o id*@sdZddlmZddlmZddlmZmZmZddl m Z m Z ddl m Z ddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZmZeeZGddde ZGdddeZ GdddeZ!dS)aAWS Cognito OAuth provider for FastMCP. This module provides a complete AWS Cognito OAuth integration that's ready to use with a user pool ID, domain prefix, client ID and client secret. It handles all the complexity of AWS Cognito's OAuth flow, token validation, and user management. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.aws_cognito import AWSCognitoProvider # Simple AWS Cognito OAuth protection auth = AWSCognitoProvider( user_pool_id="your-user-pool-id", aws_region="eu-central-1", client_id="your-cognito-client-id", client_secret="your-cognito-client-secret" ) mcp = FastMCP("My Protected Server", auth=auth) ``` ) annotations) AsyncKeyValue) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) TokenVerifier) AccessToken) OIDCProxy) JWTVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc@seZdZUdZededdZdZded<dZ ded<dZ ded <dZ d ed <dZ d ed <dZ d ed<dZded<dZded<dZded<dZded<edddeddZdS)AWSCognitoProviderSettingsz(Settings for AWS Cognito OAuth provider. FASTMCP_SERVER_AUTH_AWS_COGNITO_ignore) env_prefixenv_fileextraN str | None user_pool_id aws_region client_idzSecretStr | None client_secretzAnyHttpUrl | str | Nonebase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesallowed_client_redirect_urisjwt_signing_keybefore)modecCst|S)Nr)clsvr)g/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/aws.py _parse_scopes>sz(AWSCognitoProviderSettings._parse_scopes)__name__ __module__ __qualname____doc__rr model_configr__annotations__rrrrrr r"r#r$r classmethodr+r)r)r)r*r*s(            rcs"eZdZdZdfdd ZZS) AWSCognitoTokenVerifierz>Token verifier that filters claims to Cognito-specific subset.tokenstrreturnAccessToken | Nonecs\t|IdH}|sdS|jd|jd|jdgd}t|j|j|j|j|dS)z:Verify token and filter claims to Cognito-specific subset.Nsubusernamecognito:groups)r8r9r:)r4rscopes expires_atclaims) super verify_tokenr=getr r4rr;r<)selfr4 access_tokencognito_claims __class__r)r*r?Gs   z$AWSCognitoTokenVerifier.verify_token)r4r5r6r7)r,r-r.r/r? __classcell__r)r)rDr*r3Dsr3c sTeZdZdZeeeeeeeeededd d$fddZdddddd%d"d#ZZS)&AWSCognitoProvidera'Complete AWS Cognito OAuth provider for FastMCP. This provider makes it trivial to add AWS Cognito OAuth protection to any FastMCP server using OIDC Discovery. Just provide your Cognito User Pool details, client credentials, and a base URL, and you're ready to go. Features: - Automatic OIDC Discovery from AWS Cognito User Pool - Automatic JWT token validation via Cognito's public keys - Cognito-specific claim filtering (sub, username, cognito:groups) - Support for Cognito User Pools Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.aws_cognito import AWSCognitoProvider auth = AWSCognitoProvider( user_pool_id="eu-central-1_XXXXXXXXX", aws_region="eu-central-1", client_id="your-cognito-client-id", client_secret="your-cognito-client-secret", base_url="https://my-server.com", redirect_path="/custom/callback", ) mcp = FastMCP("My App", auth=auth) ``` NT) rrrrrrr r"r#client_storager$require_authorization_consentr str | NotSetTrrrrAnyHttpUrl | str | NotSetTrr r"list[str] | NotSetTr#rHAsyncKeyValue | Noner$str | bytes | NotSetTrIboolc stdd||||||||| | d D} | jstd| js%td| js,td| jp1dg}| j}| j p9d}| j p>d }d |d | jd }| jrQ| j nd }| j|_||_ t j || j|d|| j| j||| | j| d td| j|dS)aInitialize AWS Cognito OAuth provider. Args: user_pool_id: Your Cognito User Pool ID (e.g., "eu-central-1_XXXXXXXXX") aws_region: AWS region where your User Pool is located (defaults to "eu-central-1") client_id: Cognito app client ID client_secret: Cognito app client secret base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in Cognito app (defaults to "/auth/callback") required_scopes: Required Cognito scopes (defaults to ["openid"]) allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to AWS Cognito. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. cSsi|] \}}|tur||qSr))r).0kr(r)r)r* s   z/AWSCognitoProvider.__init__..) rrrrrrr r"r#r$z\user_pool_id is required - set via parameter or FASTMCP_SERVER_AUTH_AWS_COGNITO_USER_POOL_IDzVclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_AWS_COGNITO_CLIENT_IDz^client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_AWS_COGNITO_CLIENT_SECRETopenidz eu-central-1z/auth/callbackzhttps://cognito-idp.z.amazonaws.com/z!/.well-known/openid-configurationRS256) config_urlrr algorithmr"rrr r#rHr$rIzDInitialized AWS Cognito OAuth provider for client %s with scopes: %sN)rmodel_validateitemsr ValueErrorrrr"r#rr get_secret_valuer>__init__rrr$loggerdebug)rArrrrrrr r"r#rHr$rIsettingsrequired_scopes_final"allowed_client_redirect_uris_finalaws_region_finalredirect_path_finalrVclient_secret_strrDr)r*r\~sp*    zAWSCognitoProvider.__init__)rWaudiencer"timeout_secondsrWrrer!rf int | Noner6r cCs"tt|jj||t|jj|dS)aICreates a Cognito-specific token verifier with claim filtering. Args: algorithm: Optional token verifier algorithm audience: Optional token verifier audience required_scopes: Optional token verifier required_scopes timeout_seconds: HTTP request timeout in seconds )issuerrerWjwks_urir")r3r5 oidc_configrhri)rArWrer"rfr)r)r*get_token_verifiers  z%AWSCognitoProvider.get_token_verifier)rrJrrJrrJrrJrrKrrKr rJr"rLr#rLrHrMr$rNrIrO) rWrrerr"r!rfrgr6r )r,r-r.r/rr\rkrFr)r)rDr*rG_s(!vrGN)"r/ __future__rkey_value.aio.protocolsrpydanticrrrpydantic_settingsrrfastmcp.server.authr fastmcp.server.auth.authr fastmcp.server.auth.oidc_proxyr !fastmcp.server.auth.providers.jwtr fastmcp.settingsr fastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr,r]rr3rGr)r)r)r*s"