§
    !¾<i¥!  ã                   óf   — d dl Z d dlmZ d dlmZ d dlmZ d dlmZ d dlm	Z	  G d„ de	¦  «        Z
dS )	é    N)ÚOptional)ÚUnion©Úgenerate_token)Újwt)ÚBearerTokenGeneratorc                   óÄ   ‡ — e Zd ZdZ	 	 	 dˆ fd„	Zd„ Zd„ Zdeee	e         f         fd„Z
dee         fd	„Zdee         fd
„Zdee	e                  fd„Zdefd„Zd„ Zˆ xZS )ÚJWTBearerTokenGeneratoraÓ  A JWT formatted access token generator.

    :param issuer: The issuer identifier. Will appear in the JWT ``iss`` claim.

    :param \\*\\*kwargs: Other parameters are inherited from
        :class:`~authlib.oauth2.rfc6750.token.BearerTokenGenerator`.

    This token generator can be registered into the authorization server::

        class MyJWTBearerTokenGenerator(JWTBearerTokenGenerator):
            def get_jwks(self): ...

            def get_extra_claims(self, client, grant_type, user, scope): ...


        authorization_server.register_token_generator(
            "default",
            MyJWTBearerTokenGenerator(
                issuer="https://authorization-server.example.org"
            ),
        )
    ÚRS256Nc                 ót   •— t          ¦   «                              | j        ||¦  «         || _        || _        d S )N)ÚsuperÚ__init__Úaccess_token_generatorÚissuerÚalg)Úselfr   r   Úrefresh_token_generatorÚexpires_generatorÚ	__class__s        €ú—/Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/.venv/lib/python3.11/site-packages/authlib/oauth2/rfc9068/token.pyr   z JWTBearerTokenGenerator.__init__"   sA   ø€ õ 	‰Œ×ÒØÔ'Ð)@ÐBSñ	
ô 	
ð 	
ð ˆŒØˆŒˆˆó    c                 ó   — t          ¦   «         ‚)zÊReturn the JWKs that will be used to sign the JWT access token.
        Developers MUST re-implement this method::

            def get_jwks(self):
                return load_jwks("jwks.json")
        )ÚNotImplementedError)r   s    r   Úget_jwksz JWTBearerTokenGenerator.get_jwks/   s   € õ "Ñ#Ô#Ð#r   c                 ó   — i S )aY  Return extra claims to add in the JWT access token. Developers MAY
        re-implement this method to add identity claims like the ones in
        :ref:`specs/oidc` ID Token, or any other arbitrary claims::

            def get_extra_claims(self, client, grant_type, user, scope):
                return generate_user_info(user, scope)
        © ©r   ÚclientÚ
grant_typeÚuserÚscopes        r   Úget_extra_claimsz(JWTBearerTokenGenerator.get_extra_claims8   s	   € ð ˆ	r   Úreturnc                 ó*   — |                      ¦   «         S )aj  Return the audience for the token. By default this simply returns
        the client ID. Developers MAY re-implement this method to add extra
        audiences::

            def get_audiences(self, client, user, scope):
                return [
                    client.get_client_id(),
                    resource_server.get_id(),
                ]
        )Úget_client_id)r   r   r    r!   s       r   Úget_audiencesz%JWTBearerTokenGenerator.get_audiencesB   s   € ð ×#Ò#Ñ%Ô%Ð%r   c                 ó   — dS )aÙ  Authentication Context Class Reference.
        Returns a user-defined case sensitive string indicating the class of
        authentication the used performed. Token audience may refuse to give access to
        some resources if some ACR criteria are not met.
        :ref:`specs/oidc` defines one special value: ``0`` means that the user
        authentication did not respect `ISO29115`_ level 1, and will be refused monetary
        operations. Developers MAY re-implement this method::

            def get_acr(self, user):
                if user.insecure_session():
                    return "0"
                return "urn:mace:incommon:iap:silver"

