~hl9ddlmZddlZddlZddlZddlmZddlmZm Z ddl m Z m Z ddl Z ddlZddlmZddlmZddlmZmZdd lmZdd lmZdd lmZmZdd lmZdd lm Z ddl!m"Z"ddl#m$Z$dgZ%e$e&Z'ddZ(GddeZ)GddeZGddeZ* d ddZ+ d ddZ, d d dZ-y)!) annotationsN)Path)AnyLiteral)urljoinurlparse)OAuthClientProvider) TokenStorage)OAuthClientInformationFullOAuthClientMetadata) OAuthMetadata) OAuthToken) AnyHttpUrlValidationError)settings)create_oauth_callback_server)find_available_port) get_loggerOAuthc(tjdz S)Nzoauth-mcp-client-cache)fastmcp_global_settingshomeU/opt/mcp/mcp-sentiment/venv/lib/python3.12/site-packages/fastmcp/client/auth/oauth.pydefault_cache_dirr&s " ' '*B BBrcZeZdZUdZdZded<dZded<dZded<dgZded <dZ ded <y) ServerOAuthMetadataz More flexible OAuth metadata model that accepts broader ranges of values than the restrictive MCP standard model. This handles real-world OAuth servers like PayPal that may support additional methods not in the MCP specification. Nzlist[str] | None code_challenge_methods_supported%token_endpoint_auth_methods_supportedgrant_types_supportedcodez list[str]response_types_supportedresponse_modes_supported) __name__ __module__ __qualname____doc__r__annotations__r r!r#r$rrrrr+sO:>$&6=?C)+;B/3+2,2(i226.5rrc eZdZdZ ddZy)r zL OAuth client provider with more flexible OAuth metadata discovery. cK|j|}t|d}ddlm}d|i}t j 4d{} |j ||d{}|jdk(r dddd{y|j|j}tjd|tj|cdddd{S777g7 #t$r |j |d{7}|jdk(rYdddd{7y|j|j}tjd |tj|cYcdddd{7S#t$r*tjd YYdddd{7ywxYwwxYw#1d{7swYyxYww) z Discover OAuth metadata with flexible validation. This is nearly identical to the parent implementation but uses ServerOAuthMetadata instead of the restrictive MCP OAuthMetadata. '/.well-known/oauth-authorization-serverr)LATEST_PROTOCOL_VERSIONzMCP-Protocol-VersionN)headerszOAuth metadata discovered: z+OAuth metadata discovered (no MCP header): z!Failed to discover OAuth metadata)_get_authorization_base_urlr mcp.typesr-httpx AsyncClientget status_coderaise_for_statusjsonloggerdebugrmodel_validate Exception exception) self server_url auth_base_urlurlr-r.clientresponse metadata_jsons r_discover_oauth_metadataz,OAuthClientProvider._discover_oauth_metadataIs88D m%NO5)+BC$$&  & !'C!AA''3.    ))+ (   :=/JK*99-H   A     %+ZZ_44H++s2#   --/$,MMOMLLEm_U/==mLL)   *! $$%HI/   *     s AG C"G G C*C$C*3 G >C&?G A C* G C(G $C*&G (G * G4FD  FG  G )D,*G 0A F<G=G > G  F  G G/G0G 1 G <F?=G GGG  GG GG N)r>strreturnzServerOAuthMetadata | None)r%r&r'r(rDrrrr r Ds( ( #( rr cxeZdZdZd ddZeddZddZddZddZ ddZ dd Z dd Z dd Z ed dd Zy)FileTokenStoragez File-based token storage implementation for OAuth credentials and tokens. Implements the mcp.client.auth.TokenStorage protocol. Each instance is tied to a specific server URL for proper token isolation. Ncr||_|xs t|_|jjddy)z-Initialize storage for a specific server URL.T)exist_okparentsN)r>r cache_dirmkdir)r=r>rLs r__init__zFileTokenStorage.__init__|s0$"9&7&9 dD9rcNt|}|jd|jS)z0Extract the base URL (scheme + host) from a URL.://)rschemenetloc)r@parseds r get_base_urlzFileTokenStorage.get_base_urls&#--FMM?33rc|j|j}|jddjddjddjddS)z:Generate a safe filesystem key from the server's base URL.rP_./:)rTr>replace)r=base_urls r get_cache_keyzFileTokenStorage.get_cache_keysO$$T__5   UC ( WS#  WS#  WS#   rcL|j}|j|d|dz S)z4Get the file path for the specified cache file type.rV.json)r\rL)r= file_typekeys r_get_file_pathzFileTokenStorage._get_file_paths,  "~~3%q 5 999rc6K|jd} tj|j}|S#tt j tf$r>}tjd|j|jd|Yd}~yd}~wwxYww)zLoad tokens from file storage.tokenszCould not load tokens for : N) rarmodel_validate_json read_textFileNotFoundErrorr7JSONDecodeErrorrr8r9rTr>)r=pathrces r get_tokenszFileTokenStorage.get_tokenss""8, 33DNN4DEF M!4#7#7I  LL,T->->t-O,PPRSTRUV   s+B$:BB4B BBBcK|jd}|j|jdtj d|j |j yw)zSave tokens to file storage.rcindentzSaved tokens for Nra write_textmodel_dump_jsonr8r9rTr>)r=rcris r set_tokenszFileTokenStorage.set_tokenssT""8, ..a.89 ():):4??)K(LMNA%A'cK|jd} tj|j}|j d{}|Vt j