+ winRt^RIt^RIt^RIt^RIt^RIt^RIt^RIHtH t H t ^RI H t H t ^RIHtHt^RIHtHtHtHt^RIt^RIt^RIHtHtHt^RIHtHt^RIH t H!t!H"t"H#t#H$t$H%t%H&t&H't'H(t(H)t)H*t*H+t+H,t,H-t-H.t.^R I/H0t0^R I1H2t2H3t3H4t4H5t5H6t6^R I7H8t8H9t9H:t:]Pv!]<4t=!R R ]4t>!RR]4t?] !RR44t@!RR]P4tBR#)z| OAuth2 Authentication implementation for HTTPX. Implements authorization code flow with PKCE and automatic token refresh. N)AsyncGenerator AwaitableCallable) dataclassfield)AnyProtocol)quote urlencodeurljoinurlparse) BaseModelFieldValidationError)OAuthFlowErrorOAuthTokenError)8build_oauth_authorization_server_metadata_discovery_urls0build_protected_resource_metadata_discovery_urls$create_client_info_from_metadata_url"create_client_registration_requestcreate_oauth_metadata_requestextract_field_from_www_auth'extract_resource_metadata_from_www_authextract_scope_from_www_authget_client_metadata_scopeshandle_auth_metadata_response"handle_protected_resource_responsehandle_registration_responsehandle_token_response_scopesis_valid_client_metadata_urlshould_use_client_metadata_url)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)calculate_token_expirycheck_resource_allowedresource_url_from_server_urlcxa]tRt^9toRt]!R^+^R7t]!R^+^R7t]V3RlRl4t V3Rlt Rt Vt R#) PKCEParametersz.PKCE (Proof Key for Code Exchange) parameters..) min_length max_lengthc<V^8dQhRR/#)returnr+)format __classdict__s"J/home/ubuntu/.local/lib/python3.14/site-packages/mcp/client/auth/oauth2.py __annotate__PKCEParameters.__annotate__@sOO)Oc RPR\^444p\P!VP 44P 4p\ P!V4P4PR4pV!WR7#)zGenerate new PKCE parameters.c3"TFEp\P!\P\P,R,4xKG R#5i)z-._~N)secretschoicestring ascii_lettersdigits).0_s& r4 *PKCEParameters.generate..Bs4rgqbcv/C/Cfmm/SV\/\ ] ]gqsA A=) code_verifiercode_challenge) joinrangehashlibsha256encodedigestbase64urlsafe_b64encodedecoderstrip)clsrErLrFs& r4generatePKCEParameters.generate?snrglmpgqrr  4 4 67>>@11&9@@BII#NNNr7c2<V^8dQh/S[;R&S[;R&#)r/rErFstr)r2r3s"r4r5r69sBC r7r1N) __name__ __module__ __qualname____firstlineno____doc__rrErF classmethodrR__annotate_func____static_attributes____classdictcell__r3s@r4r+r+9s?8srcBMsCNOOr7r+cla]tRt^HtoRtV3RlRltV3RlRltV3RlRltV3RlR ltR t Vt R #) TokenStoragez+Protocol for token storage implementations.c.<V^8dQhRS[R,/#r/r0Nr%)r2r3s"r4r5TokenStorage.__annotate__Ks  *t"3 r7c "R#5i)zGet stored tokens.Nr1selfs&r4 get_tokensTokenStorage.get_tokensK c$<V^8dQhRS[RR/#)r/tokensr0Nre)r2r3s"r4r5rfOs  z d r7c "R#5i)z Store tokens.Nr1)riros&&r4 set_tokensTokenStorage.set_tokensOrlrmc.