o iB@sdZddlmZddlmZmZddlmZddlm Z m Z ddl m Z m Z ddlmZddlmZdd lmZdd lmZdd lmZdd lmZmZerZdd lmZddlmZeeZ Gddde Z!GdddeZ"dS)zAzure (Microsoft Entra) OAuth provider for FastMCP. This provider implements Azure/Microsoft Entra ID OAuth authentication using the OAuth Proxy pattern for non-DCR OAuth flows. ) annotations) TYPE_CHECKINGAny) AsyncKeyValue) SecretStrfield_validator) BaseSettingsSettingsConfigDict) OAuthProxy) JWTVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetT)AuthorizationParams)OAuthClientInformationFullc@seZdZUdZededdZdZded<dZ ded <dZ ded <dZ ded <dZ ded <dZ ded <dZded<dZded<dZded<dZded<dZded<dZded<eddded ddZeddded ddZdS)!AzureProviderSettingsz"Settings for Azure OAuth provider.FASTMCP_SERVER_AUTH_AZURE_ignore) env_prefixenv_fileextraNz str | None client_idzSecretStr | None client_secret tenant_ididentifier_uribase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesadditional_authorize_scopesallowed_client_redirect_urisjwt_signing_keylogin.microsoftonline.comstrbase_authoritybefore)modevobjectreturncCt|SNr clsr+r2i/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/azure.py _parse_scopes3z#AzureProviderSettings._parse_scopescCr.r/r r0r2r2r3"_parse_additional_authorize_scopes8r5z8AzureProviderSettings._parse_additional_authorize_scopes)r+r,r-r!)__name__ __module__ __qualname____doc__r r model_configr__annotations__rrrrrr r"r#r$r%r(r classmethodr4r6r2r2r2r3rs2               rcs^eZdZdZeeeeeeeeeedededd*fddZd+fd#d$ Zd,fd(d) ZZS)- AzureProvideru Azure (Microsoft Entra) OAuth provider for FastMCP. This provider implements Azure/Microsoft Entra ID authentication using the OAuth Proxy pattern. It supports both organizational accounts and personal Microsoft accounts depending on the tenant configuration. Scope Handling: - required_scopes: Provide unprefixed scope names (e.g., ["read", "write"]) → Automatically prefixed with identifier_uri during initialization → Validated on all tokens and advertised to MCP clients - additional_authorize_scopes: Provide full format (e.g., ["User.Read"]) → NOT prefixed, NOT validated, NOT advertised to clients → Used to request Microsoft Graph or other upstream API permissions Features: - OAuth proxy to Azure/Microsoft identity platform - JWT validation using tenant issuer and JWKS - Supports tenant configurations: specific tenant ID, "organizations", or "consumers" - Custom API scopes and Microsoft Graph scopes in a single provider Setup: 1. Create an App registration in Azure Portal 2. Configure Web platform redirect URI: http://localhost:8000/auth/callback (or your custom path) 3. Add an Application ID URI under "Expose an API" (defaults to api://{client_id}) 4. Add custom scopes (e.g., "read", "write") under "Expose an API" 5. Set access token version to 2 in the App manifest: "requestedAccessTokenVersion": 2 6. Create a client secret 7. Get Application (client) ID, Directory (tenant) ID, and client secret Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.azure import AzureProvider # Standard Azure (Public Cloud) auth = AzureProvider( client_id="your-client-id", client_secret="your-client-secret", tenant_id="your-tenant-id", required_scopes=["read", "write"], # Unprefixed scope names additional_authorize_scopes=["User.Read", "Mail.Read"], # Optional Graph scopes base_url="http://localhost:8000", # identifier_uri defaults to api://{client_id} ) # Azure Government auth_gov = AzureProvider( client_id="your-client-id", client_secret="your-client-secret", tenant_id="your-tenant-id", required_scopes=["read", "write"], base_authority="login.microsoftonline.us", # Override for Azure Gov base_url="http://localhost:8000", ) mcp = FastMCP("My App", auth=auth) ``` NT)rrrrrrr r"r#r$client_storager%require_authorization_consentr(r str | NotSetTrrrstr | NotSetT | Nonerrr r"list[str] | NotSetT | Noner#r$list[str] | NotSetTr?AsyncKeyValue | Noner%str | bytes | NotSetTr@boolr(r-Nonecstdd||||||||| | | |d D}|js"d}t||js+d}t||js4d}t||js=d}t||jpEd|j|_|j pKg|_ |j}|j }d |d |d }d |d |d }t |||jd |jd}|jrx|j nd}d |d |d}d |d |d}t j|||j|||j|j|jp|j|j| |j| d d}|dkrd|}td|j||jrd|jnd|dS)u Initialize Azure OAuth provider. Args: client_id: Azure application (client) ID from your App registration client_secret: Azure client secret from your App registration tenant_id: Azure tenant ID (specific tenant GUID, "organizations", or "consumers") identifier_uri: Optional Application