)`iQ@dZddlZddlmZmZddlmZmZddlm Z ddl Z ddl Z ddl m Z mZddlmZmZmZmZddlmZmZGd d eZd ed eegeeffd ZGdde ZGddeZGdde ZGddeZdS)a OAuth client credential extensions for MCP. Provides OAuth providers for machine-to-machine authentication flows: - ClientCredentialsOAuthProvider: For client_credentials with client_id + client_secret - PrivateKeyJWTOAuthProvider: For client_credentials with private_key_jwt authentication (typically using a pre-built JWT from workload identity federation) - RFC7523OAuthClientProvider: For jwt-bearer grant (RFC 7523 Section 2.1) N) AwaitableCallable)AnyLiteral)uuid4) BaseModelField)OAuthClientProviderOAuthFlowErrorOAuthTokenError TokenStorage)OAuthClientInformationFullOAuthClientMetadataceZdZdZ ddededededed d edzd dffd Zdd Zd e j fdZ d e j fdZ xZ S)ClientCredentialsOAuthProvideraOAuth provider for client_credentials grant with client_id + client_secret. This provider sets client_info directly, bypassing dynamic client registration. Use this when you already have client credentials (client_id and client_secret). Example: ```python provider = ClientCredentialsOAuthProvider( server_url="https://api.example.com", storage=my_token_storage, client_id="my-client-id", client_secret="my-client-secret", ) ``` client_secret_basicN server_urlstorage client_id client_secrettoken_endpoint_auth_method)rclient_secret_postscopesreturnctddg||}t|||dddtd||dg|||_dS)aInitialize client_credentials OAuth provider. Args: server_url: The MCP server URL. storage: Token storage implementation. client_id: The OAuth client ID. client_secret: The OAuth client secret. token_endpoint_auth_method: Authentication method for token endpoint. Either "client_secret_basic" (default) or "client_secret_post". scopes: Optional space-separated list of scopes to request. Nclient_credentials redirect_uris grant_typesrscoper@)rrrrrr )rsuper__init__r_fixed_client_info) selfrrrrrrclient_metadata __class__s /home/jaya/work/projects/VOICE-AGENT/VIET/agent-env/lib/python3.11/site-packages/mcp/client/auth/extensions/client_credentials.pyr#z'ClientCredentialsOAuthProvider.__init__)s~*.-.'A     _gtT5QQQ"<'-.'A # # # cK|jjd{V|j_|j|j_d|_dSz6Load stored tokens and set pre-configured client_info.NTcontextr get_tokenscurrent_tokensr$ client_info _initializedr%s r( _initializez*ClientCredentialsOAuthProvider._initializeON,0L,@,K,K,M,M&M&M&M&M&M&M ##'#:   r)c:K|d{VS)z)Perform client_credentials authorization.N"_exchange_token_client_credentialsr2s r(_perform_authorizationz5ClientCredentialsOAuthProvider._perform_authorizationU*<<>>>>>>>>>r)ctKddi}ddi}|j||\}}|j|jjr|j|d<|jjjr|jjj|d<|}tj d|||S) z:Build token exchange request for client_credentials grant. grant_typer Content-Type!application/x-www-form-urlencodedresourcer POSTdataheaders) r-prepare_token_authshould_include_resource_paramprotocol_versionget_resource_urlr&r _get_token_endpointhttpxRequestr% token_datarB token_urls r(r7zAClientCredentialsOAuthProvider._exchange_token_client_credentialsYs .