o c۷i%/ @s ddlZddlZddlmZmZddlmZmZddlm Z m Z ddl m Z m Z ddlmZddlmZmZmZmZmZddlmZeeZd ed ed edBfd d Zd ed edBfddZd ed edBfddZdedBded eefddZ d7dedBdedBdedBd edBfddZ!dedBded eefddZ"d ed edBfddZ#d ed e$e%edBffd d!Z&d"ed efd#d$Z'd%edBd&ed'ed efd(d)Z(d ed efd*d+Z)d"edBd e%fd,d-Z*d.edBd/edBd e%fd0d1Z+ d7d/ed2ee dBd efd3d4Z,d ed efd5d6Z-dS)8N)urljoinurlparse)RequestResponse)AnyUrlValidationError)OAuthRegistrationErrorOAuthTokenError)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)LATEST_PROTOCOL_VERSIONresponse field_namereturncCsF|jd}|s dS|d}t||}|r!|dp |dSdS)z Extract field from WWW-Authenticate header. Returns: Field value if found in WWW-Authenticate header, None otherwise zWWW-AuthenticateNz=(?:"([^"]+)"|([^\s,]+)))headersgetresearchgroup)rrwww_auth_headerpatternmatchrK/home/ubuntu/vllm_env/lib/python3.10/site-packages/mcp/client/auth/utils.pyextract_field_from_www_auths   r cCs t|dS)z Extract scope parameter from WWW-Authenticate header as per RFC6750. Returns: Scope string if found in WWW-Authenticate header, None otherwise scope)r rrrrextract_scope_from_www_auth,s r#cCs|r|jdkr dSt|dS)z Extract protected resource metadata URL from WWW-Authenticate header as per RFC9728. Returns: Resource metadata URL if found in WWW-Authenticate header, None otherwise iNresource_metadata) status_coder r"rrr'extract_resource_metadata_from_www_auth6s r& www_auth_url server_urlcCspg}|r ||t|}|jd|j}|jr,|jdkr,t|d|j}||t|d}|||S)a; Build ordered list of URLs to try for protected resource metadata discovery. Per SEP-985, the client MUST: 1. Try resource_metadata from WWW-Authenticate header (if present) 2. Fall back to path-based well-known URI: /.well-known/oauth-protected-resource/{path} 3. Fall back to root-based well-known URI: /.well-known/oauth-protected-resource Args: www_auth_url: optional resource_metadata url extracted from the WWW-Authenticate header server_url: server url Returns: Ordered list of URLs to try for discovery :///z%/.well-known/oauth-protected-resource)appendrschemenetlocpathr)r'r(urlsparsedbase_urlpath_based_urlroot_based_urlrrr0build_protected_resource_metadata_discovery_urlsCs    r4www_authenticate_scopeprotected_resource_metadataauthorization_server_metadatacCsL|dur|S|dur|jdurd|jS|dur$|jdur$d|jSdS)zLSelect scopes as outlined in the 'Scope Selection Strategy' in the MCP spec.N )scopes_supportedjoin)r5r6r7rrrget_client_metadata_scopesis   r;auth_server_urlcCs|st|}|jd|jdgSg}t|}|jd|j}|jr]|jdkr]d|jd}|t||d|jd}|t|||jdd}|t|||S|t|d|t|d|S)a Generate ordered list of (url, type) tuples for discovery attempts. Args: auth_server_url: URL for the OAuth Authorization Metadata URL if found, otherwise None server_url: URL for the MCP server, used as a fallback if auth_server_url is None r)z'/.well-known/oauth-authorization-serverr*z!/.well-known/openid-configuration)rr,r-r.rstripr+r)r<r(r0r/r1 oauth_path oidc_pathrrr8build_oauth_authorization_server_metadata_discovery_urlss" r@csD|jdkr z|IdH}t|}|WStyYdSwdS)z Handle protected resource metadata discovery response. Per SEP-985, supports fallback when discovery fails at one URL. Returns: True if metadata was successfully discovered, False if we should try next URL N)r%areadrmodel_validate_jsonr)rcontentmetadatarrr"handle_protected_resource_responses   rFcs`|jdkr"z|IdH}t|}d|fWSty!YdSw|jdks,|jdkr.dSdS)NrAT)TNii)FN)r%rBr rCr)rrDasmrrrhandle_auth_metadata_responses    rHurlcCstd|ttidS)NGET)r)rr r)rIrrrcreate_oauth_metadata_requestsrKauth_server_metadataclient_metadata auth_base_urlcCsD|r |jr t|j}nt|d}|jdddd}td||ddidS) z9Build registration request or skip if already registered.z /registerTjson)by_aliasmode exclude_nonePOSTz Content-Typezapplication/json)rOr)registration_endpointstrr model_dumpr)rLrMrNregistration_urlregistration_datarrr"create_client_registration_requests   rYc sx|jdvr|IdHtd|jd|jz|IdH}t|}|WSty;}ztd|d}~ww)zHandle registration response.)rANzRegistration failed: r8zInvalid registration response: )r%rBrtextr rCr)rrD client_infoerrrhandle_registration_responses  r^cCs<|sdSzt|}|jdko|jdvWStyYdSw)zValidate that a URL is suitable for use as a client_id (CIMD). The URL must be HTTPS with a non-root pathname. Args: url: The URL to validate Returns: True if the URL is a valid HTTPS URL with a non-root pathname Fhttps)r*)rr,r. Exception)rIr0rrris_valid_client_metadata_urls  rboauth_metadataclient_metadata_urlcCs|sdS|sdS|jduS)aDetermine if URL-based client ID (CIMD) should be used instead of DCR. URL-based client IDs should be used when: 1. The server advertises client_id_metadata_document_supported=true 2. The client has a valid client_metadata_url configured Args: oauth_metadata: OAuth authorization server metadata client_metadata_url: URL-based client ID (already validated) Returns: True if CIMD should be used, False if DCR should be used FT)%client_id_metadata_document_supported)rcrdrrrshould_use_client_metadata_url s  rf redirect_uriscCst|d|dS)aCreate client information using a URL-based client ID (CIMD). When using URL-based client IDs, the URL itself becomes the client_id and no client_secret is used (token_endpoint_auth_method="none"). Args: client_metadata_url: The URL to use as the client_id redirect_uris: The redirect URIs from the client metadata (passed through for compatibility with OAuthClientInformationFull which inherits from OAuthClientMetadata) Returns: OAuthClientInformationFull with the URL as client_id none) client_idtoken_endpoint_auth_methodrg)r )rdrgrrr$create_client_info_from_metadata_url$s rkc sHz|IdH}t|}|WSty#}ztd|d}~ww)avParse and validate token response with optional scope validation. Parses token response JSON. Callers should check response.status_code before calling. Args: response: HTTP response from token endpoint (status already checked by caller) Returns: Validated OAuthToken model Raises: OAuthTokenError: If response JSON is invalid NzInvalid token response: )rBrrCrr )rrDtoken_responser]rrrhandle_token_response_scopes;s rm)N).loggingr urllib.parserrhttpxrrpydanticrrmcp.client.authrr mcp.client.streamable_httpr mcp.shared.authr r r rr mcp.typesr getLogger__name__loggerrUr r#r&listr4r;r@rFtupleboolrHrKrYr^rbrfrkrmrrrrs~     ) ,