)`ikdZddlZddlZddlZddlZddlZddlZddlmZm Z m Z ddl m Z m Z ddlmZmZddlmZmZmZmZddlZddlZddlmZmZmZddlmZmZdd lm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0dd l1m2Z2m3Z3m4Z4m5Z5m6Z6dd l7m8Z8m9Z9m:Z:ej;e<Z=Gd deZ>GddeZ?e GddZ@GddejAZBdS)z| OAuth2 Authentication implementation for HTTPX. Implements authorization code flow with PKCE and automatic token refresh. N)AsyncGenerator AwaitableCallable) dataclassfield)AnyProtocol)quote urlencodeurljoinurlparse) BaseModelFieldValidationError)OAuthFlowErrorOAuthTokenError)8build_oauth_authorization_server_metadata_discovery_urls0build_protected_resource_metadata_discovery_urls$create_client_info_from_metadata_url"create_client_registration_requestcreate_oauth_metadata_requestextract_field_from_www_auth'extract_resource_metadata_from_www_authextract_scope_from_www_authget_client_metadata_scopeshandle_auth_metadata_response"handle_protected_resource_responsehandle_registration_responsehandle_token_response_scopesis_valid_client_metadata_urlshould_use_client_metadata_url)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)calculate_token_expirycheck_resource_allowedresource_url_from_server_urlcxeZdZUdZedddZeed<edddZeed<e d d Z d S) PKCEParametersz.PKCE (Proof Key for Code Exchange) parameters..+) min_length max_length code_verifiercode_challengereturncVddtdD}tj|}t j| d}|||S)zGenerate new PKCE parameters.c3rK|]2}tjtjtjzdzV3dS)z-._~N)secretschoicestring ascii_lettersdigits).0_s j/home/jaya/work/projects/VOICE-AGENT/VIET/agent-env/lib/python3.11/site-packages/mcp/client/auth/oauth2.py z*PKCEParameters.generate..Bs=rrbcv/Cfm/SV\/\ ] ]rrrrrrr.=)r1r2) joinrangehashlibsha256encodedigestbase64urlsafe_b64encodedecoderstrip)clsr1rGr2s r>generatezPKCEParameters.generate?srrglmpgqgqrrrrr  4 4 6 677>>@@1&99@@BBII#NNs~NNNNr@N)r3r,) __name__ __module__ __qualname____doc__rr1str__annotations__r2 classmethodrMr@r>r,r,9s88srcBBBM3BBB%sCCCNCCCCOOO[OOOr@r,cVeZdZdZdedzfdZdeddfdZdedzfdZdeddfd Z dS) TokenStoragez+Protocol for token storage implementations.r3Nc KdS)zGet stored tokens.NrUselfs r> get_tokenszTokenStorage.get_tokensK  r@tokensc KdS)z Store tokens.NrU)rZr]s r> set_tokenszTokenStorage.set_tokensOr\r@c KdS)zGet stored client information.NrUrYs r>get_client_infozTokenStorage.get_client_infoSr\r@ client_infoc KdS)zStore client information.NrU)rZrbs r>set_client_infozTokenStorage.set_client_infoWr\r@) rNrOrPrQr&r[r_r#rardrUr@r>rWrWHs55 *t"3     z d     'AD'H     1K PT      r@rWc XeZdZUdZeed<eed<eed<eege dfdzed<ege e eedzffdzed<dZ e ed <dZ edzed <dZedzed <dZedzed <dZedzed <dZedzed<dZedzed<dZedzed<dZe dzed<eejZejed<dedefdZdeddfdZdefdZ defdZ!d dZ"defdZ#d!dedzdefdZ$ d!de%eefde%eefdzde e%eefe%eefffdZ&dS)" OAuthContextzOAuth flow context. server_urlclient_metadatastorageNredirect_handlercallback_handlerr@timeoutclient_metadata_urlprotected_resource_metadataoauth_metadataauth_server_urlprotocol_versionrbcurrent_tokenstoken_expiry_time)default_factorylockr3cBt|}|jd|jS)z,Extract base URL by removing path component.z://)r schemenetloc)rZrgparseds r>get_authorization_base_urlz'OAuthContext.get_authorization_base_urlxs'*%%-33FM333r@tokenc8t|j|_dS)z4Update token expiry time using shared util function.N)r( expires_inrt)rZr|s r>update_token_expiryz OAuthContext.update_token_expiry}s!78H!I!Ir@ct|jo/|jjo#|j pt j|jkS)z Check if current token is valid.)boolrs access_tokenrttimerYs r>is_token_validzOAuthContext.is_token_validsK   V#0 V++Tty{{d>T/T   r@cPt|jo|jjo|jS)z Check if token can be refreshed.)rrs refresh_tokenrbrYs r>can_refresh_tokenzOAuthContext.can_refresh_tokens'D'bD,?,MbRVRbcccr@c"d|_d|_dS)zClear current tokens.N)rsrtrYs r> clear_tokenszOAuthContext.clear_tokenss"!