k7iLSrSSKJr SSKrSSKJr SSKJrJr SSK r SSK J r J r SSK Jr SSKJr SS KJr SS KJrJrJr SS KJrJr SS KJr SS KJrJr SSKJ r SSK!J"r" SSK#J$r$ SSK%J&r&J'r' \$"\(5r)"SS\SS9r*"SS\5r+\"SSSS9"SS55r,"SS\5r-"SS\5r."S S!\5r/g)"z*TokenVerifier implementations for FastMCP.) annotationsN) dataclass)Anycast) JsonWebKey JsonWebToken) JoseError) serialization)rsa) AnyHttpUrl SecretStrfield_validator) BaseSettingsSettingsConfigDict) TypedDict) AccessToken TokenVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTcj\rSrSr%SrS\S'S\S'S\S'S\S'S\S'S\S 'S \S 'S\S 'S rg)JWKDatazJSON Web Key data structure.strktykidusealgne list[str]x5cx5tN__name__ __module__ __qualname____firstlineno____doc____annotations____static_attributes__r'[/home/james-whalen/.local/lib/python3.13/site-packages/fastmcp/server/auth/providers/jwt.pyrrs-& H H H H F F N Hr0rF)totalc$\rSrSr%SrS\S'Srg)JWKSData(z JSON Web Key Set data structure.z list[JWKData]keysr'Nr(r'r0r1r4r4(s * r0r4T)frozenkw_onlyreprc|\rSrSr%SrS\S'S\S'\S Sj5rS S S jjrS r g) RSAKeyPair.zRSA key pair for JWT testing.r private_keyr public_keyc[R"SSS9nUR[RR [R R[R"5S9RS5nUR5R[RR [RRS9RS5nU"[U5US9$)zT Generate an RSA key pair for testing. Returns: RSAKeyPair: Generated key pair ii)public_exponentkey_size)encodingformatencryption_algorithmutf-8)rBrC)r=r>)r generate_private_key private_bytesr EncodingPEM PrivateFormatPKCS8 NoEncryptiondecoder> public_bytes PublicFormatSubjectPublicKeyInfor )clsr= private_pem public_pems r1generateRSAKeyPair.generate5s..! "//"++// ..44!.!;!;!=0  &/   " " $ \&//33$11FFVG_ !+.!  r0NcSS0nU(aXxS'UU[[R"55[[R"55U-S.n U(aX9S'U(aSRU5U S'U(aU RU5 [ S/5n U R XUR R55n U RS5$) a Generate a test JWT token for testing purposes. Args: subject: Subject claim (usually user ID) issuer: Issuer claim audience: Audience claim - can be a string or list of strings (optional) scopes: List of scopes to include expires_in_seconds: Token expiration time in seconds additional_claims: Any additional claims to include kid: Key ID to include in header r!RS256r)subissiatexpaud scoperE) inttimejoinupdaterencoder=get_secret_valuerM) selfsubjectissueraudiencescopesexpires_in_secondsadditional_claimsrheaderpayloadjwt_lib token_bytess r1 create_tokenRSAKeyPair.create_tokenYs.! 5Mtyy{#tyy{#&88   %EN "xx/GG   NN, -y)nn T-->>@ !!'**r0r')returnr;)z fastmcp-userzhttps://fastmcp.example.comNNNN)rfrrgrrhstr | list[str] | Nonerilist[str] | Nonerjr_rkzdict[str, Any] | Noner str | Nonerrr) r)r*r+r,r-r. classmethodrTrpr/r'r0r1r;r;.s'O! ! J&3+/#'"&372+2+2+) 2+ ! 2+  2+12+2+ 2+2+r0r;c\rSrSr%Sr\"S\SS9rSrS\ S'Sr S\ S 'Sr S\ S 'Sr S\ S 'Sr S \ S 'SrS\ S'SrS\ S'\"SSS9\S55rSrg)JWTVerifierSettingsz$Settings for JWT token verification.FASTMCP_SERVER_AUTH_JWT_ignore) env_prefixenv_fileextraNrvr>jwks_urirg algorithmrtrhrurequired_scopeszAnyHttpUrl | str | Nonebase_urlbefore)modec[U5$Nr)rQvs r1 _parse_scopes!JWTVerifierSettings._parse_scopessAr0r')r)r*r+r,r-rr model_configr>r.rrgrrhrrrrwrr/r'r0r1ryrys.