ID URI for your custom API (defaults to api://{client_id}). This URI is automatically prefixed to all required_scopes during initialization. Example: identifier_uri="api://my-api" + required_scopes=["read"] → tokens validated for "api://my-api/read" base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in Azure App registration (defaults to "/auth/callback") base_authority: Azure authority base URL (defaults to "login.microsoftonline.com"). For Azure Government, use "login.microsoftonline.us". required_scopes: Custom API scope names WITHOUT prefix (e.g., ["read", "write"]). - Automatically prefixed with identifier_uri during initialization - Validated on all tokens - Advertised in Protected Resource Metadata - Must match scope names defined in Azure Portal under "Expose an API" Example: ["read", "write"] → validates tokens containing ["api://xxx/read", "api://xxx/write"] additional_authorize_scopes: Microsoft Graph or other upstream scopes in full format. - NOT prefixed with identifier_uri - NOT validated on tokens - NOT advertised to MCP clients - Used to request additional permissions from Azure (e.g., Graph API access) Example: ["User.Read", "Mail.Read", "offline_access"] These scopes allow your FastMCP server to call Microsoft Graph APIs using the upstream Azure token, but MCP clients are unaware of them. allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to Azure. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. cSsi|] \}}|tur||qSr2)r).0kr+r2r2r3 s z*AzureProvider.__init__..) rrrrrrr r"r#r$r%r(zPclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_CLIENT_IDzXclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_CLIENT_SECRETztenant_id is required - set via parameter or FASTMCP_SERVER_AUTH_AZURE_TENANT_ID. Use your Azure tenant ID (found in Azure Portal), 'organizations', or 'consumers'arequired_scopes must include at least one scope - set via parameter or FASTMCP_SERVER_AUTH_AZURE_REQUIRED_SCOPES. Azure's OAuth API requires the 'scope' parameter in authorization requests. Use the unprefixed scope names from your Azure App registration (e.g., ['read', 'write'])zapi://zhttps:///z/v2.0z/discovery/v2.0/keysRS256)jwks_uriissueraudience algorithmr"z/oauth2/v2.0/authorizez/oauth2/v2.0/token) upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secrettoken_verifierrr rr$r?r%r@r&z using authority zAInitialized Azure OAuth provider for client %s with tenant %s%s%sz and identifier_uri N)rmodel_validateitemsr ValueErrorrrr"rr#r(r get_secret_valuesuper__init__rr rr$r%loggerinfo)selfrrrrrrr r"r#r$r?r%r@r(settingsmsgtenant_id_finalbase_authority_finalrOrNrWclient_secret_strauthorization_endpointtoken_endpointauthority_info __class__r2r3r]zs=    zAzureProvider.__init__clientrparamsrr'csv|}t|dr"t|dd}|dur"|jddid}|r"td|t||IdH}d|vr2dnd}||dS)aStart OAuth transaction and redirect to Azure AD. Override parent's authorize method to filter out the 'resource' parameter which is not supported by Azure AD v2.0 endpoints. The v2.0 endpoints use scopes to determine the resource/audience instead of a separate parameter. Args: client: OAuth client information params: Authorization parameters from the client Returns: Authorization URL to redirect the user to Azure AD resourceN)updatezNFiltering out 'resource' parameter '%s' for Azure AD v2.0 (use scopes instead)?&zprompt=select_account)hasattrgetattr model_copyr^debugr\ authorize)r`rkrl params_to_useoriginal_resourceauth_url separatorrir2r3ru%s  zAzureProvider.authorizetxn_id transactiondict[str, Any]cs|dp |jp g}g}|D]}d|vsd|vr||q||jd|q|jr3||j|}||d<t||S)zBuild Azure authorization URL with prefixed scopes. Overrides parent to prefix scopes with identifier_uri before sending to Azure, while keeping unprefixed scopes in the transaction for MCP clients. scopesz://rL) getr"appendrr#extendcopyr\_build_upstream_authorize_url)r`rzr{unprefixed_scopesprefixed_scopesscopemodified_transactionrir2r3rJs   z+AzureProvider._build_upstream_authorize_url)rrArrArrArrBrrArrAr rAr"rCr#rCr$rDr?rEr%rFr@rGr(rAr-rH)rkrrlrr-r')rzr'r{r|r-r') r7r8r9r:rr]rur __classcell__r2r2rir3r>>s(>,%r>N)#r: __future__rtypingrrkey_value.aio.protocolsrpydanticrrpydantic_settingsrr fastmcp.server.auth.oauth_proxyr !fastmcp.server.auth.providers.jwtr fastmcp.settingsr fastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrmcp.server.auth.providerrmcp.shared.authrr7r^rr>r2r2r2r3s$         !