# hˤbSrSSKrSSKJrJrJrJrJr SSK r SSK r SSK r SSK r SSKrSSKrSSKrSSKrSSKrSSKJr \ \R2SS :a\4O\4r"S S \5r"S S \5r Sr!SSjr""SS\ 5r#g!\a SSKJrJrJr SSK JrJr Nf=f! SSKJr Nk=f)zIThis OAuth2 client implementation aims to be spec-compliant, and generic.N) urlencodeparse_qs quote_plusurlparse urlunparse)rrr)rr)AuthCodeReceiver)errorc\rSrSrSrg)BrowserInteractionTimeoutErrorN)__name__ __module__ __qualname____firstlineno____static_attributes__rG/var/www/html/env/lib/python3.13/site-packages/msal/oauth2cli/oauth2.pyr r srr c\rSrSr\S5rSrSr\\0r\ S5r \ RS5r SSjr S r SS jrSS jrS rS rg) BaseClient"cL[R"U5RS5$)N=)base64urlsafe_b64encoderstrip) assertions rencode_saml_assertion BaseClient.encode_saml_assertion's'' 299$??rz6urn:ietf:params:oauth:client-assertion-type:jwt-bearerz8urn:ietf:params:oauth:client-assertion-type:saml2-bearercP[R"S[5 UR$Nz"Will be gone in next major releasewarningswarnDeprecationWarning _http_client)selfs rsessionBaseClient.session/s :`_. When leaving it with default value (None), we will use True instead. This does not apply if you have chosen to pass your own Http client. proxies (dict): It will be passed to the `proxies parameter in the underlying requests library `_. This does not apply if you have chosen to pass your own Http client. timeout (object): It will be passed to the `timeout parameter in the underlying requests library `_. This does not apply if you have chosen to pass your own Http client. z,Missing input parameter server_configurationNclient_assertion_typezEverify, proxies, or timeout is not allowed when http_client is in userT)timeout) ValueError configuration client_id client_secretclient_assertiondefault_headers default_bodylogging getLoggerrloggerr(requestsSessionverifyproxies functoolspartialrequest) r)server_configurationr3 http_clientr4r5r/r6r7r=r>r0r;s r__init__BaseClient.__init__:sj$KL L1"* 0.4"(.B ,9N  5 6''1 !W%8GC>41Q$!$>C ::g  "oofWo>F7O Ds  B B c URUS.nURRS5(azUR(aiURRURSS5nU"[ UR5(aUR5O UR5US'UR UR5 UR U=(d 05 UR5V V s0sHupU (dMX_M nn n URS5(aURUS5US'SS0n U R UR5 U R U=(d 05 UR(aUR(apS[R"S R[UR5[UR55RS 55R!S 5-U S 'S UR";a [%S 5eU=(d UR&R("UR"S 4XUS.UD6n U R*S:aU R-5 [.R0"U R25$s sn n f![$a( UR4R7SU R25 ef=f)N)r3 grant_typer/cU$Nras r*BaseClient._obtain_token..!rr5rHAcceptzapplication/jsonzBasic {}:{}ascii Authorizationtoken_endpointz)token_endpoint not found in configuration)headersrNdataiz(Token response is not in json format: %s)r3r7rLr5client_assertion_encoderscallablerJrKrIr6r4r b64encodeformatrencodedecoder2r1r(post status_coderaise_for_statusjsonloadstextr: exception) r)rTrNrbrarirM_dataencoderrOrP_headersresps r _obtain_tokenBaseClient._obtain_tokens^#nnJG    !8 9 9d>S>S4488%%&=> MG(/D1122%%'8<8M8M)E$ %  T&&' TZR "'++-5-$!1-5 99W  !__U7^>*Jt7I7I,J E&/4#$*6'?)3H_ % 4#5#5 5HI I.))...   / 0%   s "  ! ! # ::dii( (M6N  KK ! !>  K  s2 JJ6J2Kc [U[5(deURS05nURXS9 UR"SSU0UD6$)aObtain an access token via a refresh token. :param refresh_token: The refresh token issued to the client :param scope: If omitted, is treated as equal to the scope originally granted by the resource owner, according to https://tools.ietf.org/html/rfc6749#section-6 rb) refresh_tokenrH)rw) isinstance string_typespoprJrt)r)rwrHrMrbs robtain_token_by_refresh_token(BaseClient.obtain_token_by_refresh_tokensN-6666zz&"% - =!!GGGGrcz[U[[[45(aSR [ U55$U$)N )rxlistsettuplejoinsorted)r)sequences rrIBaseClient._stringify s/ hsE 2 3 388F8,- -r)r(r5r3r4r2r7r6r:) NNNNNNNNN)NNNNrV)rrrr staticmethodr CLIENT_ASSERTION_TYPE_JWTCLIENT_ASSERTION_TYPE_SAML2rcpropertyr*setterrDrQrtr{rIrrrrrr"s @@!Y"\!<>S T !! ^^""!"