o i=@sdZddlmZddlZddlmZddlmZmZm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZeeZGd d d eZGd ddeZdS)aOIDC Proxy Provider for FastMCP. This provider acts as a transparent proxy to an upstream OIDC compliant Authorization Server. It leverages the OAuthProxy class to handle Dynamic Client Registration and forwarding of all OAuth flows. This implementation is based on: OpenID Connect Discovery 1.0 - https://openid.net/specs/openid-connect-discovery-1_0.html OAuth 2.0 Authorization Server Metadata - https://datatracker.ietf.org/doc/html/rfc8414 )SequenceN) AsyncKeyValue) AnyHttpUrl BaseModelmodel_validator)Self) TokenVerifier) OAuthProxy) JWTVerifier) get_loggerc @seZdZUdZdZeed<dZee BdBed<dZ ee BdBed<dZ ee BdBed<dZ ee BdBed<dZ ee BdBed <dZee BdBed <dZee dBed <dZee dBed <dZee dBed <dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZee dBed<dZ ee dBed<dZ!ee dBed<dZ"ee dBed<dZ#ee dBed<dZ$ee BdBed<dZ%ee dBed <dZ&ee dBed!<dZ'edBed"<dZ(edBed#<dZ)edBed$<dZ*edBed%<dZ+ee BdBed&<dZ,ee BdBed'<dZ-ee BdBed(<dZ.ee dBed)<dZ/ee dBed*<dZ0ee BdBed+<dZ1ee dBed,<dZ2ee dBed-<dZ3ee dBed.<dZ4e dBed/<e5d0d1d2e6fd3d4Z7e8d5ededBd6e9dBd2e6fd7d8Z:dS)9OIDCConfigurationzOIDC Configuration. See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata https://datatracker.ietf.org/doc/html/rfc8414#section-2 TstrictNissuerauthorization_endpointtoken_endpointuserinfo_endpointjwks_uriregistration_endpointscopes_supportedresponse_types_supportedresponse_modes_supportedgrant_types_supportedacr_values_supportedsubject_types_supported%id_token_signing_alg_values_supported(id_token_encryption_alg_values_supported(id_token_encryption_enc_values_supported%userinfo_signing_alg_values_supported(userinfo_encryption_alg_values_supported(userinfo_encryption_enc_values_supported+request_object_signing_alg_values_supported.request_object_encryption_alg_values_supported.request_object_encryption_enc_values_supported%token_endpoint_auth_methods_supported0token_endpoint_auth_signing_alg_values_supporteddisplay_values_supportedclaim_types_supportedclaims_supportedservice_documentationclaims_locales_supportedui_locales_supportedclaims_parameter_supportedrequest_parameter_supportedrequest_uri_parameter_supported require_request_uri_registration op_policy_uri op_tos_urirevocation_endpoint*revocation_endpoint_auth_methods_supported5revocation_endpoint_auth_signing_alg_values_supportedintrospection_endpoint-introspection_endpoint_auth_methods_supported8introspection_endpoint_auth_signing_alg_values_supported code_challenge_methods_supportedsigned_metadataafter)modereturncsjjsSddtdtddffdd }|dd |d d |d d |d d |d |d|dS)zEnforce strict rules.Fattris_urlr;Nc st|d}|sd|}t|t||rt|trdSzt|WdStyA}zd|}t|t||d}~ww)Nz)Missing required configuration metadata: z(Invalid URL for configuration metadata: )getattrloggererror ValueError isinstancer Exception)r<r=valuemessageeselfd/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/oidc_proxy.pyenforcers      z2OIDCConfiguration._enforce_strict..enforcerTrrrrrr)F)r strbool)rHrKrIrGrJ_enforce_strictls    z!OIDCConfiguration._enforce_strict config_urltimeout_secondscCsxi}|dur ||d<z!tjt|fi|}||}|dur&||d<||WSty;td|w)zGet the OIDC configuration for the specified config URL. Args: config_url: The OIDC config URL strict: The strict flag for the configuration timeout_seconds: HTTP request timeout in seconds Ntimeoutr z1Unable to get OIDC configuration for config url: ) httpxgetrLraise_for_statusjsonmodel_validaterCr? exception)clsrOr rP get_kwargsresponse config_datarIrIrJget_oidc_configurations    z(OIDCConfiguration.get_oidc_configuration);__name__ __module__ __qualname____doc__r rM__annotations__rrrLrrrrrrrrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8rrrN classmethodintr\rIrIrIrJr sv   r c%s:eZdZUdZeed<dddddddddddddd deeBdedBded ed edBd e dBd e dBd edBde edBdeeBdeeBdBdedBde edBde dBdee BdBdedBdeddf$fddZdededBd e dBdefddZdddddd edBd edBde edBd e dBde f ddZZS) OIDCProxyaOAuth provider that wraps OAuthProxy to provide configuration via an OIDC configuration URL. This provider makes it easier to add OAuth protection for any upstream provider that is OIDC compliant. