o *ik@sdZddlZddlZddlZddlZddlZddlZddlmZm Z m Z ddl m Z m Z ddlmZmZddlmZmZmZmZddlZddlZddlmZmZmZddlmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0dd l1m2Z2m3Z3m4Z4m5Z5m6Z6dd l7m8Z8m9Z9m:Z:e;e<Z=Gd ddeZ>GdddeZ?e GdddZ@GdddejAZBdS)z| OAuth2 Authentication implementation for HTTPX. Implements authorization code flow with PKCE and automatic token refresh. N)AsyncGenerator AwaitableCallable) dataclassfield)AnyProtocol)quote urlencodeurljoinurlparse) BaseModelFieldValidationError)OAuthFlowErrorOAuthTokenError)8build_oauth_authorization_server_metadata_discovery_urls0build_protected_resource_metadata_discovery_urls$create_client_info_from_metadata_url"create_client_registration_requestcreate_oauth_metadata_requestextract_field_from_www_auth'extract_resource_metadata_from_www_authextract_scope_from_www_authget_client_metadata_scopeshandle_auth_metadata_response"handle_protected_resource_responsehandle_registration_responsehandle_token_response_scopesis_valid_client_metadata_urlshould_use_client_metadata_url)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)calculate_token_expirycheck_resource_allowedresource_url_from_server_urlc@sLeZdZUdZeddddZeed<eddddZeed<e d d d Z d S) PKCEParametersz.PKCE (Proof Key for Code Exchange) parameters..+) min_length max_length code_verifiercode_challengereturncCsJdddtdD}t|}t| d}|||dS)zGenerate new PKCE parameters.css&|]}ttjtjdVqdS)z-._~N)secretschoicestring ascii_lettersdigits).0_r:S/home/ubuntu/veenaModal/venv/lib/python3.10/site-packages/mcp/client/auth/oauth2.py Bs$z*PKCEParameters.generate..r,=)r/r0) joinrangehashlibsha256encodedigestbase64urlsafe_b64encodedecoderstrip)clsr/rCr0r:r:r;generate?s zPKCEParameters.generateN)r1r*) __name__ __module__ __qualname____doc__rr/str__annotations__r0 classmethodrIr:r:r:r;r*9s r*c@sXeZdZdZdedBfddZdeddfddZdedBfd d Zd eddfd d Z dS) TokenStoragez+Protocol for token storage implementations.r1NcdS)zGet stored tokens.Nr:selfr:r:r; get_tokensKzTokenStorage.get_tokenstokenscrR)z Store tokens.Nr:)rTrWr:r:r; set_tokensOrVzTokenStorage.set_tokenscrR)zGet stored client information.Nr:rSr:r:r;get_client_infoSrVzTokenStorage.get_client_info client_infocrR)zStore client information.Nr:)rTrZr:r:r;set_client_infoWrVzTokenStorage.set_client_info) rJrKrLrMr%rUrXr"rYr[r:r:r:r;rQHs rQc @seZdZUdZeed<eed<eed<eege dfdBed<ege e eedBffdBed<dZ e ed <dZ edBed <dZedBed <dZedBed <dZedBed <dZedBed<dZedBed<dZedBed<dZe dBed<eejdZejed<dedefddZdeddfddZdefddZ defddZ!d(ddZ"defd d!Z#d)dedBdefd"d#Z$ d)d$e%eefd%e%eefdBde e%eefe%eefffd&d'Z&dS)* OAuthContextzOAuth flow context. server_urlclient_metadatastorageNredirect_handlercallback_handlerr@timeoutclient_metadata_urlprotected_resource_metadataoauth_metadataauth_server_urlprotocol_versionrZcurrent_tokenstoken_expiry_time)default_factorylockr1cCst|}|jd|jS)z,Extract base URL by removing path component.z://)r schemenetloc)rTr]parsedr:r:r;get_authorization_base_urlxsz'OAuthContext.get_authorization_base_urltokencCst|j|_dS)z4Update token expiry time using shared util function.N)r' expires_inrj)rTrqr:r:r;update_token_expiry}sz OAuthContext.update_token_expirycCs(t|jo|jjo|j