o i]@sUdZddlmZddlZddlZddlZddlZddlZddlZddlm Z ddl m Z m Z m Z ddlmZmZddlZddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddl m!Z!m"Z"ddl m#Z$ddl%m&Z&ddl'm(Z(ddl)m*Z*m+Z+m,Z,m-Z-m.Z.m/Z/ddl0m1Z1ddl2m3Z3m4Z4ddl5m6Z6m7Z7ddl8m9Z9m:Z:m;Z;mm?Z?ddl@mAZAmBZBddlCmDZDddlEmFZFddlGmHZHddlImJZJmKZKddlLmMZMddlNmOZOmPZPddlQmRZRdd lSmTZTdd!lUmVZVmWZWmXZXmYZYmZZZm[Z[m\Z\m]Z]m^Z^e r eTe_Z`d"Zad#ebd$<d%Zcd#ebd&<d'Zdd#ebd(<Gd)d*d*e;ZeGd+d,d,e;ZfGd-d.d.e;ZgGd/d0d0e;ZhGd1d2d2e6Zi  3    dOdPdCdDZj   dQdRdIdJZkGdKdLdLe$Z#GdMdNdNeJZldS)SaOAuth Proxy Provider for FastMCP. This provider acts as a transparent proxy to an upstream OAuth Authorization Server, handling Dynamic Client Registration locally while forwarding all other OAuth flows. This enables authentication with upstream providers that don't support DCR or have restricted client registration policies. Key features: - Proxies authorization and token endpoints to upstream server - Implements local Dynamic Client Registration with fixed upstream credentials - Validates tokens using upstream JWKS - Maintains minimal local state for bookkeeping - Enhanced logging with request correlation This implementation is based on the OAuth 2.1 specification and is designed for production use with enterprise identity providers. ) annotationsN)urlsafe_b64encode) TYPE_CHECKINGAnyFinal) urlencodeurlparse)generate_token)AsyncOAuth2Client)Fernet)PydanticAdapter) AsyncKeyValue) DiskStore)FernetEncryptionWrapper)TokenErrorResponseTokenSuccessResponse) TokenHandler)PydanticJSONResponse)ClientAuthenticator) AccessTokenAuthorizationCodeAuthorizationParamsAuthorizeError RefreshToken TokenError)cors_middleware)ClientRegistrationOptionsRevocationOptions)OAuthClientInformationFull OAuthToken) AnyHttpUrlAnyUrl BaseModelField SecretStr)Request) HTMLResponseRedirectResponse)Route)override)settings) OAuthProvider TokenVerifier)AuthorizationHandler) JWTIssuerderive_jwt_key)validate_redirect_uri) get_logger) BUTTON_STYLESDETAIL_BOX_STYLESDETAILS_STYLESINFO_BOX_STYLESREDIRECT_SECTION_STYLESTOOLTIP_STYLES create_logo create_pagecreate_secure_html_responseiz Final[int]#DEFAULT_ACCESS_TOKEN_EXPIRY_SECONDSi, DEFAULT_AUTH_CODE_EXPIRY_SECONDSHTTP_TIMEOUT_SECONDSc@seZdZUdZded<ded<ded<ded<ded<ded <d ed <d ed <dZded<dZded<dZded<dZded<dS)OAuthTransactionzOAuth transaction state for consent flow. Stored server-side to track active authorization flows with client context. Includes CSRF tokens for consent protection per MCP security best practices. strtxn_id client_idclient_redirect_uri client_state str | Nonecode_challengecode_challenge_method list[str]scopesfloat created_atNresourceproxy_code_verifier csrf_token float | Nonecsrf_expires_at) __name__ __module__ __qualname____doc____annotations__rLrMrNrPrVrVe/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/oauth_proxy.pyr?ms    r?c@sZeZdZUdZded<ded<ded<ded<ded<d ed <d ed <d ed<d ed<dS) ClientCodezClient authorization code with PKCE and upstream tokens. Stored server-side after upstream IdP callback. Contains the upstream tokens bound to the client's PKCE challenge for secure token exchange. r@coderB redirect_urirErFrGrHrIdict[str, Any] idp_tokensrJ expires_atrKNrQrRrSrTrUrVrVrVrWrXs  rXc@sleZdZUdZded<ded<ded<ded<d ed <ded <ded <ded <d ed<eedZded<dS)UpstreamTokenSeta<Stored upstream OAuth tokens from identity provider. These tokens are obtained from the upstream provider (Google, GitHub, etc.) and stored in plaintext within this model. Encryption is handled transparently at the storage layer via FernetEncryptionWrapper. Tokens are never exposed to MCP clients. r@upstream_token_id access_tokenrE refresh_tokenrOrefresh_token_expires_atrJr] token_typescoperBrK)default_factoryr[raw_token_dataN)rQrRrSrTrUr#dictrgrVrVrVrWr_s r_c@s*eZdZUdZded<ded<ded<dS) JTIMappingzMaps FastMCP token JTI to upstream token ID. This allows stateless JWT validation while still being able to look up the corresponding upstream token when tools need to access upstream APIs. r@jtir`rJrKNr^rVrVrVrWris  ricsHeZdZUdZeddZded<eddZded<dfd d ZZ S)ProxyDCRClientaClient for DCR proxy with configurable redirect URI validation. This special client class is critical for the OAuth proxy to work correctly with Dynamic Client Registration (DCR). Here's why it exists: Problem: -------- When MCP clients use OAuth, they dynamically register with random localhost ports (e.g., http://localhost:55454/callback). The OAuth proxy needs to: 1. Accept these dynamic redirect URIs from clients based on configured patterns 2. Use its own fixed redirect URI with the upstream provider (Google, GitHub, etc.) 3. Forward the authorization code back to the client's dynamic URI Solution: --------- This class validates redirect URIs against configurable patterns, while the proxy internally uses its own fixed redirect URI with the upstream provider. This allows the flow to work even when clients reconnect with different ports or when tokens are cached. Without proper validation, clients could get "Redirect URI not registered" errors when trying to authenticate with cached tokens, or security vulnerabilities could arise from accepting arbitrary redirect URIs. N)defaultlist[str] | Noneallowed_redirect_uri_patternsrE client_namerZ AnyUrl | Nonereturnr!cs2|durt||jdr |St|St|S)a;Validate redirect URI against allowed patterns. Since we're acting as a proxy and clients register dynamically, we validate their redirect URIs against configurable patterns. This is essential for cached token scenarios where the client may reconnect with a different port. N)rZallowed_patterns)r0rnsuper)selfrZ __class__rVrWr0s  z$ProxyDCRClient.validate_redirect_uri)rZrprqr!) rQrRrSrTr#rnrUror0 __classcell__rVrVrurWrks rkApplication Access RequestrBr@rZrIrHrArNrorEtitle server_nameserver_icon_urlserver_website_urlclient_website_urlrqc  sddl|p |} |pd} | r#| } d| d| d}n| }d| d|d }|}d |d }d |p?|fd | pGdfd|fd|fd|r^dfdd|Dndfg}ddd|D}d|d}d|d|d}d}dt||pdd d!|d"|d"|d"|d#|d$ }tttttt }t |}|j }d%d&g}|r|d'vr| |d(d)|}d*|}t||||d+S),zCCreate a styled HTML consent page for OAuth authorization requests.rNFastMCPz zzG

