§
    "¾<iO%  ã                  ó   — d Z ddlmZ ddlmZ ddlZddlmZmZ ddl	m
Z
mZ ddlmZ ddlmZ dd	lmZmZ dd
lmZ ddlmZ ddlmZ ddlmZ ddlmZmZ  ee¦  «        Z G d„ de
¦  «        Z  G d„ de¦  «        Z!dS )a  Descope authentication provider for FastMCP.

This module provides DescopeProvider - a complete authentication solution that integrates
with Descope's OAuth 2.1 and OpenID Connect services, supporting Dynamic Client Registration (DCR)
for seamless MCP client authentication.
é    )Úannotations)ÚurlparseN)Ú
AnyHttpUrlÚfield_validator)ÚBaseSettingsÚSettingsConfigDict)ÚJSONResponse)ÚRoute)ÚRemoteAuthProviderÚTokenVerifier)ÚJWTVerifier)ÚENV_FILE©Úparse_scopes)Ú
get_logger)ÚNotSetÚNotSetTc                  óª   — e Zd ZU  eded¬¦  «        ZdZded<   dZded<   dZ	d	ed
<   ded<   dZ
ded<    edd¬¦  «        ed„ ¦   «         ¦   «         ZdS )ÚDescopeProviderSettingsÚ$FASTMCP_SERVER_AUTH_DESCOPEPROVIDER_Úignore)Ú
env_prefixÚenv_fileÚextraNzAnyHttpUrl | NoneÚ
config_urlú
str | NoneÚ
project_idzAnyHttpUrl | str | NoneÚdescope_base_urlr   Úbase_urlzlist[str] | NoneÚrequired_scopesÚbefore)Úmodec                ó    — t          |¦  «        S ©Nr   )ÚclsÚvs     ú /Users/kimhansen/Desktop/03 Workspace/ceo-agents/chl-effectiveness/mcp-servers/whoop/.venv/lib/python3.11/site-packages/fastmcp/server/auth/providers/descope.pyÚ_parse_scopesz%DescopeProviderSettings._parse_scopes)   s   € õ ˜A‰ŒÐó    )Ú__name__Ú
__module__Ú__qualname__r   r   Úmodel_configr   Ú__annotations__r   r   r    r   Úclassmethodr(   © r)   r'   r   r      s½   € € € € € € Ø%Ð%Ø9ØØðñ ô €Lð %)€JÐ(Ð(Ð(Ñ(Ø!€JÐ!Ð!Ð!Ñ!Ø04ÐÐ4Ð4Ð4Ñ4ØÐÐÑØ(,€OÐ,Ð,Ð,Ñ,à€_Ð&¨XÐ6Ñ6Ô6Øðð ñ „[ñ 7Ô6ðð ð r)   r   c                  óD   ‡ — e Zd ZdZeeeeeddœdˆ fd„Z	 ddˆ fd„Zˆ xZS )ÚDescopeProvidera×  Descope metadata provider for DCR (Dynamic Client Registration).

    This provider implements Descope integration using metadata forwarding.
    This is the recommended approach for Descope DCR
    as it allows Descope to handle the OAuth flow directly while FastMCP acts
    as a resource server.

    IMPORTANT SETUP REQUIREMENTS:

    1. Create an MCP Server in Descope Console:
       - Go to the [MCP Servers page](https://app.descope.com/mcp-servers) of the Descope Console
       - Create a new MCP Server
       - Ensure that **Dynamic Client Registration (DCR)** is enabled
       - Note your Well-Known URL

    2. Note your Well-Known URL:
       - Save your Well-Known URL from [MCP Server Settings](https://app.descope.com/mcp-servers)
       - Format: ``https://.../v1/apps/agentic/P.../M.../.well-known/openid-configuration``

    For detailed setup instructions, see:
    https://docs.descope.com/identity-federation/inbound-apps/creating-inbound-apps#method-2-dynamic-client-registration-dcr

    Example:
        ```python
        from fastmcp.server.auth.providers.descope import DescopeProvider

        # Create Descope metadata provider (JWT verifier created automatically)
        descope_auth = DescopeProvider(
            config_url="https://.../v1/apps/agentic/P.../M.../.well-known/openid-configuration",
            base_url="https://your-fastmcp-server.com",
        )

        # Use with FastMCP
        mcp = FastMCP("My App", auth=descope_auth)
        ```
    N)r   r   r   r   r    Útoken_verifierr   úAnyHttpUrl | str | NotSetTr   ústr | NotSetTr   r   r    úlist[str] | NotSetT | Noner3   úTokenVerifier | Nonec          	     óì  •— t                                d„ |||||dœ                     ¦   «         D ¦   «         ¦  «        }t          t	          |j        ¦  «                             d¦  «        ¦  «        | _        |j        t	          |j        ¦  «        }|                     d¦  «        r|dt          d¦  «         …         }t          |¦  «        }	|	j                             d¦  «                             d¦  «        }
d|
v rN|
                     d¦  «        }|dz   t          |
¦  «        k     r|
|dz            | _        n$t!          d|› ¦  «        ‚t!          d	|› ¦  «        ‚|	j        › d
|	j        ›                      d¦  «        | _        nƒ|j        m|j        f|j        | _        t	          |j        ¦  «                             d¦  «        }|                     d¦  «        sd|› }|| _        | j        › d| j        › }nt!          d¦  «        ‚|€.t+          | j        › d| j        › d|d| j        |j        ¬¦  «        }t/          ¦   «                              |t          |¦  «        g| j        ¬¦  «         dS )az  Initialize Descope metadata provider.

