o i8@s(ddlmZddlmZmZddlmZddlmZddl m Z ddl m Z m Z mZddl mZddlmZmZdd lmZmZdd lmZmZdd lmZdd lmZdd lmZddl m!Z!e!e"Z#Gddde Z GdddeZ$Gddde$ZGddde$Z%Gddde$e e ee fZ&dS)) annotations)Anycast)AuthContextMiddleware)BearerAuthBackend) AccessToken)AuthorizationCode OAuthAuthorizationServerProvider RefreshToken) TokenVerifier)create_auth_routes create_protected_resource_routes)ClientRegistrationOptionsRevocationOptions) AnyHttpUrlField) Middleware)AuthenticationMiddleware)Route) get_loggerc@s$eZdZUdZeedZded<dS)rz)AccessToken that includes all JWT claims.)default_factoryzdict[str, Any]claimsN)__name__ __module__ __qualname____doc__rdictr__annotations__rr^/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/auth.pyr$s rc@s\eZdZdZ  ddddZdd dZ d d!ddZ d d!ddZd"ddZd d#ddZ dS)$ AuthProvideraFBase class for all FastMCP authentication providers. This class provides a unified interface for all authentication providers, whether they are simple token verifiers or full OAuth authorization servers. All providers must be able to verify tokens and can optionally provide custom authentication routes. Nbase_urlAnyHttpUrl | str | Nonerequired_scopeslist[str] | NonecCs&t|tr t|}||_|pg|_dS)a4 Initialize the auth provider. Args: base_url: The base URL of this server (e.g., http://localhost:8000). This is used for constructing .well-known endpoints and OAuth metadata. required_scopes: List of OAuth scopes required for all requests. N) isinstancestrrr!r#selfr!r#rrr__init__3s zAuthProvider.__init__tokenr&returnAccessToken | Nonec td)aVerify a bearer token and return access info if valid. All auth providers must implement token verification. Args: token: The token string to validate Returns: AccessToken object if valid, None if invalid or expired &Subclasses must implement verify_tokenNotImplementedErrorr(r*rrr verify_tokenEs zAuthProvider.verify_tokenmcp_path str | None list[Route]cCsgS)a0Get all routes for this authentication provider. This includes both well-known discovery routes and operational routes. Each provider is responsible for creating whatever routes it needs: - TokenVerifier: typically no routes (default implementation) - RemoteAuthProvider: protected resource metadata routes - OAuthProvider: full OAuth authorization server routes - Custom providers: whatever routes they need Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to advertise the resource URL in metadata, but the provider does not create the actual MCP endpoint route. Returns: List of all routes for this provider (excluding the MCP endpoint itself) r)r(r3rrr get_routesRszAuthProvider.get_routescCs||}dd|DS)aGet well-known discovery routes for this authentication provider. This is a utility method that filters get_routes() to return only well-known discovery routes (those starting with /.well-known/). Well-known routes provide OAuth metadata and discovery endpoints that clients use to discover authentication capabilities. These routes should be mounted at the root level of the application to comply with RFC 8414 and RFC 9728. Common well-known routes: - /.well-known/oauth-authorization-server (authorization server metadata) - /.well-known/oauth-protected-resource/* (protected resource metadata) Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to construct path-scoped well-known URLs. Returns: List of well-known discovery routes (typically mounted at root level) cSs&g|]}t|tr|jdr|qS)z /.well-known/)r%rpath startswith).0routerrr s z6AuthProvider.get_well_known_routes..)r6)r(r3 all_routesrrrget_well_known_routesis z"AuthProvider.get_well_known_routeslistcCsttt|dttgS)zGet HTTP application-level middleware for this auth provider. Returns: List of Starlette Middleware instances to apply to the HTTP app )backend)rrrr)r(rrrget_middlewares zAuthProvider.get_middlewarer7AnyHttpUrl | NonecCsD|jdurdS|rt|jd}|d}t|d|S|jS)zGet the actual resource URL being protected. Args: path: The path where the resource endpoint is mounted (e.g., "/mcp") Returns: The full URL of the protected resource N/)r!r&rstriplstripr)r(r7prefixsuffixrrr_get_resource_urls  zAuthProvider._get_resource_urlNNr!r"r#r$r*r&r+r,Nr3r4r+r5)r+r>)r7r4r+rA) rrrrr)r2r6r=r@rGrrrrr *s    r cs2eZdZdZ  ddfdd Zdd dZZS)r zBase class for token verifiers (Resource Servers). This class provides token verification capability without OAuth server functionality. Token verifiers typically don't provide authentication routes by default. Nr!r"r#r$cstj||ddS)z Initialize the token verifier. Args: base_url: The base URL of this server required_scopes: Scopes that are required for all requests r!r#N)superr)r' __class__rrr)s zTokenVerifier.