<V^8dQhRS[R,/#rdr")r2r3s"r4r5rfSs  'AD'H r7c "R#5i)zGet stored client information.Nr1rhs&r4get_client_infoTokenStorage.get_client_infoSrlrmc$<V^8dQhRS[RR/#)r/ client_infor0Nrt)r2r3s"r4r5rfWs  1K PT r7c "R#5i)zStore client information.Nr1)rirys&&r4set_client_infoTokenStorage.set_client_infoWrlrmr1N) rWrXrYrZr[rjrqrvr{r^r_r`s@r4rbrbHs05        r7rbca]tRt^\toRtRtRtRtRtRt Rt Rt Rt Rt ]!]P R7tV3RlRltV3RlRltV3R lR ltV3R lR ltV3R lRltV3RlRltRV3RlRlltRV3RlRlltV3RltRtVtR#) OAuthContextzOAuth flow context.r@N)default_factoryc&<V^8dQhRS[RS[/#)r/ server_urlr0rU)r2r3s"r4r5OAuthContext.__annotate__xs44S4S4r7c N\V4pVP RVP 2#)z,Extract base URL by removing path component.z://)r schemenetloc)rirparseds&& r4get_authorization_base_url'OAuthContext.get_authorization_base_urlxs%*%--FMM?33r7c$<V^8dQhRS[RR/#)r/tokenr0Nre)r2r3s"r4r5r}sJJJJr7c :\VP4VnR#)z4Update token expiry time using shared util function.N)r' expires_intoken_expiry_time)rirs&&r4update_token_expiry OAuthContext.update_token_expiry}s!78H8H!Ir7c <V^8dQhRS[/#r/r0bool)r2r3s"r4r5rs   r7c \VP;'dZVPP;'d<VP'*;'g#\P!4VP8*4#)z Check if current token is valid.)rcurrent_tokens access_tokenrtimerhs&r4is_token_validOAuthContext.is_token_validsd    V V##00 V V+++TTtyy{d>T>T/T  r7c <V^8dQhRS[/#rr)r2r3s"r4r5rsdd4dr7c \VP;'d+VPP;'d VP4#)z Check if token can be refreshed.)rr refresh_tokenryrhs&r4can_refresh_tokenOAuthContext.can_refresh_tokens6D''bbD,?,?,M,MbbRVRbRbccr7c<V^8dQhRR/#rdr1)r2r3s"r4r5rs&&d&r7c "RVnRVnR#)zClear current tokens.Nrrrhs&r4 clear_tokensOAuthContext.clear_tokenss"!%r7c <V^8dQhRS[/#rrU)r2r3s"r4r5rs  # r7c \VP4pVP'dPVPP'd4\ VPP4p\ WR7'dTpV#)zoGet resource URL for RFC 8707. Uses PRM resource if it's a valid parent, otherwise uses canonical server URL. requested_resourceconfigured_resource)r)rprotected_resource_metadataresourcerVr()rir prm_resources& r4get_resource_urlOAuthContext.get_resource_urls\ 0@  + + +0P0P0Y0Y0Yt??HHIL%dd'r7c4<V^8dQhRS[R,RS[/#)r/protocol_versionNr0)rVr)r2r3s"r4r5rs 00cDj0TX0r7c @VPeR#V'gR#VR8#)zDetermine if the resource parameter should be included in OAuth requests. Returns True if: - Protected resource metadata is available, OR - MCP-Protocol-Version header is 2025-06-18 or later TFz 2025-06-18)r)rirs&&r4should_include_resource_param*OAuthContext.should_include_resource_params(  + + 7  <//r7c <V^8dQhRS[S[S[3,RS[S[S[3,R,RS[S[S[S[3,S[S[S[3,3,/#)r/dataheadersNr0)dictrVtuple)r2r3s"r4r5rsT""cN"-1#s(^d-B" tCH~tCH~- ."r7c