o i\C@sdZddlmZddlZddlmZddlmZmZm Z ddl m Z m Z ddl mZddlmZdd lmZmZmZdd lmZdd lmZdd lmZdd lmZddlmZddlm Z m!Z!ee"Z#Gddde Z$GdddeZ%GdddeZ&Gddde Z'GdddeZ(dS)a7WorkOS authentication providers for FastMCP. This module provides two WorkOS authentication strategies: 1. WorkOSProvider - OAuth proxy for WorkOS Connect applications (non-DCR) 2. AuthKitProvider - DCR-compliant provider for WorkOS AuthKit Choose based on your WorkOS setup and authentication requirements. ) annotationsN) AsyncKeyValue) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) JSONResponse)Route) AccessTokenRemoteAuthProvider TokenVerifier) OAuthProxy) JWTVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc@seZdZUdZededdZdZded<dZ ded <dZ ded <dZ d ed <dZ d ed <dZ ded<dZded<dZded<dZded<dZded<edddeddZdS)WorkOSProviderSettingsz#Settings for WorkOS OAuth provider.FASTMCP_SERVER_AUTH_WORKOS_ignore env_prefixenv_fileextraN str | None client_idzSecretStr | None client_secretauthkit_domainzAnyHttpUrl | str | Nonebase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesz int | Nonetimeout_secondsallowed_client_redirect_urisjwt_signing_keybeforemodecCt|SNrclsvr1j/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/fastmcp/server/auth/providers/workos.py _parse_scopes3z$WorkOSProviderSettings._parse_scopes)__name__ __module__ __qualname____doc__rr model_configr__annotations__rr r!r"r#r%r&r'r(r classmethodr3r1r1r1r2rs(            rcs4eZdZdZddddfd d ZdddZZS)WorkOSTokenVerifierzToken verifier for WorkOS OAuth tokens. WorkOS AuthKit tokens are opaque, so we verify them by calling the /oauth2/userinfo endpoint to check validity and get user info. N )r%r&r strr%r$r&intcs$tj|d|d|_||_dS)zInitialize the WorkOS token verifier. Args: authkit_domain: WorkOS AuthKit domain (e.g., "https://your-app.authkit.app") required_scopes: Required OAuth scopes timeout_seconds: HTTP request timeout )r%/N)super__init__rstripr r&)selfr r%r& __class__r1r2rB@s  zWorkOSTokenVerifier.__init__tokenreturnAccessToken | Nonecsvztj|jd4IdHn}|j|jdd|dddIdH}|jdkrAtd |j|jdd WdIdHWdS| }t |t |d d |j pRgd|d |d |d |d|d|dddWdIdHWS1IdHswYWdStj y}z td|WYd}~dSd}~wty}z td|WYd}~dSd}~ww)z7Verify WorkOS OAuth token by calling userinfo endpoint.)timeoutNz/oauth2/userinfozBearer zFastMCP-WorkOS-OAuth) Authorizationz User-Agent)headersz)WorkOS token verification failed: %d - %ssubunknownemailemail_verifiedname given_name family_name)rNrPrQrRrSrT)rGrscopes expires_atclaimsz!Failed to verify WorkOS token: %sz#WorkOS token verification error: %s)httpx AsyncClientr&getr status_codeloggerdebugtextjsonr r>r% RequestError Exception)rDrGclientresponse user_dataer1r1r2 verify_tokenRsR   4$  z WorkOSTokenVerifier.verify_token)r r>r%r$r&r?)rGr>rHrI)r5r6r7r8rBrf __classcell__r1r1rEr2r<9s  r<c s>eZdZdZeeeeeeeeededd dfddZZS)WorkOSProviderarComplete WorkOS OAuth provider for FastMCP. This provider implements WorkOS AuthKit OAuth using the OAuth Proxy pattern. It provides OAuth2 authentication for users through WorkOS Connect applications. Features: - Transparent OAuth proxy to WorkOS AuthKit - Automatic token validation via userinfo endpoint - User information extraction from ID tokens - Support for standard OAuth scopes (openid, profile, email) Setup Requirements: 1. Create a WorkOS Connect application in your dashboard 2. Note your AuthKit domain (e.g., "https://your-app.authkit.app") 3. Configure redirect URI as: http://localhost:8000/auth/callback 4. Note your Client ID and Client Secret Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.workos import WorkOSProvider auth = WorkOSProvider( client_id="client_123", client_secret="sk_test_456", authkit_domain="https://your-app.authkit.app", base_url="http://localhost:8000" ) mcp = FastMCP("My App", auth=auth) ``` NT) rrr r!r"r#r%r&r'client_storager(require_authorization_consentr str | NotSetTrr r!AnyHttpUrl | str | NotSetTr"r#r%list[str] | NotSetT | Noner& int | NotSetTr'list[str] | NotSetTriAsyncKeyValue | Noner(str | bytes | NotSetTrjboolc s tdd||||||||| | d D} | jstd| js%td| js,td| j}|ds9d|}|d }| j pBd }| j pGg}| j }| jrS| j nd }t |||d }tj|d |d| j||| j| j| jpt| j|| | j| d td| j|dS)aInitialize WorkOS OAuth provider. Args: client_id: WorkOS client ID client_secret: WorkOS client secret authkit_domain: Your WorkOS AuthKit domain (e.g., "https://your-app.authkit.app") base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in WorkOS (defaults to "/auth/callback") required_scopes: Required OAuth scopes (no default) timeout_seconds: HTTP request timeout for WorkOS API calls allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to WorkOS. