o hY@sjdZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z m Z ddl m Z mZddlmZddlmZmZmZddlZddlZddlmZmZmZddlmZdd lmZmZm Z m!Z!m"Z"dd l#m$Z$m%Z%dd l&m'Z'e(e)Z*Gd d d e+Z,Gddde,Z-Gddde,Z.GdddeZ/GdddeZ0e GdddZ1Gdddej2Z3dS)z| OAuth2 Authentication implementation for HTTPX. Implements authorization code flow with PKCE and automatic token refresh. N)AsyncGenerator AwaitableCallable) dataclassfield)Protocol) urlencodeurljoinurlparse) BaseModelFieldValidationError)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)check_resource_allowedresource_url_from_server_url)LATEST_PROTOCOL_VERSIONc@eZdZdZdS)OAuthFlowErrorz%Base exception for OAuth flow errors.N__name__ __module__ __qualname____doc__rrP/var/www/html/openai_agents/venv/lib/python3.10/site-packages/mcp/client/auth.pyr%rc@r)OAuthTokenErrorz"Raised when token operations fail.Nrrrrrr!)r r!c@r)OAuthRegistrationErrorz&Raised when client registration fails.Nrrrrrr"-r r"c@sLeZdZUdZeddddZeed<eddddZeed<e d d d Z d S) PKCEParametersz.PKCE (Proof Key for Code Exchange) parameters..+) min_length max_length code_verifiercode_challengereturncCsJdddtdD}t|}t| d}|||dS)zGenerate new PKCE parameters.css&|]}ttjtjdVqdS)z-._~N)secretschoicestring ascii_lettersdigits).0_rrr :s$z*PKCEParameters.generate..r%=)r(r)) joinrangehashlibsha256encodedigestbase64urlsafe_b64encodedecoderstrip)clsr(r:r)rrrgenerate7s zPKCEParameters.generateN)r*r#) rrrrr r(str__annotations__r) classmethodr@rrrrr#1s r#c@sXeZdZdZdedBfddZdeddfddZdedBfd d Zd eddfd d Z dS) TokenStoragez+Protocol for token storage implementations.r*NcdS)zGet stored tokens.Nrselfrrr get_tokensCzTokenStorage.get_tokenstokenscrE)z Store tokens.Nr)rGrJrrr set_tokensGrIzTokenStorage.set_tokenscrE)zGet stored client information.NrrFrrrget_client_infoKrIzTokenStorage.get_client_info client_infocrE)zStore client information.Nr)rGrMrrrset_client_infoOrIzTokenStorage.set_client_info) rrrrrrHrKrrLrNrrrrrD@s rDc@seZdZUdZeed<eed<eed<eege dfed<ege e eedBffed<dZ e ed <dZ edBed <dZedBed <dZedBed <dZedBed <dZedBed<dZedBed<dZe dBed<eejdZejed<dZedBed<dZedBed<dedefddZdeddfddZde fddZ!de fddZ"d%dd Z#defd!d"Z$d&d edBde fd#d$Z%dS)' OAuthContextzOAuth flow context. server_urlclient_metadatastorageNredirect_handlercallback_handlerr@timeoutprotected_resource_metadataoauth_metadataauth_server_urlprotocol_versionrMcurrent_tokenstoken_expiry_time)default_factorylockdiscovery_base_urldiscovery_pathnamer*cCst|}|jd|jS)z,Extract base URL by removing path component.://)r schemenetloc)rGrPparsedrrrget_authorization_base_urlssz'OAuthContext.get_authorization_base_urltokencCs$|jr t|j|_dSd|_dS)zUpdate token expiry time.N) expires_intimer\)rGrfrrrupdate_token_expiryxs z OAuthContext.update_token_expirycCs(t|jo|jjo|j pt|jkS)z Check if current token is valid.)boolr[ access_tokenr\rhrFrrris_token_valids zOAuthContext.is_token_validcCst|jo |jjo |jS)z Check if token can be refreshed.)rjr[ refresh_tokenrMrFrrrcan_refresh_tokenszOAuthContext.can_refresh_tokencCsd|_d|_dS)zClear current tokens.N)r[r\rFrrr clear_tokenss zOAuthContext.clear_tokenscCs8t|j}|jr|jjrt|jj}t||dr|}|S)zGet resource URL for RFC 8707. Uses PRM resource if it's a valid parent, otherwise uses canonical server URL. )requested_resourceconfigured_resource)rrPrWresourcerAr)rGrr prm_resourcerrrget_resource_urls   zOAuthContext.get_resource_urlcCs|jdurdS|s dS|dkS)zDetermine if the resource parameter should be included in OAuth requests. Returns True if: - Protected resource metadata is available, OR - MCP-Protocol-Version header is 2025-06-18 or later NTFz 2025-06-18)rW)rGrZrrrshould_include_resource_params z*OAuthContext.should_include_resource_paramr*N)N)&rrrrrArBrrDrrtuplerVfloatrWrrXrrYrZrMrr[rr\ranyioLockr^r_r`rerirjrlrnrortrurrrrrOTs2    rOc@seZdZdZdZ d4dedededeege dfd ege e eedBffd e f d d Z d e jdedBfddZd e jde jfddZde jddfddZdeefddZde jdBfddZde jddfddZde eeffddZdedede jfd d!Zde jddfd"d#Zde jfd$d%Zde jdefd&d'Zd5d(d)Zd*e jddfd+d,Zd-ede jfd.d/Zde jddfd0d1Z d*e jde!e je jffd2d3Z"dS)6OAuthClientProviderzw OAuth2 authentication for httpx. Handles OAuth flow with automatic client registration and token storage. TrUrPrQrRrSNrTrVcCs t||||||d|_d|_dS)z!Initialize OAuth2 authentication.)rPrQrRrSrTrVFN)rOcontext _initialized)rGrPrQrRrSrTrVrrr__init__s  zOAuthClientProvider.