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.oidc_proxy import OIDCProxy # Simple OIDC based protection auth = OIDCProxy( config_url="https://oidc.config.url", client_id="your-oidc-client-id", client_secret="your-oidc-client-secret", base_url="https://your.server.url", ) mcp = FastMCP("My Protected Server", auth=auth) ``` oidc_configNT) r audiencerPtoken_verifier algorithmrequired_scopes issuer_url redirect_pathallowed_client_redirect_urisclient_storagejwt_signing_keytoken_endpoint_auth_methodrequire_authorization_consentrOr client_id client_secretrfrPrgrhribase_urlrjrkrlrmrnrorpr;csN|std|s td|std| std|dur,|dur$td| dur,tdt|tr5t|}|||||_|jjrE|jjsRt d|jtd |jj r\t|jj nd}|durk|j ||| |d }t|jjt|jj||||| | p}| |jj | ||||d }| r| |d <|rd |i}||d<||d<t jdi|dS)a Initialize the OIDC proxy provider. Args: config_url: URL of upstream configuration strict: Optional strict flag for the configuration client_id: Client ID registered with upstream server client_secret: Client secret for upstream server audience: Audience for upstream server timeout_seconds: HTTP request timeout in seconds token_verifier: Optional custom token verifier (e.g., IntrospectionTokenVerifier for opaque tokens). If not provided, a JWTVerifier will be created using the OIDC configuration. Cannot be used with algorithm or required_scopes parameters (configure these on your verifier instead). algorithm: Token verifier algorithm (only used if token_verifier is not provided) required_scopes: Required scopes for token validation (only used if token_verifier is not provided) base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in upstream OAuth app (defaults to "/auth/callback") allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. Patterns support wildcards (e.g., "http://localhost:*", "https://*.example.com/*"). If None (default), only localhost redirect URIs are allowed. If empty list, all redirect URIs are allowed (not recommended for production). These are for MCP clients performing loopback redirects, NOT for the upstream OAuth app. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. token_endpoint_auth_method: Token endpoint authentication method for upstream server. Common values: "client_secret_basic", "client_secret_post", "none". If None, authlib will use its default (typically "client_secret_basic"). require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to the upstream IdP. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. zMissing required config URLzMissing required client idzMissing required client secretzMissing required base URLNzzCannot specify 'algorithm' when providing a custom token_verifier. Configure the algorithm on your token verifier instead.zCannot specify 'required_scopes' when providing a custom token_verifier. Configure required scopes on your token verifier instead.zInvalid OIDC Configuration: zMissing required OIDC endpointsrhrfrirP)upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secretupstream_revocation_endpointrgrsrjservice_documentation_urlrlrmrnrorprkrfextra_authorize_paramsextra_token_paramsrI)rArBrLrr\rerrr?debugr1get_token_verifierr(super__init__)rHrOr rqrrrfrPrgrhrirsrjrkrlrmrnrorpr1 init_kwargs extra_params __class__rIrJrs~B  zOIDCProxy.__init__cCstj|||dS)aGets the OIDC configuration for the specified configuration URL. Args: config_url: The OIDC configuration URL strict: The strict flag for the configuration timeout_seconds: HTTP request timeout in seconds )r rP)r r\)rHrOr rPrIrIrJr\Ys z OIDCProxy.get_oidc_configurationrtcCs"tt|jjt|jj|||dS)aXCreates the token verifier for the specified OIDC configuration and arguments. Args: algorithm: Optional token verifier algorithm audience: Optional token verifier audience required_scopes: Optional token verifier required_scopes timeout_seconds: HTTP request timeout in seconds )rrrhrfri)r rLrerr)rHrhrfrirPrIrIrJr~js  zOIDCProxy.get_token_verifier)r]r^r_r`r rarrLrMrcrlistrbytesrr\r~ __classcell__rIrIrrJrds           rd)r`collections.abcrrRkey_value.aio.protocolsrpydanticrrrtyping_extensionsrfastmcp.server.authrfastmcp.server.auth.oauth_proxyr !fastmcp.server.auth.providers.jwtr fastmcp.utilities.loggingr r]r?r rdrIrIrIrJs