{hYdZddlZddlZddlZddlZddlZddlZddlZddlm Z m Z m Z ddl m Z mZddlmZddlmZmZmZddlZddlZddlmZmZmZddlmZdd lmZmZm Z m!Z!m"Z"dd l#m$Z$m%Z%dd l&m'Z'ejPe)Z*Gd d e+Z,Gdde,Z-Gdde,Z.GddeZ/GddeZ0e GddZ1GddejdZ3y)z| OAuth2 Authentication implementation for HTTPX. Implements authorization code flow with PKCE and automatic token refresh. N)AsyncGenerator AwaitableCallable) dataclassfield)Protocol) urlencodeurljoinurlparse) BaseModelFieldValidationError)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)check_resource_allowedresource_url_from_server_url)LATEST_PROTOCOL_VERSIONceZdZdZy)OAuthFlowErrorz%Base exception for OAuth flow errors.N__name__ __module__ __qualname____doc__P/var/www/html/hubwallet-dev/venv/lib/python3.12/site-packages/mcp/client/auth.pyrr%s/r rceZdZdZy)OAuthTokenErrorz"Raised when token operations fail.Nrrr r!r#r#)s,r r#ceZdZdZy)OAuthRegistrationErrorz&Raised when client registration fails.Nrrr r!r%r%-s0r r%cdeZdZUdZedddZeed<edddZeed<e d dZ y ) PKCEParametersz.PKCE (Proof Key for Code Exchange) parameters..+) min_length max_length code_verifiercode_challengecdjdtdD}tj|j j }t j|jjd}|||S)zGenerate new PKCE parameters.c3K|];}tjtjtjzdz=yw)z-._~N)secretschoicestring ascii_lettersdigits).0_s r! z*PKCEParameters.generate..:s/rbcv/C/Cfmm/SV\/\ ]rsAAr)=)r,r-) joinrangehashlibsha256encodedigestbase64urlsafe_b64encodedecoderstrip)clsr,r?r-s r!generatezPKCEParameters.generate7sprglmpgqrr  4 4 67>>@11&9@@BII#N~NNr N)returnr') rrrrr r,str__annotations__r- classmethodrErr r!r'r'1s?8srcBM3BsCNCCOOr r'cTeZdZdZdedzfdZdeddfdZdedzfdZdeddfd Z y) TokenStoragez+Protocol for token storage implementations.rFNc Kyw)zGet stored tokens.Nrselfs r! get_tokenszTokenStorage.get_tokensC  tokensc Kyw)z Store tokens.Nr)rNrRs r! set_tokenszTokenStorage.set_tokensGrPrQc Kyw)zGet stored client information.NrrMs r!get_client_infozTokenStorage.get_client_infoKrPrQ client_infoc Kyw)zStore client information.Nr)rNrWs r!set_client_infozTokenStorage.set_client_infoOrPrQ) rrrrrrOrTrrVrYrr r!rKrK@sP5 *t"3  z d  'AD'H  1K PT r rKceZdZUdZeed<eed<eed<eege dfed<ege e eedzffed<dZ e ed <dZ edzed <dZedzed <dZedzed <dZedzed <dZedzed<dZedzed<dZe dzed<eej4Zej4ed<dZedzed<dZedzed<dedefdZdeddfdZde fdZ!de fdZ"ddZ#defdZ$dd edzde fdZ%y) OAuthContextzOAuth flow context. server_urlclient_metadatastorageNredirect_handlercallback_handlerr@timeoutprotected_resource_metadataoauth_metadataauth_server_urlprotocol_versionrWcurrent_tokenstoken_expiry_time)default_factorylockdiscovery_base_urldiscovery_pathnamerFcNt|}|jd|jS)z,Extract base URL by removing path component.://)r schemenetloc)rNr\parseds