~h1"ddlZddlmZddlmZmZddlZddlmZm Z ddl m Z ddl m Z ddlmZddlmZmZmZmZdd lmZmZdd lmZdd lmZmZmZGd d edZGddeZedddGddZ GddeZ!y)N) dataclass)Any TypedDict) JsonWebKey JsonWebToken) JoseError) serialization)rsa) AccessTokenAuthorizationCodeAuthorizationParams RefreshToken)OAuthClientInformationFull OAuthToken) SecretStr)ClientRegistrationOptions OAuthProviderRevocationOptionscheZdZUdZeed<eed<eed<eed<eed<eed<eeed<eed <y ) JWKDatazJSON Web Key data structure.ktykidusealgnex5cx5tN)__name__ __module__ __qualname____doc__str__annotations__list`/opt/mcp/mcp-sentiment/venv/lib/python3.12/site-packages/fastmcp/server/auth/providers/bearer.pyrrs1& H H H H F F cN Hr'rF)totalc"eZdZUdZeeed<y)JWKSDataz JSON Web Key Set data structure.keysN)rr r!r"r%rr$r&r'r(r+r+*s* w-r'r+T)frozenkw_onlyreprceZdZUeed<eed<eddZ ddedededzd eedzd e d e ee fdzd edzdefd Z y) RSAKeyPair private_key public_keyreturnctjdd}|j}|jtj j tjjt jjd}|jtj j tjjjd}|t||S)z~ Generate an RSA key pair for testing. Returns: tuple: (private_key_pem, public_key_pem) ii)public_exponentkey_size)encodingformatencryption_algorithmutf-8)r8r9)r2r3)r generate_private_keyr3 private_bytesr EncodingPEM PrivateFormatPKCS8 NoEncryptiondecode public_bytes PublicFormatSubjectPublicKeyInfor)clsr2r3 private_pem public_pems r(generatezRSAKeyPair.generate5s..! !++- "//"++// ..44!.!;!;!=0  &/  ,,"++// --BB-  &/  !+.!  r'Nsubjectissueraudiencescopesexpires_in_secondsadditional_claimsrcXtdg}ttj} ||| | |zd} |r|| d<|rdj|| d<|r| j |ddi} |r|| d<|j | | |j j} | jd S) a) Generate a test JWT token for testing purposes. Args: private_key_pem: RSA private key in PEM format subject: Subject claim (usually user ID) issuer: Issuer claim audience: Audience claim (optional) scopes: List of scopes to include expires_in_seconds: Token expiration time in seconds additional_claims: Any additional claims to include kid: Key ID for JWKS lookup (optional) Returns: Signed JWT token string RS256)isssubiatexpaud scoperr)keyr;) rinttimejoinupdateencoder2get_secret_valuerC) selfrKrLrMrNrOrPrjwtnowpayloadheader token_bytess r( create_tokenzRSAKeyPair.create_tokenXs4G9%$))+++   %GEN "xx/GG   NN, -! F5Mjj    113! !!'**r')r4r1)z fastmcp-userhttps://fastmcp.example.comNNNN) rr r!rr$r# classmethodrJr%r[dictrrgr&r'r(r1r10sO    H&3##'"&37:+:+:+* :+ S D :+  :+ S>D0:+4Z:+ :+r'r1c zeZdZdZ d dedzdedzdedzdedzdeedzf fd Zd ed efd Zd edzd efd Zd ed e dzfdZ de ee fd eefdZ ded edzfdZded dfdZdeded efdZdeded edzfdZdeded efdZdeded edzfdZdededeed efdZd e ezd dfdZxZS)!BearerAuthProviderae Simple JWT Bearer Token validator for hosted MCP servers. Uses RS256 asymmetric encryption. Supports either static public key or JWKS URI for key rotation. Note that this provider DOES NOT permit client registration or revocation, or any OAuth flows. It is intended to be used with a control plane that manages clients and tokens. Nr3jwks_urirLrMrequired_scopesc|s |s td|r |r tdt| |xsdtdt d|||_||_||_||_tdg|_ i|_ d|_ d |_ y ) a Initialize the provider. Either public_key or jwks_uri must be provided. Args: public_key: RSA public key in PEM format (for static key) jwks_uri: URI to fetch keys from (for key rotation) issuer: Expected issuer claim (optional) audience: Expected audience claim (optional) required_scopes: List of required scopes for access (optional) z.Either public_key or jwks_uri must be providedz/Provide either public_key or jwks_uri, not bothrhF)enabled) issuer_urlclient_registration_optionsrevocation_optionsrorRrriN) ValueErrorsuper__init__rrrLrMr3rnrrb _jwks_cache_jwks_cache_time _cache_ttl)rar3rnrLrMro __class__s r(rwzBearerAuthProvider.