Vf/pVP'gW3#VPPpVR8XdVPP'dVPP'd\ VPPRR7p\ VPPRR7pV RV 2p\ P !VP44P4pRV 2VR&VP4UU u/uFwrVR8wgKWbK ppp W3#VR8Xd6VPP'dVPPVR&W3#uup pi) zPrepare authentication for token requests. Args: data: The form data to send headers: Optional headers dict to update Returns: Tuple of (updated_data, updated_headers) client_secret_basicr9)safe:zBasic Authorization client_secretclient_secret_post) rytoken_endpoint_auth_method client_idrr rM b64encoderKrOitems) rirr auth_method encoded_idencoded_secret credentialsencoded_credentialskvs &&& r4prepare_token_authOAuthContext.prepare_token_authsI ?G= &&AA / /D4D4D4N4N4NSWScScSqSqSqt//99CJ"4#3#3#A#AKN'L.)9:K"("2"2;3E3E3G"H"O"O"Q )/0C/D'EGO $%)ZZ\J\TQQ/5IDAD\DJ } 0 0T5E5E5S5S5S$($4$4$B$BD !} Ks  E"E"c<V^8dQh/S[;R&S[;R&S[;R&S[S[.S[R,3,R,;R&S[.S[S[S[S[R,3,,3,R,;R&S[;R&S[R,;R&S[R,;R &S[R,;R &S[R,;R &S[R,;R &S[ R,;R &S[ R,;R&S[R,;R&S[ P;R&#)r/rclient_metadatastorageNredirect_handlercallback_handlertimeoutclient_metadata_urlroauth_metadataauth_server_urlrryrrlock) rVr#rbrrrfloatr&r$r"r%anyioLock)r2r3s"r4r5r\s%O  )(   uio56==r9U3d ?-C#DDELLt*";T!AH"D(/4Z& Dj'!&,d29',%,-.t|*/4 **85r7rN)rWrXrYrZr[rrrrrrryrrrrrrrrrrrrrrr]r^r_r`s@r4r~r~\sG&*EI+/N"&O#'6:K)-N&*UZZ8D44 JJ  dd&&  00&""qr7r~c0a]tRt^toRtRtR"V3RlRlltV3RlRltV3RlR ltV3R lR lt V3R lR lt V3RlRlt R//V3RlRllt V3RlRlt V3RlRltV3RlRltV3RlRltV3RlRltV3RlRltV3RlR ltR!tVtR#)#OAuthClientProviderzk OAuth2 authentication for httpx. Handles OAuth flow with automatic client registration and token storage. TNc<V^8dQhRS[RS[RS[RS[S[.S[R,3,R,RS[.S[S[S[S[R,3,,3,R,RS[RS[R,/#) r/rrrrNrrr)rVr#rbrrrr)r2r3s"r4r5 OAuthClientProvider.__annotate__s+"+"+"-+" +" #C5)D/#9:TA +" #2ysC$J1G'H#HIDP +"+"!4Z+"r7c  Ve \V4'g\RV 24h\VVVVVVVR7VnRVnR#)aInitialize OAuth2 authentication. Args: server_url: The MCP server URL. client_metadata: OAuth client metadata for registration. storage: Token storage implementation. redirect_handler: Handler for authorization redirects. callback_handler: Handler for authorization callbacks. timeout: Timeout for the OAuth flow. client_metadata_url: URL-based client ID. When provided and the server advertises client_id_metadata_document_supported=true, this URL will be used as the client_id instead of performing dynamic client registration. Must be a valid HTTPS URL with a non-root pathname. Raises: ValueError: If client_metadata_url is provided but not a valid HTTPS URL with a non-root pathname. NzMclient_metadata_url must be a valid HTTPS URL with a non-root pathname, got: )rrrrrrrF)r ValueErrorr~context _initialized)rirrrrrrrs&&&&&&&&r4__init__OAuthClientProvider.