Ë †Kài*ãó´—ddlmZddlmZddlmZddlmZddlmZddlmZddl m Z dd l m Z dd l m Z d d lmZd d lmZd dlmZd dlmZGd„d«Zy)é)ÚJsonWebSignature)Ú JsonWebToken)Ú JoseErroré)ÚAuthorizationServer)Ú ClientMixin)ÚInvalidRequestError)Ú_validate_client)ÚBasicOAuth2Payload)Ú OAuth2Requesté)ÚInvalidRequestObjectError)ÚInvalidRequestUriError)ÚRequestNotSupportedError)ÚRequestUriNotSupportedErrorcó®—eZdZdZddedefd„Zdefd„Zdedefd„Z deded e d efd „Z deded e fd „Z d e d e fd„Zde fd„Zd e fd„Zd efd„Zd e d efd„Zy)ÚJWTAuthenticationRequestaAuthorization server extension implementing the support for JWT secured authentication request, as defined in :rfc:`RFC9101 <9101>`. :param support_request: Whether to enable support for the ``request`` parameter. :param support_request_uri: Whether to enable support for the ``request_uri`` parameter. This extension is intended to be inherited and registered into the authorization server:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def resolve_client_public_key(self, client: ClientMixin): return get_jwks_for_client(client) def get_request_object(self, request_uri: str): try: return requests.get(request_uri).text except requests.Exception: return None def get_server_metadata(self): return { "issuer": ..., "authorization_endpoint": ..., "require_signed_request_object": ..., } def get_client_require_signed_request_object(self, client: ClientMixin): return client.require_signed_request_object authorization_server.register_extension(JWTAuthenticationRequest()) Úsupport_requestÚsupport_request_uricó —||_||_y©N)rr)Úselfrrs úw/home/jay/workspace/scripts/.codegraph-venv/lib/python3.12/site-packages/authlib/oauth2/rfc9101/authorization_server.pyÚ__init__z!JWTAuthenticationRequest.__init__2s€Ø.ˆÔØ#6ˆÕ óÚauthorization_servercó<—|jd|j«y)NÚbefore_get_authorization_grant)Ú register_hookÚparse_authorization_request)rrs rÚ__call__z!JWTAuthenticationRequest.__call__6s€Ø×*Ñ*Ø ,¨d×.NÑ.Nõ rÚrequestcóî—t|j|jj«}|j |||«sy|j ||«}|j |||«}t|«}||_yr)r Ú query_clientÚpayloadÚ client_idÚ"_shoud_proceed_with_request_objectÚ_get_raw_request_objectÚ_decode_request_objectr )rrr"ÚclientÚraw_request_objectÚrequest_objectr%s rr z4JWTAuthenticationRequest.parse_authorization_request;s€ô"Ø × -Ñ -¨w¯©×/HÑ/Hó ˆð×6Ñ6Ø  '¨6ô ð à!×9Ñ9Ð:NÐPWÓXÐØ×4Ñ4Ø VÐ/ó ˆô% ^Ó4ˆØ!ˆrr*Úreturncó¨—d|jjvr9d|jjvr!td|jj¬«‚d|jjvr-|js t |jj¬«‚yd|jjvr-|j s t|jj¬«‚y|j|«r!td|jj¬«‚|j«}|r3|jdd«r!td |jj¬«‚y) Nr"Ú request_urizBThe 'request' and 'request_uri' parameters are mutually exclusive.©ÚstateTúGAuthorization requests for this client must use signed request objects.Úrequire_signed_request_objectFúGAuthorization requests for this server must use signed request objects.) r%Údatar r1rrrrÚ(get_client_require_signed_request_objectÚget_server_metadataÚget)rrr"r*Úmetadatas rr'z;JWTAuthenticationRequest._shoud_proceed_with_request_objectMs€ð ˜Ÿ™×,Ñ,Ñ ,°À'Ç/Á/×BVÑBVÑ1VÜ%ØTØ—o‘o×+Ñ+ôð 𠘟™×,Ñ,Ñ ,Ø×'Ò'Ü.°W·_±_×5JÑ5JÔKÐKØà ˜GŸO™O×0Ñ0Ñ 0Ø×+Ò+Ü1¸¿¹×8MÑ8MÔNÐNØð × 8Ñ 8¸Ô @Ü%ØYØ—o‘o×+Ñ+ôð ð×+Ñ+Ó-ˆÙ ˜Ÿ ™ Ð%DÀeÔLÜ%ØYØ—o‘o×+Ñ+ôð ð rcó—d|jjvrL|j|jjd«}|s t|jj¬«‚|S|jjd}|S)Nr/r0r")r%r5Úget_request_objectrr1)rrr"r+s rr(z0JWTAuthenticationRequest._get_raw_request_objectxsx€ð ˜GŸO™O×0Ñ0Ñ 0Ø!%×!8Ñ!8Ø—‘×$Ñ$ ]Ñ3ó"Ð ñ&Ü,°7·?±?×3HÑ3HÔIÐIð "Ð!ð")§¡×!5Ñ!5°iÑ!@Ð à!