k7irSrSSKJr SSKJr SSKJr SSKJr SSKJr SSK J r SS K J r "S S \ 5r g ) zauthlib.oauth2.rfc9068.token_validator. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Implementation of Validating JWT Access Tokens per `Section 4`_. .. _`Section 7`: https://www.rfc-editor.org/rfc/rfc9068.html#name-validating-jwt-access-token )jwt) DecodeError) JoseError)InsufficientScopeError)InvalidTokenError)BearerTokenValidator)JWTAccessTokenClaimscV^\rSrSrSrU4SjrSrSSS\4SjrS r S S jr S r U=r $) JWTBearerTokenValidatoraJWTBearerTokenValidator can protect your resource server endpoints. :param issuer: The issuer from which tokens will be accepted. :param resource_server: An identifier for the current resource server, which must appear in the JWT ``aud`` claim. Developers needs to implement the missing methods:: class MyJWTBearerTokenValidator(JWTBearerTokenValidator): def get_jwks(self): ... require_oauth = ResourceProtector() require_oauth.register_token_validator( MyJWTBearerTokenValidator( issuer="https://authorization-server.example.org", resource_server="https://resource-server.example.org", ) ) You can then protect resources depending on the JWT `scope`, `groups`, `roles` or `entitlements` claims:: @require_oauth( scope="profile", groups="admins", roles="student", entitlements="captain", ) def resource_endpoint(): ... c>>XlX l[TU] "U0UD6 gN)issuerresource_serversuper__init__)selfrrargskwargs __class__s `/home/james-whalen/.local/lib/python3.13/site-packages/authlib/oauth2/rfc9068/token_validator.pyr JWTBearerTokenValidator.__init__4s  . $)&)c[5e)a"Return the JWKs that will be used to check the JWT access token signature. Developers MUST re-implement this method. Typically the JWKs are statically stored in the resource server configuration, or dynamically downloaded and cached using :ref:`specs/rfc8414`:: def get_jwks(self): if "jwks" in cache: return cache.get("jwks") server_metadata = get_server_metadata(self.issuer) jwks_uri = server_metadata.get("jwks_uri") cache["jwks"] = requests.get(jwks_uri).json() return cache["jwks"] )NotImplementedError)rs rget_jwks JWTBearerTokenValidator.get_jwks9s "##rissstrreturncX R:H$r)r)rclaimsrs r validate_iss$JWTBearerTokenValidator.validate_issJskk!!rcBSURS.SS0SURS.SS0SS0SS0SS0SS0SS0SS0SS0SS0SS0SS0S.nUR5n[R"UU[ US9$![ a$n[URURS9UeS nAff=f) T) essentialvalidater()r(valueF)rexpaudsub client_idiatjti auth_timeacramrscopegroupsroles entitlements)key claims_clsclaims_optionsrealmextra_attributesN) r$rrrdecoder rrr<r=)r token_stringr:jwksexcs rauthenticate_token*JWTBearerTokenValidator.authenticate_tokenPs "&43D3DE&!%0D0DE&%t,&&%u-''!5)"E*!5)(%0  }} ::/-    #jj43H3H  sA00 B:BBc UR5 UR UR S/5U5(a [5eUR UR S5U5(a [5eUR UR S5U5(a [5eUR UR S5U5(a [5eg![a$n[URURS9UeSnAff=f)r'r;Nr4r5r6r7)r)rrr<r=scope_insufficientgetr)rtokenscopesrequestr5r6r7rAs rvalidate_token&JWTBearerTokenValidator.validate_token|s   NN   " "599Wb#96 B B(* *  " "599X#6 ? ?#% %  " "599W#5u = =#% %  " "599^#rYs0+)@;A(P&2P&r