Kih#dZddlmZddlZddlmZmZmZddlm Z m Z ddl m Z ddl mZddlmZmZdd lmZdd lmZdd lmZdd lmZdd lmZmZeeZGdde ZGddeZ y)aScalekit authentication provider for FastMCP. This module provides ScalekitProvider - a complete authentication solution that integrates with Scalekit's OAuth 2.1 and OpenID Connect services, supporting Resource Server authentication for seamless MCP client authentication. ) annotationsN) AnyHttpUrlfield_validatormodel_validator) BaseSettingsSettingsConfigDict) JSONResponse)Route)RemoteAuthProvider TokenVerifier) JWTVerifier)ENV_FILE parse_scopes) get_logger)NotSetNotSetTceZdZUededZded<ded<dZd ed <dZd ed <dZ d ed <e d de ddZ e ddZy)ScalekitProviderSettings%FASTMCP_SERVER_AUTH_SCALEKITPROVIDER_ignore) env_prefixenv_fileextrarenvironment_urlstr resource_idNzAnyHttpUrl | Nonebase_urlmcp_urlzlist[str] | Nonerequired_scopesbefore)modect|SNr)clsvalues r/home/jay/workspace/scripts/.codegraph-venv/lib/python3.12/site-packages/fastmcp/server/auth/providers/scalekit.py _parse_scopesz&ScalekitProviderSettings._parse_scopes'sE""afterc|jxs |j}| d}t|tj |d||S)Nz@Either base_url or mcp_url must be provided for ScalekitProviderr)rr ValueErrorobject __setattr__)selfresolvedmsgs r'_resolve_base_urlz*ScalekitProviderSettings._resolve_base_url,s@==0DLL  TCS/ !4X6 r))r&r-)__name__ __module__ __qualname__rr model_config__annotations__rrr r classmethodr(rr2r)r'rrs%:L  "&H&!%G %(,O%,&X6#7#'"#r)rcfeZdZdZeeeeeedd dfdZ d dfd ZxZS) ScalekitProvideraScalekit resource server provider for OAuth 2.1 authentication. This provider implements Scalekit integration using resource server pattern. FastMCP acts as a protected resource server that validates access tokens issued by Scalekit's authorization server. IMPORTANT SETUP REQUIREMENTS: 1. Create an MCP Server in Scalekit Dashboard: - Go to your [Scalekit Dashboard](https://app.scalekit.com/) - Navigate to MCP Servers section - Register a new MCP Server with appropriate scopes - Ensure the Resource Identifier matches exactly what you configure as MCP URL - Note the Resource ID 2. Environment Configuration: - Set SCALEKIT_ENVIRONMENT_URL (e.g., https://your-env.scalekit.com) - Set SCALEKIT_RESOURCE_ID from your created resource - Set BASE_URL to your FastMCP server's public URL For detailed setup instructions, see: https://docs.scalekit.com/mcp/overview/ Example: ```python from fastmcp.server.auth.providers.scalekit import ScalekitProvider # Create Scalekit resource server provider scalekit_auth = ScalekitProvider( environment_url="https://your-env.scalekit.com", resource_id="sk_resource_...", base_url="https://your-fastmcp-server.com", ) # Use with FastMCP mcp = FastMCP("My App", auth=scalekit_auth) ``` N)r client_idrrrr token_verifierc|tu}tj|||||djD cic]\} } | tur| | c} } } | jt j d|rt j dt| jjd|_| j|_ | jxsg|_ t| j} t jd|j|j| |j|nt jd|jd|j|jt|jd|jd |jxsd }nt jd t |A|t#|jd |jg| ycc} } w)aInitialize Scalekit resource server provider. Args: environment_url: Your Scalekit environment URL (e.g., "https://your-env.scalekit.com") resource_id: Your Scalekit resource ID base_url: Public URL of this FastMCP server required_scopes: Optional list of scopes that must be present in tokens token_verifier: Optional token verifier. If None, creates JWT verifier for Scalekit )rrrrr NztScalekitProvider parameter 'mcp_url' is deprecated and will be removed in a future release. Rename it to 'base_url'.zScalekitProvider no longer requires 'client_id'. The parameter is accepted only for backward compatibility and will be removed in a future release./z_Initializing ScalekitProvider: environment_url=%s resource_id=%s base_url=%s required_scopes=%szSCreating default JWTVerifier for Scalekit: jwks_uri=%s issuer=%s required_scopes=%sz/keysRS256)jwks_uriissuer algorithmr z0Using custom token verifier for ScalekitProviderz /resources/)r=authorization_serversr)rrmodel_validateitemsrloggerwarningrrrstriprr rdebugr super__init__r)r/rr<rrrr r=legacy_client_idkvsettingsbase_url_value __class__s r'rLzScalekitProvider.__init___s(%F2+::(7#. (&'6  %' AqF?1       ' NN+   NNI  #8#;#;<CCCH#//'77=2X../ m          ! LLe''(.$$$$   ) 0017++! $ 4 4 < N LLK L )d223;t?O?O>PQR#$  q sG ct|}tjd|jfd}|j t d|dg|S)aGet OAuth routes including Scalekit authorization server metadata forwarding. This returns the standard protected resource routes plus an authorization server metadata endpoint that forwards Scalekit's OAuth metadata to clients. Args: mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp") This is used to advertise the resource URL in metadata. z>Preparing Scalekit metadata routes: mcp_path=%s resource_id=%scfK jdj}tjd|t j 4d{}|j |d{}|j|j}tjdt|jt|cdddd{S77o7 #1d{7swYyxYw#t$r5}tjd|tdd|dd cYd}~Sd}~wwxYww) zQForward Scalekit OAuth authorization server metadata with FastMCP customizations.z2/.well-known/oauth-authorization-server/resources/z1Fetching Scalekit OAuth metadata: metadata_url=%sNz8Scalekit metadata fetched successfully: metadata_keys=%sz#Failed to fetch Scalekit metadata: server_error)errorerror_descriptioni) status_code)rrrGrJhttpx AsyncClientgetraise_for_statusjsonlistkeysr ExceptionrV)request metadata_urlclientresponsemetadataer/s r'#oauth_authorization_server_metadatazHScalekitProvider.get_routes..oauth_authorization_server_metadatas "&"6"6!77ijnjzjzi{|  G!,,.22&%+ZZ %==H--/'}}HLLRX]]_-(1222=2222  B1#FG#!//RSTRU-V!$  sD1A C0CC0C'C(AC C0CC0D1C0CC0C-!C$ "C-)C0,D1-C00 D.9*D)#D.$D1)D..D1z'/.well-known/oauth-authorization-serverGET)endpointmethods)rK get_routesrGrJrappendr )r/mcp_pathroutesrgrRs` r'rkzScalekitProvider.get_routess\#H- L      6  9<   r))rAnyHttpUrl | str | NotSetTr< str | NotSetTrrprrorror zlist[str] | NotSetTr=zTokenVerifier | Noner$)rmz str | Nonereturnz list[Route])r3r4r5__doc__rrLrk __classcell__)rRs@r'r;r;7s%T7=#)%+/5.4/5/3U 4U ! U # U - U ,U -U -U r $88 88r)r;)!rr __future__rrYpydanticrrrpydantic_settingsrrstarlette.responsesr starlette.routingr fastmcp.server.authr r !fastmcp.server.auth.providers.jwtr fastmcp.settingsrfastmcp.utilities.authrfastmcp.utilities.loggingrfastmcp.utilities.typesrrr3rGrr;r9r)r'rsX# AA>,#A9%/03 H |:w)wr)