k7iSrSSKJr SSKrSSKrSSKJrJr SSKJ r SSK J r SSK J r SSKJr SS KJr SS KJr \"\5rS r\SS j5r\SS j5rSSS.SSjjr"SS5rg)a"JWT token issuance and verification for FastMCP OAuth Proxy. This module implements the token factory pattern for OAuth proxies, where the proxy issues its own JWT tokens to clients instead of forwarding upstream provider tokens. This maintains proper OAuth 2.0 token audience boundaries. ) annotationsN)Anyoverload) JsonWebToken) JoseError)hashes)HKDF) PBKDF2HMAC) get_loggeri@Bcg)zHDerive JWT signing key from a high-entropy key material and server salt.N)high_entropy_materialsalts X/home/james-whalen/.local/lib/python3.13/site-packages/fastmcp/server/auth/jwt_issuer.pyderive_jwt_keyrcg)zGDerive JWT signing key from a low-entropy key material and server salt.Nr )low_entropy_materialrs rrr rr)rrcUbUb [S5eUb^[[R"5SUR 5SS9R UR 5S9n[ R"U5$Ubb[[R"5SUR 5[S9R UR 5S9n[ R"U5$[S5e)zWDerive JWT signing key from a high-entropy or low-entropy key material and server salt.zSEither high_entropy_material or low_entropy_material must be provided, but not both sFernet) algorithmlengthrinfo) key_material)rrr iterationszEEither high_entropy_material or low_entropy_material must be provided) ValueErrorr rSHA256encodederivebase64urlsafe_b64encoder KDF_ITERATIONS)rrr derived_keypbkdf2s rrr%s(-A-M a  (mmo  &3::<& = '' 44'mmo%  &299;& < ''// O rcx\rSrSrSrS SjrS S SjjrS SjrS SjrSr g) JWTIssuerJaIssues and validates FastMCP-signed JWT tokens using HS256. This issuer creates JWT tokens for MCP clients with proper audience claims, maintaining OAuth 2.0 token boundaries. Tokens are signed with HS256 using a key derived from the upstream client secret. cJXlX lX0l[S/5Ulg)zInitialize JWT issuer. Args: issuer: Token issuer (FastMCP server base URL) audience: Token audience (typically {base_url}/mcp) signing_key: HS256 signing key (32 bytes) HS256N)issueraudience _signing_keyr_jwt)selfr+r, signing_keys r__init__JWTIssuer.__init__Rs"  ' '+ rcT[[R"55nSSS.nURURUSR U5XT-UUS.nUR R XgUR5nURS5n [RSUUSS US 5 U $) aIssue a minimal FastMCP access token. FastMCP tokens are reference tokens containing only the minimal claims needed for validation and lookup. The JTI maps to the upstream token which contains actual user identity and authorization data. Args: client_id: MCP client ID scopes: Token scopes jti: Unique token identifier (maps to upstream token) expires_in: Token lifetime in seconds Returns: Signed JWT token r*JWTalgtyp )issaud client_idscopeexpiatjtiutf-8z/Issued access token for client=%s jti=%s exp=%dNr= inttimer+r,joinr.rr-decodeloggerdebug r/r;scopesr? expires_innowheaderpayload token_bytestokens rissue_access_tokenJWTIssuer.issue_access_tokends,$))+ /;;=="XXf%# ii&&v8I8IJ ""7+ =  G EN   rc V[[R"55nSSS.nURURUSR U5XT-UUSS.nUR R XgUR5nURS5n [RSUUS S US 5 U $) aIssue a minimal FastMCP refresh token. FastMCP refresh tokens are reference tokens containing only the minimal claims needed for validation and lookup. The JTI maps to the upstream token which contains actual user identity and authorization data. Args: client_id: MCP client ID scopes: Token scopes jti: Unique token identifier (maps to upstream token) expires_in: Token lifetime in seconds (should match upstream refresh expiry) Returns: Signed JWT token r*r4r5r8refresh)r9r:r;r<r=r>r? token_user@z0Issued refresh token for client=%s jti=%s exp=%dNrAr=rBrIs rissue_refresh_tokenJWTIssuer.issue_refresh_tokens,$))+ /;;=="XXf%#"  ii&&v8I8IJ ""7+ >  G EN   rcURRXR5nURS5nU(a9U[R"5:a [ R S5 [S5eURS5UR:wa [ R S5 [S5eURS5UR:wa [ R S5 [S 5e[ R S URS 55 U$![an[ R S U5 eS nAff=f)zVerify and decode a FastMCP token. Validates JWT signature, expiration, issuer, and audience. Args: token: JWT token to verify Returns: Decoded token payload Raises: JoseError: If token is invalid, expired, or has wrong claims r=z Token expiredzToken has expiredr9zToken has invalid issuerzInvalid token issuerr:zToken has invalid audiencezInvalid token audiencez*Token verified successfully for subject=%ssubzToken validation failed: %sN) r.rFr-getrDrGrHrr+r,)r/rPrNr=es r verify_tokenJWTIssuer.verify_tokens ii&&u.?.?@G++e$CsTYY[( _- 344{{5!T[[0 78 677{{5!T]]2 9: 899 LLP N  LL6 :  sDD E'D>>E)r.r-r,r+N)r+strr,r^r0bytes)i) r;r^rJz list[str]r?r^rKrCreturnr^)rPr^r`zdict[str, Any]) __name__ __module__ __qualname____firstlineno____doc__r1rQrVr\__static_attributes__r rrr'r'Js,,, ,. --- -  - -^... .  . .`)rr')rr^rr^r`r_)rr^rr^r`r_)r str | Nonerrgrr^r`r_)re __future__rr!rDtypingrr authlib.joserauthlib.jose.errorsrcryptography.hazmat.primitivesr'cryptography.hazmat.primitives.kdf.hkdfr )cryptography.hazmat.primitives.kdf.pbkdf2r fastmcp.utilities.loggingr rarGr#rr'r rrrps# %)18@0 H  S S R R )-'+"%"%"  "  "Jbbr