The application z1 wants to access the MCP server zZ. Please ensure you recognize the callback address below.

z
Credentials will be sent to:
z
zApplication NamezApplication WebsiteN/AzApplication IDz Redirect URIzRequested Scopesz, c3s|]}|VqdSNescape).0s html_modulerVrW sz&create_consent_html..None cSs"g|] \}}d|d|dqS)zH
z.:
z
rVrlabelvaluerVrVrW $sz'create_consent_html..zx
Advanced Details
z+
zo
u
Why am I seeing this? This FastMCP server requires your consent to allow a new client to connect. This protects you from confused deputy attacks, where malicious clients could impersonate you and steal access.

Learn more about FastMCP security →
-
icon_urlalt_textz=

Application Access Request

z
z zhttps:zhttp:)httphttps: zbdefault-src 'none'; style-src 'unsafe-inline'; img-src https: data:; base-uri 'none'; form-action contentryadditional_styles csp_policy)htmlrjoinr8r5r6r4r3r2r7rschemelowerappendr9)rBrZrIrArNroryrzr{r|r}client_displayserver_name_escapedwebsite_url_escapedserver_display intro_boxredirect_uri_escapedredirect_section detail_rowsdetail_rows_htmladvanced_detailsform help_linkrrparsed_redirectredirect_schemeform_action_schemesform_action_directiverrVrrWcreate_consent_htmls            r error_title error_message error_detailsdict[str, str] | Nonec sddl|}d|d}d}|r'dfdd|D}d |d }d t||p-d d d|d|d|d } tttd} d} t| || | dS)aCreate a styled HTML error page for OAuth errors. Args: error_title: The error title (e.g., "OAuth Error", "Authorization Failed") error_message: The main error message to display error_details: Optional dictionary of error details to show (e.g., {"Error Code": "invalid_client"}) server_name: Optional server name to display server_icon_url: Optional URL to server icon/logo Returns: Complete HTML page as a string rNz5

z

rcs.g|]\}}d|d|dqS)zP
z2:
z&
rrrrVrWrsz%create_error_html..z
Error Details
z7
rr~rz