%r@ct|j}|jr8|jjr,t |jj}t ||r|}|S)zGet resource URL for RFC 8707. Uses PRM resource if it's a valid parent, otherwise uses canonical server URL. )requested_resourceconfigured_resource)r*rgroresourcerRr))rZr prm_resources r>get_resource_urlzOAuthContext.get_resource_urls` 0@@  + (0P0Y (t?HIIL%Wcddd ('r@c(|jdS|sdS|dkS)zDetermine if the resource parameter should be included in OAuth requests. Returns True if: - Protected resource metadata is available, OR - MCP-Protocol-Version header is 2025-06-18 or later NTFz 2025-06-18)ro)rZrrs r>should_include_resource_paramz*OAuthContext.should_include_resource_params.  + 74  5 <//r@dataheadersc|i}|js||fS|jj}|dkr|jjr|jjrt |jjd}t |jjd}|d|}t j|}d||d<d| D}n!|d kr|jjr|jj|d <||fS) zPrepare authentication for token requests. Args: data: The form data to send headers: Optional headers dict to update Returns: Tuple of (updated_data, updated_headers) Nclient_secret_basicr5)safe:zBasic Authorizationc&i|]\}}|dk ||S) client_secretrU)r<kvs r> z3OAuthContext.prepare_token_auth..s(JJJTQQ/5I5IAq5I5I5Ir@client_secret_postr) rbtoken_endpoint_auth_method client_idrr rH b64encoderFrJitems)rZrr auth_method encoded_idencoded_secret credentialsencoded_credentialss r>prepare_token_authzOAuthContext.prepare_token_auths  ?G != &A / / /D4D4N /SWScSq /t/9CCCJ"4#3#AKKKN'::.::K"("2;3E3E3G3G"H"H"O"O"Q"Q 'E0C'E'EGO $JJTZZ\\JJJDD 0 0 0T5E5S 0$($4$BD !W}r@r3NN)'rNrOrPrQrRrSr$rWrrtuplermfloatrnror'rpr%rqrrrbr#rsr&rtranyioLockrvr{rrrrrrrdictrrUr@r>rfrf\sOOO(((( uio56====r9U3d ?-C#DDELLLLGU&*t***EI!:T!AHHH+/NMD(///"&OS4Z&&&#'cDj'''6:K+d2999)-NJ%,,,&*ut|***uUZ888D%*8884S4S4444 JJJJJJ     d4dddd&&&& #    00cDj0TX0000(FJ""cN"-1#s(^d-B" tCH~tCH~- .""""""r@rfceZdZdZdZ d dedededeege dfdzd ege e eedzffdzd e d edzfd Z d e jdefdZde jfdZde eeffdZdefdZiddededeeefdzde jfdZd e jddfdZde jfdZd e jdefdZd!dZde jddfdZd e jddfdZde jdee je jffdZdS)"OAuthClientProviderzw OAuth2 authentication for httpx. Handles OAuth flow with automatic client registration and token storage. TNrlrgrhrirjrkrmrnc |!t|std|t||||||||_d|_dS)alInitialize OAuth2 authentication. Args: server_url: The MCP server URL. client_metadata: OAuth client metadata for registration. storage: Token storage implementation. redirect_handler: Handler for authorization redirects. callback_handler: Handler for authorization callbacks. timeout: Timeout for the OAuth flow. client_metadata_url: URL-based client ID. When provided and the server advertises client_id_metadata_document_supported=true, this URL will be used as the client_id instead of performing dynamic client registration. Must be a valid HTTPS URL with a non-root pathname. Raises: ValueError: If client_metadata_url is provided but not a valid HTTPS URL with a non-root pathname. NzMclient_metadata_url must be a valid HTTPS URL with a non-root pathname, got: )rgrhrirjrkrmrnF)r ValueErrorrfcontext _initialized)rZrgrhrirjrkrmrns r>__init__zOAuthClientProvider.