__init__s\:  *3OPc3d3d_`s_tu $!+-- 3  "r7c$<V^8dQhRS[RR/#)r/prmr0N)r&)r2r3s"r4r5rs!rr2KrPTrr7c "VP'd\VP4MRpV'gR#\VPP4p\ W2R7'g\ RV RV 24hR#5i)z?Validate that PRM resource matches the server URL per RFC 8707.NrzProtected resource z does not match expected )rrVr)rrr(r)rirrdefault_resources&& r4_validate_resource_match,OAuthClientProvider._validate_resource_matchsf,/LLLs3<<(d  7 8O8OP%9Ill #6|nD]^n]o!pq qms 1A:AA:c:<V^8dQhRS[PRS[/#r/responser0httpxResponser)r2r3s"r4r5rs %..UYr7c X"VP^8XdVP4GRjxL p\P!V4pW0PnVP 'd,\VP ^,4VPnR#VPR8Xd0\PRVPP R24R#\RVP 24hL \d1\PRTPP 24R#i;i5i) z Handle protected resource metadata discovery response. Per SEP-985, supports fallback when discovery fails at one URL. Returns: True if metadata was successfully discovered, False if we should try next URL NTz'Invalid protected resource metadata at Fiz)Protected resource metadata not found at z, trying next URLz,Protected Resource Metadata request failed: ) status_codeareadr&model_validate_jsonrrauthorization_serversrVrrloggerwarningrequesturldebugrrircontentmetadatas&& r4#_handle_protected_resource_response7OAuthClientProvider._handle_protected_resource_responses   3 &  ( 004HHQ;C 811136x7U7UVW7X3YDLL0  ! !S ( LLDXEUEUEYEYDZZkl m!>x?S?S>TU #1# !HIYIYI]I]H^_` s:D*C,C*A'C,AD**C,,7D'#D*&D''D*c4<V^8dQhRS[P/#rrRequest)r2r3s"r4r5r7semmr7c |"VP4GRjxL wrVPW4GRjxL pV#L!L5i)zPerform the authorization flow.N)!_perform_authorization_code_grant"_exchange_token_authorization_code)ri auth_coderE token_requests& r4_perform_authorization*OAuthClientProvider._perform_authorization7s;)-)O)O)Q#Q "EEi__ $R_s<8<:<<c6<V^8dQhRS[S[S[3,/#r)rrV)r2r3s"r4r5r=s3434sCx34r7c F"VPPPf \R4hVPP'g \R4hVPP 'g \R4hVPP 'dQVPP P'd+\VPP P4pM;VPPVPP4p\VR4pVPP'g \R4h\P4p\P !^ 4pRRR VPPP"R \VPPP^,4R VR VP$R R/pVPP'VPP(4'dVPP+4VR&VPPP,'d$VPPP,VR&V R\/V4 2pVPP V4GRjxL VPP 4GRjxL wrxVe\P0!W4'g\RV RV 24hV'g \R4hWsP23#LyLY5i)z5Perform the authorization redirect and get auth code.N6No redirect URIs provided for authorization code grantz9No redirect handler provided for authorization code grantz9No callback handler provided for authorization code grantz /authorizez*No client info available for authorization response_typecoder redirect_uristaterFcode_challenge_methodS256rscope?zState parameter mismatch: z != zNo authorization code received)rr redirect_urisrrrrauthorization_endpointrVrrr ryr+rRr; token_urlsaferrFrrrrr compare_digestrE) ri auth_endpoint auth_base_url pkce_paramsr auth_paramsauthorization_urlrreturned_states & r4r5OAuthClientProvider._perform_authorization_code_grant=sj << ' ' 5 5 = !YZ Z||,,, !