r!get_authorization_base_urlz'OAuthContext.get_authorization_base_urlss%*%--FMM?33r tokencx|jr'tj|jz|_yd|_y)zUpdate token expiry time.N) expires_intimerh)rNrss r!update_token_expiryz OAuthContext.update_token_expiryxs,   %)YY[53C3C%CD "%)D "r ct|jxrH|jjxr0|j xs!t j|jkS)z Check if current token is valid.)boolrg access_tokenrhrvrMs r!is_token_validzOAuthContext.is_token_validsU    V##00 V+++Ttyy{d>T>T/T  r cxt|jxr$|jjxr |jS)z Check if token can be refreshed.)ryrg refresh_tokenrWrMs r!can_refresh_tokenzOAuthContext.can_refresh_tokens0D''bD,?,?,M,MbRVRbRbccr c d|_d|_y)zClear current tokens.N)rgrhrMs r! clear_tokenszOAuthContext.clear_tokenss"!%r ct|j}|jrD|jjr.t |jj}t ||r|}|S)zGet resource URL for RFC 8707. Uses PRM resource if it's a valid parent, otherwise uses canonical server URL. )requested_resourceconfigured_resource)rr\rcresourcerGr)rNr prm_resources r!get_resource_urlzOAuthContext.get_resource_urlsV 0@  + +0P0P0Y0Yt??HHIL%Wcd'r c,|jy|sy|dk\S)zDetermine if the resource parameter should be included in OAuth requests. Returns True if: - Protected resource metadata is available, OR - MCP-Protocol-Version header is 2025-06-18 or later TFz 2025-06-18)rc)rNrfs r!should_include_resource_paramz*OAuthContext.should_include_resource_params(  + + 7  <//r rFN)N)&rrrrrGrHrrKrrtuplerbfloatrcrrdrrerfrWrrgrrhranyioLockrjrkrlrrrwryr{r~rrrrr r!r[r[TsmO(( uio566r9U3d ?-C#DDEEGUEI!:T!AH+/NMD(/"&OS4Z&#'cDj'6:K+d29)-NJ%,&*ut|*UZZ8D%**8&*d )%)d )4S4S4 ***  d4d& # 0cDj0TX0r r[ceZdZdZdZ d"dedededeege dfdege e eedzffd e f d Z d e jd edzfd Zd e jd e j fdZde jd dfdZd eefdZd e j dzfdZde jd dfdZd e eeffdZdeded e j fdZde jd dfdZd e j fdZde jd efdZd#dZde j d dfdZded e j fdZde jd dfd Z de j d e!e j e jffd!Z"y)$OAuthClientProviderzw OAuth2 authentication for httpx. Handles OAuth flow with automatic client registration and token storage. Tr\r]r^r_Nr`rbc>t|||||||_d|_y)z!Initialize OAuth2 authentication.)r\r]r^r_r`rbFN)r[context _initialized)rNr\r]r^r_r`rbs r!__init__zOAuthClientProvider.__init__s,$!+--   "r init_responserFc|r|jdk7ry|jjd}|syd}tj||}|r$|j dxs|j dSy)z Extract protected resource metadata URL from WWW-Authenticate header as per RFC9728. Returns: Resource metadata URL if found in WWW-Authenticate header, None otherwise NzWWW-Authenticatez)resource_metadata=(?:"([^"]+)"|([^\s,]+))) status_codeheadersgetresearchgroup)rNrwww_auth_headerpatternmatchs r!(_extract_resource_metadata_from_www_authz3U[[^ 3r cK|j|}|s;|jj|jj}t |d}t j d|ttiSw)Nz%/.well-known/oauth-protected-resourceGETr) rrrrr\r httpxRequestrr)rNrurl auth_base_urls r!