& o\!YY[4 +==\ rc [R"5nSnURSS5URSS5-U- U:a[R"S5 UR S05nUR SUR URS US 05 UR"URS 4SU0UD6nURS 5S :XaURSS5S-US'X1S'U$)Nrlatest_attempt_atrrrz:Attempted too soon. Please do time.sleep(flow["interval"])rbr3rrrr r) rrLr%r&rzrJr3 DEVICE_FLOWrt)r)rrMnowskewrbresults r_obtain_token_by_device_flow#Client._obtain_token_by_device_flowPsiik 88' +dhhz1.E E Ls R MMV Wzz&"%    ] +T--@ ##   \ *A15A9?A ::g + -#xx A6:D $' ! rcRURSS5[R"5:$)Nrr)rLr)rs rrYClient.fsq(ADIIK(Orc UR"U40UD6nURS5UR;aU$[URSS55H*nU"U5(aUs $[R "S5 M, M)aObtain token by a device flow object, with customizable polling effect. Args: flow (dict): An object previously generated by initiate_device_flow(...). Its content WILL BE CHANGED by this method during each run. We share this object with you, so that you could implement your own loop, should you choose to do so. exit_condition (Callable): This method implements a loop to provide polling effect. The loop's exit condition is calculated by this callback. The default callback makes the loop run until the flow expires. Therefore, one of the ways to exit the polling early, is to change the flow["expires_at"] to a small number such as 0. In case you are doing async programming, you may want to completely turn off the loop. You can do so by using a callback as: exit_condition = lambda flow: True to make the loop run only once, i.e. no polling, hence non-block. r rrr)rrLDEVICE_FLOW_RETRIABLE_ERRORSrangersleep)r)rexit_conditionrMris robtain_token_by_device_flow"Client.obtain_token_by_device_flowdsr:66tFvFFzz'"$*K*KK 488J23!$''!M 1 4 rc SUR;a [S5eURSnUR"U4X#US.UD6nSU;aSOSnU<U<[U5<3$)Nauthorization_endpointz1authorization_endpoint not found in configuration redirect_urirHstate?&)r2r1rQr) r)rGrrHrrMrrNseps r_build_auth_request_uriClient._build_auth_request_urisx $4+=+= =PQ Q!%!3!34L!M00 (422c13 &8IJJrc d[R"S[5 UR"U4X#US.UD6$)zGenerate an authorization uri to be visited by resource owner. Parameters are the same as another method :func:`initiate_auth_code_flow()`, whose functionality is a superset of this method. :return: The auth uri as a string. z'Use initiate_auth_code_flow() instead. r)r%r&r'r)r)rGrrHrrMs rbuild_auth_request_uriClient.build_auth_request_uris<  ?AST++ (4 rc FURSS5nSU;a [S5e[5nU=(d4 SR[R "[ RS55UUS.nUR"U4USUS S .[U40UD6D6nXS 'US US 'U$) aInitiate an auth code flow. Later when the response reaches your redirect_uri, you can use :func:`~obtain_token_by_auth_code_flow()` to complete the authentication/authorization. This method also provides PKCE protection automatically. :param list scope: It is a list of case-sensitive strings. Some ID provider can accept empty string to represent default scope. :param str redirect_uri: Optional. If not specified, server will use the pre-registered one. :param str state: An opaque value used by the client to maintain state between the request and callback. If absent, this library will automatically generate one internally. :param kwargs: Other parameters, typically defined in OpenID Connect. :return: The auth code flow. It is a dict in this form:: { "auth_uri": "https://...", // Guide user to visit this "state": "...", // You may choose to verify it by yourself, // or just let obtain_token_by_auth_code_flow() // do that for you. "...": "...", // Everything else are reserved and internal } The caller is expected to:: 1. somehow store this content, typically inside the current session, 2. guide the end user (i.e. resource owner) to visit that auth_uri, 3. and then relay this dict and subsequent auth response to :func:`~obtain_token_by_auth_code_flow()`. rGcodetokenz(response_type="token ..." is not allowedr)rrrHrr)rcode_challenge_methodauth_urir) rzr1rrrrrrrr) r)rHrrrMrGpkcerrs rinitiate_auth_code_flowClient.initiate_auth_code_flowsV ?F; m #GH H+-NbggfmmF4H4H"&MN( // $ 01"&'7"8$4"6" $ $Z $_ 5_ rc [U[5(a[U[5(deURS5(d [S5eURS5URS5:wa9[SR URS5URS555eU(aI[ U5[ URS/55- (a[SURS5-5eURS5(a\UR "US4URS5U=(d URS5[URS05US S 9S .UD6$URS 5(aES US 0nURS 5(aUS US 'URS5(aUSUS'U$[S5e)aTWith the auth_response being redirected back, validate it against auth_code_flow, and then obtain tokens. Internally, it implements PKCE to mitigate the auth code interception attack. :param dict auth_code_flow: The same dict returned by :func:`~initiate_auth_code_flow()`. :param dict auth_response: A dict based on query string received from auth server. :param scope: You don't usually need to use scope parameter here. Some Identity Provider allows you to provide a subset of what you specified during :func:`~initiate_auth_code_flow`. :type scope: collections.Iterable[str] :return: * A dict containing "access_token" and/or "id_token", among others, depends on what scope was used. (See https://tools.ietf.org/html/rfc6749#section-5.1) * A dict containing "error", optionally "error_description", "error_uri". (It is either `this `_ or `that `_ * Most client-side data error would result in ValueError exception. So the usage pattern could be without any protocol details:: def authorize(): # A controller in a web app try: result = client.obtain_token_by_auth_code_flow( session.get("flow", {}), auth_resp) if "error" in result: return render_template("error.html", result) store_tokens() except ValueError: # Usually caused by CSRF pass # Simply ignore them return redirect(url_for("index")) rz!state missing from auth_code_flowzstate mismatch: {} vs {}rHz$scope must be None or a subset of %srrrbr)r)rrHrbr error_description error_uriz3auth_response must contain either "code" or "error")rxrrLr1rfr#_obtain_token_by_authorization_coderz)r)auth_code_flow auth_responserHrMr s robtain_token_by_auth_code_flow%Client.obtain_token_by_auth_code_flowsV.$//J}d4S4SSS!!'** @A A   g &-*;*;G*D D7>>""7+]->->w-GIJ J SZ#n&8&8"&E"FF69K9KG9TTV V   V $ $;;f% +//?:~11':JJvr*"0"A      W % %mG45E  !455-:;N-O)*  --%2;%?k"LNOOrc U(aUR"U4SU0UD6$[U=(d S5nUR(d [S5eURcSO URn[ US9nURS:waUOj[ URSRURUR55URURURUR45nURRS RU55 UR"U4SU0UD6sSSS5 $!,(df  g=f![ a [S U-5ef=f) aA native app can use this method to obtain token via a local browser. Internally, it implements PKCE to mitigate the auth code interception attack. :param scope: A list of scopes that you would like to obtain token for. :type scope: collections.Iterable[str] :param extra_scope_to_consent: Some IdP allows you to include more scopes for end user to consent. The access token returned by this method will NOT include those scopes, but the refresh token would record those extra consent, so that your future :func:`~obtain_token_by_refresh_token()` call would be able to obtain token for those additional scopes, silently. :type scope: collections.Iterable[str] :param string redirect_uri: The redirect_uri to be sent via auth request to Identity Provider (IdP), to indicate where an auth response would come back to. Such as ``http://127.0.0.1:0`` (default) or ``http://localhost:1234``. If port 0 is specified, this method will choose a system-allocated port, then the actual redirect_uri will contain that port. To use this behavior, your IdP would need to accept such dynamic port. Per HTTP convention, if port number is absent, it would mean port 80, although you probably want to specify port 0 in this context. :param dict auth_params: These parameters will be sent to authorization_endpoint. :param int timeout: In seconds. None means wait indefinitely. :param str browser_name: If you did ``webbrowser.register("xyz", None, BackgroundBrowser("/path/to/browser"))`` beforehand, you can pass in the name "xyz" to use that browser. The default value ``None`` means using default browser, which is customizable by env var $BROWSER. :return: Same as :func:`~obtain_token_by_auth_code_flow()` rzhttp://127.0.0.1:0z$redirect_uri should contain hostnameNP)portrr]zUsing {} as redirect_uriz,Can't listen on port %s. You may try port 0.)