& $23V"W#l==j'RR G < 5 5dl6S T T E%)\%B%B%D%DJz " < ' - E"&,">"DJw ,,.. }VYZQQQQr))rNrN)__name__ __module__ __qualname____doc__strr rr#r3rHrIr8r7 __classcell__r's@r(rrs,\q!$ $ $ $  $  $ %,,W$X $ d $  $ $ $ $ $ $ L!!!! ?em????R%-RRRRRRRRr)rtokenrc0dtdtffd }|S)aCreate an assertion provider that returns a static JWT token. Use this when you have a pre-built JWT (e.g., from workload identity federation) that doesn't need the audience parameter. Example: ```python provider = PrivateKeyJWTOAuthProvider( server_url="https://api.example.com", storage=my_token_storage, client_id="my-client-id", assertion_provider=static_assertion_provider(my_prebuilt_jwt), ) ``` Args: token: The pre-built JWT assertion string. Returns: An async callback suitable for use as an assertion_provider. audiencerc KSN)rWrUs r(providerz+static_assertion_provider..providers  r)rR)rUr[s` r(static_assertion_providerr]ns6. Or)c&eZdZUdZedZeed<edZeed<edZ eed<ed d Z eed <ed d Z e ed<edd Z eeefdzed<deegeeffdZdS)SignedJWTParametersaParameters for creating SDK-signed JWT assertions. Use `create_assertion_provider()` to create an assertion provider callback for use with `PrivateKeyJWTOAuthProvider`. Example: ```python jwt_params = SignedJWTParameters( issuer="my-client-id", subject="my-client-id", signing_key=private_key_pem, ) provider = PrivateKeyJWTOAuthProvider( server_url="https://api.example.com", storage=my_token_storage, client_id="my-client-id", assertion_provider=jwt_params.create_assertion_provider(), ) ``` z0Issuer for JWT assertions (typically client_id).) descriptionissuerz.providersdikk""C{|T22577|| &&F% 6 d4555:fd&6$BXYYY Yr)r\)r%r[s` r(create_assertion_providerz-SignedJWTParameters.create_assertion_providers> ZS ZS Z Z Z Z Z Zr))rNrOrPrQr rarR__annotations__rbrcrhrkrxrldictrrrrrZr)r(r_r_s*%$VWWWFCWWW5%cdddGSdddu)TUUUKUUU"U7@ghhhshhh!E#;bccccccc/4uTOc/d/d/dtCH~,ddd8SE9S>4I+Jr)r_c eZdZdZ ddedededeegeefdedzddf fd Zdd Z de j fd Z d e eefddfd Zde j fdZxZS)PrivateKeyJWTOAuthProvideraqOAuth provider for client_credentials grant with private_key_jwt authentication. Uses RFC 7523 Section 2.2 for client authentication via JWT assertion. The JWT assertion's audience MUST be the authorization server's issuer identifier (per RFC 7523bis security updates). The `assertion_provider` callback receives this audience value and must return a JWT with that audience. **Option 1: Pre-built JWT via Workload Identity Federation** In production scenarios, the JWT assertion is typically obtained from a workload identity provider (e.g., GCP, AWS IAM, Azure AD): ```python async def get_workload_identity_token(audience: str) -> str: # Fetch JWT from your identity provider # The JWT's audience must match the provided audience parameter return await fetch_token_from_identity_provider(audience=audience) provider = PrivateKeyJWTOAuthProvider( server_url="https://api.example.com", storage=my_token_storage, client_id="my-client-id", assertion_provider=get_workload_identity_token, ) ``` **Option 2: Static