o i6q@sndZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z m Z ddl m Z mZddlmZmZddlmZmZmZddlZddlZddlmZmZmZddlmZdd lmZm Z m!Z!m"Z"m#Z#dd l$m%Z%m&Z&dd l'm(Z(e)e*Z+Gd d d e,Z-Gddde-Z.Gddde-Z/GdddeZ0GdddeZ1e GdddZ2Gdddej3Z4dS)z| OAuth2 Authentication implementation for HTTPX. Implements authorization code flow with PKCE and automatic token refresh. N)AsyncGenerator AwaitableCallable) dataclassfield)AnyProtocol) urlencodeurljoinurlparse) BaseModelFieldValidationError)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)check_resource_allowedresource_url_from_server_url)LATEST_PROTOCOL_VERSIONc@eZdZdZdS)OAuthFlowErrorz%Base exception for OAuth flow errors.N__name__ __module__ __qualname____doc__rr\/var/www/html/karishye-ai-python/venv/lib/python3.10/site-packages/mcp/client/auth/oauth2.pyr%rc@r)OAuthTokenErrorz"Raised when token operations fail.Nrrrrr r")r!r"c@r)OAuthRegistrationErrorz&Raised when client registration fails.Nrrrrr r#-r!r#c@sLeZdZUdZeddddZeed<eddddZeed<e d d d Z d S) PKCEParametersz.PKCE (Proof Key for Code Exchange) parameters..+) min_length max_length code_verifiercode_challengereturncCsJdddtdD}t|}t| d}|||dS)zGenerate new PKCE parameters.css&|]}ttjtjdVqdS)z-._~N)secretschoicestring ascii_lettersdigits).0_rrr :s$z*PKCEParameters.generate..r&=)r)r*) joinrangehashlibsha256encodedigestbase64urlsafe_b64encodedecoderstrip)clsr)r;r*rrr generate7s zPKCEParameters.generateN)r+r$) rrrrr r)str__annotations__r* classmethodrArrrr r$1s r$c@sXeZdZdZdedBfddZdeddfddZdedBfd d Zd eddfd d Z dS) TokenStoragez+Protocol for token storage implementations.r+NcdS)zGet stored tokens.Nrselfrrr get_tokensCzTokenStorage.get_tokenstokenscrF)z Store tokens.Nr)rHrKrrr set_tokensGrJzTokenStorage.set_tokenscrF)zGet stored client information.NrrGrrr get_client_infoKrJzTokenStorage.get_client_info client_infocrF)zStore client information.Nr)rHrNrrr set_client_infoOrJzTokenStorage.set_client_info) rrrrrrIrLrrMrOrrrr rE@s rEc@sjeZdZUdZeed<eed<eed<eege dfdBed<ege e eedBffdBed<dZ e ed <dZ edBed <dZedBed <dZedBed <dZedBed <dZedBed<dZedBed<dZe dBed<eejdZejed<dedefddZdeddfddZdefddZdefddZ d#ddZ!defdd Z"d$d edBdefd!d"Z#dS)% OAuthContextzOAuth flow context. server_urlclient_metadatastorageNredirect_handlercallback_handlerr@timeoutprotected_resource_metadataoauth_metadataauth_server_urlprotocol_versionrNcurrent_tokenstoken_expiry_time)default_factorylockr+cCst|}|jd|jS)z,Extract base URL by removing path component.://)r schemenetloc)rHrQparsedrrr get_authorization_base_urlosz'OAuthContext.get_authorization_base_urltokencCs$|jr t|j|_dSd|_dS)zUpdate token expiry time.N) expires_intimer])rHrerrr update_token_expiryts z OAuthContext.update_token_expirycCs(t|jo|jjo|j pt|jkS)z Check if current token is valid.)boolr\ access_tokenr]rgrGrrr is_token_valid{s zOAuthContext.is_token_validcCst|jo |jjo |jS)z Check if token can be refreshed.)rir\ refresh_tokenrNrGrrr can_refresh_tokenszOAuthContext.can_refresh_tokencCsd|_d|_dS)zClear current tokens.N)r\r]rGrrr clear_tokenss