k7i8SrSSKJr SSKrSSKJr SSKJrJrJ r SSK J r SSK J r SSKJr SS KJr SS KJr \"\5r"S S \5r"S S\5rg)aOIDC Proxy Provider for FastMCP. This provider acts as a transparent proxy to an upstream OIDC compliant Authorization Server. It leverages the OAuthProxy class to handle Dynamic Client Registration and forwarding of all OAuth flows. This implementation is based on: OpenID Connect Discovery 1.0 - https://openid.net/specs/openid-connect-discovery-1_0.html OAuth 2.0 Authorization Server Metadata - https://datatracker.ietf.org/doc/html/rfc8414 )SequenceN) AsyncKeyValue) AnyHttpUrl BaseModelmodel_validator)Self) TokenVerifier) OAuthProxy) JWTVerifier) get_loggerc \rSrSr%SrSr\\S'Sr\ \ -S-\S'Sr \ \ -S-\S'Sr \ \ -S-\S'Sr \ \ -S-\S 'Sr\ \ -S-\S 'Sr\ \ -S-\S 'Sr\\ S-\S 'Sr\\ S-\S 'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr\\ S-\S'Sr \\ S-\S'Sr!\\ S-\S'Sr"\\ S-\S'Sr#\\ S-\S'Sr$\\ S-\S'Sr%\ \ -S-\S 'Sr&\\ S-\S!'Sr'\\ S-\S"'Sr(\S-\S#'Sr)\S-\S$'Sr*\S-\S%'Sr+\S-\S&'Sr,\ \ -S-\S''Sr-\ \ -S-\S('Sr.\ \ -S-\S)'Sr/\\ S-\S*'Sr0\\ S-\S+'Sr1\ \ -S-\S,'Sr2\\ S-\S-'Sr3\\ S-\S.'Sr4\\ S-\S/'Sr5\ S-\S0'\6"S1S29S3\74S4j5r8\9S5\ S\S-S6\:S-S3\74S7j5r;S8rNc:>[TUS5nU(d%SU3n[RU5 [U5eU(a[ U[ 5(ag[ U5 g![ a+nSU3n[RU5 [U5UeSnAff=f)Nz)Missing required configuration metadata: z(Invalid URL for configuration metadata: )getattrloggererror ValueError isinstancer Exception)r@rAvaluemessageeselfs X/home/james-whalen/.local/lib/python3.13/site-packages/fastmcp/server/auth/oidc_proxy.pyenforce2OIDCConfiguration._enforce_strict..enforcersD$-EEdVL W% ))Zz:: 15! 1DTFK W% )q0 1s A%% B/&BBrTrrrrrr)F)rstrbool)rLrNs` rM_enforce_strict!OIDCConfiguration._enforce_strictls|{{K 1# 1t 1 1 1" $($/ $' D!*+)*78 config_urltimeout_secondsc0nUbX4S'[R"[U540UD6nUR5 UR 5nUbX&S'UR U5$![ a [RSU35 ef=f)zGet the OIDC configuration for the specified config URL. Args: config_url: The OIDC config URL strict: The strict flag for the configuration timeout_seconds: HTTP request timeout in seconds timeoutrz1Unable to get OIDC configuration for config url: ) httpxgetrPraise_for_statusjsonmodel_validaterHrD exception)clsrUrrV get_kwargsresponse config_datas rMget_oidc_configuration(OIDCConfiguration.get_oidc_configurations  &$3y ! yyZ?J?H  % % '"--/K!(.H%%%k2 2    CJ<P    s AA##$B)=__name__ __module__ __qualname____firstlineno____doc__rrQ__annotations__rrrPrrrrrrrrrrrrrrrr r!r"r#r$r%r&r'r(r)r*r+r,r-r.r/r0r1r2r3r4r5r6r7r8r9r:r;rrrR classmethodintrc__static_attributes__rerTrMrrsFD'+FJ t #*6:J,t3:.2NJ$t+215zC'$.5(,Hj3%,59:+d29-1hsmd*159hsmd2959hsmd29268C=4/615(3-$.548Xc]T18BF)8C=4+?FEI,hsmd.BIEI,hsmd.BIBF)8C=4+?FEI,hsmd.BIEI,hsmd.BIHL/#1ELKO2HSMD4HOKO2HSMD4HOBF)8C=4+?FMQ4hsmd6JQ59hsmd29268C=4/6-1hsmd*159:+d2959hsmd2915(3-$.5.2t 2/3337#TD[748$dTk8-1M:#d*1*.J S 4'.48c)D07GK. 0DKRV98C=4;OV6:J,t3:JN18C=43GN =hsmd>R>B$hsmd&:A"&OS4Z&'"#@#04t NQTXj rTrc#t^\rSrSr%Sr\\S'SSSSSSSSSSSSS. S\\-S\ S-S \S \S \S-S \ S-S \S-S\ \S-S\\-S\\-S-S\S-S\ \S-S\ S-S\\ -S-S\S-S\ SS4"U4SjjjrS\S\ S-S \ S-S\4SjrSSSSS.S \S-S \S-S\ \S-S \ S-S\4 SjjrSrU=r$) OIDCProxyahOAuth provider that wraps OAuthProxy to provide configuration via an OIDC configuration URL. This provider makes it easier to add OAuth protection for any upstream provider that is OIDC compliant. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.oidc_proxy import OIDCProxy # Simple OIDC based protection auth = OIDCProxy( config_url="https://oidc.config.url", client_id="your-oidc-client-id", client_secret="your-oidc-client-secret", base_url="https://your.server.url", ) mcp = FastMCP("My Protected Server", auth=auth) ``` oidc_configNT) raudiencerV algorithmrequired_scopes issuer_url redirect_pathallowed_client_redirect_urisclient_storagejwt_signing_keytoken_endpoint_auth_methodrequire_authorization_consentrUr client_id client_secretrsrVrtrubase_urlrvrwrxryrzr{r|r>c>U(d [S5eU(d [S5eU(d [S5eU (d [S5e[U[5(a [U5nUR XU5UlUR R (aUR R(d-[RSUR 35 [S5eUR R(a[UR R5OSnURUUUUS9n[UR R 5[UR R5UUUUU U =(d U UR RU U UUUS .nU (aU US 'U(aS U0nUUS 'UUS '[TU]8"S0UD6 g)ai Initialize the OIDC proxy provider. Args: config_url: URL of upstream configuration strict: Optional strict flag for the configuration client_id: Client ID registered with upstream server client_secret: Client secret for upstream server audience: Audience for upstream server timeout_seconds: HTTP request timeout in seconds algorithm: Token verifier algorithm required_scopes: Required OAuth scopes base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in upstream OAuth app (defaults to "/auth/callback") allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. Patterns support wildcards (e.g., "http://localhost:*", "https://*.example.com/*"). If None (default), only localhost redirect URIs are allowed. If empty list, all redirect URIs are allowed (not recommended for production). These are for MCP clients performing loopback redirects, NOT for the upstream OAuth app. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. token_endpoint_auth_method: Token endpoint authentication method for upstream server. Common values: "client_secret_basic", "client_secret_post", "none". If None, authlib will use its default (typically "client_secret_basic"). require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to the upstream IdP. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. zMissing required config URLzMissing required client idzMissing required client secretzMissing required base URLzInvalid OIDC Configuration: zMissing required OIDC endpointsNrtrsrurV)upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secretupstream_revocation_endpointtoken_verifierrrvservice_documentation_urlrxryrzr{r|rwrsextra_authorize_paramsextra_token_paramsre)rFrGrPrrcrrrrrDdebugr4get_token_verifierr+super__init__)rLrUrr}r~rsrVrtrurrvrwrxryrzr{r|r4r init_kwargs extra_params __class__s rMrOIDCProxy.__init__s|:; ;9: :=> >89 9 j# & &#J/J66    77##22 LL78H8H7IJ K>? ?33   44 5  00++ 1 03  770(+4+;+;+J+J'K"+&3,?, $0)-)9)9)O)O,H,.*D-J! & +8K ( &1L4@K0 10rsQ % 1;;"-690 H N NbA A rT