feat(credential, gateway-target): support OAuth2 token exchange (RFC 8693) on Custom OAuth providers #1360

@aidandaly24

Description

AWS::BedrockAgentCore::OAuth2CredentialProvider supports RFC 8693 token exchange via Oauth2ProviderConfigInput.CustomOauth2ProviderConfig.OnBehalfOfTokenExchangeConfig, with allowed GrantType values TOKEN_EXCHANGE | JWT_AUTHORIZATION_GRANT and a nested TokenExchangeGrantTypeConfig. Source: OnBehalfOfTokenExchangeConfig CFN docs, CustomOauth2ProviderConfigInput docs.

This lets a Gateway Target (or any AgentCore caller using OAuth2 outbound auth) present an inbound JWT and receive a downstream token suitable for the upstream service — i.e. on-behalf-of flow.
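The exchange the provider has to perform, as an added example in TypeScript (not code from the issue or from the AgentCore CLI/CDK). It builds the RFC 8693 token-endpoint request for the on-behalf-of case (inbound JWT as `subject_token`, downstream service as `audience`) and parses the reply, rejecting error responses, missing required members and a granted scope wider than the one requested. The token strings, the audience name and the sample reply are constructed placeholders.

```typescript
// Added example, not AgentCore code: client side of an RFC 8693 token exchange.

export const GRANT_TYPE_TOKEN_EXCHANGE =
  "urn:ietf:params:oauth:grant-type:token-exchange";
export const TOKEN_TYPE_JWT = "urn:ietf:params:oauth:token-type:jwt";
export const TOKEN_TYPE_ACCESS = "urn:ietf:params:oauth:token-type:access_token";

export interface ExchangeRequest {
  subjectToken: string;        // the inbound JWT presented by the caller
  subjectTokenType?: string;   // defaults to the JWT token-type URN
  audience?: string;           // logical name of the downstream service
  resource?: string;           // or an absolute URI of the downstream resource
  scope?: string[];
  requestedTokenType?: string; // token type wanted back (AS default if omitted)
}

// Builds the application/x-www-form-urlencoded body for the token endpoint.
export function buildExchangeBody(req: ExchangeRequest): URLSearchParams {
  if (!req.subjectToken) throw new Error("subject_token is required");
  if (!req.audience && !req.resource) {
    // Both are optional in RFC 8693, but without one the AS has nothing to
    // scope the downstream token to; treat that as a misconfiguration.
    throw new Error("audience or resource must be set for an on-behalf-of exchange");
  }
  const body = new URLSearchParams();
  body.set("grant_type", GRANT_TYPE_TOKEN_EXCHANGE);
  body.set("subject_token", req.subjectToken);
  body.set("subject_token_type", req.subjectTokenType ?? TOKEN_TYPE_JWT);
  if (req.audience) body.set("audience", req.audience);
  if (req.resource) body.set("resource", req.resource);
  if (req.scope && req.scope.length > 0) body.set("scope", req.scope.join(" "));
  if (req.requestedTokenType) body.set("requested_token_type", req.requestedTokenType);
  return body;
}

export interface ExchangeResponse {
  accessToken: string;
  issuedTokenType: string;
  tokenType: string;
  expiresIn?: number;
  scope: string[];
}

// Parses the token endpoint's JSON reply (RFC 8693 section 2.2). An "error"
// member, a missing required member, or a scope the caller never asked for
// is rejected rather than passed on to the upstream service.
export function parseExchangeResponse(json: string, requestedScope: string[] = []): ExchangeResponse {
  const r = JSON.parse(json) as Record<string, unknown>;
  if (typeof r.error === "string") throw new Error("token exchange failed: " + r.error);
  for (const k of ["access_token", "issued_token_type", "token_type"]) {
    const v = r[k];
    if (typeof v !== "string" || v.length === 0) throw new Error("response is missing " + k);
  }
  // "scope" is only required when it differs from the request; otherwise assume what we asked for.
  const scope = typeof r.scope === "string" ? r.scope.split(" ").filter(Boolean) : requestedScope.slice();
  const extra = scope.filter((s) => requestedScope.length > 0 && requestedScope.indexOf(s) === -1);
  if (extra.length > 0) throw new Error("AS granted unrequested scope: " + extra.join(" "));
  return {
    accessToken: r.access_token as string,
    issuedTokenType: r.issued_token_type as string,
    tokenType: r.token_type as string,
    expiresIn: typeof r.expires_in === "number" ? r.expires_in : undefined,
    scope,
  };
}

// Constructed sample: an inbound JWT placeholder and the reply a compliant
// token endpoint would send for audience "upstream-api".
export const SAMPLE_INBOUND_JWT = "eyJhbGciOiJSUzI1NiJ9.e30.constructed-signature";
export const SAMPLE_RESPONSE_JSON = JSON.stringify({
  access_token: "downstream-token-constructed",
  issued_token_type: TOKEN_TYPE_ACCESS,
  token_type: "Bearer",
  expires_in: 300,
  scope: "read",
});
```

The scope check is the part worth keeping in any real implementation: an authorization server that hands back a broader token than requested turns the on-behalf-of hop into a privilege escalation for whatever the gateway target reaches.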

The CLI does not surface this:

  • OAuthCredentialProvider schema in agentcore-project.ts:195–208 has only discoveryUrl, scopes, vendor, managed, usage — no token-exchange fields.
  • The L3 construct (@aws/agentcore-cdk src/cdk/constructs/components/mcp/Gateway.ts:255–267) hardcodes grantType: 'CLIENT_CREDENTIALS' when wiring oauthCredentialProvider on a target.
  • This is exposed only on the Custom OAuth2 provider config in CFN — built-in vendor providers (Google, GitHub, Slack, Salesforce, Microsoft, Atlassian, etc.) do not support token exchange.

This is referenced in the user ask as "Token Exchange — Target & Credential" (the credential-provider side and the gateway-target side both need plumbing).

Acceptance Criteria

  • Extend OAuthCredentialProviderSchema (agentcore-project.ts:195–208) with an optional tokenExchange block:
    • grantType: 'TOKEN_EXCHANGE' | 'JWT_AUTHORIZATION_GRANT' (one-of)
    • tokenExchangeGrantTypeConfig — match the CFN sub-shape (subject token URI/types, audience, etc. — finalize from CFN docs).
  • Restrict the new field to vendor: 'CustomOauth2' (CFN does not support it on built-in providers).
  • Add CLI flags: --token-exchange-grant-type, --token-exchange-config-file <path> (JSON file for the nested struct), or stage these via raw agentcore.json edits initially.
  • Add TUI fields under "Advanced OAuth options" in the credential add wizard.
  • On Gateway Target outbound auth, allow grantType to be passed through (replace hardcoded 'CLIENT_CREDENTIALS' in @aws/agentcore-cdk Gateway.ts:255–267 with the schema field).
  • Validate that grantType: 'TOKEN_EXCHANGE' is only paired with credential providers that have the token-exchange config set.
  • Snapshot tests updated.
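The config-level checks the criteria above ask for, as an added example in plain TypeScript (not code from the AgentCore CLI or the @aws/agentcore-cdk package): an optional tokenExchange block on the credential-provider config that is only accepted on vendor 'CustomOauth2', and a gateway-target grantType that defaults to CLIENT_CREDENTIALS and, when set to a token-exchange grant, must be backed by a provider configured for that same grant. The provider/target shapes, the field names inside tokenExchangeGrantTypeConfig (which the issue defers to the CFN docs) and the sample project are assumptions.

```typescript
// Added example, not AgentCore code: validation for the proposed tokenExchange
// block and for the grantType passed through to a Gateway Target.

export type TokenExchangeGrantType = "TOKEN_EXCHANGE" | "JWT_AUTHORIZATION_GRANT";
export type TargetGrantType = "CLIENT_CREDENTIALS" | TokenExchangeGrantType;

export interface TokenExchangeBlock {
  grantType: TokenExchangeGrantType;
  // Assumed sub-shape; finalize against the CFN TokenExchangeGrantTypeConfig.
  tokenExchangeGrantTypeConfig?: { subjectTokenType?: string; audience?: string; resource?: string };
}

export interface OAuthCredentialProvider {
  name: string;
  vendor: string;                     // 'CustomOauth2' or a built-in vendor (hypothetical names below)
  discoveryUrl?: string;
  scopes?: string[];
  tokenExchange?: TokenExchangeBlock; // the new optional block
}

export interface GatewayTargetOutboundAuth {
  target: string;
  oauthCredentialProvider: string; // provider name
  grantType?: TargetGrantType;     // absent today: the construct hardcodes CLIENT_CREDENTIALS
}

const TOKEN_EXCHANGE_VENDOR = "CustomOauth2";
const TOKEN_EXCHANGE_GRANTS: string[] = ["TOKEN_EXCHANGE", "JWT_AUTHORIZATION_GRANT"];

// Returns validation errors for one provider entry; an empty array means valid.
export function validateProvider(p: OAuthCredentialProvider): string[] {
  const errors: string[] = [];
  const te = p.tokenExchange;
  if (!te) return errors;
  if (p.vendor !== TOKEN_EXCHANGE_VENDOR) {
    errors.push(p.name + ": tokenExchange is only supported on vendor '" + TOKEN_EXCHANGE_VENDOR + "', got '" + p.vendor + "'");
  }
  if (TOKEN_EXCHANGE_GRANTS.indexOf(te.grantType) === -1) {
    errors.push(p.name + ": tokenExchange.grantType must be one of " + TOKEN_EXCHANGE_GRANTS.join(" | "));
  }
  // Assumption: the nested config is what makes TOKEN_EXCHANGE usable, so require it.
  if (te.grantType === "TOKEN_EXCHANGE" && !te.tokenExchangeGrantTypeConfig) {
    errors.push(p.name + ": grantType TOKEN_EXCHANGE requires tokenExchangeGrantTypeConfig");
  }
  return errors;
}

// Resolves the grantType to wire on a target (replacing the hardcoded value)
// and reports a target that asks for a grant its provider cannot serve.
export function resolveTargetGrantType(
  t: GatewayTargetOutboundAuth,
  providers: OAuthCredentialProvider[],
): { grantType: TargetGrantType; errors: string[] } {
  const errors: string[] = [];
  const grantType: TargetGrantType = t.grantType ?? "CLIENT_CREDENTIALS";
  const provider = providers.filter((p) => p.name === t.oauthCredentialProvider)[0];
  if (!provider) {
    errors.push(t.target + ": unknown credential provider '" + t.oauthCredentialProvider + "'");
    return { grantType, errors };
  }
  if (TOKEN_EXCHANGE_GRANTS.indexOf(grantType) !== -1) {
    const te = provider.tokenExchange;
    if (!te) {
      errors.push(t.target + ": grantType " + grantType + " requires provider '" + provider.name + "' to set tokenExchange");
    } else if (te.grantType !== grantType) {
      errors.push(t.target + ": grantType " + grantType + " does not match provider '" + provider.name + "' tokenExchange.grantType " + te.grantType);
    }
  }
  return { grantType, errors };
}

// Validates every provider, then every target against the providers.
export function validateProject(providers: OAuthCredentialProvider[], targets: GatewayTargetOutboundAuth[]): string[] {
  const errors: string[] = [];
  for (const p of providers) errors.push(...validateProvider(p));
  for (const t of targets) errors.push(...resolveTargetGrantType(t, providers).errors);
  return errors;
}

// Constructed sample project with hypothetical names.
export const SAMPLE_PROVIDERS: OAuthCredentialProvider[] = [
  { name: "idp-obo", vendor: "CustomOauth2", discoveryUrl: "https://idp.example/.well-known/openid-configuration",
    tokenExchange: { grantType: "TOKEN_EXCHANGE", tokenExchangeGrantTypeConfig: { audience: "upstream-api" } } },
  { name: "google", vendor: "GoogleOauth2", scopes: ["openid"],                 // invalid: built-in vendor
    tokenExchange: { grantType: "TOKEN_EXCHANGE", tokenExchangeGrantTypeConfig: { audience: "x" } } },
  { name: "plain", vendor: "CustomOauth2" },
];
export const SAMPLE_TARGETS: GatewayTargetOutboundAuth[] = [
  { target: "crm", oauthCredentialProvider: "idp-obo", grantType: "TOKEN_EXCHANGE" },   // ok
  { target: "tickets", oauthCredentialProvider: "plain", grantType: "TOKEN_EXCHANGE" }, // invalid: no tokenExchange on provider
  { target: "legacy", oauthCredentialProvider: "plain" },                               // ok: defaults to CLIENT_CREDENTIALS
];
```

Running validateProject over the sample yields exactly two errors (the built-in vendor carrying a tokenExchange block, and the target that requests TOKEN_EXCHANGE from a provider without one), while the target with no grantType resolves to CLIENT_CREDENTIALS, so existing agentcore.json files keep their current behaviour.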

Additional Context

Metadata

Assignees: No one assigned

Labels: enhancement (New feature or request)