k7i~0SrSSKJr SSKrSSKJr SSKJrJrJ r SSK J r J r SSK Jr SSKJr SS KJr SS KJr SS KJr SS KJr SS KJrJr \"\5r"SS\ 5r"SS\5r"SS\5r g)aTGitHub OAuth provider for FastMCP. This module provides a complete GitHub OAuth integration that's ready to use with just a client ID and client secret. It handles all the complexity of GitHub's OAuth flow, token validation, and user management. Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider # Simple GitHub OAuth protection auth = GitHubProvider( client_id="your-github-client-id", client_secret="your-github-client-secret" ) mcp = FastMCP("My Protected Server", auth=auth) ``` ) annotationsN) AsyncKeyValue) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) TokenVerifier) AccessToken) OAuthProxy)ENV_FILE parse_scopes) get_logger)NotSetNotSetTc\rSrSr%Sr\"S\SS9rSrS\ S'Sr S \ S 'Sr S \ S 'Sr S \ S 'Sr S\ S'SrS\ S'SrS\ S'SrS\ S'SrS\ S'\"SSS9\S55rSrg)GitHubProviderSettings(z#Settings for GitHub OAuth provider.FASTMCP_SERVER_AUTH_GITHUB_ignore) env_prefixenv_fileextraNz str | None client_idzSecretStr | None client_secretzAnyHttpUrl | str | Nonebase_url issuer_url redirect_pathlist[str] | Nonerequired_scopesz int | Nonetimeout_secondsallowed_client_redirect_urisjwt_signing_keybefore)modec[U5$)Nr)clsvs ^/home/james-whalen/.local/lib/python3.13/site-packages/fastmcp/server/auth/providers/github.py _parse_scopes$GitHubProviderSettings._parse_scopes;sA)__name__ __module__ __qualname____firstlineno____doc__r r model_configr__annotations__rrrrr!r"r#r$r classmethodr+__static_attributes__r.r-r*rr(s-%0L !Iz &*M#*(,H%,*.J'. $M:$(,O%,"&OZ&59 "29"&OZ&&X67r-rcJ^\rSrSrSrSSS.S U4SjjjrS SjrSrU=r$) GitHubTokenVerifierAzToken verifier for GitHub OAuth tokens. GitHub OAuth tokens are opaque (not JWTs), so we verify them by calling GitHub's API to check if they're valid and get user info. N r!r"c,>[TU]US9 X lg)zInitialize the GitHub token verifier. Args: required_scopes: Required OAuth scopes (e.g., ['user:email']) timeout_seconds: HTTP request timeout )r!N)super__init__r")selfr!r" __class__s r*r?GitHubTokenVerifier.__init__Hs 9.r-c# [R"URS9IShvN nURSSU3SSS.S9IShvN nURS :wa@[ R S URURSS 5 SSS5IShvN gUR5nURS SU3SSS.S9IShvN nURRS S 5nURS5Vs/sH*nUR5(dMUR5PM, nnU(dS/nUR(aq[U5n [UR5n U RU 5(d;[ R S[U 5[U 55 SSS5IShvN g[!U[#URSS55US[#US5URS5URS5URS5URS5US.S9sSSS5IShvN $GNGNGNGNs snfNN!,IShvN (df  g=f![R$a n [ R SU 5 Sn A gSn A f[&a n [ R SU 5 Sn A gSn A ff=f7f)z0Verify GitHub OAuth token by calling GitHub API.)timeoutNzhttps://api.github.com/userzBearer zapplication/vnd.github.v3+jsonzFastMCP-GitHub-OAuth) AuthorizationAcceptz User-Agent)headersz)GitHub token verification failed: %d - %sz!https://api.github.com/user/reposzx-oauth-scopes,userz6GitHub token missing required scopes. Has %d, needs %didunknownloginnameemail avatar_url)subrNrOrPrQgithub_user_data)tokenrscopes expires_atclaimsz!Failed to verify GitHub token: %sz#GitHub token verification error: %s)httpx AsyncClientr"get status_codeloggerdebugtextjsonrGsplitstripr!setissubsetlenr str RequestError Exception) r@rTclientresponse user_datascopes_responseoauth_scopes_headerscope token_scopestoken_scopes_setrequired_scopes_setes r* verify_token GitHubTokenVerifier.verify_tokenWsN ((1E1EFF&!'1+25'):"B&<","''3.LLC ,, ds+  #GFF&%MMO )/ 7+25'):"B&<)3)#'6&=&=&A&ABRTV&W#"5!:!:3!? !?{{}"EKKM!? $$*8L'''*<'8$*-d.B.B*C'.778HII T 01 34 $mGFFr#!)--i"@A'#"9T?3!*w!7 ) f 5!*w!7&/mmL&A,5  sGFFG.# EGFFFP!!  