__init__r*r&r+r,cr-)z6Verify a bearer token and return access info if valid.r.r/r1rrrr2szTokenVerifier.verify_tokenrHrIrJ)rrrrr)r2 __classcell__rrrOrr s r csJeZdZUdZded<  ddfdd ZdddZ ddddZZS)RemoteAuthProvidera&Authentication provider for resource servers that verify tokens from known authorization servers. This provider composes a TokenVerifier with authorization server metadata to create standardized OAuth 2.0 Protected Resource endpoints (RFC 9728). Perfect for: - JWT verification with known issuers - Remote token introspection services - Any resource server that knows where its tokens come from Use this when you have token verification logic and want to advertise the authorization servers that issue valid tokens. rr!Ntoken_verifierr authorization_serverslist[AnyHttpUrl]AnyHttpUrl | str resource_namer4resource_documentationrAcs.tj||jd||_||_||_||_dS)aInitialize the remote auth provider. Args: token_verifier: TokenVerifier instance for token validation authorization_servers: List of authorization servers that issue valid tokens base_url: The base URL of this server resource_name: Optional name for the protected resource resource_documentation: Optional documentation URL for the protected resource rMN)rNr)r#rSrTrWrX)r(rSrTr!rWrXrOrrr)s zRemoteAuthProvider.__init__r*r&r+r,cs|j|IdHS)z1Verify token using the configured token verifier.N)rSr2r1rrrr2szRemoteAuthProvider.verify_tokenr3r5c Cs8g}||}|r|t||j|jj|j|jd|S)zfGet routes for this provider. Creates protected resource metadata routes (RFC 9728). ) resource_urlrTscopes_supportedrWrX)rGextendr rTrSr#rWrX)r(r3routesrYrrrr6s  zRemoteAuthProvider.get_routesrH) rSr rTrUr!rVrWr4rXrArJrKrL) rrrrrr)r2r6rQrrrOrrRs   rRcsLeZdZdZdddddddfddZdddZ ddfdd ZZS) OAuthProviderzOAuth Authorization Server provider. This class provides full OAuth server functionality including client registration, authorization flows, token issuance, and token verification. N) issuer_urlservice_documentation_urlclient_registration_optionsrevocation_optionsr#r!rVr^r"r_r` ClientRegistrationOptions | NoneraRevocationOptions | Noner#r$c stj||d|dur|j|_nt|trt||_n||_|jdurE|jdurEt|jt|jkrEtd|jd|jd|jdt |t|trSt|}||_ ||_ ||_ dS)a Initialize the OAuth provider. Args: base_url: The public URL of this FastMCP server issuer_url: The issuer URL for OAuth metadata (defaults to base_url) service_documentation_url: The URL of the service documentation. client_registration_options: The client registration options. revocation_options: The revocation options. required_scopes: Scopes that are required for all requests. rMNzOAuth endpoints at z , issuer at z3. Ensure well-known routes are accessible at root (zY/.well-known/). See: https://gofastmcp.com/deployment/http#mounting-authenticated-servers) rNr)r!r^r%r&rloggerinfor r_r`ra)r(r!r^r_r`rar#rOrrr)s(        zOAuthProvider.__init__r*r&r+r,cs||IdHS)aX Verify a bearer token and return access info if valid. This method implements the TokenVerifier protocol by delegating to our existing load_access_token method. Args: token: The token string to validate Returns: AccessToken object if valid, None if invalid or expired N)load_access_tokenr1rrrr2Ls zOAuthProvider.verify_tokenr3r4r5cs|jdusJ|jdusJt||j|j|j|jd}||}|rA|jr-|jjr-|jjn|j}t |t t |jg|d}| || t ||S)atGet OAuth authorization server routes and optional protected resource routes. This method creates the full set of OAuth routes including: - Standard OAuth authorization server routes (/.well-known/oauth-authorization-server, /authorize, /token, etc.) - Optional protected resource routes Returns: List of OAuth routes N)providerr^r_r`ra)rYrTrZ)r!r^r r_r`rarG valid_scopesr#r rrr[rNr6)r(r3 oauth_routesrYsupported_scopesprotected_routesrOrrr6[s2    zOAuthProvider.get_routes) r!rVr^r"r_r"r`rbrarcr#r$rJrKrL)rrrrr)r2r6rQrrrOrr] s  5r]N)' __future__rtypingrr'mcp.server.auth.middleware.auth_contextr&mcp.server.auth.middleware.bearer_authrmcp.server.auth.providerr_SDKAccessTokenrr r r TokenVerifierProtocolmcp.server.auth.routesr r mcp.server.auth.settingsrrpydanticrrstarlette.middlewarer#starlette.middleware.authenticationrstarlette.routingrfastmcp.utilities.loggingrrrdr rRr]rrrrs0          I