o i@sdZddlmZddlZddlZddlmZmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZeeZd ZedddZedddZddddddZGdddZdS)a"JWT token issuance and verification for FastMCP OAuth Proxy. This module implements the token factory pattern for OAuth proxies, where the proxy issues its own JWT tokens to clients instead of forwarding upstream provider tokens. This maintains proper OAuth 2.0 token audience boundaries. ) annotationsN)Anyoverload) JsonWebToken) JoseError)hashes)HKDF) PBKDF2HMAC) get_loggeri@Bhigh_entropy_materialstrsaltreturnbytescCdS)zHDerive JWT signing key from a high-entropy key material and server salt.N)r r rrd/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/jwt_issuer.pyderive_jwt_keyrlow_entropy_materialcCr)zGDerive JWT signing key from a low-entropy key material and server salt.Nr)rr rrrr r)r r str | NonecCs|dur |dur td|dur'ttd|ddj|d}t|S|durBttd|t dj|d}t|Std) zWDerive JWT signing key from a high-entropy or low-entropy key material and server salt.NzSEither high_entropy_material or low_entropy_material must be provided, but not both sFernet) algorithmlengthr info) key_material)rrr iterationszEEither high_entropy_material or low_entropy_material must be provided) ValueErrorrrSHA256encodederivebase64urlsafe_b64encoder KDF_ITERATIONS)r rr derived_keypbkdf2rrrr%s6  c@s<eZdZdZdddZ ddddZdddZdddZdS) JWTIssueraIssues and validates FastMCP-signed JWT tokens using HS256. This issuer creates JWT tokens for MCP clients with proper audience claims, maintaining OAuth 2.0 token boundaries. Tokens are signed with HS256 using a key derived from the upstream client secret. issuerr audience signing_keyrcCs"||_||_||_tdg|_dS)zInitialize JWT issuer. Args: issuer: Token issuer (FastMCP server base URL) audience: Token audience (typically {base_url}/mcp) signing_key: HS256 signing key (32 bytes) HS256N)r'r( _signing_keyr_jwt)selfr'r(r)rrr__init__Rs zJWTIssuer.__init__ client_idscopes list[str]jti expires_inintrc Csttt}ddd}|j|j|d|||||d}|j|||j}|d} t d||dd |d | S) aIssue a minimal FastMCP access token. FastMCP tokens are reference tokens containing only the minimal claims needed for validation and lookup. The JTI maps to the upstream token which contains actual user identity and authorization data. Args: client_id: MCP client ID scopes: Token scopes jti: Unique token identifier (maps to upstream token) expires_in: Token lifetime in seconds Returns: Signed JWT token r*JWTalgtyp )issaudr0scopeexpiatr3utf-8z/Issued access token for client=%s jti=%s exp=%dNr> r5timer'r(joinr,rr+decodeloggerdebug r-r0r1r3r4nowheaderpayload token_bytestokenrrrissue_access_tokends&    zJWTIssuer.issue_access_tokenc Csvtt}ddd}|j|j|d|||||dd}|j|||j}|d} t d||d d |d | S) a7Issue a minimal FastMCP refresh token. FastMCP refresh tokens are reference tokens containing only the minimal claims needed for validation and lookup. The JTI maps to the upstream token which contains actual user identity and authorization data. Args: client_id: MCP client ID scopes: Token scopes jti: Unique token identifier (maps to upstream token) expires_in: Token lifetime in seconds (should match upstream refresh expiry) Returns: Signed JWT token r*r6r7r:refresh)r;r<r0r=r>r?r3 token_user@z0Issued refresh token for client=%s jti=%s exp=%dNrAr>rBrHrrrissue_refresh_tokens(    zJWTIssuer.issue_refresh_tokenrMdict[str, Any]c CszL|j||j}|d}|r|tkrtdtd|d|jkr0tdtd|d|j krAtdtd td |d |WSty_}ztd |d }~ww)a3Verify and decode a FastMCP token. Validates JWT signature, expiration, issuer, and audience. Args: token: JWT token to verify Returns: Decoded token payload Raises: JoseError: If token is invalid, expired, or has wrong claims r>z Token expiredzToken has expiredr;zToken has invalid issuerzInvalid token issuerr<zToken has invalid audiencezInvalid token audiencez*Token verified successfully for subject=%ssubzToken validation failed: %sN) r,rEr+getrCrFrGrr'r()r-rMrKr>errr verify_tokens*      zJWTIssuer.verify_tokenN)r'r r(r r)r)r/) r0r r1r2r3r r4r5rr )rMr rrR)__name__ __module__ __qualname____doc__r.rNrQrVrrrrr&Js  /0r&)r r r r rr)rr r r rr)r rrrr r rr)rZ __future__rr!rCtypingrr authlib.joserauthlib.jose.errorsrcryptography.hazmat.primitivesr'cryptography.hazmat.primitives.kdf.hkdfr)cryptography.hazmat.primitives.kdf.pbkdf2r fastmcp.utilities.loggingr rWrFr#rr&rrrrs*         %