z

rz zI .info-box.error { color: #111827; } zTdefault-src 'none'; style-src 'unsafe-inline'; img-src https: data:; base-uri 'none'r) rrritemsr8r5r4r3r9) rrrrzr{error_message_escaped error_boxdetails_sectionrrrrrVrrWcreate_error_htmlsN      rcs"eZdZdZdfdd ZZS)ra9TokenHandler that returns OAuth 2.1 compliant error responses. The MCP SDK always returns HTTP 400 for all client authentication issues. However, OAuth 2.1 Section 5.3 and the MCP specification require that invalid or expired tokens MUST receive a HTTP 401 response. This handler extends the base MCP SDK TokenHandler to transform client authentication failures into OAuth 2.1 compliant responses: - Changes 'unauthorized_client' to 'invalid_client' error code - Returns HTTP 401 status code instead of 400 for client auth failures Per OAuth 2.1 Section 5.3: "The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported." Per MCP spec: "Invalid or expired tokens MUST receive a HTTP 401 response." obj)TokenSuccessResponse | TokenErrorResponsecsRt|tr#|jdkr#|jr#d|jvr#ttd|j|jdddddd St|S) zGOverride response method to provide OAuth 2.1 compliant error handling.unauthorized_clientzInvalid client_idinvalid_client)errorerror_description error_uriizno-storezno-cache)z Cache-ControlPragma)r status_codeheaders) isinstancerrrrrrsresponse)rtrrurVrWrs$   zTokenHandler.response)rr)rQrRrSrTrrwrVrVrurWrsrcsLeZdZdZdddddddddddddd d~fd"d#Zdd&d'Zedd*d+Zedd/d0Zedd4d5Z edd8d9Z eddt d |j|jrWt|jdSd dS) aMRegister a client locally When a client registers, we create a ProxyDCRClient that is more forgiving about validating redirect URIs, since the DCR client's redirect URI will likely be localhost or unknown to the proxied IDP. The proxied IDP only knows about this server's fixed redirect URI. Nz-client_id is required for client registrationzhttp://localhostauthorization_coderbnonero)rB client_secret redirect_uris grant_typesrerrnro)rrzClient registered with redirect_uri: %s - if restricting redirect URIs, ensure this pattern is allowed in allowed_client_redirect_urisz*Registered client %s with %d redirect URIsr)rB ValueErrorrkr+r,r!r-rerrgetattrrputrrr)rtr( proxy_clienturirVrVrWregister_clients>      zOAuthProxy.register_clientr&paramsrc s$td}d}d}|jr|jr|\}}td||jdur'tdddt ||jt |j |j p3d|jt |dd |jp>gtt |d d|d }|jj||d d IdH|jss|||}td||j|rnd|Sd|St |jdd|}td||j|rd|Sd|S)aStart OAuth transaction and route through consent interstitial. Flow: 1. Store transaction with client details and PKCE (if forwarding) 2. Return local /consent URL; browser visits consent first 3. Consent handler redirects to upstream IdP if approved/already approved If consent is disabled (require_authorization_consent=False), skip the consent screen and redirect directly to the upstream IdP. NzLGenerated proxy PKCE for transaction %s (forwarding client PKCE to upstream)rClient ID is requiredrrrrGS256rL) rArBrCrDrFrGrIrKrLrMrrttlzyStarting OAuth transaction %s for client %s, redirecting directly to upstream IdP (consent disabled, PKCE forwarding: %s)rdisabledrz/consent?txn_id=z^Starting OAuth transaction %s for client %s, redirecting to consent page (PKCE forwarding: %s))secrets token_urlsaferrFr#rrrBrr?r@rZstater/rItimerr0r_build_upstream_authorize_url model_dumprr) rtr&r4rArMproxy_code_challenge transaction