o i=5@sdZddlmZddlZddlZddlmZddlmZm Z m Z ddl m Z m Z ddlmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZmZeeZGddde ZGdddeZ GdddeZ!dS)aoGoogle OAuth provider for FastMCP. This module provides a complete Google OAuth integration that's ready to use with just a client ID and client secret. It handles all the complexity of Google's OAuth flow, token validation, and user management. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.google import GoogleProvider # Simple Google OAuth protection auth = GoogleProvider( client_id="your-google-client-id.apps.googleusercontent.com", client_secret="your-google-client-secret" ) mcp = FastMCP("My Protected Server", auth=auth) ``` ) annotationsN) AsyncKeyValue) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) TokenVerifier) AccessToken) OAuthProxy)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc@seZdZUdZededdZdZded<dZ ded <dZ d ed <dZ d ed <dZ ded <dZ ded<dZded<dZded<dZded<edddeddZdS)GoogleProviderSettingsz#Settings for Google OAuth provider.FASTMCP_SERVER_AUTH_GOOGLE_ignore) env_prefixenv_fileextraNz str | None client_idzSecretStr | None client_secretzAnyHttpUrl | str | Nonebase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesz int | Nonetimeout_secondsallowed_client_redirect_urisjwt_signing_keybefore)modecCst|S)Nr )clsvr&j/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/google.py _parse_scopes=sz$GoogleProviderSettings._parse_scopes)__name__ __module__ __qualname____doc__rr model_configr__annotations__rrrrrrr r!r classmethodr(r&r&r&r'r*s&           rcs4eZdZdZddddfd d ZdddZZS)GoogleTokenVerifierzToken verifier for Google OAuth tokens. Google OAuth tokens are opaque (not JWTs), so we verify them by calling Google's tokeninfo API to check if they're valid and get user info. N rrrrrintcstj|d||_dS)zInitialize the Google token verifier. Args: required_scopes: Required OAuth scopes (e.g., ['openid', 'https://www.googleapis.com/auth/userinfo.email']) timeout_seconds: HTTP request timeout )rN)super__init__r)selfrr __class__r&r'r5Js zGoogleTokenVerifier.__init__tokenstrreturnAccessToken | Nonecsz0tj|jd4IdH}|jdd|iddidIdH}|jdkr8td |j WdIdHWdS|}|d }|r[t|d kr[td  WdIdHWdS|d d}dd| dD}|j rt |}t |j } | |stdt |t |  WdIdHWdSi} d|vsd|vrz|jdd|dddIdH} | jdkr| } Wnty} z td| WYd} ~ nd} ~ wwd} |rttt|} t||dd|| | dp|dd| d| d| d | d!| d"| d#| |d$ d%}td&|WdIdHWS1IdHs+wYWdStjyM} z td'| WYd} ~ dSd} ~ wtyf} z td(| WYd} ~ dSd} ~ ww))zus z4GoogleTokenVerifier.verify_token.. z6Google token missing required scopes. Has %d, needs %dopenidprofilez-https://www.googleapis.com/oauth2/v2/userinfozBearer ) Authorizationr?)rAz$Failed to fetch Google user info: %saudienceunknowniduser_idemailnamepicture given_name family_namelocale) subrQrRrSrTrUrVgoogle_user_datagoogle_token_info)r9rscopes expires_atclaimsz"Google token verified successfullyz!Failed to verify Google token: %sz#Google token verification error: %s)httpx AsyncClientrget status_codeloggerdebugjsonr3splitrsetissubsetlen Exceptiontimer RequestError)r6r9clientresponse token_inforC scope_string token_scopestoken_scopes_setrequired_scopes_set user_datauserinfo_responseer[r>r&r&r' verify_tokenYs      *    6V  z GoogleTokenVerifier.verify_token)rrrr3)r9r:r;r<)r)r*r+r,r5ru __classcell__r&r&r7r'r0Cs  r0c s<eZdZdZeeeeeeeededd dfddZZS)GoogleProvidera;Complete Google OAuth provider for FastMCP. This provider makes it trivial to add Google OAuth protection to any FastMCP server. Just provide your Google OAuth app credentials and a base URL, and you're ready to go. Features: - Transparent OAuth proxy to Google - Automatic token validation via Google's tokeninfo API - User information extraction from Google APIs - Minimal configuration required Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.google import GoogleProvider auth = GoogleProvider( client_id="123456789.apps.googleusercontent.com", client_secret="GOCSPX-abc123...", base_url="https://my-server.com" ) mcp = FastMCP("My App", auth=auth) ``` NT) rrrrrrrr client_storager!require_authorization_consentr str | NotSetTrrAnyHttpUrl | str | NotSetTrrrlist[str] | NotSetTr int | NotSetTr rxAsyncKeyValue | Noner!str | bytes | NotSetTryboolc stdd||||||||| d D} | jstd| js$td| jp(d} | jp.dg}| j}t || d}| jr@| j nd }t j d d | j||| j | j| jpT| j || | j| d td | j|dS)aInitialize Google OAuth provider. Args: client_id: Google OAuth client ID (e.g., "123456789.apps.googleusercontent.com") client_secret: Google OAuth client secret (e.g., "GOCSPX-abc123...") base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in Google OAuth app (defaults to "/auth/callback") required_scopes: Required Google scopes (defaults to ["openid"]). Common scopes include: - "openid" for OpenID Connect (default) - "https://www.googleapis.com/auth/userinfo.email" for email access - "https://www.googleapis.com/auth/userinfo.profile" for profile info timeout_seconds: HTTP request timeout for Google API calls allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to Google. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. cSsi|] \}}|tur||qSr&)r)rGkr%r&r&r' s   z+GoogleProvider.__init__..) rrrrrrrr r!zQclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_IDzYclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRETr1rJr2rEz,https://accounts.google.com/o/oauth2/v2/authz#https://oauth2.googleapis.com/token) upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secrettoken_verifierrrrr rxr!ryz?Initialized Google OAuth provider for client %s with scopes: %sN)rmodel_validateitemsr ValueErrorrrrr r0get_secret_valuer4r5rrrr!rarb)r6rrrrrrrr rxr!rysettingstimeout_seconds_finalrequired_scopes_final"allowed_client_redirect_uris_finalrclient_secret_strr7r&r'r5sh+   zGoogleProvider.__init__)rrzrrzrr{rr{rrzrr|rr}r r|rxr~r!rryr)r)r*r+r,rr5rvr&r&r7r'rwsrw)"r, __future__rrir]key_value.aio.protocolsrpydanticrrrpydantic_settingsrrfastmcp.server.authr fastmcp.server.auth.authr fastmcp.server.auth.oauth_proxyr fastmcp.settingsr fastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr)rarr0rwr&r&r&r's$        w