%-L "J !HjFJ Iz '+H$+(,O%,(,H%,&X67r0ryc^\rSrSrSr\\\\\\\S.S U4SjjjrS SjrS SjrSSjr SSjr SS jr S r U=r $) JWTVerifieraI JWT token verifier supporting both asymmetric (RSA/ECDSA) and symmetric (HMAC) algorithms. This verifier validates JWT tokens using various signing algorithms: - **Asymmetric algorithms** (RS256/384/512, ES256/384/512, PS256/384/512): Uses public/private key pairs. Ideal for external clients and services where only the authorization server has the private key. - **Symmetric algorithms** (HS256/384/512): Uses a shared secret for both signing and verification. Perfect for internal microservices and trusted environments where the secret can be securely shared. Use this when: - You have JWT tokens issued by an external service (asymmetric) - You need JWKS support for automatic key rotation (asymmetric) - You have internal microservices sharing a secret key (symmetric) - Your tokens contain standard OAuth scopes and claims r>rrgrhrrrc >[RUUUUUUUS.R5VV s0sHupU [LdMX_M sn n5n U R(dU R (d [ S5eU R(aU R (a [ S5eU R=(d SnUS;a[ SUS35e[T U]%U RU RS9 XPlU RUl U RUl U RUlU R Ul[UR/5Ul[!["5Ul0UlS UlS Ulg s sn nf) a Initialize the JWT token verifier. Args: public_key: For asymmetric algorithms (RS256, ES256, etc.): PEM-encoded public key. For symmetric algorithms (HS256, HS384, HS512): The shared secret string. jwks_uri: URI to fetch JSON Web Key Set (only for asymmetric algorithms) issuer: Expected issuer claim audience: Expected audience claim(s) algorithm: JWT signing algorithm. Supported algorithms: - Asymmetric: RS256/384/512, ES256/384/512, PS256/384/512 (default: RS256) - Symmetric: HS256, HS384, HS512 required_scopes: Required scopes for all tokens base_url: Base URL for TokenVerifier protocol rz.Either public_key or jwks_uri must be providedz/Provide either public_key or jwks_uri, not bothrW> ES256ES384ES512HS256HS384HS512PS256PS384PS512rWRS384RS512zUnsupported algorithm: .)rrrrsN)rymodel_validateitemsrr>r ValueErrorrsuper__init__rrrgrhrjwtrr)logger _jwks_cache_jwks_cache_time _cache_ttl) rer>rrgrhrrrkrsettings __class__s r1rJWTVerifier.__init__sw4'55#- ($ (!*'6 (%' DAF?   ""8+<+<MN N   8#4#4NO O&&1'   6ykCD D &&$44  #oo  )) "-- ))  01 * ,.'(o s F F c# UR(a UR$SSKnSSKnURS5SnUSS[ U5S-- -- nUR UR U55nURS5nURU5IShvN $N![an[SU35UeSnAff=f7f)z'Get the verification key for the token.rNr=rz%Failed to extract key ID from token: ) r>base64jsonsplitlenloadsurlsafe_b64decodeget _get_jwks_key Exceptionr)retokenrr header_b64rlrr#s r1_get_verification_key!JWTVerifier._get_verification_key s ???? " Q  S)!,J #S_q%8!89 9JZZ 8 8 DEF**U#C++C00 00 QDQCHIq P Qs;CA8B BB CB B>*B99B>>Cc# UR(d [S5e[R"5nX R- UR:aqU(aXR ;aUR U$U(dE[ UR 5S:Xa,[[UR R555$[R"5IShvN nURUR5IShvN nUR5 UR5nSSS5IShvN 0UlWRS/5H_nURS5n[R "U5nUR#5n U(aXR U'MQXR S'Ma X lU(aIXR ;a+UR$R'SU5 [SUS 35eUR U$[ UR 5S:Xa,[[UR R555$[ UR 5S:a [S 5e[S 5eGNGN~GNQ!,IShvN (df  GNg=f![R(an [S U 35U eSn A f[*a2n UR$R'S U 35 [S U 35U eSn A ff=f7f)z(Fetch key from JWKS with simple caching.zJWKS URI not configuredNr6r_defaultz-JWKS key lookup failed: key ID '%s' not foundzKey ID 'z' not found in JWKSz2Multiple keys in JWKS but no key ID (kid) in tokenzNo keys found in JWKSzFailed to fetch JWKS: zJWKS fetch failed: )rrr`rrrrnextitervalueshttpx AsyncClientrraise_for_statusrr import_keyget_public_keyrdebug HTTPErrorr) rer current_timeclientresponse jwks_datakey_datakey_kidjwkr>r#s r1rJWTVerifier._get_jwks_key s~}}67 7yy{  // /$// As...'',,S!1!12a7D!1!1!8!8!:;<<, B((**f!'DMM!::))+$MMO +* "D %MM&"5",,u- ++H5 //1 0:$$W-4>$$Z06%1 !...KK%%G%xu4G%HII'',,t''(A-T%5%5%<%<%> ?@@))*Q.