~h!^ddlZddlmZddlmZddlmZddlmZddlm Z Gdde Z y) N)Optional)Uniongenerate_token)jwt)BearerTokenGeneratorceZdZdZ d fd ZdZdZdeee effdZ de efdZ de e fdZde e efd Zdefd Zd ZxZS) JWTBearerTokenGeneratoraA JWT formatted access token generator. :param issuer: The issuer identifier. Will appear in the JWT ``iss`` claim. :param \\*\\*kwargs: Other parameters are inherited from :class:`~authlib.oauth2.rfc6750.token.BearerTokenGenerator`. This token generator can be registered into the authorization server:: class MyJWTBearerTokenGenerator(JWTBearerTokenGenerator): def get_jwks(self): ... def get_extra_claims(self, client, grant_type, user, scope): ... authorization_server.register_token_generator( "default", MyJWTBearerTokenGenerator( issuer="https://authorization-server.example.org" ), ) cXt||j||||_||_y)N)super__init__access_token_generatorissueralg)selfrrrefresh_token_generatorexpires_generator __class__s X/opt/mcp/mcp-sentiment/venv/lib/python3.12/site-packages/authlib/oauth2/rfc9068/token.pyr z JWTBearerTokenGenerator.__init__"s1   ' ')@BS  ct)zReturn the JWKs that will be used to sign the JWT access token. Developers MUST re-implement this method:: def get_jwks(self): return load_jwks("jwks.json") )NotImplementedError)rs rget_jwksz JWTBearerTokenGenerator.get_jwks/s "##rciS)aYReturn extra claims to add in the JWT access token. Developers MAY re-implement this method to add identity claims like the ones in :ref:`specs/oidc` ID Token, or any other arbitrary claims:: def get_extra_claims(self, client, grant_type, user, scope): return generate_user_info(user, scope) rclient grant_typeuserscopes rget_extra_claimsz(JWTBearerTokenGenerator.get_extra_claims8s  rreturnc"|jS)ajReturn the audience for the token. By default this simply returns the client ID. Developers MAY re-implement this method to add extra audiences:: def get_audiences(self, client, user, scope): return [ client.get_client_id(), resource_server.get_id(), ] ) get_client_id)rrrr s r get_audiencesz%JWTBearerTokenGenerator.get_audiencesBs##%%rcy)aAuthentication Context Class Reference. Returns a user-defined case sensitive string indicating the class of authentication the used performed. Token audience may refuse to give access to some resources if some ACR criteria are not met. :ref:`specs/oidc` defines one special value: ``0`` means that the user authentication did not respect `ISO29115`_ level 1, and will be refused monetary operations. Developers MAY re-implement this method:: def get_acr(self, user): if user.insecure_session(): return "0" return "urn:mace:incommon:iap:silver" .. _ISO29115: https://www.iso.org/standard/45138.html Nrrrs rget_acrzJWTBearerTokenGenerator.get_acrOs rcy)a}User authentication time. Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. Developers MAY re-implement this method:: def get_auth_time(self, user): return datetime.timestamp(user.get_auth_time()) Nrr's r get_auth_timez%JWTBearerTokenGenerator.get_auth_timearcy)a{Authentication Methods References. Defined by :ref:`specs/oidc` as an option list of user-defined case-sensitive strings indication which authentication methods have been used to authenticate the user. Developers MAY re-implement this method:: def get_amr(self, user): return ["2FA"] if user.has_2fa_enabled() else [] Nrr's rget_amrzJWTBearerTokenGenerator.get_amrlr+rctdS)zJWT ID. Create an unique identifier for the token. Developers MAY re-implement this method:: def get_jti(self, client, grant_type, user scope): return generate_random_string(16) rrs rget_jtizJWTBearerTokenGenerator.get_jtiwsb!!rc ttj}||j||z}|j||j ||j |||||d}|r|j |d<n|j |d< |j||||d<|j|x}r||d<|j|x} r| |d<|j|x} r| |d<|j|j|||||jdd } tj| ||j!d } | j#S) N)issexp client_idiatjtir subFaud auth_timeacramrzat+jwt)rtyp)keycheck)inttime_get_expires_inrr$r0 get_user_idr%r*r(r-updater!rrencoderdecode) rrrrr now expires_in token_datar9r:r;header access_tokens rrz.JWTBearerTokenGenerator.access_token_generatorsq$))+4// CC ;;--/<< D%@    $ 0 0 2Ju !' 4 4 6Ju  !% 2 264 GJu **40 09 0&/J{ # ,,t$ $3 $ #Ju  ,,t$ $3 $ #Ju  $// D%PQ(3zz     ""$$r)RS256NN)__name__ __module__ __qualname____doc__r rr!rstrlistr%rr(r?r*r-r0r __classcell__)rs@rr r s4  $ $ &E#tCy.4I &x}$ Xc]  xS 2 "#"Y%rr ) r@typingrrauthlib.common.securityr authlib.joserauthlib.oauth2.rfc6750.tokenrr rrrrWs& 2=P%2P%r