_discover_protected_resourcez0OAuthClientProvider._discover_protected_resources^;;MJ LLCCDLLD[D[\M-)PQC}}UC2FH_1`aasA1A3responsec4K|jdk(rt |jd{}tj|}||j_|j r(t|j d|j_yyy7`#t$rYywxYww)zHandle discovery response.Nr) rareadrmodel_validate_jsonrrcauthorization_serversrGrerrNrcontentmetadatas r!#_handle_protected_resource_responsez7OAuthClientProvider._handle_protected_resource_responses   3 &  ( 004HHQ;C 81136x7U7UVW7X3YDLL02 '0 #  s9BB BAB BB BBBBcg}|jjxs|jj}t|}|jd|j }|j rH|j dk7r9d|j jd}|jt|||jt|d|j rH|j dk7r9d|j jd}|jt|||jdd}|j||S)zCGenerate ordered list of (url, type) tuples for discovery attempts.rn/z'/.well-known/oauth-authorization-serverz!/.well-known/openid-configuration) rrer\r rorppathrCappendr )rNurlsrerqbase_url oauth_path oidc_path oidc_fallbacks r!_get_discovery_urlsz'OAuthClientProvider._get_discovery_urlss,,66Q$,,:Q:Q/*mm_C 7 ;;6;;#-B6;;CUCUVYCZB[\J KK*5 6 GH&OPQ ;;6;;#-;FKK#>#T#TU  LLCCDLLD[D[\M&}kB  LL88CCTX^mqCr}} $+<~WiFj  sC6C8cK|jdvr=|jd{td|jd|j |jd{}t j |}||j _|j jj|d{y77Z7 #t$r}td|d}~wwxYww)zHandle registration response.)rNzRegistration failed:  zInvalid registration response: ) rrr%textrrrrWr^rYr)rNrrrWes r!_handle_registration_responsez1OAuthClientProvider._handle_registration_response*s   z 1.." " "(+@AUAU@VVWX`XeXeWf)gh h P$NN,,G4HHQK'2DLL $,,&&66{C C C #- D P(+J1#)NO O PsX"C B;)C C"B=#AC5B?6C:C =C?C C CCC cK|jjrJ|jjjr*t|jjj}n;|jj |jj }t |d}|jjs tdtj}tjd}d|jjjt|jjjd||j dd}|jj#|jj$r|jj'|d<|jjj(r#|jjj(|d <|d t+|}|jj-|d {|jj/d {\}}|tj0||std |d ||s td||j2fS7m7Mw)z5Perform the authorization redirect and get auth code.z /authorizez*No client info available for authorization coderS256) response_type client_id redirect_uristater-code_challenge_methodrscope?NzState parameter mismatch: z != zNo authorization code received)rrdauthorization_endpointrGrrr\r rWrr'rEr1 token_urlsaferr] redirect_urisr-rrfrrr r_r`compare_digestr,) rN auth_endpointr pkce_paramsr auth_paramsauthorization_url auth_codereturned_states r!_perform_authorizationz*OAuthClientProvider._perform_authorization8s << & &4<<+F+F+]+] ; ; R RSM LLCCDLLD[D[\M#M<@M||'' !MN N%--/ %%b)$11;; < < J J1 MN)88%+   << 5 5dll6S6S T&*ll&C&C&EK # << ' ' - -#'<<#?#?#E#EK ,oQy/E.FGll++,=>>>+/,,*G*G*I$I! >  !)?)?PU)V #=n=MTRWQX!YZ Z !AB B+3333 ?%Js%G>I2I.!I2"I0#A I20I2rr,cvK|jjs td|jjrJ|jjjr*t |jjj}n;|jj |jj}t|d}d|t |jjjd|jjj|d}|jj|jjr|jj|d<|jjjr#|jjj|d<t!j"d||d d i Sw) zBuild token exchange request.zMissing client info/tokenauthorization_coder) grant_typerrrr,r client_secretrr!application/x-www-form-urlencodeddatar)rrWrrdtoken_endpointrGrrr\r r]rrrrfrrrr)rNrr, token_urlr token_datas r!