pt|jkS)z Check if current token is valid.)boolri access_tokenrjtimerSr:r:r;is_token_valids zOAuthContext.is_token_validcCst|jo |jjo |jS)z Check if token can be refreshed.)rtri refresh_tokenrZrSr:r:r;can_refresh_tokenszOAuthContext.can_refresh_tokencCsd|_d|_dS)zClear current tokens.N)rirjrSr:r:r; clear_tokenss zOAuthContext.clear_tokenscCs8t|j}|jr|jjrt|jj}t||dr|}|S)zGet resource URL for RFC 8707. Uses PRM resource if it's a valid parent, otherwise uses canonical server URL. )requested_resourceconfigured_resource)r)r]reresourcerNr()rTr} prm_resourcer:r:r;get_resource_urls   zOAuthContext.get_resource_urlcCs|jdurdS|s dS|dkS)zDetermine if the resource parameter should be included in OAuth requests. Returns True if: - Protected resource metadata is available, OR - MCP-Protocol-Version header is 2025-06-18 or later NTFz 2025-06-18)re)rTrhr:r:r;should_include_resource_params z*OAuthContext.should_include_resource_paramdataheaderscCs|duri}|js ||fS|jj}|dkrQ|jjrQ|jjrQt|jjdd}t|jjdd}|d|}t|}d||d<dd | D}||fS|d kr_|jjr_|jj|d <||fS) zPrepare authentication for token requests. Args: data: The form data to send headers: Optional headers dict to update Returns: Tuple of (updated_data, updated_headers) Nclient_secret_basicr2)safe:zBasic AuthorizationcSsi|] \}}|dkr||qS) client_secretr:)r8kvr:r:r; sz3OAuthContext.prepare_token_auth..client_secret_postr) rZtoken_endpoint_auth_method client_idrr rD b64encoderBrFitems)rTrr auth_method encoded_idencoded_secret credentialsencoded_credentialsr:r:r;prepare_token_auths   zOAuthContext.prepare_token_authr1NN)'rJrKrLrMrNrOr#rQrrtuplercfloatrdrer&rfr$rgrhrZr"rir%rjranyioLockrlrprsrtrwryrzrrdictrr:r:r:r;r\\s@ $   r\c@sveZdZdZdZ    d-dedededeege dfdBd ege e eedBffdBd e d edBfd d Z de jdefddZde jfddZde eeffddZdefddZiddededeeefdBde jfddZde jddfddZde jfd d!Zde jdefd"d#Zd.d$d%Zd&e jddfd'd(Zde jddfd)d*Zd&e jdee je jffd+d,ZdS)/OAuthClientProviderzw OAuth2 authentication for httpx. Handles OAuth flow with automatic client registration and token storage. TNrbr]r^r_r`rarcrdc Cs@|durt|std|t|||||||d|_d|_dS)alInitialize OAuth2 authentication. Args: server_url: The MCP server URL. client_metadata: OAuth client metadata for registration. storage: Token storage implementation. redirect_handler: Handler for authorization redirects. callback_handler: Handler for authorization callbacks. timeout: Timeout for the OAuth flow. client_metadata_url: URL-based client ID. When provided and the server advertises client_id_metadata_document_supported=true, this URL will be used as the client_id instead of performing dynamic client registration. Must be a valid HTTPS URL with a non-root pathname. Raises: ValueError: If client_metadata_url is provided but not a valid HTTPS URL with a non-root pathname. NzMclient_metadata_url must be a valid HTTPS URL with a non-root pathname, got: )r]r^r_r`rarcrdF)r ValueErrorr\context _initialized)rTr]r^r_r`rarcrdr:r:r;__init__s zOAuthClientProvider.