Authorization Code Grant pattern secures AI agents on Amazon ECS with Amazon Bedrock AgentCore Identity

A new technical walkthrough demonstrates how to secure AI agents running on Amazon ECS by applying the OAuth 2.0 Authorization Code Grant pattern with Amazon Bedrock AgentCore Identity, enabling agents to act on users' behalf while preserving an auditable chain from user authentication through agent actions. The pattern matters because it ties each agent action to explicit user consent and identity, reducing risk and improving accountability for agent — driven access to external services.

The implementation is built on OAuth 2.0 (RFC 6749) for authorization and OpenID Connect (OIDC) for user authentication. In the Authorization Code Grant flow shown, a user authenticates with an identity provider and consents to the agent’s requested access; the application then exchanges the returned authorization code for a scoped access token, producing an audit trail linked to user identity and consent that can be inspected later.

A central security feature is session binding and per‑session scoped tokens. Session binding defends against CSRF and browser‑swapping attacks by explicitly linking a user session to the OAuth flow, while tokens are scoped to each user session following least‑privilege principles. AgentCore Identity stores the resulting tokens in a token vault, maintaining separation between long‑lived credentials and ephemeral, session‑bound tokens used by agents.

The walkthrough’s reference architecture deploys two Amazon ECS services behind an Application Load Balancer (ALB): an Agentic Workload that runs the AI agent and handles user requests, and a Session Binding Service that processes OAuth callbacks and completes the linkage between authenticated users and third‑party access tokens. The ALB performs inbound OIDC authentication, injects x-amzn-oidc headers into requests, and terminates TLS using certificates managed through AWS Certificate Manager, with DNS routing handled by an alias A record in Amazon Route 53.

The post clarifies two URLs that are often confused: the Callback URL is automatically generated when creating an OAuth client in AgentCore Identity and is registered with the Authorization Server as the redirect target, whereas the Session Binding URL is a customer‑managed endpoint that completes the session binding between the authenticated user and the OAuth flow. The walkthrough uses Microsoft Entra ID as a sample identity provider but notes that any OIDC‑compliant provider can be used.

For builders, the pattern yields concrete benefits — auditable, consented agent actions; per‑session scoped tokens that reduce blast radius; and a clear separation of responsibilities between the workload runtime and session binding logic. The blog includes a GitHub repository with complete source code and prerequisites so teams can reproduce the Authorization Code Grant pattern on ECS and adapt it to their own identity providers and operational needs.