o i)@sdZddlmZddlZddlZddlmZddlZddlm Z m Z m Z ddl m Z mZddlmZmZddlmZdd lmZdd lmZdd lmZmZeeZGd d d e ZGdddeZdS)a!OAuth 2.0 Token Introspection (RFC 7662) provider for FastMCP. This module provides token verification for opaque tokens using the OAuth 2.0 Token Introspection protocol defined in RFC 7662. It allows FastMCP servers to validate tokens issued by authorization servers that don't use JWT format. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.introspection import IntrospectionTokenVerifier # Verify opaque tokens via RFC 7662 introspection verifier = IntrospectionTokenVerifier( introspection_url="https://auth.example.com/oauth/introspect", client_id="your-client-id", client_secret="your-client-secret", required_scopes=["read", "write"] ) mcp = FastMCP("My Protected Server", auth=verifier) ``` ) annotationsN)Any) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) AccessToken TokenVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc@seZdZUdZededdZdZded<dZ ded<dZ d ed <d Z d ed <dZ ded<dZ ded<edddeddZdS)"IntrospectionTokenVerifierSettingsz8Settings for OAuth 2.0 Token Introspection verification."FASTMCP_SERVER_AUTH_INTROSPECTION_ignore) env_prefixenv_fileextraNz str | Noneintrospection_url client_idzSecretStr | None client_secret inttimeout_secondszlist[str] | Nonerequired_scopeszAnyHttpUrl | str | Nonebase_urlbefore)modecCst|S)Nr )clsvr#q/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/introspection.py _parse_scopes;sz0IntrospectionTokenVerifierSettings._parse_scopes)__name__ __module__ __qualname____doc__rr model_configr__annotations__rrrrrr classmethodr%r#r#r#r$r+s        rcsPeZdZdZeeeeeeddfd dZdddZdddZdddZZ S) IntrospectionTokenVerifiera OAuth 2.0 Token Introspection verifier (RFC 7662). This verifier validates opaque tokens by calling an OAuth 2.0 token introspection endpoint. Unlike JWT verification which is stateless, token introspection requires a network call to the authorization server for each token validation. The verifier authenticates to the introspection endpoint using HTTP Basic Auth with the provided client_id and client_secret, as specified in RFC 7662. Use this when: - Your authorization server issues opaque (non-JWT) tokens - You need to validate tokens from Auth0, Okta, Keycloak, or other OAuth servers - Your tokens require real-time revocation checking - Your authorization server supports RFC 7662 introspection Example: ```python verifier = IntrospectionTokenVerifier( introspection_url="https://auth.example.com/oauth/introspect", client_id="my-service", client_secret="secret-key", required_scopes=["api:read"] ) ``` rrrrrrr str | NotSetTrrr int | NotSetTrlist[str] | NotSetT | Noner!AnyHttpUrl | str | NotSetT | Nonec stdd||||||dD}|jstd|js!td|js(tdtj|j |j d|j|_|j|_|j |_|j |_ t t|_dS) a" Initialize the introspection token verifier. Args: introspection_url: URL of the OAuth 2.0 token introspection endpoint client_id: OAuth client ID for authenticating to the introspection endpoint client_secret: OAuth client secret for authenticating to the introspection endpoint timeout_seconds: HTTP request timeout in seconds (default: 10) required_scopes: Required scopes for all tokens (optional) base_url: Base URL for TokenVerifier protocol cSsi|] \}}|tur||qSr#)r).0kr"r#r#r$ ss  z7IntrospectionTokenVerifier.__init__..r.zhintrospection_url is required - set via parameter or FASTMCP_SERVER_AUTH_INTROSPECTION_INTROSPECTION_URLzXclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_INTROSPECTION_CLIENT_IDz`client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_INTROSPECTION_CLIENT_SECRET)rrN)rmodel_validateitemsr ValueErrorrrsuper__init__rrget_secret_valuerrr&logger)selfrrrrrrsettings __class__r#r$r:]s@ z#IntrospectionTokenVerifier.__init__returnstrcCs2|jd|j}t|dd}d|S)zsz>IntrospectionTokenVerifier._extract_scopes..cSsg|]}|rt|qSr#)rBrPr#r#r$rRs)get isinstancerBsplitlist)r=rK scope_valuer#r#r$_extract_scopess   z*IntrospectionTokenVerifier._extract_scopestokenAccessToken | Nonec s`ztj|jd4IdH}|}|j|j|dd|ddddIdH}|jd krJ|jd |j|j r:|j dd nd  WdIdHWdS| }| d d sg|jd WdIdHWdS| dpq| dd}| d}|r|t kr|jd| WdIdHWdS| |}|jrt|} t|j} | | s|jd| |  WdIdHWdSt|t|||rt|nd|dWdIdHWS1IdHswYWdStjy|jd|jYdStjy} z|jd| WYd} ~ dSd} ~ wty/} z|jd| WYd} ~ dSd} ~ ww)a Verify a bearer token using OAuth 2.0 Token Introspection (RFC 7662). This method makes a POST request to the introspection endpoint with the token, authenticated using HTTP Basic Auth with the client credentials. Args: token: The opaque token string to validate Returns: AccessToken object if valid and active, None if invalid, inactive, or expired )timeoutN access_token)rYtoken_type_hintz!application/x-www-form-urlencodedzapplication/json) Authorizationz Content-TypeAccept)dataheadersz(Token introspection failed: HTTP %d - %sactiveFz)Token introspection returned active=falsersubunknownexpz4Token validation failed: expired token for client %sz4Token missing required scopes. Has: %s, Required: %s)rYrscopes expires_atclaimsz.Token introspection timed out after %d secondsz&Token introspection request failed: %szToken introspection error: %s)httpx AsyncClientrrJpostr status_coder<debugtextjsonrStimerXrsetissubsetr rBrTimeoutException RequestError Exception) r=rYclient auth_headerresponseintrospection_datarrgrh token_scopesrer#r#r$ verify_tokens    "    2  A4Iz'IntrospectionTokenVerifier.verify_token) rr/rr/rr/rr0rr1rr2)rArB)rKrLrArM)rYrBrArZ) r&r'r(r)rr:rJrXr~ __classcell__r#r#r?r$r-As > r-)r) __future__rrDrrtypingrrkpydanticrrrpydantic_settingsrrfastmcp.server.authr r fastmcp.settingsr fastmcp.utilities.authr fastmcp.utilities.loggingrfastmcp.utilities.typesrrr&r<rr-r#r#r#r$s