fix(e2e): broaden CUSTOM_JWT rejection regex to match service response#1622
Closed
notgitika wants to merge 1 commit into
Closed
fix(e2e): broaden CUSTOM_JWT rejection regex to match service response#1622notgitika wants to merge 1 commit into
notgitika wants to merge 1 commit into
Conversation
The harness-custom-jwt e2e test asserts that SigV4 invocations against a CUSTOM_JWT harness are rejected. The assertion regex did not account for the actual 403 message returned by the AgentCore service: "missing required audience claim." This occurs because the CLI auto-attaches a bearer token (via the managed OAuth credential) which lacks a standard JWT aud claim — the Cognito access_token uses client_id instead. The harness's HarnessAuthValidator.validateTokenAudience() rejects it with this message rather than the auth-type-mismatch message the regex expected. Broaden the regex to accept this valid rejection variant. The test's intent (SigV4/invalid-auth is rejected with 403) remains unchanged.
github-actions
Bot
added
the
agentcore-harness-reviewing
agentcore-devx-automation
Bot
added
the
claude-security-reviewing
Contributor
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-devx-automation
Bot
removed
the
claude-security-reviewing
Contributor
Package TarballHow to installgh release download pr-1622-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.20.2.tgz |
agentcore-cli-automation
approved these changes
Jun 23, 2026
agentcore-cli-automation
left a comment
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
LGTM. Targeted one-line regex fix to an e2e test; the root-cause analysis in the PR description matches what I see in the code:
- The harness test exercises the managed-OAuth path (
--client-id/--client-secretonadd harness), which causes the CLI to auto-attach a bearer token on the "SigV4-only" invoke. That request reaches the service, which rejects on the audience claim — the existing regex didn't cover that response. - The sibling
byo-custom-jwt.test.tspatchesagentcore.jsondirectly without registering a managed credential, so no token is auto-attached and the rejection happens via a different path that the existing regex already matches. No update needed there. - The negative assertion on line 263 (
not.toMatch) remains safe — a successful invoke response won't contain "missing required audience claim".
No source/telemetry impact, e2e-test-only change.
github-actions
Bot
removed
the
agentcore-harness-reviewing
Contributor
Author
|
this one makes more sense #1624 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Fixes the
harness-custom-jwt.test.tse2e test that has been failing on mainline since the harness flows were brought into the standard build (PR #1598).Root Cause
The test deploys a harness with a CUSTOM_JWT authorizer (Cognito), then invokes without an explicit
--bearer-token. The CLI auto-attaches a bearer token via the managed OAuth credential. The Cognitoaccess_tokenlacks a standardaudclaim (Cognito usesclient_idinstead), so the service'sHarnessAuthValidator.validateTokenAudience()inYggdrasillDataPlaneServicerejects it with:The test's regex only matched
configured for CUSTOM_JWT,authoriz(ation|er).*mismatch, ordifferent.*authorization— none of which match the actual service response.Fix
Broaden the regex to also accept
missing required audience claim. The test's intent (SigV4/invalid-auth is rejected with 403) is unchanged — theexitCode !== 0assertion still validates the rejection. The negative assertion on line 262 (not.toMatch) remains safe because a successful bearer-token invoke will never contain this message.Testing
expect(output).not.toMatch(...)) on the bearer-token success path is unaffected since a successful invoke returns the agent response, not an auth error