~hrddlZddlmZddlmZddlmZdZeje Z GddZ d Z y) N)jwt) JoseError)InvalidClientErrorz6urn:ietf:params:oauth:client-assertion-type:jwt-bearercJeZdZdZeZdZd dZdZdZ dZ dZ dZ d Z d Zy ) JWTBearerClientAssertionz]Implementation of Using JWTs for Client Authentication, which is defined by RFC7523. client_assertion_jwtc.||_||_||_y)N) token_url _validate_jtileeway)selfr validate_jtir s Y/opt/mcp/mcp-sentiment/venv/lib/python3.12/site-packages/authlib/oauth2/rfc7523/client.py__init__z!JWTBearerClientAssertion.__init__s") c4|j}|jd}|jd}|tk(rA|r?|j||}|j |||j |j Stjd|jy)Nclient_assertion_typeclient_assertionzAuthenticate via %r failed) formgetASSERTION_TYPEcreate_resolve_key_funcprocess_assertion_claimsauthenticate_clientclientlogdebugCLIENT_AUTH_METHOD)r query_clientrequestdataassertion_type assertion resolve_keys r__call__z!JWTBearerClientAssertion.__call__s||"9:HH/0 ^ + 66|WMK  ) ))[ A++GNN; ; .0G0GHrcdtdddid|jdddid}|jrd|jd|d<|S)zCreate a claims_options for verify JWT payload claims. Developers MAY overwrite this method to create a more strict options. T) essentialvalidater()r(value)isssubaudexpjti) _validate_issr r r)roptionss rcreate_claims_optionsz.JWTBearerClientAssertion.create_claims_options'sS"&=A&!%?&     +/T=N=NOGENrc tj|||j}|j|j|S#t $r2}t jd|t|j|d}~wwxYw)aaExtract JWT payload claims from request "assertion", per `Section 3.1`_. :param assertion: assertion string value in the request :param resolve_key: function to resolve the sign key :return: JWTClaims :raise: InvalidClientError .. _`Section 3.1`: https://tools.ietf.org/html/rfc7523#section-3.1 )claims_options)r zAssertion Error: %r descriptionN) rdecoder2r)r rrrrr6)rr$r%claimses rrz1JWTBearerClientAssertion.process_assertion_claims7su GZZ;t7Q7Q7SF OO4;;O /  G II+Q /$?Q F GsAA B-A<<Bcp|j|jdr|Std|j)Ntokenz,The client cannot authenticate with method: r5)check_endpoint_auth_methodrr)rrs rrz,JWTBearerClientAssertion.authenticate_clientLs;  , ,T-D-Dg NM FtG^G^F_`  rcfd}|S)Ncl|d}|}|s td|_j||S)Nr,z)The client does not exist on this server.r5)rrresolve_client_public_key)headerspayload client_idrr r!rs rr%zEJWTBearerClientAssertion.create_resolve_key_func..resolve_keyTsG I!),F( K$GN11&'B Br)rr r!r%s``` rrz0JWTBearerClientAssertion.create_resolve_key_funcSs Crct)afValidate if the given ``jti`` value is used before. Developers MUST implement this method:: def validate_jti(self, claims, jti): key = "jti:{}-{}".format(claims["sub"], jti) if redis.get(key): return False redis.set(key, 1, ex=3600) return True NotImplementedError)rr8r/s rrz%JWTBearerClientAssertion.validate_jtics "##rct)aNResolve the client public key for verifying the JWT signature. A client may have many public keys, in this case, we can retrieve it via ``kid`` value in headers. Developers MUST implement this method:: def resolve_client_public_key(self, client, headers): return client.public_key rE)rrr@s rr?z2JWTBearerClientAssertion.resolve_client_public_keyps "##rN)T<)__name__ __module__ __qualname____doc__rCLIENT_ASSERTION_TYPErrr&r2rrrrr?rCrrrr s> +/I *  $$rrc|d|k(S)Nr,rC)r8r+s rr0r0{s %=C r) logging authlib.joserauthlib.jose.errorsrrfc6749rr getLoggerrIrrr0rCrrrTs:)(Ig!l$l$^ r