upstream_url consent_urlrVrVrW authorizesp        zOAuthProxy.authorizer)AuthorizationCode | Nonec s|jj|dIdH}|std|dSt|jkr.td||jj|dIdH}dS|j|jkr?td|j|jdS|jdurJtdddt ||jt |j d d |j |j|j p\d d S) zLoad authorization code for validation. Look up our client code and return authorization code object with PKCE challenge for validation. rNz Authorization code not found: %szAuthorization code expired: %sz/Authorization code client ID mismatch: %s vs %srr6r7)urlTr)rYrBrZ redirect_uri_provided_explicitlyrIr]rF)rr%rrr@r]deleterBrrr!rZrIrF)rtr&r) code_model_rVrVrWload_authorization_code$s:      z"OAuthProxy.load_authorization_coderrc s|jj|jdIdH}|std|jtdd|j}|jj|jdIdHt d}t d}|drintr;r@rr_rrIrBrr0r issue_access_tokenissue_refresh_tokenrrirrrrrrr)rtr&r)rLr\r` access_jti refresh_jtirPrQrcupstream_token_setfastmcp_access_tokenfastmcp_refresh_tokenrVrVrWexchange_authorization_codeSs                         z&OAuthProxy.exchange_authorization_coderbRefreshToken | Nonecs|j|S)z&Load refresh token from local storage.)rr%)rtr&rbrVrVrWload_refresh_tokens zOAuthProxy.load_refresh_tokenrrIrHc sz |j|j}|d}Wnty&}z td|tdd|d}~ww|jj|dIdH}|sBt d|ddtdd |j j|j dIdH}|s_t d |j ddtdd |j slt d tdd t |j|j|jtd} z*td|dd| j d'|j|j |rd|ndd|jIdH} tdWnty}zt d|tdd||d}~wwt| dt} | d|_t| |_d} | d} r| |j kr| |_ tdd| vrt| d} t| |_td| n|jrt|jt} n d} t| |_| |_|j j|j || p4|jr3t|jtnddIdH|jdurEtddt d}|jj!|j||| d }|jj|t"||j td!| dIdHt d}|jj#|j||| pydd }| pd}|jj|t"||j td!|dIdH|jj$|dIdHtd"t%||j|tt| d#|j&|<t'||j|dd#|j(|<||j)|<||j*|<|j(+|jd|j*+|jd}|r|j&+|d|j)+|dt,d$|j|dd|ddt-|d%| |d|d&S)(aExchange FastMCP refresh token for new FastMCP access token. Implements two-tier refresh: 1. Verify FastMCP refresh token 2. Look up upstream token via JTI mapping 3. Refresh upstream token with upstream provider 4. Update stored upstream token 5. Issue new FastMCP access token 6. Keep same FastMCP refresh token (unless upstream rotates) rjz+FastMCP refresh token validation failed: %srOzInvalid refresh tokenNrz+JTI mapping not found for refresh token: %srUzRefresh token mapping not foundz Upstream token set not found: %szUpstream token not foundz#No upstream refresh token availablez$Refresh not supported for this tokenrBr+rtimeoutz"Refreshing upstream token (jti=%s)r)rIrbrez%Successfully refreshed upstream tokenz!Upstream token refresh failed: %szUpstream refresh failed: rPrarbzUpstream refresh token rotatedrQrRrSr:rr6r5rVrWzCRotated refresh token (old JTI invalidated - one-time use enforced)rXzYIssued new FastMCP tokens (rotated refresh) for client=%s (access_jti=%s, refresh_jti=%s)rTrZrV).r  verify_tokenrY Exceptionrrrrr%rrr`rbr rrget_secret_valuerr>rrrr[r;rar@r]rcrgr0rBr=r>r\rir]rKrrrrrrpopinfor)rtr&rbrIrefresh_payloadr_e jti_mappingr` oauth_clienttoken_responsenew_expires_innew_refresh_expires_innew_upstream_refreshnew_access_jtinew_fastmcp_accessnew_refresh_jtinew_fastmcp_refresh refresh_ttl old_accessrVrVrWexchange_refresh_tokens.                              