pre-built JWT** If you have a static JWT that doesn't need the audience parameter: ```python provider = PrivateKeyJWTOAuthProvider( server_url="https://api.example.com", storage=my_token_storage, client_id="my-client-id", assertion_provider=static_assertion_provider(my_prebuilt_jwt), ) ``` **Option 3: SDK-signed JWT (for testing/simple setups)** For testing or simple deployments, use `SignedJWTParameters.create_assertion_provider()`: ```python jwt_params = SignedJWTParameters( issuer="my-client-id", subject="my-client-id", signing_key=private_key_pem, ) provider = PrivateKeyJWTOAuthProvider( server_url="https://api.example.com", storage=my_token_storage, client_id="my-client-id", assertion_provider=jwt_params.create_assertion_provider(), ) ``` Nrrrassertion_providerrrctddgd|}t|||ddd||_t d|dgd||_dS)aInitialize private_key_jwt OAuth provider. Args: server_url: The MCP server URL. storage: Token storage implementation. client_id: The OAuth client ID. assertion_provider: Async callback that takes the audience (authorization server's issuer identifier) and returns a JWT assertion. Use `SignedJWTParameters.create_assertion_provider()` for SDK-signed JWTs, `static_assertion_provider()` for pre-built JWTs, or provide your own callback for workload identity federation. scopes: Optional space-separated list of scopes to request. Nrprivate_key_jwtrr!)rrrrr )rr"r#_assertion_providerrr$)r%rrrrrr&r's r(r#z#PrivateKeyJWTOAuthProvider.__init__s,.-.'8     _gtT5QQQ#5 "<-.'8 # # # r)cK|jjd{V|j_|j|j_d|_dSr+r,r2s r(r3z&PrivateKeyJWTOAuthProvider._initialize%r4r)c:K|d{VS)z>Perform client_credentials authorization with private_key_jwt.Nr6r2s r(r8z1PrivateKeyJWTOAuthProvider._perform_authorization+r9r)rKcK|jjstdt|jjj}||d{V}||d<d|d<dS)IAdd JWT assertion for client authentication to token endpoint parameters./Missing OAuth metadata for private_key_jwt flowNclient_assertion6urn:ietf:params:oauth:client-assertion-type:jwt-bearerclient_assertion_type)r-oauth_metadatar rRrar)r%rKrW assertions r(_add_client_authentication_jwtz9PrivateKeyJWTOAuthProvider._add_client_authentication_jwt/s}|* T !RSS St|29::228<<<<<<<< *3 %&.f *+++r)cpKddi}ddi}||d{V|j|jjr|j|d<|jjjr|jjj|d<|}tj d ||| S) zOBuild token exchange request for client_credentials grant with private_key_jwt.r;rr<r=rKNr>r r?r@) rr-rDrErFr&r rGrHrIrJs r(r7z=PrivateKeyJWTOAuthProvider._exchange_token_client_credentials=s .& $23V"W11Z1HHHHHHHHH < 5 5dl6S T T E%)\%B%B%D%DJz " < ' - E"&,">"DJw ,,.. }VYZQQQQr)rYrM)rNrOrPrQrRr rrr#r3rHrIr8rrrr7rSrTs@r(rrs)99B" % % % %  % %cUIcN%:; % d %  % % % % % % N!!!! ?em???? g$sCx. gUY g g g gR%-RRRRRRRRr)rceZdZUdZeddZedzed<eddZedzed<eddZ edzed <edd Z edzed <edd Z e ee fdzed <eddZedzed<eddZedzed<eddZeed<ddedzdefdZdS) JWTParameterszJWT parameters.NzeJWT assertion for JWT authentication. Will be used instead of generating a new assertion if provided.rfrzIssuer for JWT assertions.raz&Subject identifier for JWT assertions.rbzAudience for JWT assertions.rWz%Additional claims