application as you’ll need them for configuring the Yandex provider in AgentCore Identity.
For more details, refer to [Yandex’s OAuth documentation](https://yandex.com/dev/id/doc/en/).
**Step 2**
To configure Yandex as an outbound resource provider, use the following:
```
{
"name": "Yandex",
"credentialProviderVendor": "YandexOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```
# Zoom
Zoom can be configured as an AgentCore Identity credential provider for outbound resource access. This allows your agents to authenticate users through Zoom’s OAuth2 service and obtain access tokens for Zoom API resources.
## Outbound
**Note**
You can only configure a Zoom OAuth2 application as either a user federation or M2M OAuth2 client but not both.
**Step 1**
Use the following procedure to set up a Zoom OAuth2 application and obtain the necessary client credentials for AgentCore Identity.
**To configure a Zoom OAuth2 application**
1. Sign in to the Zoom App Marketplace.
1. Choose **Develop** > **Build App**.
1. For a user federation app, select **General app** and choose **Create**.
+ On the app details page, add a name for your application and select how your application will be managed.
+ In the **OAuth Information** section, for both the OAuth Redirect URL and OAuth Allow Lists sections, use the following as the redirect URL for the application:
```
https://bedrock-agentcore.region.amazonaws.com/identities/oauth2/callback
```
1. For a M2M app, select **Server to Server OAuth App** and choose **Create**.
+ Add a name for your application.
+ On the app details page, choose **Scopes** and add the necessary scopes for your application.
+ Open **Information** and provide a company name, and developer contact information.
1. Record the client ID and client secret that have been generated for your application. You’ll need these values to configure the Zoom credential provider in AgentCore Identity.
For more details, refer to [Zoom’s integration documentation](https://developers.zoom.us/docs/integrations/create/).
**Step 2**
To configure Zoom as an outbound resource provider, use the following:
```
{
"name": "Zoom",
"credentialProviderVendor": "ZoomOauth2",
"oauth2ProviderConfigInput" : {
"includedOauth2ProviderConfig": {
"clientId": "your-client-id",
"clientSecret": "your-client-secret"
}
}
}
```