z!OAuthProxy.exchange_refresh_tokenrYAccessToken | Nonec szW|j|}|d}|jj|dIdH}|s!td|WdS|jj|jdIdH}|s8td|jWdS|j|j IdH}|sLtdWdStd|dd|WSt yq}z td |WYd}~dSd}~ww) aValidate FastMCP JWT by swapping for upstream token. This implements the token swap pattern: 1. Verify FastMCP JWT signature (proves it's our token) 2. Look up upstream token via JTI mapping 3. Decrypt upstream token 4. Validate upstream token with provider (GitHub API, JWT validation, etc.) 5. Return upstream validation result The FastMCP JWT is a reference token - all authorization data comes from validating the upstream token via the TokenVerifier. rjrNzJTI mapping not found: %szUpstream token not found: %sz Upstream token validation failedz5Token swap successful for JTI=%s (upstream validated)rUz Token swap validation failed: %s) r rhrr%rrrr`rrari)rtrYpayloadrjror` validatedrnrVrVrWload_access_tokens>       zOAuthProxy.load_access_tokenAccessToken | RefreshTokenc sVt|tr'|j|jd|j|jd}|r&|j|d|j|dn |j|jd|j|jd}|rG|j|d|j|d|jrzpostrrrjrrrir)rtrYpaired_refresh paired_access http_clientrnrVrVrW revoke_token sF  (  zOAuthProxy.revoke_tokenmcp_path list[Route]c st|}g}d}d}tdt|dt|D]\}}td|d|dt|ddd t|d dt|trj|j d krj|j d urjd |j vsQd|j vrjd}t ||j d d d}| td |jd dgdqt|tr|j dkr|j d urd|j vrd}t|t|d} | tdt| jddgddgdq| |q| t|j|jd gd| td|jd dgdtd|d|dt|d|S)aGet OAuth routes with custom handlers for better error UX. This method creates standard OAuth routes and replaces: - /authorize endpoint: Enhanced error responses for unregistered clients - /token endpoint: OAuth 2.1 compliant error codes Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to advertise the resource URL in metadata. Fz0get_routes called - configuring OAuth routes in z routeszRoute z: z - path: pathrz , methods: methodsz /authorizeNGETPOSTT)providerrrzr{)rendpointrz/token)rclient_authenticatorOPTIONSz/consentu0✅ OAuth routes configured: authorize_endpoint=z, token_endpoint=z, total routes=z$ (includes OAuth callback + consent))rs get_routesrrr enumerater/rr(rrr-rrhandlerrrr_handle_idp_callback_handle_consent) rtrroutes custom_routestoken_route_foundauthorize_route_foundirouteauthorize_handler token_handlerrurVrWr9s *          zOAuthProxy.get_routesrequestr%HTMLResponse | RedirectResponsec s4zp|jd}|jd}|jd}|r=|jd}td||tdd|p*d|r2d |ind d }t|d d WS|rA|sStdtddd}t|d d WS|jj|dId H}|srtd|tddd}t|d d WS|}t|j |j |j t d} z]t|jd|j} td| |j|| d} |d} | r| | d<td||jr| |jtd|t|j| jd5i| Id H} td|dt| dWn)ty }ztd|tdd |d}t|d!d WYd }~WSd }~wwtd"}ttt}|j j!|t"||d#|d$|d%|d&|d'| |td( td)Id H|jj#|dId H|d$}|d*}||d+}d,|vrXd-nd,}||t$|}td.|t%|d/d0WSty}ztjd1|d2d3tdd4d}t|d!d WYd }~Sd }~ww)6aHandle callback from upstream IdP and forward to client. This implements the DCR-compliant callback forwarding: 1. Receive IdP callback with code and txn_id as state 2. Exchange IdP code for tokens (server-side) 3. Generate our own client code bound to PKCE challenge 4. Redirect to client's callback with client code and original state rYr?rrzIdP callback error: %s - %sz OAuth ErrorzAuthentication failed: z Unknown errorz Error CodeN)rrr)rrz+IdP callback missing code or transaction IDzHMissing authorization code or transaction ID from the identity provider.)rrrz,IdP callback with invalid transaction ID: %szNInvalid or expired authorization transaction. Please try authenticating again.rfrz2Exchanging IdP code for tokens with redirect_uri: )rIrYrZrMr!zBIncluding proxy code_verifier in token exchange for transaction %sz4Adding extra token parameters for transaction %s: %sz9Successfully exchanged IdP code for tokens (transaction: z, PKCE: )zIdP token exchange failed: %sz.Token exchange with identity provider failed: ir5rBrCrFrGrI) rYrBrZrFrGrIr\r]rKr:rD)rYr??