AI Practices AI实践 5h ago Updated 5h ago 更新于 5小时前 46

Implement on-behalf-of token exchange for multi-tenant agents with Amazon Bedrock AgentCore Gateway 使用Amazon Bedrock AgentCore Gateway实现多租户代理的“代表用户”令牌交换

Amazon Bedrock AgentCore Identity natively supports OAuth 2.0 Token Exchange (RFC 8693) to solve identity propagation issues in multi-tenant generative AI agents. The On-Behalf-Of (OBO) pattern preserves the original user's identity via the `sub` claim while binding the token to specific downstream audiences via the `aud` claim, enforcing cryptographic least privilege. AgentCore Gateway automatically intercepts tool calls and performs token exchanges against tenant-specific authorization servers 解决多租户AI代理在调用下游API时的身份传递难题,避免审计断裂或混淆副手问题。 利用OAuth 2.0 Token Exchange (RFC 8693)标准,通过Amazon Bedrock AgentCore Identity原生支持On-Behalf-Of (OBO)令牌交换。 实现身份端到端传播与密码学最小权限原则,确保下游令牌仅绑定特定租户和服务,防止跨租户越权。 无需代理代码实现交换逻辑,由AgentCore Gateway透明拦截并执行令牌转换,降低开发复杂度。 提供基于Okta的参考实现TravelBot,展示JWT声明变换及防御纵深机制在多租户场景下的应用。

65
Hot 热度
70
Quality 质量
60
Impact 影响力

Analysis 深度分析

TL;DR

  • Amazon Bedrock AgentCore Identity natively supports OAuth 2.0 Token Exchange (RFC 8693) to solve identity propagation issues in multi-tenant generative AI agents.
  • The On-Behalf-Of (OBO) pattern preserves the original user's identity via the sub claim while binding the token to specific downstream audiences via the aud claim, enforcing cryptographic least privilege.
  • AgentCore Gateway automatically intercepts tool calls and performs token exchanges against tenant-specific authorization servers, removing the need for custom exchange logic within the agent code.
  • This approach mitigates the "confused deputy" problem by ensuring downstream APIs can independently validate tokens without blindly trusting the agent's service identity.

Why It Matters

This development addresses a critical security bottleneck in deploying enterprise-grade AI agents, specifically regarding secure identity management across multi-tenant environments. By standardizing on RFC 8693, AWS enables developers to build scalable agent architectures that maintain strict audit trails and granular access controls without complex custom authentication layers. This reduces the risk of privilege escalation and unauthorized data access, which are primary concerns for organizations adopting agentic workflows.

Technical Details

  • Native RFC 8693 Support: Amazon Bedrock AgentCore Identity implements the OAuth 2.0 Token Exchange specification as a credential-provider grant type, allowing seamless integration with standard authorization servers like Okta.
  • Claim Transformation: During the exchange, the inbound user token's sub (subject) claim is preserved to identify the original caller, while the aud (audience) claim is rewritten to match the specific downstream API. An act (actor) claim records the agent performing the action, separating authorization decisions from audit logging.
  • Gateway Interception: Bedrock AgentCore Gateway acts as an interceptor that identifies the target tenant and orchestrates the token exchange with the corresponding authorization server before the tool call is executed, keeping the agent code clean.
  • Reference Implementation: The guide utilizes "TravelBot," a multi-tenant booking assistant serving tenants like Acme and Globex, demonstrating how distinct tokens are issued for each tenant's booking API to prevent cross-tenant token reuse.

Industry Insight

  • Adopt Standardized Token Exchange: Organizations building multi-agent systems should prioritize RFC 8693 compliance to ensure interoperability with existing identity providers and reduce custom security overhead.
  • Shift Security Left in Agent Design: Developers must design agent architectures with identity propagation in mind from the start, leveraging gateway-level interception rather than embedding authentication logic within individual agent models.
  • Auditability as a Feature: The separation of sub (user) and act (agent) claims provides a robust framework for compliance and forensic analysis, making it easier to demonstrate regulatory adherence in AI-driven business processes.

TL;DR

  • 解决多租户AI代理在调用下游API时的身份传递难题,避免审计断裂或混淆副手问题。
  • 利用OAuth 2.0 Token Exchange (RFC 8693)标准,通过Amazon Bedrock AgentCore Identity原生支持On-Behalf-Of (OBO)令牌交换。
  • 实现身份端到端传播与密码学最小权限原则,确保下游令牌仅绑定特定租户和服务,防止跨租户越权。
  • 无需代理代码实现交换逻辑,由AgentCore Gateway透明拦截并执行令牌转换,降低开发复杂度。
  • 提供基于Okta的参考实现TravelBot,展示JWT声明变换及防御纵深机制在多租户场景下的应用。

为什么值得看

本文深入剖析了多租户生成式AI系统中至关重要的身份安全架构,为开发者提供了从理论到落地的完整解决方案。它明确了在复杂代理交互中如何平衡用户体验与安全合规,是构建生产级AI Agent身份治理的重要参考。

技术解析

  • 核心机制:采用OAuth 2.0 Token Exchange (RFC 8693)规范,将用户原始令牌转换为针对特定下游服务的新令牌。新令牌的sub保留原始调用者身份,aud绑定目标服务,act记录执行动作的主体。
  • 架构组件:Amazon Bedrock AgentCore Gateway负责拦截工具调用并识别目标租户,AgentCore Identity作为凭证提供者执行实际的令牌交换,两者协同工作以移除代理侧的逻辑负担。
  • 安全优势:相比服务账户模拟(混淆副手风险)或直接转发用户令牌(受众不匹配),OBO模式实现了密码学最小权限。每个下游调用携带独立签名的令牌,且令牌无法跨租户复用。
  • 声明分离:通过区分sub(授权决策依据)和act/cid(审计日志与速率限制依据),下游API可独立验证身份而不必信任代理本身,增强了系统的可审计性和安全性。
  • 参考实现:提供了名为TravelBot的多租户预订助手示例,演示了Acme和Globex两个租户间的隔离交互,相关代码将在aws-samples仓库发布。

行业启示

  • 标准化身份治理:AI Agent的安全架构应尽早采纳行业标准(如RFC 8693),而非依赖自定义或脆弱的模拟机制,以确保互操作性和长期维护性。
  • 零信任架构落地:在多租户SaaS环境中,必须实施严格的受众绑定和最小权限原则,防止因代理漏洞导致的横向移动和数据泄露。
  • 基础设施即安全:利用云服务商提供的原生身份网关(如AgentCore Gateway)可以显著降低构建安全AI系统的工程成本,使开发者专注于业务逻辑而非底层认证细节。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Agent Agent Security 安全 Deployment 部署