$L%%<==K+:+***N B5aS9: A B KK   3A37 85aS9: A BsB?LJI9JJ>I<?$J# J.I?/CJLAJ L 0J<J?JJJ JJK?1K K? -K::K??LcSHRnX!;dM [X[5(aXR5s $[X[5(dMNXs $ /$)z Extract scopes from JWT claims. Supports both 'scope' and 'scp' claims. Checks the `scope` claim first (standard OAuth2 claim), then the `scp` claim (used by some Identity Providers). )r^scp) isinstancerrlist)reclaimsclaims r1_extract_scopesJWTVerifier._extract_scopes^sQ&EfmS11!=..00 t44!=( & r0c^ # URU5IShvN nURRX5nURS5=(d2 URS5=(d URS5=(d SnURS5nU(aRU[R"5:a9UR R SU5 UR RSU5 gUR(aXURS 5UR:wa9UR R S U5 UR RSU5 gUR(aURS 5m S n[UR[5(aS[T [5(a [U 4S jUR55nORT [[UR5;nO4[T [5(aURT ;nOT UR:HnU(d9UR R SU5 UR RSU5 gURU5nUR(ap[!U5n[!UR5n U R#U5(d:UR R SUU 5 UR RSU5 g[%U['U5UU(a [)U5OSUS9$GN![*a UR R S5 g[,a/n UR R S['U 55 Sn A gSn A ff=f7f)z Validates the provided JWT bearer token. Args: token: The JWT token string to validate Returns: AccessToken object if valid, None if invalid or expired N client_idazprXunknownr[z4Token validation failed: expired token for client %sz#Bearer token rejected for client %srYz6Token validation failed: issuer mismatch for client %sr\Fc3,># UH oT;v M g7frr').0expectedr\s r1 0JWTVerifier.load_access_token..s-)r>str | NotSetT | Nonerrrgrrhz str | list[str] | NotSetT | Nonerrrzlist[str] | NotSetT | Nonerz!AnyHttpUrl | str | NotSetT | None)rrrrr)rrvrrr)rzdict[str, Any]rrr$rrrrzAccessToken | None)r)r*r+r,r-rrrrrrrr/ __classcell__rs@r1rrs*,2)/'-5;*06<6<R)R' R % R 3 R(R4R4RRhQ(<B|"hT 3 3r0rcF^\rSrSrSrSSU4SjjjrSSjrSrU=r$) StaticTokenVerifieria Simple static token verifier for testing and development. This verifier validates tokens against a predefined dictionary of valid token strings and their associated claims. When a token string matches a key in the dictionary, the verifier returns the corresponding claims as if the token was validated by a real authorization server. Use this when: - You're developing or testing locally without a real OAuth server - You need predictable tokens for automated testing - You want to simulate different users/scopes without complex setup - You're prototyping and need simple API key-style authentication WARNING: Never use this in production - tokens are stored in plain text! c,>[TU]US9 Xlg)z Initialize the static token verifier. Args: tokens: Dict mapping token strings to token metadata Each token should have: client_id, scopes, expires_at (optional) required_scopes: Required scopes for all tokens )rN)rrtokens)rerrrs r1rStaticTokenVerifier.__init__s 9 r0c# URRU5nU(dgURS5nUbU[R"5:agURS/5nUR(aR[ U5n[ UR5nUR U5(d[ RSUSU35 g[UUSUUUS9$7f)z-Verify token against static token dictionary.Nrriz$Token missing required scopes. Has: z , Required: rr) rrr`rrrrrr)rer token_datarrirrs r1r StaticTokenVerifier.verify_token s[[__U+  ^^L1  !j499;&>"-   v;L!$"6"67O"++L99 :<. UdTef -!   sCC)rr)rzdict[str, dict[str, Any]]rrur) r)r*r+r,r-rrr/rrs@r1rrs3(-1)*   r0r)0r- __future__rr` dataclassesrtypingrrr authlib.joserrauthlib.jose.errorsr cryptography.hazmat.primitivesr )cryptography.hazmat.primitives.asymmetricr pydanticr r rpydantic_settingsrrtyping_extensionsrfastmcp.server.authrrfastmcp.settingsrfastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr)rrr4r;ryrrr'r0r1r s0" ! 1)89;;>':%/03 H   iu  y  $51\+\+2\+~,.A3-A3H ? -? r0