        .. _ISO29115: https://www.iso.org/standard/45138.html
        Nr   ©r   r    s     r   Úget_acrzJWTBearerTokenGenerator.get_acrO   s	   € ð  ˆtr   c                 ó   — dS )a}  User authentication time.
        Time when the End-User authentication occurred. Its value is a JSON number
        representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC
        until the date/time. Developers MAY re-implement this method::

            def get_auth_time(self, user):
                return datetime.timestamp(user.get_auth_time())
        Nr   r(   s     r   Úget_auth_timez%JWTBearerTokenGenerator.get_auth_timea   ó	   € ð ˆtr   c                 ó   — dS )a{  Authentication Methods References.
        Defined by :ref:`specs/oidc` as an option list of user-defined case-sensitive
        strings indication which authentication methods have been used to authenticate
        the user. Developers MAY re-implement this method::

            def get_amr(self, user):
                return ["2FA"] if user.has_2fa_enabled() else []
        Nr   r(   s     r   Úget_amrzJWTBearerTokenGenerator.get_amrl   r,   r   c                 ó    — t          d¦  «        S )zçJWT ID.
        Create an unique identifier for the token. Developers MAY re-implement
        this method::

            def get_jti(self, client, grant_type, user scope):
                return generate_random_string(16)
        é   r   r   s        r   Úget_jtizJWTBearerTokenGenerator.get_jtiw   s   € õ ˜bÑ!Ô!Ð!r   c           
      ó  — t          t          j        ¦   «         ¦  «        }||                      ||¦  «        z   }| j        ||                     ¦   «         ||                      ||||¦  «        |dœ}|r|                     ¦   «         |d<   n|                     ¦   «         |d<   	 |                      |||¦  «        |d<   |                      |¦  «        x}r||d<   |  	                    |¦  «        x}	r|	|d<   |  
                    |¦  «        x}
r|
|d<   |                     |                      ||||¦  «        ¦  «         | j        dd	œ}t          j        |||                      ¦   «         d¬
¦  «        }|                     ¦   «         S )N)ÚissÚexpÚ	client_idÚiatÚjtir!   ÚsubFÚaudÚ	auth_timeÚacrÚamrzat+jwt)r   Útyp)ÚkeyÚcheck)ÚintÚtimeÚ_get_expires_inr   r%   r1   Úget_user_idr&   r+   r)   r.   Úupdater"   r   r   Úencoder   Údecode)r   r   r   r    r!   ÚnowÚ
expires_inÚ
token_datar:   r;   r<   ÚheaderÚaccess_tokens                r   r   z.JWTBearerTokenGenerator.access_token_generator   s¸  € Ý•$”)‘+”+ÑÔˆØ˜4×/Ò/°¸
ÑCÔCÑCˆ
ð ”;ØØ×-Ò-Ñ/Ô/ØØ—<’< ¨
°D¸%Ñ@Ô@Øð
ð 
ˆ
ð ð 		7Ø $× 0Ò 0Ñ 2Ô 2ˆJuÑÐð !'× 4Ò 4Ñ 6Ô 6ˆJuÑð	Hð !%× 2Ò 2°6¸4ÀÑ GÔ GˆJuÑð ×*Ò*¨4Ñ0Ô0Ð0ˆ9ð 	0Ø&/ˆJ{Ñ#ð
 —,’,˜tÑ$Ô$Ð$ˆ3ð 	$Ø #ˆJuÑð
 —,’,˜tÑ$Ô$Ð$ˆ3ð 	$Ø #ˆJuÑð 	×Ò˜$×/Ò/°¸
ÀDÈ%ÑPÔPÑQÔQÐQð œ¨(Ð3Ð3ˆå”zØØØ—’‘”Øð	
ñ 
ô 
ˆð ×"Ò"Ñ$Ô$Ð$r   )r   NN)Ú__name__Ú
__module__Ú__qualname__Ú__doc__r   r   r"   r   ÚstrÚlistr&   r   r)   r@   r+   r.   r1   r   Ú__classcell__)r   s   @r   r
   r
   
   s+  ø€ € € € € ðð ð4 Ø $Øðð ð ð ð ð ð$ð $ð $ðð ð ð&°E¸#¸tÀC¼y¸.Ô4Ið &ð &ð &ð &ð˜x¨œ}ð ð ð ð ð$	 X¨c¤]ð 	ð 	ð 	ð 	ð	˜x¨¨S¬	Ô2ð 	ð 	ð 	ð 	ð"¸#ð "ð "ð "ð "ðY%ð Y%ð Y%ð Y%ð Y%ð Y%ð Y%r   r
   )rA   Útypingr   r   Úauthlib.common.securityr   Úauthlib.joser   Úauthlib.oauth2.rfc6750.tokenr   r
   r   r   r   ú<module>rW      s§   ðØ €€€Ø Ð Ð Ð Ð Ð Ø Ð Ð Ð Ð Ð à 2Ð 2Ð 2Ð 2Ð 2Ð 2Ø Ð Ð Ð Ð Ð Ø =Ð =Ð =Ð =Ð =Ð =ðP%ð P%ð P%ð P%ð P%Ð2ñ P%ô P%ð P%ð P%ð P%r   