_obtain_token_by_browserrhostnamer1r_AuthCodeReceiverrschemerfget_portpathrNqueryfragmentr:debugPermissionError)r)rauth_code_receiverrM _redirect_uri listen_portreceiveruris robtain_token_by_browserClient.obtain_token_by_browser?sd^ 00"I1=IAGI I!!E1EF %%CD D$$,B-2D2D  N" 4&3&8&8A&=l:!((NN=#9#98;L;L;NO!&&!((!''!** OD !!"<"C"CC"HI44:+.:28:544 N>LN N Ns+) E 2B[[U] "X40UD6 X0lX@lXPlgrV)superrrDon_obtaining_tokenson_removing_rton_updating_rt)r)rBr3r"r#r$rM __class__s rrDClient.__init__s, fd$%9OO#6 ,,rc >UR5n[[U]"XU/UQ70UD6n SU ;aU R5n Sn X:XaX;aU(dU R U S5 SU ;aU SR 5n OUR S5n U=(d UR"URU URSUXUS.5 U $)Nr rwrHr`)r3rHr`rTresponserNrb) copyr!rrtrzsplitrLr"r3r2)r)rTrNrb also_save_rtr"argsrMrprs_respRTrHr%s rrtClient._obtain_tokens  VT0 8(,8068 $ IIKE BBK  "d#%g,,.  '* [[U] "[U[5(dU"U5OU4UUSLS.UD6nUR S5S:XaU=(d UR "U5 SnUSLa#X;aU=(d UR"XU5 U$)aThis is an overload which will trigger token storage callbacks. :param token_item: A refresh token (RT) item, in flexible format. It can be a string, or a whatever data structure containing RT string and its metadata, in such case the `rt_getter` callable must be able to extract the RT string out from the token item data structure. Either way, this token_item will be passed into other callbacks as-is. :param scope: If omitted, is treated as equal to the scope originally granted by the resource owner, according to https://tools.ietf.org/html/rfc6749#section-6 :param rt_getter: A callable to translate the token_item to a raw RT string :param on_removing_rt: If absent, fall back to the one defined in initialization :param on_updating_rt: Default to None, it will fall back to the one defined in initialization. This is the most common case. As a special case, you can pass in a False, then this function will NOT trigger on_updating_rt() for RT UPDATE, instead it will allow the RT to be added by on_obtaining_tokens(). This behavior is useful when you are migrating RTs from elsewhere into a token storage managed by this library. F)rHr+r invalid_grantrw)r!rr{rxryrLr#r$) r)rrH rt_getterr#r$rMrsr.r%s rr{$Client.obtain_token_by_refresh_token#s@VT@!*l;; j !AK'50    88G  /  2t22 2J ?   &2:  2t22 2JR I rc URRUS5nURS05nURX5"U5S9 UR"U4SU0UD6$)aThis method implements Assertion Framework for OAuth2 (RFC 7521). See details at https://tools.ietf.org/html/rfc7521#section-4.1 :param assertion: The assertion bytes can be a raw SAML2 assertion, or a JWT assertion. :param grant_type: It is typically either the value of :attr:`GRANT_TYPE_SAML2`, or :attr:`GRANT_TYPE_JWT`, the only two profiles defined in RFC 7521. :param scope: Optional. It must be a subset of previously granted scopes. cU$rVrrWs rrY2Client.obtain_token_by_assertion..]r[rrb)rHr)grant_assertion_encodersrLrzrJrt)r)rrTrHrMrqrbs robtain_token_by_assertion Client.obtain_token_by_assertionPs\//33J Lzz&"% %79+= >!!*B4B6BBr)r"r#r$rV)NNN)NN) NNNNNNNNNN)NNFN)!rrrr__doc__rrGRANT_TYPE_SAML2GRANT_TYPE_JWTrr r8rrrrrrrrrrrr rrrrDrtr{r9r __classcell__)r%s@rrr%s= E$ K$J FBN 0*2R2RS8,P$PAE KAE,26 BP QPl# GNX#'!!"#8J   26D426 M-1C M !32: -15 $B?CD+\04CCrr)r)$r;rl urllib.parserrrrr ImportErrorurllibr8r%rrsysr?rrrauthcoder rrsocketr version_infostr basestringry RuntimeErrorr objectrrrrrrrrJsO -RR  ;0 ))!,1v ~  \ ll^,  {CZ{C}-77,,-"0/sBB$B! B!$B.