[ǻi# ddlmZmZddlmZddlmZddlmZddl m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddl m!Z!ddl"m#Z#m$Z$ddl%m&Z&ddl'm(Z(defdZ)dZ*dZ+dZ,dZ-dee geeezfde.e/defdZ0 d.de!eeefd ed!edzd"e#dzd#e$dzde.ef d$Z1d ed!edzd"e#d#e$de(f d%Z2d&edefd'Z3 d.d(ed)e.ed*e.e/dzd+e/dzd,edzde.ef d-Z4y)/) AwaitableCallable)Any)urlparse) AnyHttpUrl)CORSMiddleware)Request)Response)Routerequest_response)ASGIApp)AuthorizationHandler)MetadataHandler)RegistrationHandler)RevocationHandler) TokenHandler)ClientAuthenticator) OAuthAuthorizationServerProvider)ClientRegistrationOptionsRevocationOptions)MCP_PROTOCOL_VERSION_HEADER) OAuthMetadataurlc|jdk7rA|jdk7r2|j&|jjds td|jr td|j r tdy)z Validate that the issuer URL meets OAuth 2.0 requirements. Args: url: The issuer URL to validate Raises: ValueError: If the issuer URL is invalid https localhostNz 127.0.0.1zIssuer URL must be HTTPSz#Issuer URL must not have a fragmentz'Issuer URL must not have a query string)schemehost startswith ValueErrorfragmentquery)rs T/opt/lhia/marcimex/agent/venv/lib/python3.12/site-packages/mcp/server/auth/routes.pyvalidate_issuer_urlr$sp g HH # XX !#((*=*=k*J344 ||>?? yyBCCz /authorizez/tokenz /registerz/revokehandler allow_methodsreturnc@tt|d|tg}|S)N*)app allow_originsr' allow_headers)rr r)r&r'cors_apps r#cors_middlewarer/8s) W %#23 H Or%Nprovider issuer_urlservice_documentation_urlclient_registration_optionsrevocation_optionsc t||xs t}|xs t}t||||}t |}t dt t|jddgddgt tt|jddgt tt t||jddgddgg}|jrFt||}|jt t t |jddgddg|jrEt#||} |jt t$t | jddgddg|S)Nz'/.well-known/oauth-authorization-serverGETOPTIONSendpointmethodsPOST)options)r$rrbuild_metadatarr r/rhandleAUTHORIZATION_PATHr TOKEN_PATHrenabledrappendREGISTRATION_PATHrREVOCATION_PATH) r0r1r2r3r4metadataclient_authenticatorroutesregistration_handlerrevocation_handlers r#create_auth_routesrJEs #"="\AZA\+B/@/B!# H /x8  5$)00 "I&    *(3::FO    $X';<CC#Y'  !F4#**2 /   !((//Y' +   !!.x9MN (&--Y' +    Mr%ctt|jdtz}tt|jdtz}t ||||j dgdddgddgd|dddddg}|jr/tt|jdtz|_ |jr8tt|jdtz|_ ddg|_ |S) N/codeauthorization_code refresh_tokenclient_secret_postclient_secret_basicS256)issuerauthorization_endpointtoken_endpointscopes_supportedresponse_types_supportedresponse_modes_supportedgrant_types_supported%token_endpoint_auth_methods_supported0token_endpoint_auth_signing_alg_values_supportedservice_documentationui_locales_supported op_policy_uri op_tos_uriintrospection_endpoint code_challenge_methods_supported) rstrrstripr?r@r valid_scopesrArCregistration_endpointrDrevocation_endpoint*revocation_endpoint_auth_methods_supported)r1r2r3r4authorization_url token_urlrEs r#r=r=s #3z?#9#9##>AS#ST3z?11#6CDI0 4AA"(!%3_E/CEZ.[9=7!#*0H&#**)3C O4J4J34ORc4c)d&!!'1#j/2H2H2MP_2_'`$?SUj>k; Or%resource_server_urlctt|}|jdk7r |jnd}t|jd|j d|S)u Build RFC 9728 compliant protected resource metadata URL. Inserts /.well-known/oauth-protected-resource between host and resource path as specified in RFC 9728 §3.1. Args: resource_server_url: The resource server URL (e.g., https://example.com/mcp) Returns: The metadata URL (e.g., https://example.com/.well-known/oauth-protected-resource/mcp) rLz://z%/.well-known/oauth-protected-resource)rrbpathrrnetloc)rjparsed resource_paths r#build_resource_metadata_urlrqsQc-. /F#);;##5FKK2M s6==/9^_l^mn oor% resource_urlauthorization_serversrV resource_nameresource_documentationcddlm}ddlm}||||||}||}t |} t t | } | j} t| t|jddgddggS)a} Create routes for OAuth 2.0 Protected Resource Metadata (RFC 9728). Args: resource_url: The URL of this resource server authorization_servers: List of authorization servers that can issue tokens scopes_supported: Optional list of scopes supported by this resource Returns: List of Starlette routes for protected resource metadata r) ProtectedResourceMetadataHandler)ProtectedResourceMetadata)resourcersrVrtrur6r7r8) !mcp.server.auth.handlers.metadatarwmcp.shared.authrxrqrrbrmr r/r>) rrrsrVrtrurwrxrEr& metadata_urlrowell_known_paths r# create_protected_resource_routesr~s$S9(3)#5 H/x8G/|rs/!4&(5#C=A=7FEQB)DZD4"    wiIh,?!?? @ 9    48DH37 N.sC}=NN *D0N";T!A N *D0 N  %[ Nb%%)D0%";%* %  %PpZpJp,*. $04 ,, +,3i$&,: , '- ,  %[ ,r%