\] ]||,,, !\] ] << & & &4<<+F+F+]+]+] ; ; R RSM LLCCDLLD[D[\M#M<@M||''' !MN N%--/ %%b) V 11;; C < < J J1 MN U k88 #V   << 5 5dll6S6S T T&*ll&C&C&EK # << ' ' - - -#'<<#?#?#E#EK ,oQy/E.FGll++,=>>>+/,,*G*G*I$I!  !)?)?)V)V #=n=MTRWQX!YZ Z !AB B3333 ?%JsQA L! &L!3&L!%L!BL!DL!AL!#L$!L!L>L!L!L!c <V^8dQhRS[/#rrU)r2r3s"r4r5rrsSr7cVVPP'dRVPPP'd,\VPPP4pV#VPP VPP 4p\ VR4pV#)/token)rrtoken_endpointrVrrr )ri token_urlrs& r4_get_token_endpoint'OAuthClientProvider._get_token_endpointrs{ << & & &4<<+F+F+U+U+UDLL77FFGI!LLCCDLLD[D[\M x8Ir7 token_datacj<V^8dQhRS[RS[RS[S[S[3,R,RS[P/#)r/rrEr'Nr0)rVrrrr)r2r3s"r4r5rzsERRR-0RAEc3hRVAVR Rr7c "VPPPf \R4hVPP'g \R4hVP 4pT;'g/pVP RRRVR\VPPP^,4RVPPPRV/4VPPVPP4'dVPP4VR &R R /pVPPW54wr5\P!R WCVR 7#5i)z9Build token exchange request for authorization_code flow.r zMissing client info grant_typeauthorization_coderrrrEr Content-Type!application/x-www-form-urlencodedPOSTrr)rrrrryr%updaterVrrrrrrr)rirrEr'r$rs&&&$ r4r6OAuthClientProvider._exchange_token_authorization_codezs& << ' ' 5 5 = !YZ Z||''' !67 7,,. %%2 2 DLL$@$@$N$Nq$Q RT\\55??    << 5 5dll6S6S T T%)\\%B%B%DJz ""#FG"ll==jR }}VYQQsA E& #E&0C6E&c8<V^8dQhRS[PRR/#r/rr0Nrr)r2r3s"r4r5rs > >U^^ > >r7c "VP^8wdEVP4GRjxL pVPR4p\RVP RV 24h\ V4GRjxL pW@P nVP PV4VP PPV4GRjxL R#LL`L 5i)zHandle token exchange response.Nzutf-8zToken exchange failed (z): ) rrrOrrrrrrrq)rirbody body_texttoken_responses&& r4_handle_token_response*OAuthClientProvider._handle_token_responses   3 &!))D G,I!$;Hs4%C C>C &C'AC >C ?C C  C c4<V^8dQhRS[P/#rr)r2r3s"r4r5rsTTemmTr7c ,"VPP'd'VPPP'g \R4hVPP'd'VPPP 'g \R4hVPP 'dQVPP P'd+\VPP P4pM;VPPVPP4p\VR4pRRRVPPPRVPPP /pVPPVPP4'dVPP4VR&RR /pVPPW44wr4\ P"!R WVR 7#5i) zBuild token refresh request.zNo refresh token availablezNo client info availabler"r*rrrr,r-r.r/)rrrrryrrr#rVrrr rrrrrr)rir$r refresh_datars& r4_refresh_token"OAuthClientProvider._refresh_tokensw||***$,,2M2M2[2[2[!">? ?||'''t||/G/G/Q/Q/Q!"<= = << & & &4<<+F+F+U+U+UDLL77FFGI LLCCDLLD[D[\M x8I / T\\88FF 11;;(  << 5 5dll6S6S T T'+||'D'D'FL $"#FG $ ? ? V }}VY7SSs,AH&H,%H&H9%HCH=AHc:<V^8dQhRS[PRS[/#rr)r2r3s"r4r5rsu~~$r7c D"VP^8wd?\PRVP 24VPP 4R#VP 4GRjxL p\ P!V4pW0PnVPPV4VPPPV4GRjxL R#LtL \d4\PR4TPP 4R#i;i5i)z:Handle token refresh response. Returns True if successful.zToken refresh failed: FNTzInvalid refresh response)rrrrrrr%rrrrrqr exception)rirrr8s&& r4_handle_refresh_response,OAuthClientProvider._handle_refresh_responses   3 & NN3H4H4H3IJ K LL % % ' $NN,,G';;GDN*8LL ' LL , ,^ <,,&&11.A A A- B    7 8 LL % % ' sOAD C&C'A-CCCD CC:DD DD c<V^8dQhRR/#rdr1)r2r3s"r4r5rs!!4!r7c "VPPP4GRjxL VPnVPPP 4GRjxL VPnRVnR#LWL5i)z#Load stored tokens and client info.NT)rrrjrrvryrrhs&r4 _initializeOAuthClientProvider._initializesZ,0LL,@,@,K,K,M&M #)-)=)=)M)M)O#O   'N#Os!(BB:B%B&BBc8<V^8dQhRS[PRR/#)r/rr0Nr)r2r3s"r4r5rs#dd d$dr7c VPP'd[VPPP'd3RVPPP 2VPR&R#R#R#)zV'dV'dWPnM\2P5RV 24Kn \=\?V4VPP(VPP:4VPP@n!VPPD'Eg\GVPP:VPPH4'd\2P5RVPPH 24\KVPPHVPP@PLR7pVVPn"VPPNPQV4GRjxL M\SVPP:VPP@VPPUVPP 44pV5xp\WV4GRjxL pVVPn"VPPNPQV4GRjxL VPY4GRjxL 5xpVP[V4GRjxL TPT4T5xMVPR 8Xd\aVR 4pVR 8Xdx\=\?V4VPP(4VPP@n!VPY4GRjxL 5xpVP[V4GRjxL VPV4V5xRRR4GRjxL R#ELELEL+ELELkELMELELELiEL.ELEL \\d\2P_R4hi;iLLw \\d\2P_R4hi;iLx +GRjxL 'giR#;i5i) zHTTPX auth flow integration.NFiz.Protected resource metadata discovery failed: z!OAuth metadata discovery failed: z"Using URL-based client ID (CIMD): )rzOAuth flow errorierrorinsufficient_scope)1rrrrGrgetr!rrrr>rCrKrrrrrrrrlenrrVrrrrrrrrrrryr rrrrr{rrrrr9 ExceptionrBr)rirrefresh_requestrefresh_responserwww_auth_resource_metadata_urlprm_discovery_urlsrdiscovery_requestdiscovery_responserasm_discovery_urlsoauth_metadata_requestoauth_metadata_responseokasmclient_informationregistration_requestregistration_responser8rSs&& r4async_auth_flow#OAuthClientProvider.async_auth_flows#<<$$$$$$$&&(((-4OO,?,?@T,UDLL )<<..00T\\5S5S5U5U(,(;(;(="=)8#8 !::;KLLL(-D%||**,,%%g.$}H##s*U5\]e5f2*Z6 8O8O*& 2,I#,N)3D-D*$FGY$ZZ"&"?"?"DDDGJLLD!$C$=$= > B B 44: 6:5P5P5R/R)R"99.III %%g. M%$$(#>M2[E,#_8[2kZ,OE $$%78(0SI$(();<A%$$$s#Z W:Z &Y.W=AY."Y.Y.XY.3X4 Y.>&Y.%(Y.A XX  X(X<X =CX X X&X.FX.X/A:X)X*=X'X(X?XXXX ;Y.AY1Y2Y YYY.( Z 3Y,4Z =Y.Y.Y.X X XXXXXX"YY.YY"Y))Y.,Z .Z 4Y75 Z Z  Z )rr)NNrN)rWrXrYrZr[requires_response_bodyrrrrrr%rr9r>rCrGrKrOrfr^r_r`s@r4rrs "+"+"Zrr@ 3434jRY[RR> > >TT<*!! dd // HHr7r)Cr[rMrIloggingr;r=rcollections.abcrrr dataclassesrrtypingrr urllib.parser r r r rrpydanticr rrmcp.client.auth.exceptionsrrmcp.client.auth.utilsrrrrrrrrrrrrrrr mcp.client.streamable_httpr!mcp.shared.authr"r#r$r%r&mcp.shared.auth_utilsr'r(r) getLoggerrWrr+rbr~Authrr1r7r4rvs  ??( << 66F"<   8 $ OY O 8 ( yy yxZ%**Zr7