o h@sddlmZmZddlmZddlmZddlmZddl m Z ddl m Z ddl mZmZddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddl m!Z!m"Z"ddl#m$Z$ddl%m&Z&defddZ'dZ(dZ)dZ*dZ+dee ge ee Bfde,e-defddZ.   d0d eeeefd!ed"edBd#e!dBd$e"dBde,ef d%d&Z/d!ed"edBd#e!d$e"de&f d'd(Z0   d0d)ed*e,ed+e,e-dBd,e-dBd-edBde,ef d.d/Z1dS)1) AwaitableCallable)Any) AnyHttpUrl)CORSMiddleware)Request)Response)Routerequest_response)ASGIApp)AuthorizationHandler)MetadataHandler)RegistrationHandler)RevocationHandler) TokenHandler)ClientAuthenticator) OAuthAuthorizationServerProvider)ClientRegistrationOptionsRevocationOptions)MCP_PROTOCOL_VERSION_HEADER) OAuthMetadataurlcCsR|jdkr|jdkr|jdur|jdstd|jr td|jr'tddS)z Validate that the issuer URL meets OAuth 2.0 requirements. Args: url: The issuer URL to validate Raises: ValueError: If the issuer URL is invalid https localhostNz 127.0.0.1zIssuer URL must be HTTPSz#Issuer URL must not have a fragmentz'Issuer URL must not have a query string)schemehost startswith ValueErrorfragmentquery)rr W/var/www/html/openai_agents/venv/lib/python3.10/site-packages/mcp/server/auth/routes.pyvalidate_issuer_urls r"z /authorizez/tokenz /registerz/revokehandler allow_methodsreturncCstt|d|tgd}|S)N*)app allow_originsr$ allow_headers)rr r)r#r$cors_appr r r!cors_middleware7sr+Nprovider issuer_urlservice_documentation_urlclient_registration_optionsrevocation_optionsc Cst||pt}|p t}t||||}t|}tdtt|jddgddgdtt t |jddgdtt tt ||jddgddgdg}|j rbt||d}|ttt|jddgddgd|j r|t||} |ttt| jddgddgd|S)Nz'/.well-known/oauth-authorization-serverGETOPTIONSendpointmethodsPOST)options)r"rrbuild_metadatarr r+r handleAUTHORIZATION_PATHr TOKEN_PATHrenabledrappendREGISTRATION_PATHrREVOCATION_PATH) r,r-r.r/r0metadataclient_authenticatorroutesregistration_handlerrevocation_handlerr r r!create_auth_routesDsx     rEcCstt|dt}tt|dt}t||||jdgdddgdgd|dddddgd}|jr>tt|dt|_ |jrQtt|dt |_ dg|_ |S)N/codeauthorization_code refresh_tokenclient_secret_postS256)issuerauthorization_endpointtoken_endpointscopes_supportedresponse_types_supportedresponse_modes_supportedgrant_types_supported%token_endpoint_auth_methods_supported0token_endpoint_auth_signing_alg_values_supportedservice_documentationui_locales_supported op_policy_uri op_tos_uriintrospection_endpoint code_challenge_methods_supported) rstrrstripr:r;r valid_scopesr<r>registration_endpointr?revocation_endpoint*revocation_endpoint_auth_methods_supported)r-r.r/r0authorization_url token_urlr@r r r!r8s2r8 resource_urlauthorization_serversrO resource_nameresource_documentationc CsRddlm}ddlm}||||||d}||}tdt|jddgddgdgS) a} Create routes for OAuth 2.0 Protected Resource Metadata (RFC 9728). Args: resource_url: The URL of this resource server authorization_servers: List of authorization servers that can issue tokens scopes_supported: Optional list of scopes supported by this resource Returns: List of Starlette routes for protected resource metadata r) ProtectedResourceMetadataHandler)ProtectedResourceMetadata)resourcerdrOrerfz%/.well-known/oauth-protected-resourcer1r2r3)!mcp.server.auth.handlers.metadatargmcp.shared.authrhr r+r9) rcrdrOrerfrgrhr@r#r r r! create_protected_resource_routess   rl)NNN)2collections.abcrrtypingrpydanticrstarlette.middleware.corsrstarlette.requestsrstarlette.responsesrstarlette.routingr r starlette.typesr "mcp.server.auth.handlers.authorizer rjr !mcp.server.auth.handlers.registerrmcp.server.auth.handlers.revokermcp.server.auth.handlers.tokenr&mcp.server.auth.middleware.client_authrmcp.server.auth.providerrmcp.server.auth.settingsrrmcp.server.streamable_httprrkrr"r:r;r>r?listr[r+rEr8rlr r r r!s                  Q +