for JWT assertions.r~rdrejwt_signing_algorithmzPrivate key for JWT signing.jwt_signing_keyrirjjwt_lifetime_secondswith_audience_fallbackrc |j|j}n|jstd|jstd|jstd|jr|jn|}|stdt tj}|j|j|||jz|ttd}| |j pitj||j|jpd}|S)Nz(Missing signing key for JWT bearer grantz#Missing issuer for JWT bearer grantz$Missing subject for JWT bearer grantz%Missing audience for JWT bearer grantrordrv)rrr rarbrWrxryrrRrrzr~r{r|r)r%rrrWr}r~s r( to_assertionzJWTParameters.to_assertioncs! > %II' Q$%OPPP; L$%JKKK< M$%KLLL(, Qt}};QH N$%LMMMdikk""C{|T66577|| &&F MM$++ , , , $4?I r)rY)rNrOrPrQr rrRrrarbrWr~rrrrrrxrrZr)r(rrRs!EJIsTz t9UVVVFC$JVVV%:bcccGS4Zccc 5;YZZZHcDjZZZ$)E$Dk$l$l$lFDcNT !lll(-gKr(s(s(s3:sss"'%B`"a"a"aOS4Zaaa %c?f g g g#ggg  3:       r)rc>eZdZdZ ddedededeegedfdzdegee eedzffdzd e d e dzd dffd Z dd dedede eefdzd ejffdZd ejffd Zde eeffdZd ejfdZxZS)RFC7523OAuthClientProvideraOAuth client provider for RFC 7523 jwt-bearer grant. .. deprecated:: Use :class:`ClientCredentialsOAuthProvider` for client_credentials with client_id + client_secret, or :class:`PrivateKeyJWTOAuthProvider` for client_credentials with private_key_jwt authentication instead. This provider supports the jwt-bearer authorization grant (RFC 7523 Section 2.1) where the JWT itself is the authorization grant. Nr!rr&rredirect_handlercallback_handlertimeoutjwt_parametersrcddl}|dtdt||||||||_dS)NrzsRFC7523OAuthClientProvider is deprecated. Use ClientCredentialsOAuthProvider or PrivateKeyJWTOAuthProvider instead.) stacklevel)warningswarnDeprecationWarningr"r#r) r%rr&rrrrrrr's r(r#z#RFC7523OAuthClientProvider.__init__si   5     _g?OQacjkkk,r)r auth_code code_verifierrKcK|pi}|jjjdkr||t |||d{VS)z9Build token exchange request for authorization_code flow.rrN)r-r&rrr""_exchange_token_authorization_code)r%rrrKr's r(rz=RFC7523OAuthClientProvider._exchange_token_authorization_codesp %2 < ' BFW W W  / /: / F F FWW?? =eo?pppppppppr)cKd|jjjvr|d{V}|St d{VS)zPerform the authorization flow.+urn:ietf:params:oauth:grant-type:jwt-bearerN)r-r&r_exchange_token_jwt_bearerr"r8)r% token_requestr's r(r8z1RFC7523OAuthClientProvider._perform_authorizationsk 8DL!>!@!@ :r)c@K|jjstd|jstd|jjst dt |jjj}|j|}d|d}|j |jj r|j |d<|jj j r|jj j |d<|}tjd ||d d i S) z2Build token exchange request for JWT bearer grant.zMissing client infozMissing JWT parameterszMissing OAuth metadatarr)r;rr>r r?r<r=r@)r-r0r rrr rRrarrDrErFr&r rGrHrI)r%rarrKrLs r(rz5RFC7523OAuthClientProvider._exchange_token_jwt_bearers1|' 8 !677 7" ; !9:: :|* <!":;; ;T\0788'44F4SS H"  < 5 5dl6S T T E%)\%B%B%D%DJz " < ' - E"&,">"DJw ,,.. } IJIl8m    r))NNr!N)rNrOrPrQrRrr rrtuplefloatrr#rrrHrIrr8rrrSrTs@r(rrs   EISW/3----- - #C5)D/#9:TA - #2ysC$J1G'H#HIDP --&,- ------,Z^qqqq-0qAEc3hRVAVq qqqqqq:em::::::ADcNAAAA& %-        r)r)rQrycollections.abcrrtypingrruuidrrHr{pydanticrr mcp.client.authr r r r mcp.shared.authrrrrRr]r_rrrrZr)r(rs //////// %%%%%%%%^^^^^^^^^^^^KKKKKKKKSRSRSRSRSR%8SRSRSRlSXseYs^6K-L:44444)444nMRMRMRMRMR!4MRMRMR`11111I111ha a a a a !4a a a a a r)