Ð!rr+cón—|j|«} tttjj «««}|j ||«}|j«|j|«r3|jddk(r!td|jj¬«‚|j!«}|rE|j#dd«r3|jddk(r!td|jj¬«‚|d |jj$k7r!td |jj¬«‚d |vsd |vr!td |jj¬«‚|S#t$rC}t|jxstj|jj¬«|‚d}~wwxYw)N)Ú descriptionr1ÚalgÚnoner2r0r3Fr4r&z\The 'client_id' claim from the request parameters and the request object claims don't match.r"r/zVThe 'request' and 'request_uri' parameters must not be included in the request object.)Úresolve_client_public_keyrÚlistrÚALGORITHMS_REGISTRYÚkeysÚdecodeÚvalidaterrr=r%r1r6Úheaderr r7r8r&) rr"r*r+ÚjwksÚjwtr,Úerrorr9s rr)z/JWTAuthenticationRequest._decode_request_object‡sœ€ð×-Ñ-¨fÓ5ˆð ÜœtÔ$4×$HÑ$H×$MÑ$MÓ$OÓPÓQˆCØ ŸZ™ZÐ(:¸DÓAˆNØ × #Ñ #Ô %ð × 9Ñ 9¸&Ô AØ×%Ñ% eÑ,°Ò6ä%ØYØ—o‘o×+Ñ+ôð ð×+Ñ+Ó-ˆá Ø— ‘ Ð<¸eÔDØ×%Ñ% eÑ,°Ò6ä%ØYØ—o‘o×+Ñ+ôð ð ˜+Ñ &¨'¯/©/×*CÑ*CÒ CÜ%ð=à—o‘o×+Ñ+ôð ð ˜Ñ &¨-¸>Ñ*IÜ%ØhØ—o‘o×+Ñ+ôð ð Ðøôcò Ü+Ø!×-Ñ-ÒVÔ1J×1VÑ1VØ—o‘o×+Ñ+ôðð ûð ús“AE(Å( F4Å1>F/Æ/F4r/có—t«‚)aÊDownload the request object at ``request_uri``. This method must be implemented if the ``request_uri`` parameter is supported:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def get_request_object(self, request_uri: str): try: return requests.get(request_uri).text except requests.Exception: return None ©ÚNotImplementedError)rr/s rr;z+JWTAuthenticationRequest.get_request_objectÃó €ô"Ó#Ð#rcó—t«‚)aResolve the client public key for verifying the JWT signature. A client may have many public keys, in this case, we can retrieve it via ``kid`` value in headers. Developers MUST implement this method:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def resolve_client_public_key(self, client): if client.jwks_uri: return requests.get(client.jwks_uri).json return client.jwks rK©rr*s rÚresolve_client_public_keysz3JWTAuthenticationRequest.resolve_client_public_keysÑrMrcó—iS)aÐReturn server metadata which includes supported grant types, response types and etc. When the ``require_signed_request_object`` claim is :data:`True`, all clients require that authorization requests use request objects, and an error will be returned when the authorization request payload is passed in the request body or query string:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def get_server_metadata(self): return { "issuer": ..., "authorization_endpoint": ..., "require_signed_request_object": ..., } ©)rs rr7z,JWTAuthenticationRequest.get_server_metadataßs €ð$ˆ rcó—y)aIReturn the 'require_signed_request_object' client metadata. When :data:`True`, the client requires that authorization requests use request objects, and an error will be returned when the authorization request payload is passed in the request body or query string:: class JWTAuthenticationRequest(rfc9101.JWTAuthenticationRequest): def get_client_require_signed_request_object(self, client): return client.require_signed_request_object If not implemented, the value is considered as :data:`False`. FrRrOs rr6zAJWTAuthenticationRequest.get_client_require_signed_request_objectós€ðrN)TT)Ú__name__Ú __module__Ú __qualname__Ú__doc__Úboolrrr!r r rr'Ústrr(r)r;rPÚdictr7r6rRrrrrsÓ„ññ@7¨ð7È$ó7ð Ð-@ó ð "Ø$7ð"ØBOó"ð$)à1ð)ðð)ðð )ð ó )ðV "Ø$7ð "ØBOð "à ó "ð:Ø*ð:Ø@Có:ðx $¨có $ð $°ó $ð Tóð( ¸{ð Ètô rrN)Ú authlib.joserrÚauthlib.jose.errorsrÚrfc6749rrr Úrfc6749.authenticate_clientr Úrfc6749.requestsr r ÚerrorsrrrrrrRrrúras8ðÝ)Ý%Ý)å)Ý!Ý)Ý:Ý1Ý,Ý-Ý*Ý,Ý/÷oòor