__init__st:  *3OPc3d3d *u`suu $!+-- 3    "r@responser3cK|jdkr |d{V}tj|}||j_|jr$t|jd|j_dS#t$r+t d|j j YdSwxYw|jdkr*td|j j d dStd |j) z Handle protected resource metadata discovery response. Per SEP-985, supports fallback when discovery fails at one URL. Returns: True if metadata was successfully discovered, False if we should try next URL NrTz'Invalid protected resource metadata at Fiz)Protected resource metadata not found at z, trying next URLz,Protected Resource Metadata request failed: ) status_codeareadr'model_validate_jsonrroauthorization_serversrRrqrloggerwarningrequesturldebugrrZrcontentmetadatas r>#_handle_protected_resource_responsez7OAuthClientProvider._handle_protected_resource_responses   3 & &  ( 0 00000004HQQ;C 81Z36x7UVW7X3Y3YDL0t"   _IYI]__```uu  !S ( ( LLlXEUEYlll m m m5!Ux?SUU sA%A661B+*B+c|K|d{V\}}|||d{V}|S)zPerform the authorization flow.N)!_perform_authorization_code_grant"_exchange_token_authorization_code)rZ auth_coder1 token_requests r>_perform_authorizationz*OAuthClientProvider._perform_authorization.s\)-)O)O)Q)Q#Q#Q#Q#Q#Q#Q ="EEiQ^________ r@cK|jjjtd|jjstd|jjstd|jjr0|jjjrt|jjj}n4|j |jj }t|d}|jj stdt}tjd}d|jj jt|jjjd ||jd d }|j|jjr|j|d <|jjjr|jjj|d <|dt/|}|j|d{V|jd{V\}}|tj||std|d||std||jfS)z5Perform the authorization redirect and get auth code.N6No redirect URIs provided for authorization code grantz9No redirect handler provided for authorization code grantz9No callback handler provided for authorization code grantz /authorizez*No client info available for authorization coderS256) response_typer redirect_uristater2code_challenge_methodrscope?zState parameter mismatch: z != zNo authorization code received)rrh redirect_urisrrjrkrpauthorization_endpointrRr{rgr rbr,rMr7 token_urlsaferr2rrrrrr compare_digestr1) rZ auth_endpoint auth_base_url pkce_paramsr auth_paramsauthorization_urlrreturned_states r>rz5OAuthClientProvider._perform_authorization_code_grant4sh < ' 5 = !YZZ Z|, ^ !\]] ]|, ^ !\]] ] < & A4<+F+] A ; RSSMM LCCDLD[\\M#M<@@M|' O !MNN N%--// %b))$1; < J1 MNN)8%+    < 5 5dl6S T T F&*l&C&C&E&EK # < ' - F#'<#?#EK ,GGy/E/EGGl++,=>>>>>>>>>+/,*G*G*I*I$I$I$I$I$I$I! >  !)?PU)V)V ! !Yn!Y!YRW!Y!YZZ Z C !ABB B+333r@c|jjr0|jjjrt|jjj}n4|j|jj}t |d}|S)N/token)rrptoken_endpointrRr{rgr )rZ token_urlrs r>_get_token_endpointz'OAuthClientProvider._get_token_endpointisd < & 94<+F+U 9DL7FGGII LCCDLD[\\M x88Ir@) token_datarr1rc8K|jjjtd|jjstd|}|pi}|d|t|jjjd|jjj|d|j |jj r|j |d<dd i}|j ||\}}tjd ||| S) z9Build token exchange request for authorization_code flow.NrzMissing client infoauthorization_coder) grant_typerrrr1r Content-Type!application/x-www-form-urlencodedPOSTrr)rrhrrrbrupdaterRrrrrrrhttpxRequest)rZrr1rrrs r>rz6OAuthClientProvider._exchange_token_authorization_codeqs$ < ' 5 = !YZZ Z|' 8 !677 7,,.. %2 2! #DL$@$Nq$Q R R!\5?!.       < 5 5dl6S T T E%)\%B%B%D%DJz ""#FG"l==j'RR G}VYZQQQQr@crK|jdkrI|d{V}|d}td|jd|t |d{V}||j_|j||jj |d{VdS)zHandle token exchange response.rNzutf-8zToken exchange failed (z): ) rrrJrrrrsrrir_)rZrbody body_texttoken_responses r>_handle_token_responsez*OAuthClientProvider._handle_token_responses  3 & &!))))))))D G,,I!"