d|j|jd|jd}|jdy|S7^#ttjtf$r>}t j d|j|jd|Yd}~yd}~wwxYww) z*Load client information from file storage. client_infoNz#No tokens found for client info at zX. OAuth flow may have been incomplete. Clearing client info to force fresh registration.T missing_okzCould not load client info for rd)rar rerfrkr8r9rTr>unlinkrgr7rhr)r=rirvrcclient_info_pathrjs rget_client_infoz FileTokenStorage.get_client_infos""=1 4HH K  ??,,F~ 9$:K:KDOO:\9]^mm $(#6#6}#E  ''4'8 -"4#7#7I  LL1$2C2CDOO2T1UUWXYWZ[   sMD 6B, B* AB,'D (B,)D *B,,D 4D>D DD cK|jd}|j|jdtj d|j |j yw)z(Save client information to file storage.rvrmrnzSaved client info for Nrp)r=rvris rset_client_infoz FileTokenStorage.set_client_infosT""=1  3313=> -d.?.?.P-QRSrtcddg}|D]%}|j|}|jd'tjd|j |j y)z&Clear all cached data for this server.rvrcTrwzCleared OAuth cache for N)raryr8inforTr>)r= file_typesr_ris rclearzFileTokenStorage.clears_>KX=V # )I&&y1D KK4K ( )  .t/@/@/Q.RSTrc|xs t}|jsyddg}|D].}|jd|dD]}|jd0tj dy) z&Clear all cached data for all servers.Nrvrcz*_r^Trwz$Cleared all OAuth client cache data.)rexistsglobryr8r)clsrLrr_files r clear_allzFileTokenStorage.clear_allsx4!2!4 ! >KX=V # -I!I;e'<= - t , - -  :;rN)r>rErL Path | None)r@rErFrE)rFrE)r_z Literal['client_info', 'tokens']rFr)rFzOAuthToken | None)rcrrFNone)rFz!OAuthClientInformationFull | None)rvr rFr)rFr)rLrrFr)r%r&r'r(rN staticmethodrTr\rarkrsr{r}r classmethodrrrrrHrHtsZ: 44  : "O 8T U <  !! %  !sCBCCBBB CBC!B0 C;B<C C BCBCCCC0C1 C<B?=CCCC C CCc N t|}|jd|j t d d}t |t rdj |}td|t|gddgdgd|d |xsi}t | }dd } d fd } t ||| | } | S)a} Create an OAuthClientProvider for an MCP server. This is intended to be provided to the `auth` parameter of an httpx.AsyncClient (or appropriate FastMCP client/transport instance) Args: mcp_url: Full URL to the MCP endpoint (e.g., "http://host/mcp/sse") scopes: OAuth scopes to request. Can be a space-separated string or a list of strings. client_name: Name for this client during registration token_storage_cache_dir: Directory for FileTokenStorage additional_client_metadata: Extra fields for OAuthClientMetadata Returns: OAuthClientProvider rPzhttp://127.0.0.1:z /callback authorization_code refresh_tokenr"client_secret_post) client_name redirect_uris grant_typesresponse_typestoken_endpoint_auth_methodscope)r>rLcfKtjd|tj|yw)zOpen browser for authorization.zOAuth authorization URL: N)r8r webbrowseropen)authorization_urls rredirect_handlerzOAuth..redirect_handlerZs) /0A/BCD)*s/1cKtjj}t|}t j 4d{}|j |jtjdd} t j|5|d{\}}||fcdddd|_ tjdd{|jjcdddd{S77e747 #1swYnxYwn#t$rtd|dwxYw d|_ tjdd{7|jjnD#d|_ tjdd{7|jjwxYwdddd{7y#1d{7swYyxYww) z4Handle OAuth callback and return (auth_code, state).)portr>response_futureNu7🎧 OAuth callback server started on http://127.0.0.1:gr@Tg?zOAuth callback timed out after z seconds)asyncioget_running_loop create_futureranyiocreate_task_group start_soonserver8r fail_after should_exitsleep cancel_scopecancel TimeoutError)rservertgTIMEOUT auth_codestate redirect_portrs rcallback_handlerzOAuth..callback_handler_s"224BBD.&+ **, ) ) MM&,, ' KKI-Y G )%%g.,-<'<$Iu$e+,, &*"mmC(((&&(! ) ) )(= ) ),,,  X"%DWIX#VWW X, &*"mmC(((&&(&*"mmC(((&&(! ) ) ) ) )sA G# D G#6GDD"D# D- D6GD G4 G#D G#D G G#D DE8D44E88GE G8 F9F  F99G< G#G G#G G G G#)r>client_metadatastoragerrr)rrErFr)rFztuple[str, str | None]) rrQrRr isinstancelistjoinr rrHr )rscopesrtoken_storage_cache_diradditional_client_metadata parsed_url redirect_urirrrroauth_providerrrs @@rrr's2'"J#**+3z/@/@.ABO()M&}oY?L&$&!)!,/0)?;x#7  & +O".EG + )@)"')) N r)rFrr)rrErdict[str, Any] | NonerFz_MCPServerOAuthMetadata | None)rrErrrFbool)NzFastMCP ClientNN) rrErzstr | list[str] | NonerrErrrrrF_MCPOAuthClientProvider). __future__rrr7rpathlibrtypingrr urllib.parserrrr2mcp.client.authr rr mcp.shared.authr r r rrpydanticrrfastmcprrfastmcp.client.oauth_callbackrfastmcp.utilities.httprfastmcp.utilities.loggingr__all__r%r8rrrHrrrrrrrs%" * J(1770 ) H C 6162- 1- `o<|o