&z.Forwarding to client callback for transaction .rIrz!Error in IdP callback handler: %sT)exc_infozIInternal server error during OAuth callback processing. Please try again.rV)& query_paramsr%rrrr&rrBr rrrjrr>r@rrrrrrupdaterkeys fetch_tokenrrir=r>r[r@r<rr0rXrKrr')rtridp_coderArr html_contenttransaction_modelrDrpidp_redirect_uri token_paramsrMr\rn client_codecode_expires_atrCrDcallback_params separatorclient_callback_urlrVrVrWrs              zOAuthProxy._handle_idp_callbackr2cCsVt|}|jpd}|jd|j|}|dr)t|dkr)|dd}|S)z9Normalize a URI to a canonical form for consent tracking.rz://rN)rrrrnetlocendswithr)rtr2parsedr normalizedrVrVrW_normalize_uriBs   zOAuthProxy._normalize_urirZ str | AnyUrlcCs|t|}|d|S)zICreate a stable key for consent tracking from client_id and redirect_uri.r)rr@)rtrBrZrrVrVrW_make_client_keyKszOAuthProxy._make_client_key base_namecCs|jrd|Sd|S)zCReturn secure cookie name for HTTPS, fallback for HTTP development.z__Host-__)r )rtrrVrVrW _cookie_namePs  zOAuthProxy._cookie_namer}cCsB|j}t||tj}t | }|d|S)zdSign a cookie payload with HMAC-SHA256. Returns: base64(payload).base64(signature) .) rrjrhmacnewrrr base64 b64encoder )rtr}r signature signature_b64rVrVrW _sign_cookieVszOAuthProxy._sign_cookie signed_valuecCsz5d|vrWdS|dd\}}|j}t||tj}t |}t ||s3WdS|WSt y?YdSw)ztVerify and extract payload from signed cookie. Returns: payload if signature valid, None otherwise rNr) rsplitrrjrrrrrr r b64decodecompare_digestri)rtrr}rr expected_sig provided_sigrVrVrW_verify_cookieas  zOAuthProxy._verify_cookiecCs||}|j|p|jd|}|sgSz.||}|s)td|gWSt|}t | }t |t rDdd|DWSWgStyVtd|YgSw)z_Decode and verify a signed base64-encoded JSON list from cookie. Returns [] if missing/invalid.rz+Cookie signature verification failed for %scSsg|]}t|qSrV)r@)rxrVrVrWrsz2OAuthProxy._decode_list_cookie..z-Failed to decode cookie %s; treating as empty)rcookiesr%rrrrrrjsonloadsr rrri)rtrr secure_namerawr}rrrVrVrW_decode_list_cookiexs&     zOAuthProxy._decode_list_cookievaluescCs*tj|dd}t|}||S)znEncode values to base64 and sign with HMAC. Returns: signed cookie value (payload.signature) ),r) separators)rdumpsrrrr r)rtrr} payload_b64rVrVrW_encode_list_cookies zOAuthProxy._encode_list_cookier value_b64max_ager[c Cs(||}|j||||jdddddS)NTlaxr)rsecurehttponlysamesiter)r set_cookier )rtrrrrnamerVrVrW_set_list_cookies  zOAuthProxy._set_list_cookierArDr[c Csd|jt|jd|j|d}|dp|jpg}|r&d||d<|d}|rGt |  }t | d}||d <d |d <|d }rR||d <|jr[||jd |jvrbdnd } |j| t|S)zKConstruct the upstream IdP authorization URL using stored transaction data.rYr) response_typerBrZr?rIrrerMrrFr8rGrLrr)rr@rrrr%rrrrrr rr rrrr) rtrArDr scopes_to_userMr"rCrLrrVrVrWrAs*  z(OAuthProxy._build_upstream_authorize_urlcs,|jdkr||IdHS||IdHS)zFHandle consent page - dispatch to GET or POST handler based on method.rN)method_submit_consent_show_consent_page)rtrrVrVrWrs zOAuthProxy._handle_consentc s ddlm}|jd}|stdddS|jj|dIdH}|s'tdddS|}||d |d }t| |d }t| |d }||vrU| ||} t | d dS||vr}d|dp`dd} d|d vrkdnd} t |d | t | d dSt d} td} | |_| |_|jj||ddIdH| |d<| |d<||d IdH}|rt|ddnd}t|jjdd}t||r|j}|j}|r|djnd}|j}nd}d}d}t|d |d |dpg|| ||||d }t|}|j|d|| gdd|S) z;Display consent page or auto-approve/deny based on cookies.r)r~rA3