`H_refresh_tokenz"OAuthClientProvider._refresh_tokens[|* @$,2M2[ @!">?? ?|' >t|/G/Q >!"<== = < & 94<+F+U 9DL7FGGII LCCDLD[\\M x88I*!\8F1;( (  < 5 5dl6S T T G'+|'D'D'F'FL $"#FG $ ? ? g V V g}VY\7SSSSr@cK|jdkr=td|j|jdS |d{V}t j|}||j_|j ||jj |d{VdS#t$r7t d|jYdSwxYw)z:Handle token refresh response. Returns True if successful.rzToken refresh failed: FNTzInvalid refresh response)rrrrrrr&rrsrrir_r exception)rZrrrs r>_handle_refresh_responsez,OAuthClientProvider._handle_refresh_responses  3 & & NNJH4HJJ K K K L % % ' ' '5 $NN,,,,,,,,G';GDDN*8DL ' L , ,^ < < <,&11.AA A A A A A A A4      7 8 8 8 L % % ' ' '55 s A9C=DDcK|jjd{V|j_|jjd{V|j_d|_dS)z#Load stored tokens and client info.NT)rrir[rsrarbrrYs r> _initializezOAuthClientProvider._initializesn,0L,@,K,K,M,M&M&M&M&M&M&M #)-)=)M)M)O)O#O#O#O#O#O#O   r@rc|jjr/|jjjr d|jjj|jd<dSdSdS)z_add_auth_headerz$OAuthClientProvider._add_auth_headersZ < & d4<+F+S d/c9T9a/c/cGOO , , , d d d dr@c~K|d{V}tj|}||j_dSr)rr%rrrprs r>_handle_oauth_metadata_responsez3OAuthClientProvider._handle_oauth_metadata_responsesG (((((((( 4W==&. ###r@c K|jj4d{V|js|d{V|jt |j_|jsZ|j rA| d{V}|WV}| |d{Vsd|_|jr| ||WV}|j dkrO t|}t||jj}|D]}t#|}|WV} t%| d{V} | rL| |j_t)| jdksJt-| jd|j_nt0d|t5|jj|jj} | D]a}t#|} | WV} t7| d{V\}}|sn0|r|r||j_nt0d|bt;t=||jj|jj|jj_ |jj!s9tE|jj|jj#rt0d|jj#tI|jj#|jjj%}||j_!|jj&'|d{VntQ|jj|jj|j)|jj}|WV}tU|d{V}||j_!|jj&'|d{V|+d{VWV}|,|d{Vn)#tZ$rt0.d wxYw| ||WVn|j d krt_|d }|d kr t;t=||jj|jj_ |+d{VWV}|,|d{Vn)#tZ$rt0.d wxYw| ||WVdddd{VdS#1d{VswxYwYdS) zHTTPX auth flow integration.NFirz.Protected resource metadata discovery failed: z!OAuth metadata discovery failed: z"Using URL-based client ID (CIMD): )rzOAuth flow errorierrorinsufficient_scope)0rrvrrrgetr"rrrrrrrrrrrgrrrolenrrRrqrrrrrprrrhrrbr!rnrrrirdrr{rrr Exceptionrr)rZrrefresh_requestrefresh_responserwww_auth_resource_metadata_urlprm_discovery_urlsrdiscovery_requestdiscovery_responseprmasm_discovery_urlsoauth_metadata_requestoauth_metadata_responseokasmclient_informationregistration_requestregistration_responserrs r>async_auth_flowz#OAuthClientProvider.async_auth_flows<$D D D D D D D D $ )&&(((((((((-4O,?,?@T,U,UDL )<..00 .T\5S5S5U5U .(,(;(;(=(="="="="="="=)8#8#8#8 !::;KLLLLLLLL.(-D%|**,, /%%g...$}}}H#s**S5\]e5f5f2*Z6 8O**& 2aa,I#,N,N)3D-D-D-D*$FGY$Z$ZZZZZZZ aGJDLD!$C$= > > B B B B> 4: 6:5P5P5R5R/R/R/R/R/R/R)R)R)R"99.IIIIIIIIII$(();<<< %%g... ID D D D D D D D D D D D D D D D D D D D D D D D D D D D D D sDC=UL PU&Q?UA.S21U2&TU UU)NNrlNr) rNrOrPrQrequires_response_bodyrRr$rWrrrrrrResponserrrrrrrrrrrrrrrrrrUr@r>rrs "EISW*.+"+"+"-+" +" #C5)D/#9:TA +" #2ysC$J1G'H#HIDP +"+"!4Z+"+"+"+"Z%.UY@em 34sCx34343434jSZ\RRRR-0RAEc3hRVAVR RRRR> >U^ > > > > >TemTTTT<u~$*!!!! d d$dddd /en/QU//// FU]F~em]b]kNk?lFFFFFFr@r)CrQrHrDloggingr7r9rcollections.abcrrr dataclassesrrtypingrr urllib.parser r r r rrpydanticrrrmcp.client.auth.exceptionsrrmcp.client.auth.utilsrrrrrrrrrrrrrr r!mcp.client.streamable_httpr"mcp.shared.authr#r$r%r&r'mcp.shared.auth_utilsr(r)r* getLoggerrNrr,rWrfAuthrrUr@r>r(s$   ??????????(((((((( <<<<<<<<<<<< 6666666666FFFFFFFF"<;;;;;  8 $ $ O O O O OY O O O     8   ( yyyyyyy yxOOOOO%*OOOOOr@