LL B sK "I,H=I,IIAI I,II,K *II3I8I I )A=I& I,1I2I,6K 7A4I+ I,7I8I,<K =I,II,I II,I,I)I  I)%I,(K )I,,KJK  K(K>K KK )r")r!r r"int)rTrereturnzAccessToken | None) r/r0r1r2r3r?rrr7 __classcell__rAs@r*r9r9As:-1! /* / / /PPr-r9c v^\rSrSrSr\\\\\\\\S\SS. SU4SjjjrSrU=r$) GitHubProvideraComplete GitHub OAuth provider for FastMCP. This provider makes it trivial to add GitHub OAuth protection to any FastMCP server. Just provide your GitHub OAuth app credentials and a base URL, and you're ready to go. Features: - Transparent OAuth proxy to GitHub - Automatic token validation via GitHub API - User information extraction - Minimal configuration required Example: ```python from fastmcp import FastMCP from fastmcp.server.auth.providers.github import GitHubProvider auth = GitHubProvider( client_id="Ov23li...", client_secret="abc123...", base_url="https://my-server.com" ) mcp = FastMCP("My App", auth=auth) ``` NT) rrrrrr!r"r#client_storager$require_authorization_consentc >[RUUUUUUUUU S. R5V V s0sHupU [LdMX_M sn n 5nUR(d [ S5eUR (d [ S5eUR=(d SnUR=(d S/nURn[UUS9nUR (aUR R5OSn[TU]5SS URUUURURUR =(d URUU UR"U S 9 [$R'S URU5 g s sn n f) aInitialize GitHub OAuth provider. Args: client_id: GitHub OAuth app client ID (e.g., "Ov23li...") client_secret: GitHub OAuth app client secret base_url: Public URL where OAuth endpoints will be accessible (includes any mount path) issuer_url: Issuer URL for OAuth metadata (defaults to base_url). Use root-level URL to avoid 404s during discovery when mounting under a path. redirect_path: Redirect path configured in GitHub OAuth app (defaults to "/auth/callback") required_scopes: Required GitHub scopes (defaults to ["user"]) timeout_seconds: HTTP request timeout for GitHub API calls allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients. If None (default), all URIs are allowed. If empty list, no URIs are allowed. client_storage: Storage backend for OAuth state (client registrations, encrypted tokens). If None, a DiskStore will be created in the data directory (derived from `platformdirs`). The disk store will be encrypted using a key derived from the JWT Signing Key. jwt_signing_key: Secret for signing FastMCP JWT tokens (any string or bytes). If bytes are provided, they will be used as is. If a string is provided, it will be derived into a 32-byte key. If not provided, the upstream client secret will be used to derive a 32-byte key using PBKDF2. require_authorization_consent: Whether to require user consent before authorizing clients (default True). When True, users see a consent screen before being redirected to GitHub. When False, authorization proceeds directly without user confirmation. SECURITY WARNING: Only disable for local development or testing environments. ) rrrrrr!r"r#r$zQclient_id is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_IDzYclient_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRETr;rKr<rIz(https://github.com/login/oauth/authorizez+https://github.com/login/oauth/access_token) upstream_authorization_endpointupstream_token_endpointupstream_client_idupstream_client_secrettoken_verifierrrrr#r{r$r|z?Initialized GitHub OAuth provider for client %s with scopes: %sN)rmodel_validateitemsrr ValueErrorrr"r!r#r9get_secret_valuer>r?rrrr$r\r])r@rrrrrr!r"r#r{r$r|kr)settingstimeout_seconds_finalrequired_scopes_final"allowed_client_redirect_uris_finalrclient_secret_strrAs r*r?GitHubProvider.__init__sP*88"+%2 (",%2'6'64P'6 %'   DAF?   &!!c %%k  !) 8 8 >B ( 8 8 DVH-5-R-R*-11 :B9O9OH " " 3 3 5UW  ,V$Q'11#4)&&"00**!  )K)$44*G   M    ! { s E4 E4 r.)r str | NotSetTrrrAnyHttpUrl | str | NotSetTrrrrr!list[str] | NotSetTr"z int | NotSetTr#rr{zAsyncKeyValue | Noner$zstr | bytes | NotSetTr|bool) r/r0r1r2r3rr?r7rvrws@r*ryrys<$*'-/517'-/5)/rsf*# 1;;>-06%/03 H \2f-fRF ZF r-