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. cSi|] \}}|tur||qSr1r.0kr0r1r1r2 s   z+WorkOSProvider.__init__..) rrr r!r"r#r%r&r'r(zQclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_WORKOS_CLIENT_IDzYclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_WORKOS_CLIENT_SECRETz[authkit_domain is required - set via parameter or FASTMCP_SERVER_AUTH_WORKOS_AUTHKIT_DOMAIN)zhttp://https://ryr@r=)r r%r&z/oauth2/authorizez /oauth2/token) upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secrettoken_verifierr!r#r"r'rir(rjzFInitialized WorkOS OAuth provider for client %s with AuthKit domain %sN)rmodel_validateitemsr ValueErrorrr startswithrCr&r%r'get_secret_valuer<rArBr!r#r"r(r\r])rDrrr r!r"r#r%r&r'rir(rjsettingsauthkit_domain_strauthkit_domain_finaltimeout_seconds_final scopes_final"allowed_client_redirect_uris_finalclient_secret_strrrEr1r2rBs|*      zWorkOSProvider.__init__)rrkrrkr rkr!rlr"rlr#rkr%rmr&rnr'rorirpr(rqrjrr)r5r6r7r8rrBrgr1r1rEr2rhs$rhc@sPeZdZUededdZded<ded<dZded <ed d d e d d Z dS)AuthKitProviderSettings$FASTMCP_SERVER_AUTH_AUTHKITPROVIDER_rrrr r!Nr$r%r)r*cCr,r-rr.r1r1r2r3&r4z%AuthKitProviderSettings._parse_scopes) r5r6r7rrr9r:r%rr;r3r1r1r1r2rs   rcs@eZdZdZeeedddfd d Z ddfdd ZZS)AuthKitProvideruAuthKit metadata provider for DCR (Dynamic Client Registration). This provider implements AuthKit integration using metadata forwarding instead of OAuth proxying. This is the recommended approach for WorkOS DCR as it allows WorkOS to handle the OAuth flow directly while FastMCP acts as a resource server. IMPORTANT SETUP REQUIREMENTS: 1. Enable Dynamic Client Registration in WorkOS Dashboard: - Go to Applications → Configuration - Toggle "Dynamic Client Registration" to enabled 2. Configure your FastMCP server URL as a callback: - Add your server URL to the Redirects tab in WorkOS dashboard - Example: https://your-fastmcp-server.com/oauth2/callback For detailed setup instructions, see: https://workos.com/docs/authkit/mcp/integrating/token-verification Example: ```python from fastmcp.server.auth.providers.workos import AuthKitProvider # Create AuthKit metadata provider (JWT verifier created automatically) workos_auth = AuthKitProvider( authkit_domain="https://your-workos-domain.authkit.app", base_url="https://your-fastmcp-server.com", ) # Use with FastMCP mcp = FastMCP("My App", auth=workos_auth) ``` N)r r!r%rr rlr!r%rmrTokenVerifier | Nonecstdd|||dD}t|jd|_tt|jd|_|dur6t|jd|jd|j d}t j |t|jg|jd dS) a|Initialize AuthKit metadata provider. Args: authkit_domain: Your AuthKit domain (e.g., "https://your-app.authkit.app") base_url: Public URL of this FastMCP server required_scopes: Optional list of scopes to require for all requests token_verifier: Optional token verifier. If None, creates JWT verifier for AuthKit cSrsr1rtrur1r1r2rxas z,AuthKitProvider.__init__..)r r!r%r@Nz /oauth2/jwksRS256)jwks_uriissuer algorithmr%)rauthorization_serversr!) rrrr>r rCrr!rr%rArB)rDr r!r%rrrEr1r2rBPs.    zAuthKitProvider.__init__mcp_pathrrH list[Route]cs2t|}fdd}|td|dgd|S)aGet OAuth routes including AuthKit authorization server metadata forwarding. This returns the standard protected resource routes plus an authorization server metadata endpoint that forwards AuthKit's OAuth metadata to clients. Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to advertise the resource URL in metadata. c sz:t4IdH$}|jdIdH}||}t|WdIdHWS1IdHs4wYWdStyY}ztdd|dddWYd}~Sd}~ww)zPForward AuthKit OAuth authorization server metadata with FastMCP customizations.N'/.well-known/oauth-authorization-server server_errorz"Failed to fetch AuthKit metadata: )errorerror_descriptioni)r[)rXrYrZr raise_for_statusr_r ra)requestrbrcmetadatarerDr1r2#oauth_authorization_server_metadatas&  4zGAuthKitProvider.get_routes..oauth_authorization_server_metadatarGET)endpointmethods)rA get_routesappendr )rDrroutesrrErr2rs  zAuthKitProvider.get_routes)r rlr!rlr%rmrrr-)rrrHr)r5r6r7r8rrBrrgr1r1rEr2r,s&1r))r8 __future__rrXkey_value.aio.protocolsrpydanticrrrpydantic_settingsrrstarlette.responsesr starlette.routingr fastmcp.server.authr r r fastmcp.server.auth.oauth_proxyr!fastmcp.server.auth.providers.jwtrfastmcp.settingsrfastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr5r\rr<rhrrr1r1r1r2s,         H