__init__s$hMN N (NO O >!>(A%(P0?+     $   *,.'(r'tokenr4cxK|jr |jS ddl}ddl}|jdd}|ddt |dzz zz }|j |j |}|jd}|j|d{S7#t$r}td|d}~wwxYww)z'Get the verification key for the token.rN.=rz%Failed to extract key ID from token: ) r3base64jsonsplitlenloadsurlsafe_b64decodeget _get_jwks_key Exceptionru)rar|rr header_b64rerrs r(_get_verification_keyz(BearerAuthProvider._get_verification_keys ???? " J  S)!,J #S_q%8!89 9JZZ 8 8 DEF**U#C++C00 00 JDQCHI I Js;B:A8BBBB:B B7$B22B77B:rcK|js tdtj}||jz |jkre|r||j vr|j |S|sDt |j dk(r,tt|j jS tj4d{}|j|jd{}|j|j}dddd{i|_jdgD]Y}|jd}tj |}|j#} |r| |j |<K| |j d<[||_|r,||j vrtd|d|j |St |j dk(r,tt|j jSt |j dkDr td td 7t7T7'#1d{7swY8xYw#t$$r} td | d} ~ wwxYww) z(Fetch key from JWKS with simple caching.zJWKS URI not configuredNr,r_defaultzKey ID 'z' not found in JWKSz2Multiple keys in JWKS but no key ID (kid) in tokenzNo keys found in JWKSzFailed to fetch JWKS: )rnrur\ryrzrxrnextitervalueshttpx AsyncClientrraise_for_statusrr import_keyget_public_keyr) rar current_timeclientresponse jwks_datakey_datakey_kidjwkr3rs r(rz BearerAuthProvider._get_jwks_keysG}}67 7yy{  $// /$// Asd...'',,S!1!12a7D!1!1!8!8!:;<<& ;((* , ,f!'DMM!::))+$MMO  , , "D %MM&"5 >",,u- ++H5 //1 0:D$$W-4>D$$Z0 >%1D !d...$xu4G%HII'',,t''(A-T%5%5%<%<%> ?@@))*Q.$L%%<==E ,: , , , ,H ;5aS9: : ;sB-I:0IH< I I+H?,$I IIB-I I: AI I:/I?III I II I7$I22I77I:cK |j|d{}|jj||}|jd}|r|t jkry|j r|jd|j k7ry|j r@|jd}t|tr|j |vry||j k7ry|jdxs|jdxsd}|j|}t|t|||rt|SdS7&#t$rYyt$rYywxYww) z Validates the provided JWT bearer token. Args: token: The JWT token string to validate Returns: AccessToken object if valid, None if invalid or expired NrVrSrW client_idrTunknown)r|rrN expires_at)rrbrCrr\rLrM isinstancer%_extract_scopesr r#r[rr)rar|verification_keyclaimsrVrWrrNs r(load_access_tokenz$BearerAuthProvider.load_access_tokensC) %)%?%?%FF XX__U,<=F**U#CsTYY[({{::e$ 3}}jj'c4(}}C/#DMM) ;/Q6::e3DQ I))&1Fi.'*3s8  15  ; GH   sEED>A E#E$*EE;E E EEAE6E7E=E>E E E EEEErc|jdd}t|tr|jSt|tr|SgS)zExtract scopes from JWT claims.rY)rrr#rr%)rar scope_claims r(rz"BearerAuthProvider._extract_scopesIs@jj"- k3 '$$& &  T *  r'rc Ktdw)NzClient management not supportedNotImplementedError)rars r( get_clientzBearerAuthProvider.get_clientSs!"CDD  client_infoc Ktdw)Nz!Client registration not supportedr)rars r(register_clientz"BearerAuthProvider.register_clientVs!"EFFrrparamsc Ktdw)Nz Authorization flow not supportedr)rarrs r( authorizezBearerAuthProvider.authorizeY""DEErauthorization_codec Ktdw)Nz%Authorization code flow not supportedrrarrs r(load_authorization_codez*BearerAuthProvider.load_authorization_code^s""IJJrc Ktdw)Nz)Authorization code exchange not supportedrrs r(exchange_authorization_codez.BearerAuthProvider.exchange_authorization_codecs""MNNr refresh_tokenc Ktdw)Nz Refresh token flow not supportedr)rarrs r(load_refresh_tokenz%BearerAuthProvider.load_refresh_tokenhrrrNc Ktdw)Nz$Refresh token exchange not supportedr)rarrrNs r(exchange_refresh_tokenz)BearerAuthProvider.exchange_refresh_tokenms ""HIIrc Ktdw)NzToken revocation not supportedr)rar|s r( revoke_tokenzBearerAuthProvider.revoke_tokenus""BCCr)NNNNN)rr r!r"r#r%rwrrr rrkrrrrrr rr rrrrrrr __classcell__)r{s@r(rmrms"&#!#,0 '$J'*'d ' * ' cT) 'RJJJ(6;sTz6;c6;p3S3[45G3jd38ncE#E2Lt2SEG1KGPTGF0F:MF F K0KFIK T !K O0OFWO O F0FADF  F J*J$JS J  JD\)D Dr'rm)"r\ dataclassesrtypingrrr authlib.joserrauthlib.jose.errorsrcryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr mcp.server.auth.providerr r r rmcp.shared.authrrpydanticrfastmcp.server.auth.authrrrrr+r1rmr&r'r(rs !! 1)89   iu  y  $51a+a+2a+HdDdDr'