{h& ddlmZddlmZmZmZmZddlmZm Z m Z m Z ddl m Z mZddlmZmZGddeZGdd eZGd d eZGd d eZedZedGddeZedZedGddeZedZedGddeZGddeZedeZedeZedeZ Gdd eeeee fZ!d!e"d"e"d#zd$e"fd%Z#Gd&d'eZ$y#)() dataclass)GenericLiteralProtocolTypeVar)parse_qs urlencodeurlparse urlunparse)AnyUrl BaseModel)OAuthClientInformationFull OAuthTokencfeZdZUedzed<eedzed<eed<eed<eed<dZedzed<y)AuthorizationParamsNstatescopescode_challenge redirect_uri redirect_uri_provided_explicitlyresource) __name__ __module__ __qualname__str__annotations__listr boolrY/var/www/html/hubwallet-dev/venv/lib/python3.12/site-packages/mcp/server/auth/provider.pyrr s; : I &**HcDjr rcneZdZUeed<eeed<eed<eed<eed<eed<eed<dZ edzed <y) AuthorizationCodecoder expires_at client_idrrrNr) rrrrrrfloatr rrrr r!r#r#s< I IN&**HcDjr r#cFeZdZUeed<eed<eeed<dZedzed<y) RefreshTokentokenr&rNr%)rrrrrrr%intrr r!r)r)s$ JN I!Jd !r r)cZeZdZUeed<eed<eeed<dZedzed<dZedzed<y) AccessTokenr*r&rNr%r) rrrrrrr%r+rrr r!r-r-%s2 JN I!Jd !HcDjr r-)invalid_redirect_uriinvalid_client_metadatainvalid_software_statementunapproved_software_statementT)frozenc,eZdZUeed<dZedzed<y)RegistrationErrorerrorNerror_description)rrrRegistrationErrorCoderr6rrr r!r4r45s  $(sTz(r r4)invalid_requestunauthorized_client access_deniedunsupported_response_type invalid_scope server_errortemporarily_unavailablec,eZdZUeed<dZedzed<y)AuthorizeErrorr5Nr6)rrrAuthorizationErrorCoderr6rrr r!r@r@Fs !!$(sTz(r r@)r8invalid_client invalid_grantr9unsupported_grant_typer<c,eZdZUeed<dZedzed<y) TokenErrorr5Nr6)rrrTokenErrorCoderr6rrr r!rFrFVs $(sTz(r rFc&eZdZdZdededzfdZy) TokenVerifierz%Protocol for verifying bearer tokens.r*returnNc Kyw)z6Verify a bearer token and return access info if valid.Nrselfr*s r! verify_tokenzTokenVerifier.verify_token_)rrr__doc__rr-rNrr r!rIrI\s /EE d0BEr rIAuthorizationCodeT)bound RefreshTokenT AccessTokenTceZdZdededzfdZdeddfdZdededefd Zded ede dzfd Z ded e de fd Z ded ede dzfdZ ded e deede fdZdededzfdZdee zddfdZy) OAuthAuthorizationServerProviderr&rJNc Kyw)ae Retrieves client information by client ID. Implementors MAY raise NotImplementedError if dynamic client registration is disabled in ClientRegistrationOptions. Args: client_id: The ID of the client to retrieve. Returns: The client information, or None if the client does not exist. Nr)rMr&s r! get_clientz+OAuthAuthorizationServerProvider.get_clientk  rP client_infoc Kyw)af Saves client information as part of registering it. Implementors MAY raise NotImplementedError if dynamic client registration is disabled in ClientRegistrationOptions. Args: client_info: The client metadata to register. Raises: RegistrationError: If the client metadata is invalid. Nr)rMr[s r!register_clientz0OAuthAuthorizationServerProvider.register_clientzrZrPclientparamsc Kyw)a Called as part of the /authorize endpoint, and returns a URL that the client will be redirected to. Many MCP implementations will redirect to a third-party provider to perform a second OAuth exchange with that provider. In this sort of setup, the client has an OAuth connection with the MCP server, and the MCP server has an OAuth connection with the 3rd-party provider. At the end of this flow, the client should be redirected to the redirect_uri from params.redirect_uri. +--------+ +------------+ +-------------------+ | | | | | | | Client | --> | MCP Server | --> | 3rd Party OAuth | | | | | | Server | +--------+ +------------+ +-------------------+ | ^ | +------------+ | | | | | | | Redirect | |redirect_uri|<-----+ +------------------+ | | +------------+ Implementations will need to define another handler on the MCP server return flow to perform the second redirect, and generate and store an authorization code as part of completing the OAuth authorization step. Implementations SHOULD generate an authorization code with at least 160 bits of entropy, and MUST generate an authorization code with at least 128 bits of entropy. See https://datatracker.ietf.org/doc/html/rfc6749#section-10.10. Args: client: The client requesting authorization. params: The parameters of the authorization request. Returns: A URL to redirect the client to for authorization. Raises: AuthorizeError: If the authorization request is invalid. Nr)rMr^r_s r! authorizez*OAuthAuthorizationServerProvider.authorizes R rPauthorization_codec Kyw)a) Loads an AuthorizationCode by its code. Args: client: The client that requested the authorization code. authorization_code: The authorization code to get the challenge for. Returns: The AuthorizationCode, or None if not found NrrMr^rbs r!load_authorization_codez8OAuthAuthorizationServerProvider.load_authorization_coderZrPc Kyw)a Exchanges an authorization code for an access token and refresh token. Args: client: The client exchanging the authorization code. authorization_code: The authorization code to exchange. Returns: The OAuth token, containing access and refresh tokens. Raises: TokenError: If the request is invalid Nrrds r!exchange_authorization_codezrs_!66BB&B )   "9" )  % $) )) ! $)Y))  $))) EHE19JK|< ~[9 m x9K]\h9h1im `cS4ZC