__init__responser1cs|jdkr:z|IdH}t|}||j_|jr#t|jd|j_WdSt y9t d|j j YdSw|jdkrLt d|j j d dStd |j) z Handle protected resource metadata discovery response. Per SEP-985, supports fallback when discovery fails at one URL. Returns: True if metadata was successfully discovered, False if we should try next URL NrTz'Invalid protected resource metadata at Fiz)Protected resource metadata not found at z, trying next URLz,Protected Resource Metadata request failed: ) status_codeareadr&model_validate_jsonrreauthorization_serversrNrgrloggerwarningrequesturldebugrrTrcontentmetadatar:r:r;#_handle_protected_resource_responses&     z7OAuthClientProvider._handle_protected_resource_responsecs*|IdH\}}|||IdH}|S)zPerform the authorization flow.N)!_perform_authorization_code_grant"_exchange_token_authorization_code)rT auth_coder/ token_requestr:r:r;_perform_authorization.sz*OAuthClientProvider._perform_authorizationc sj|jjjdur td|jjstd|jjstd|jjr-|jjjr-t|jjj}n |j |jj }t |d}|jj sBtdt }td}d|jj jt|jjjd ||jd d }|j|jjrn|j|d <|jjjrz|jjj|d <|dt|}|j|IdH|jIdH\}}|dust||std|d||std||jfS)z5Perform the authorization redirect and get auth code.N6No redirect URIs provided for authorization code grantz9No redirect handler provided for authorization code grantz9No callback handler provided for authorization code grantz /authorizez*No client info available for authorization coderS256) response_typer redirect_uristater0code_challenge_methodr}scope?zState parameter mismatch: z != zNo authorization code received)rr^ redirect_urisrr`rarfauthorization_endpointrNrpr]r rZr*rIr3 token_urlsaferr0rrhrrr compare_digestr/) rT auth_endpoint auth_base_url pkce_paramsr auth_paramsauthorization_urlrreturned_stater:r:r;r4sD     z5OAuthClientProvider._perform_authorization_code_grantcCsB|jjr|jjjrt|jjj}|S|j|jj}t|d}|S)N/token)rrftoken_endpointrNrpr]r )rT token_urlrr:r:r;_get_token_endpointis  z'OAuthClientProvider._get_token_endpoint) token_datarr/rcs|jjjdur td|jjstd|}|pi}|d|t|jjjd|jjj|d|j |jj r@|j |d<dd i}|j ||\}}t jd |||d S) z9Build token exchange request for authorization_code flow.NrzMissing client infoauthorization_coder) grant_typerrrr/r} Content-Type!application/x-www-form-urlencodedPOSTrr)rr^rrrZrupdaterNrrrhrrhttpxRequest)rTrr/rrrr:r:r;rqs( z6OAuthClientProvider._exchange_token_authorization_codecst|jdkr|IdH}|d}td|jd|t|IdH}||j_|j||jj |IdHdS)zHandle token exchange response.rNzutf-8zToken exchange failed (z): ) rrrFrrrrirsr_rX)rTrbody body_texttoken_responser:r:r;_handle_token_responses   z*OAuthClientProvider._handle_token_responsecs|jjr |jjjstd|jjr|jjjstd|jjr,|jjjr,t|jjj}n |j |jj }t |d}d|jjj|jjjd}|j |jj rT|j|d<ddi}|j||\}}tjd |||d S) zBuild token refresh request.zNo refresh token availablezNo client info availablerrx)rrxrr}rrrr)rrirxrrZrrfrrNrpr]r rrhrrrr)rTrr refresh_datarr:r:r;_refresh_tokens$ z"OAuthClientProvider._refresh_tokencs|jdkrtd|j|jdSz#|IdH}t|}||j_|j ||jj |IdHWdSt yMt d|jYdSw)z:Handle token refresh response. Returns True if successful.rzToken refresh failed: FNTzInvalid refresh response)rrrrrzrr%rrirsr_rXr exception)rTrrrr:r:r;_handle_refresh_responses"       z,OAuthClientProvider._handle_refresh_responsecs8|jjIdH|j_|jjIdH|j_d|_dS)z#Load stored tokens and client info.NT)rr_rUrirYrZrrSr:r:r; _initializes zOAuthClientProvider._initializercCs4|jjr|jjjrd|jjj|jd<dSdSdS)zs2D  |