Error

Invalid or expired transaction

rrrNrBrCMCP_APPROVED_CLIENTSMCP_DENIED_CLIENTSrr access_deniedrDrrr?rrr5r9r:rNrProfastmcp_serverrI) rBrZrIrArNrorzr{r|MCP_CONSENT_STATEr)fastmcp.server.serverr~rr%r:rrBrsetrrAr'rr=r>r@rNrPr0r'r/appr?rriconssrc website_urlrrr)rtrr~rA txn_modeltxn client_keyapproveddeniedrErseprNrPr&rofastmcprzrr{r|rrrVrVrWrs            zOAuthProxy._show_consent_pageRedirectResponse | HTMLResponsecs|IdH}t|dd}t|dd}t|dd}|s(tdddS|jj|d IdH}|s:tdddS|}|d}t|d pJd } |rX||ksXt| kr^td ddS||d |d} |dkrt | |d} | | vr}| | | t | } |||} t| dd}|j|d| dd|j|d| gdd|S|dkrt | |d}| |vr| | | t |}d|dpdd}d|dvrdnd}|d|t|}t|dd}|j|d|dd|j|d| gdd|StdddS)zHHandle consent approval/denial, set cookies, and redirect appropriately.NrAractionrNrrrrrPrz5

Error

Invalid or expired consent token

rBrCapproverrri3rr<denyrrrDrrrz#

Error

Invalid action

)rr@r%r:rrBrJr@rrraddrsortedrAr'rr)rtrrrArrNrr expected_csrfr]rr approved_b64rErr denied_b64rrrrVrVrWr2st        zOAuthProxy._submit_consent)&rr@rr@rr@rr@rrErr,rrrrErrrrrrmrrmrrrrErrrrrrrrrr)rqr)rBr@rqr$)r(rrqr)r&rr4rrqr@)r&rr)r@rqrH)r&rr)rrqr)r&rrbr@rqrd)r&rrbrrIrHrqr)rYr@rqr|)rYrrqrr)rrErqr)rr%rqr)r2r@rqr@)rBr@rZrrqr@)rr@rqr@)r}r@rqr@)rr@rqrE)rr%rr@rqrH)rrHrqr@) rrrr@rr@rr[rqr)rAr@rDr[rqr@)rr%rqr)rQrRrSrTrr#r)r'r3rGrNrcrer{rrrrrrrrrrrrrArrrrwrVrVrurWrsfq   0 N .  )  R 8. g #      $ \r)NrxNNNN)rBr@rZr@rIrHrAr@rNr@rorEryr@rzrEr{rEr|rEr}rErqr@)NNN) rr@rr@rrrzrEr{rErqr@)mrT __future__rrrrrr=r@rtypingrrr urllib.parserrrauthlib.common.securityr !authlib.integrations.httpx_clientr cryptography.fernetr key_value.aio.adapters.pydanticr key_value.aio.protocolsr key_value.aio.stores.diskr!key_value.aio.wrappers.encryptionrmcp.server.auth.handlers.tokenrrr_SDKTokenHandlermcp.server.auth.json_responser&mcp.server.auth.middleware.client_authrmcp.server.auth.providerrrrrrrmcp.server.auth.routesrmcp.server.auth.settingsrrmcp.shared.authrrpydanticr r!r"r#r$starlette.requestsr%starlette.responsesr&r'starlette.routingr(typing_extensionsr)rr*fastmcp.server.auth.authr+r,&fastmcp.server.auth.handlers.authorizer-fastmcp.server.auth.jwt_issuerr.r/'fastmcp.server.auth.redirect_validationr0fastmcp.utilities.loggingr1fastmcp.utilities.uir2r3r4r5r6r7r8r9r:rQrr;rUr<r>r?rXr_rirkrrrrVrVrVrWs                     ,     = ! ]1