zOAuthContext.clear_tokenscCs8t|j}|jr|jjrt|jj}t||dr|}|S)zGet resource URL for RFC 8707. Uses PRM resource if it's a valid parent, otherwise uses canonical server URL. )requested_resourceconfigured_resource)rrQrXresourcerBr)rHrq prm_resourcerrr get_resource_urls   zOAuthContext.get_resource_urlcCs|jdurdS|s dS|dkS)zDetermine if the resource parameter should be included in OAuth requests. Returns True if: - Protected resource metadata is available, OR - MCP-Protocol-Version header is 2025-06-18 or later NTFz 2025-06-18)rX)rHr[rrr should_include_resource_params z*OAuthContext.should_include_resource_paramr+NN)$rrrrrBrCrrErrtuplerWfloatrXrrYrrZr[rNrr\rr]ranyioLockr_rdrhrirkrmrnrsrtrrrr rPTs. $  rPc@s2eZdZdZdZ   dAdedededeege dfdBd ege e eedBffdBd e f d d Z d e jdeefddZd e jdededBfddZd e jdedBfddZd e jdedBfddZde jdefddZd e jddfddZdeefddZde jdBfdd Zde jddfd!d"Zde jfd#d$Zde eeffd%d&Zdefd'd(Zid)d*ed+ed,eeefdBde jfd-d.Z de jddfd/d0Z!de jfd1d2Z"de jdefd3d4Z#dBd5d6Z$d7e jddfd8d9Z%d:ede jfd;d<Z&de jddfd=d>Z'd7e jde(e je jffd?d@Z)dS)COAuthClientProviderzw OAuth2 authentication for httpx. Handles OAuth flow with automatic client registration and token storage. TNrVrQrRrSrTrUrWcCs t||||||d|_d|_dS)z!Initialize OAuth2 authentication.)rQrRrSrTrUrWFN)rPcontext _initialized)rHrQrRrSrTrUrWrrr __init__s  zOAuthClientProvider.__init__ init_responser+cCs~g}||}|r||t|jj}|jd|j}|jr3|jdkr3t|d|j}||t|d}|||S)a$ Build ordered list of URLs to try for protected resource metadata discovery. Per SEP-985, the client MUST: 1. Try resource_metadata from WWW-Authenticate header (if present) 2. Fall back to path-based well-known URI: /.well-known/oauth-protected-resource/{path} 3. Fall back to root-based well-known URI: /.well-known/oauth-protected-resource Args: init_response: The initial 401 response from the server Returns: Ordered list of URLs to try for discovery r`/z%/.well-known/oauth-protected-resource) (_extract_resource_metadata_from_www_authappendr r|rQrarbpathr )rHrurls www_auth_urlrcbase_urlpath_based_urlroot_based_urlrrr (_build_protected_resource_discovery_urlss      zr"rrrr|rRsetsplitr\rhrSrLr) rHrbodyrtoken_responserequested_scopesreturned_scopesunauthorized_scopesrrrr _handle_token_responses*    z*OAuthClientProvider._handle_token_responsecs|jjr |jjjstd|jjstd|jjr'|jjjr't|jjj}n |j|jj }t |d}d|jjj|jjj d}|j |jj rO|j|d<|jjjr[|jjj|d<tjd||d d id S) zBuild token refresh request.zNo refresh token availablezNo client info availablerrl)rrlrrqrrrrr)r|r\rlr"rNrYrrBrdrQr rrtr[rsrrr)rHrr refresh_datarrr _refresh_tokens(   z"OAuthClientProvider._refresh_tokencs|jdkrtd|j|jdSz#|IdH}t|}||j_|j ||jj |IdHWdSt yMt d|jYdSw)z:Handle token refresh response. Returns True if successful.rzToken refresh failed: FNTzInvalid refresh response)rrrr|rnrrrr\rhrSrLr exception)rHrrrrrr _handle_refresh_response"s"       z,OAuthClientProvider._handle_refresh_responsecs8|jjIdH|j_|jjIdH|j_d|_dS)z#Load stored tokens and client info.NT)r|rSrIr\rMrNr}rGrrr _initialize7s zOAuthClientProvider._initializercCs4|jjr|jjjrd|jjj|jd<dSdSdS)zs8   Z