__init__ init_responser*cCsR|r|jdkr dS|jd}|sdSd}t||}|r'|dp&|dSdS)z Extract protected resource metadata URL from WWW-Authenticate header as per RFC9728. Returns: Resource metadata URL if found in WWW-Authenticate header, None otherwise NzWWW-Authenticatez)resource_metadata=(?:"([^"]+)"|([^\s,]+))) status_codeheadersgetresearchgroup)rGrwww_auth_headerpatternmatchrrr(_extract_resource_metadata_from_www_auths  z||}|s|j|jj}t|d}tjd|ttidS)Nz%/.well-known/oauth-protected-resourceGETr) rr|rerPr httpxRequestrr)rGrurl auth_base_urlrrr_discover_protected_resources   z0OAuthClientProvider._discover_protected_resourceresponsecsj|jdkr3z"|IdH}t|}||j_|jr&t|jd|j_WdSWdSt y2YdSwdS)zHandle discovery response.Nr) rareadrmodel_validate_jsonr|rWauthorization_serversrArYr rGrcontentmetadatarrr#_handle_protected_resource_responses   z7OAuthClientProvider._handle_protected_resource_responsecCsg}|jjp |jj}t|}|jd|j}|jr0|jdkr0d|jd}|t |||t |d|jrQ|jdkrQd|jd}|t |||dd}|||S)zCGenerate ordered list of (url, type) tuples for discovery attempts.ra/z'/.well-known/oauth-authorization-serverz!/.well-known/openid-configuration) r|rYrPr rbrcpathr>appendr )rGurlsrYrdbase_url oauth_path oidc_path oidc_fallbackrrr_get_discovery_urlss z'OAuthClientProvider._get_discovery_urlscst|jjrdS|jjr|jjjrt|jjj}n |j|jj}t|d}|jjj dddd}t j d||ddid S) z9Build registration request or skip if already registered.Nz /registerTjson)by_aliasmode exclude_nonePOST Content-Typezapplication/json)rr) r|rMrXregistration_endpointrArerPr rQ model_dumprr)rGregistration_urlrregistration_datarrr_register_clients  z$OAuthClientProvider._register_clientc s|jdvr|IdHtd|jd|jz|IdH}t|}||j_|jj |IdHWdSt yI}ztd|d}~ww)zHandle registration response.)rNzRegistration failed:  zInvalid registration response: ) rrr"textrrr|rMrRrNr )rGrrrMerrr_handle_registration_response*s  z1OAuthClientProvider._handle_registration_responsec s4|jjr|jjjrt|jjj}n |j|jj}t|d}|jjs'tdt }t d}d|jjj t|jjjd||jdd}|j|jjrS|j|d<|jjjr_|jjj|d <|d t|}|j|Id H|jId H\}}|d ust ||std |d ||std||jfS)z5Perform the authorization redirect and get auth code.z /authorizez*No client info available for authorization coderS256) response_type client_id redirect_uristater)code_challenge_methodrrscope?NzState parameter mismatch: z != zNo authorization code received)r|rXauthorization_endpointrArerPr rMrr#r@r, token_urlsaferrQ redirect_urisr)rurZrtrrrSrTcompare_digestr() rG auth_endpointr pkce_paramsr auth_paramsauthorization_url auth_codereturned_staterrr_perform_authorization8s8     z*OAuthClientProvider._perform_authorizationrr(cs|jjs td|jjr|jjjrt|jjj}n |j|jj}t|d}d|t|jj j d|jjj |d}|j |jj rH|j|d<|jjjrT|jjj|d<tjd||d d id S) zBuild token exchange request.zMissing client info/tokenauthorization_coder) grant_typerrrr(rr client_secretrr!application/x-www-form-urlencodeddatar)r|rMrrXtoken_endpointrArerPr rQrrrurZrtrrr)rGrr( token_urlr token_datarrr_exchange_tokenfs(    z#OAuthClientProvider._exchange_tokenc s|jdkrtd|jzH|IdH}t|}|jr@|jjjr@t|jjj }t|j }||}|r@td|||j_ |j ||jj |IdHWdStyi}ztd|d}~ww)zHandle token exchange response.rzToken exchange failed: Nz$Server granted unauthorized scopes: zInvalid token response: )rr!rrrrr|rQsetsplitr[rirRrKr )rGrrtoken_responserequested_scopesreturned_scopesunauthorized_scopesrrrr_handle_token_responses&   z*OAuthClientProvider._handle_token_responsecs|jjr |jjjstd|jjstd|jjr'|jjjr't|jjj}n |j|jj }t |d}d|jjj|jjj d}|j |jj rO|j|d<|jjjr[|jjj|d<tjd||d d id S) zBuild token refresh request.zNo refresh token availablezNo client info availablerrm)rrmrrrrrrrr)r|r[rmr!rMrXrrArerPr rrurZrtrrr)rGrr refresh_datarrr_refresh_tokens(   z"OAuthClientProvider._refresh_tokencs|jdkrtd|j|jdSz#|IdH}t|}||j_|j ||jj |IdHWdSt yMt d|jYdSw)z:Handle token refresh response. Returns True if successful.rzToken refresh failed: FNTzInvalid refresh response)rloggerwarningr|rorrrr[rirRrKr exception)rGrrrrrr_handle_refresh_responses"       z,OAuthClientProvider._handle_refresh_responsecs8|jjIdH|j_|jjIdH|j_d|_dS)z#Load stored tokens and client info.NT)r|rRrHr[rLrMr}rFrrr _initializes zOAuthClientProvider._initializerequestcCs4|jjr|jjjrd|jjj|jd<dSdSdS)zs8    ^