k7i:SSKrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJr SS KJ r SS KJ r S S K J r \R"\5rS r"SS\\ 5rg)N) JoseError)jwt) BaseGrant)InvalidClientError)InvalidGrantError)InvalidRequestError)TokenEndpointMixin)UnauthorizedClientErrorsign_jwt_bearer_assertionz+urn:ietf:params:oauth:grant-type:jwt-bearerc\rSrSr\rSS0SS0SS0S.rSr\SSj5r Sr S r S r S r S rS rSrSrSrg)JWTBearerGrant essentialT)issaudexp<Nc [XX#XEU40UD6$)Nr )keyissueraudiencesubject issued_at expires_atclaimskwargss [/home/james-whalen/.local/lib/python3.13/site-packages/authlib/oauth2/rfc7523/jwt_bearer.pysignJWTBearerGrant.sign!s") I6 MS  c[R"XRURS9nUR UR S9 U$![ a/n[RSU5 [URS9UeSnAff=f)zExtract JWT payload claims from request "assertion", per `Section 3.1`_. :param assertion: assertion string value in the request :return: JWTClaims :raise: InvalidGrantError .. _`Section 3.1`: https://tools.ietf.org/html/rfc7523#section-3.1 )claims_options)leewayzAssertion Error: %r descriptionN) rdecoderesolve_public_keyCLAIMS_OPTIONSvalidateLEEWAYrlogdebugrr()self assertionres r process_assertion_claims'JWTBearerGrant.process_assertion_claims0sv FZZ224CVCVF OO4;;O /  F II+Q /# >A E FsAA A?*A::A?cNURUS5nURX1U5$)Nr)resolve_issuer_clientresolve_client_key)r0headerspayloadclients r r*!JWTBearerGrant.resolve_public_keyDs)++GEN;&&v@@r#cURRRS5nU(d [S5eUR U5nUR US5n[ RSU5 URUR5(d[SURS35eX0Rl UR5 URS5nU(agURU5nU(d [SS 9e[ RS X55 URX55(d [!S S 9eXPRlg g ) aIThe client makes a request to the token endpoint by sending the following parameters using the "application/x-www-form-urlencoded" format per `Section 2.1`_: grant_type REQUIRED. Value MUST be set to "urn:ietf:params:oauth:grant-type:jwt-bearer". assertion REQUIRED. Value MUST contain a single JWT. scope OPTIONAL. The following example demonstrates an access token request with a JWT as an authorization grant: .. code-block:: http POST /token.oauth2 HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0. eyJpc3Mi[...omitted for brevity...]. J9l-ZhwP[...omitted for brevity...] .. _`Section 2.1`: https://tools.ietf.org/html/rfc7523#section-2.1 r1zMissing 'assertion' in requestrzValidate token request of %sz0The client is not authorized to use 'grant_type='subz Invalid 'sub' value in assertionr'z'Check client(%s) permission to User(%s)z,Client has no permission to access user dataN)requestformgetr r3r6r.r/check_grant_type GRANT_TYPEr r:validate_requested_scopeauthenticate_userrhas_granted_permissionruser)r0r1rr:rrGs r validate_token_request%JWTBearerGrant.validate_token_requestHs>LL%%))+6 %&FG G..y9++F5M: 0&9&&t77)B4??BSSTU %  %%'**U# ))'2D'4VWW II? N..v<<( N!%LL  r#cURURRRURRSS9n[ R SXRR5 URU5 SXR4$)zJIf valid and authorized, the authorization server issues an access token. F)scoperGinclude_refresh_tokenzIssue token %r to %r) generate_tokenr?r9rKrGr.r/r: save_tokenTOKEN_RESPONSE_HEADER)r0tokens r create_token_response$JWTBearerGrant.create_token_responsest##,,&&,,"""'$  (%1D1DE E5555r#c[5e)aFetch client via "iss" in assertion claims. Developers MUST implement this method in subclass, e.g.:: def resolve_issuer_client(self, issuer): return Client.query_by_iss(issuer) :param issuer: "iss" value in assertion :return: Client instance NotImplementedError)r0rs r r6$JWTBearerGrant.resolve_issuer_client "##r#c[5e)aResolve client key to decode assertion data. Developers MUST implement this method in subclass. For instance, there is a "jwks" column on client table, e.g.:: def resolve_client_key(self, client, headers, payload): # from authlib.jose import JsonWebKey key_set = JsonWebKey.import_key_set(client.jwks) return key_set.find_by_kid(headers["kid"]) :param client: instance of OAuth client model :param headers: headers part of the JWT :param payload: payload part of the JWT :return: ``authlib.jose.Key`` instance rU)r0r:r8r9s r r7!JWTBearerGrant.resolve_client_keys "##r#c[5e)zAuthenticate user with the given assertion claims. Developers MUST implement it in subclass, e.g.:: def authenticate_user(self, subject): return User.get_by_sub(subject) :param subject: "sub" value in claims :return: User instance rU)r0rs r rE JWTBearerGrant.authenticate_userrXr#c[5e)avCheck if the client has permission to access the given user's resource. Developers MUST implement it in subclass, e.g.:: def has_granted_permission(self, client, user): permission = ClientUserGrant.query(client=client, user=user) return permission.granted :param client: instance of OAuth client model :param user: instance of User model :return: bool rU)r0r:rGs r rF%JWTBearerGrant.has_granted_permissions "##r#)NNNN)__name__ __module__ __qualname____firstlineno__JWT_BEARER_GRANT_TYPErCr+r- staticmethodr!r3r*rHrRr6r7rErF__static_attributes__r_r#r rrsy&J T"T"T"NF     (A:%x 6 $$$ $ $r#r)logging authlib.joserrrfc6749rrrr r r r1r getLoggerr`r.rdrr_r#r rksJ"(')(-0 !Eu$Y 2u$r#