Skip to content

Enforce per-tool approval flags + 3LO oauth_required for Gateway (protocol=mcp) tools #454

Description

@philmerrell

Summary

Follow-up to #419 (admin-managed AgentCore Gateway target registration). #419 shipped deliberately with zero new agent-side runtime code, so for protocol=mcp (Gateway) tools the catalog stores per-tool approval flags and requires_oauth_provider, but nothing enforces them at runtime. This issue tracks the agent-side wiring to actually enforce both.

Today both mechanisms are wired only for mcp_external tools.

⛔ Dependency

Backend for #419 is merged to develop (#450, #452, #453). This builds on the MCPGatewayConfig model + the protocol=mcp catalog rows it produces.

The enabling prerequisite (do this first)

Gateway tools currently bypass the catalog entirely at runtime — they surface straight from the Gateway discovery path as gateway_<target>___<tool> and RBAC is AppRole-based by that full id (apis/app_api/admin/services/tool_access.py). For either feature below to work, the agent loop must correlate a runtime gateway tool with its protocol=mcp catalog row (by target/tool name). That correlation unlocks both features at once.

Scope

1. Per-tool approval flags for gateway tools

  • Extend GatewayIntegration (agents/main_agent/tools/gateway_integration.py) to expose approval_names_for_client() mirroring ExternalMCPIntegration.approval_names_for_client(), populated from the catalog row's mcp_gateway_config.approval_required_names() at client-creation time.
  • Add a gateway path to the approval-hook lookup closure in base_agent.py (today MCPExternalApprovalHook resolves only mcp_external clients).
  • Gotcha: the catalog's tools[].name must match the raw MCP tool name, not the prefixed gateway_* id.

2. oauth_required (3LO) consent for gateway tools

  • Extend GatewayIntegration to track provider_id per client (from the row's requires_oauth_provider), and add gateway to the provider_lookup closure in base_agent.py. The existing OAuthConsentHook + oauth_required SSE machinery (session/hooks/oauth_consent.py) then works unchanged — it just needs the lookup to cover gateway clients.
  • Verify against a live target: that outbound 3LO via the Gateway needs the user's vaulted token present before the Gateway's on-behalf-of exchange (i.e. consent must complete first). Confirm customParameters used at consent match those on the registered target (token-vault-key gotcha).

Out of scope

🤖 Generated with Claude Code

Metadata

Metadata

Assignees

No one assigned

    Labels

    featureNew feature request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions