+ wi%/j^RIt^RIt^RIHtHt^RIHtHt^RIH t H t ^RI H t H t ^RIHt^RIHtHtHtHtHt^RIHt]P0!]4tR R ltR R ltR RltRRltR'RRlltRRlt RRlt!RRlt"RRlt#RRlt$RRlt%RR lt&R!R"lt'R'R#R$llt(R%R&lt)R#)(N)urljoinurlparse)RequestResponse)AnyUrlValidationError)OAuthRegistrationErrorOAuthTokenError)MCP_PROTOCOL_VERSION)OAuthClientInformationFullOAuthClientMetadata OAuthMetadata OAuthTokenProtectedResourceMetadata)LATEST_PROTOCOL_VERSIONcJV^8dQhR\R\R\R,/#)response field_namereturnNrstr)formats"I/home/ubuntu/.local/lib/python3.14/site-packages/mcp/client/auth/utils.py __annotate__rs%(d cVPPR4pV'gR#V R2p\P!W24pV'd+VP ^4;'gVP ^4#R#)z{ Extract field from WWW-Authenticate header. Returns: Field value if found in WWW-Authenticate header, None otherwise zWWW-AuthenticateNz=(?:"([^"]+)"|([^\s,]+)))headersgetresearchgroup)rrwww_auth_headerpatternmatchs&& rextract_field_from_www_authr&sb&&**+=>O 56G IIg /E {{1~//Q/ rc>V^8dQhR\R\R,/#rrrNr)rs"rrr,s::(:sTz:rc\VR4#)z Extract scope parameter from WWW-Authenticate header as per RFC6750. Returns: Scope string if found in WWW-Authenticate header, None otherwise scope)r&rs&rextract_scope_from_www_authr,,s 'x 99rc>V^8dQhR\R\R,/#r(r)rs"rrr6s" F Fh F3: FrcPV'dVPR8wdR#\VR4#)z Extract protected resource metadata URL from WWW-Authenticate header as per RFC9728. Returns: Resource metadata URL if found in WWW-Authenticate header, None otherwise iNresource_metadata) status_coder&r+s&r'extract_resource_metadata_from_www_authr16s% x++s2 &x1D EErc`V^8dQhR\R,R\R\\,/#)r www_auth_urlN server_urlrrlist)rs"rrrCs-##3:#[^#cghkcl#rc\.pV'dVPV4\V4pVP RVP 2pVP'd<VPR8wd+\ VRVP 24pVPV4\ VR4pVPV4V#)a Build ordered list of URLs to try for protected resource metadata discovery. Per SEP-985, the client MUST: 1. Try resource_metadata from WWW-Authenticate header (if present) 2. Fall back to path-based well-known URI: /.well-known/oauth-protected-resource/{path} 3. Fall back to root-based well-known URI: /.well-known/oauth-protected-resource Args: www_auth_url: optional resource_metadata url extracted from the WWW-Authenticate header server_url: server url Returns: Ordered list of URLs to try for discovery :///z%/.well-known/oauth-protected-resource)appendrschemenetlocpathr)r3r4urlsparsedbase_urlpath_based_urlroot_based_urls&& r0build_protected_resource_metadata_discovery_urlsrCCs D L!j !F--FMM?3H{{{v{{c) -RSYS^S^R_+`a N#X'NONKK Krc V^8dQhR\R,R\R,R\R,R\R,/#)rwww_authenticate_scopeNprotected_resource_metadataauthorization_server_metadatar)rrr)rs"rrrisB$J!:T!A$14#7 4Z rcVeV#Ve*VPeRPVP4#Ve*VPeRPVP4#R#)zLSelect scopes as outlined in the 'Scope Selection Strategy' in the MCP spec.N )scopes_supportedjoin)rErFrGs&&&rget_client_metadata_scopesrLise)%% $ 05P5a5a5mxx3DDEE & 27T7e7e7qxx5FFGGrc`V^8dQhR\R,R\R\\,/#)rauth_server_urlNr4rr5)rs"rrrs.))cTXj)fi)nrsvnw)rcV'g)\V4pVP RVP R2.#.p\V4pVP RVP 2pVP'dVPR8wdRVPP R4 2pVP \ WE44RVPP R4 2pVP \ WF44VPP R4 R2pVP \ WF44V#VP \ VR44VP \ VR44V#)z Generate ordered list of (url, type) tuples for discovery attempts. Args: auth_server_url: URL for the OAuth Authorization Metadata URL if found, otherwise None server_url: URL for the MCP server, used as a fallback if auth_server_url is None r8z'/.well-known/oauth-authorization-serverr9z!/.well-known/openid-configuration)rr;r<r=rstripr:r)rNr4r?r>r@ oauth_path oidc_paths&& r8build_oauth_authorization_server_metadata_discovery_urlsrSs2 *%==/V]]O3Z[\\D o &F--FMM?3H{{{v{{c)>v{{?Q?QRU?V>WX  GH128 8J8J38O7PQ  GH01{{))#.//PQ  GH01  KK"KLM KK"EFG Krc>V^8dQhR\R\R,/#r()rr)rs"rrrs!%rc"VP^8Xd2VP4GRjxL p\P!V4pV#R#L \dR#i;i5i)z Handle protected resource metadata discovery response. Per SEP-985, supports fallback when discovery fails at one URL. Returns: True if metadata was successfully discovered, False if we should try next URL N)r0areadrmodel_validate_jsonr)rcontentmetadatas& r"handle_protected_resource_responserZs[s" $NN,,G0DDWMHO-  s8AA AA AA AAAAc`V^8dQhR\R\\\R,3,/#r()rtupleboolr)rs"rrrs*  ( uT=[_K_E_?` rc"VP^8Xd4VP4GRjxL p\P!V4pRV3#VPR8gVPR8dR#R#LD \dRu#i;i5i)NTii)TN)FN)r0rVrrWr)rrXasms& rhandle_auth_metadata_responserass" $NN,,G33GA??Bc0V^8dQhR\R\/#)rurlr)rr)rs"rrrsXXsXwXrc2\RV\\/R7#)GET)r)rr r)rcs&rcreate_oauth_metadata_requestrfs 5#(<>U'V WWrcVV^8dQhR\R,R\R\R\/#)rauth_server_metadataNclient_metadata auth_base_urlr)rr rr)rs"rrrs7 s s'$. sAT seh s  srcV'd)VP'd\VP4pM \VR4pVPRRRR7p\ RW4RR/R7#) z9Build registration request or skip if already registered.z /registerTjson)by_aliasmode exclude_nonePOSTz Content-Typezapplication/json)rlr)registration_endpointrr model_dumpr)rhrirjregistration_urlregistration_datas&&& r"create_client_registration_requestrusa  4 J J J3IIJ"=+>'22Dv\`2a 6+n^pMq rrrc0V^8dQhR\R\/#rrr)rr )rs"rrrs L L L>X LrcR"VPR9d>VP4GRjxL \RVP RVP 24hVP4GRjxL p\P !V4pV#LZL \ dp\RT 24hRp?ii;i5i)zHandle registration response.NzRegistration failed: rIzInvalid registration response: )r_)r0rVr textr rWr)rrX client_infoes& rhandle_registration_responser}s:-nn$'V^8dQhR\R,R\/#)rrcNr)rr])rs"rrrscDjTrcV'gR#\V4pVPR8H;'dVPR9# \dR#i;i)zValidate that a URL is suitable for use as a client_id (CIMD). The URL must be HTTPS with a non-root pathname. Args: url: The URL to validate Returns: True if the URL is a valid HTTPS URL with a non-root pathname Fhttps)r9)rr;r= Exception)rcr?s& ris_valid_client_metadata_urlrsJ #}}'HHFKKy,HH s == A  A cXV^8dQhR\R,R\R,R\/#)roauth_metadataNclient_metadata_urlr)rrr])rs"rrr s4HH!D(HtH HrcFV'gR#V'gR#VPRJ#)aDetermine if URL-based client ID (CIMD) should be used instead of DCR. URL-based client IDs should be used when: 1. The server advertises client_id_metadata_document_supported=true 2. The client has a valid client_metadata_url configured Args: oauth_metadata: OAuth authorization server metadata client_metadata_url: URL-based client ID (already validated) Returns: True if CIMD should be used, False if DCR should be used FT)%client_id_metadata_document_supported)rrs&&rshould_use_client_metadata_urlr s!"    ? ?4 GGrc`V^8dQhR\R\\,R,R\/#)rr redirect_urisNr)rr6rr )rs"rrr$s--1&\D-@rc\VRVR7#)aCreate client information using a URL-based client ID (CIMD). When using URL-based client IDs, the URL itself becomes the client_id and no client_secret is used (token_endpoint_auth_method="none"). Args: client_metadata_url: The URL to use as the client_id redirect_uris: The redirect URIs from the client metadata (passed through for compatibility with OAuthClientInformationFull which inherits from OAuthClientMetadata) Returns: OAuthClientInformationFull with the URL as client_id none) client_idtoken_endpoint_auth_methodr)r )rrs&&r$create_client_info_from_metadata_urlr$s &%#)# rc0V^8dQhR\R\/#rw)rr)rs"rrr;s>>>>rc"VP4GRjxL p\P!V4pV#L \dp\ RT 24hRp?ii;i5i)aVParse and validate token response with optional scope validation. Parses token response JSON. Callers should check response.status_code before calling. Args: response: HTTP response from token endpoint (status already checked by caller) Returns: Validated OAuthToken model Raises: OAuthTokenError: If response JSON is invalid NzInvalid token response: )rVrrWrr )rrXtoken_responser|s& rhandle_token_response_scopesr;sX > ((#77@) > 8<==>s1A646A6 AAAA)N)*loggingr urllib.parserrhttpxrrpydanticrrmcp.client.authr r mcp.client.streamable_httpr mcp.shared.authr r rrr mcp.typesr getLogger__name__loggerr&r,r1rCrLrSrZrarfrur}rrrrrrrs *#,C;.   8 $,: F#L0)X2 X s L (H4.>r