_exchange_tokenz#OAuthClientProvider._exchange_tokenfsF||'' !67 7 << & &4<<+F+F+U+UDLL77FFGI LLCCDLLD[D[\M x8I/ < < J J1 MN11;;*   << 5 5dll6S6S T%)\\%B%B%DJz " << # # 1 1*.,,*B*B*P*PJ '}} IJIl8m  sF7F9cK|jdk7rtd|j |jd{}tj|}|j r|j jj rot|j jj j}t|j j}||z }|rtd|||j _ |j j||j jj|d{y77#t$r}td|d}~wwxYww)zHandle token exchange response.rzToken exchange failed: Nz$Server granted unauthorized scopes: zInvalid token response: )rr#rrrrrr]setsplitrgrwr^rTr)rNrrtoken_responserequested_scopesreturned_scopesunauthorized_scopesrs r!_handle_token_responsez*OAuthClientProvider._handle_token_responses=   3 &!$;H? ?||''!"<= = << & &4<<+F+F+U+UDLL77FFGI LLCCDLLD[D[\M x8I*!\\88FF11;;  << 5 5dll6S6S T'+||'D'D'FL $ << # # 1 1,0LL,D,D,R,RL )}} IL>Kn:o  sG*G,c6K|jdk7r=tjd|j|jj y |j d{}t j|}||j_|jj||jjj|d{y7s7#t$r2tjd|jj YywxYww)z:Handle token refresh response. Returns True if successful.rzToken refresh failed: FNTzInvalid refresh response)rloggerwarningrrrrrrgrwr^rTr exception)rNrrrs r!_handle_refresh_responsez,OAuthClientProvider._handle_refresh_responses   3 & NN3H4H4H3IJ K LL % % ' $NN,,G';;GDN*8DLL ' LL , ,^ <,,&&11.A A A- B    7 8 LL % % ' sOA DC#C$A-CCCDCC8DDDDcK|jjjd{|j_|jjj d{|j_d|_y7V7w)z#Load stored tokens and client info.NT)rr^rOrgrVrWrrMs r! _initializezOAuthClientProvider._initializes\,0LL,@,@,K,K,M&M #)-)=)=)M)M)O#O   'N#Os!(BB:B%B&BBrequestc|jjrR|jjjr1d|jjj|jd<yyy)z7#t&$rY8wxYw7777s7W#t2$rt4j7dwxYw7l#1d{7swY|xYww)zHTTPX auth flow integration.NFrriizOAuth flow error)rrjrrrrrrfr{r~rrrrrrrr r rrrrrr Exceptionrr)rNrrefresh_requestrefresh_responserdiscovery_requestdiscovery_responsediscovery_urlsroauth_metadata_requestoauth_metadata_responseregistration_requestregistration_responserr, token_requestrs r!async_auth_flowz#OAuthClientProvider.async_auth_flows<<$$< < $$&&(((-4OO,?,?@T,UDLL )<<..0T\\5S5S5U(,(;(;(="=)8#8 !::;KLLL(-D%||**,%%g.$}H##s*%/3.O.OPX.Y(Y%/@)@&BBCUVVV&*%=%=%?N- "151T1TUX1Y.8N2N/2>>#E)&*&J&JKb&c c c %5@@3FJaJmJmqtJt! "261F1F1H+H(+6J0J-"@@AVWWW6:5P5P5R/R,I}+/*>*>y-*X$XM+8%8N55nEEEs< < ~ g& A< (#>M)ZV!d#2) () ,IX0S%YE $$%78u< < < < sBK/JK/ KJ A9K;J <KJA K&J5:J;J5J>J5J,J-J1 J5J5(J+)J5J- J5 J/!J5=J1>J5J3J5 K/+K,K/ K KKJ5J5J J($J5'J((J5-J5/J51J53J55 KKK/K, K# !K,(K/)rar)#rrrrrequires_response_bodyrGrrKrrrrrrResponserrrrlistrrrrrrrryrrrr r rrrr r!rrs  """-" " #C5)D/#9: " #2ysC$J1G'H#HI ""(ennY\_cYc0 b bSXS`S` b %.. UY T#Y6  (< " PENN Pt P,4eCHo,4\ s 3 5== <BU^^BB. emm >u~~$*! d d$d b#b%--bUennUQUUBU]]B~emm]b]k]kNk?lBr r)4rr@r<loggingrr1r3rvcollections.abcrrr dataclassesrrtypingr urllib.parser r r rrpydanticr r rmcp.client.streamable_httprmcp.shared.authrrrrrmcp.shared.auth_utilsrr mcp.typesr getLoggerrrrrr#r%r'rKr[Authrrr r!r*s   ??(55 66;W-   8 $0Y0-n-1^1 OY O 8 ( [0[0 [0|t%**tr