        Args:
            config_url: Your Descope Well-Known URL (e.g., "https://.../v1/apps/agentic/P.../M.../.well-known/openid-configuration")
                This is the new recommended way. If provided, project_id and descope_base_url are ignored.
            project_id: Your Descope Project ID (e.g., "P2abc123"). Used with descope_base_url for backwards compatibility.
            descope_base_url: Your Descope base URL (e.g., "https://api.descope.com"). Used with project_id for backwards compatibility.
            base_url: Public URL of this FastMCP server
            required_scopes: Optional list of scopes that must be present in validated tokens.
                These scopes will be included in the protected resource metadata.
            token_verifier: Optional token verifier. If None, creates JWT verifier for Descope
        c                ó,   — i | ]\  }}|t           u¯||“ŒS r0   )r   )Ú.0Úkr&   s      r'   ú
<dictcomp>z,DescopeProvider.__init__.<locals>.<dictcomp>l   s3   € ð 
ð 
ð 
áAqð F??ð 1ð #??r)   )r   r   r   r   r    ú/Nz!/.well-known/openid-configurationÚagenticé   z.Could not extract project_id from config_url: z-Could not find 'agentic' in config_url path: z://)zhttp://úhttps://r@   ú	/v1/apps/z^Either config_url (new API) or both project_id and descope_base_url (old API) must be providedz/.well-known/jwks.jsonÚRS256)Újwks_uriÚissuerÚ	algorithmÚaudiencer    )r3   Úauthorization_serversr   )r   Úmodel_validateÚitemsr   Ústrr   Úrstripr   ÚendswithÚlenr   ÚpathÚstripÚsplitÚindexr   Ú
ValueErrorÚschemeÚnetlocr   Ú
startswithr   r    ÚsuperÚ__init__)Úselfr   r   r   r   r    r3   ÚsettingsÚ
issuer_urlÚ
parsed_urlÚ
path_partsÚagentic_indexÚdescope_base_url_strÚ	__class__s                €r'   rW   zDescopeProvider.__init__U   sâ  ø€ õ, +×9Ò9ð
ð 
ð #-Ø",Ø(8Ø (Ø'6ðð ÷ ’%‘'”'ð
ñ 
ô 
ñ
ô 
ˆõ #¥3 xÔ'8Ñ#9Ô#9×#@Ò#@ÀÑ#EÔ#EÑFÔFˆŒð ÔÑ*õ ˜XÔ0Ñ1Ô1ˆJØ×"Ò"Ð#FÑGÔGð UØ'Ð(S­3Ð/RÑ+SÔ+SÐ*SÐ(SÔT
õ " *Ñ-Ô-ˆJØ#œ×.Ò.¨sÑ3Ô3×9Ò9¸#Ñ>Ô>ˆJð ˜JÐ&Ð&Ø *× 0Ò 0°Ñ ;Ô ;Ø  1Ñ$¥s¨:¡¤Ò6Ð6Ø&0°ÀÑ1BÔ&CD”OOå$ØUÈÐUÐUñô ð õ !ØPÀJÐPÐPñô ð ð
 (2Ô'8Ð$PÐ$P¸ZÔ=NÐ$PÐ$P×$WÒ$WØñ%ô %ˆDÔ!Ð!ð Ô Ð,°Ô1JÐ1Và&Ô1ˆDŒOÝ#& xÔ'@Ñ#AÔ#A×#HÒ#HÈÑ#MÔ#MÐ à'×2Ò2Ð3JÑKÔKð IØ'HÐ2FÐ'HÐ'HÐ$Ø$8ˆDÔ!à Ô1ÐMÐM¸D¼OÐMÐMˆJˆJåØpñô ð ð
 Ð!Ý(Ø Ô1Ð[Ð[°D´OÐ[Ð[Ð[Ø!Ø!ØœØ (Ô 8ðñ ô ˆNõ 	‰Œ×ÒØ)Ý#-¨jÑ#9Ô#9Ð":Ø”]ð 	ñ 	
ô 	
ð 	
ð 	
ð 	
r)   Úmcp_pathr   Úreturnúlist[Route]c                ó¢   •‡ — t          ¦   «                              |¦  «        }ˆ fd„}|                     t          d|dg¬¦  «        ¦  «         |S )a£  Get OAuth routes including Descope authorization server metadata forwarding.

        This returns the standard protected resource routes plus an authorization server
        metadata endpoint that forwards Descope's OAuth metadata to clients.

        Args:
            mcp_path: The path where the MCP endpoint is mounted (e.g., "/mcp")
                This is used to advertise the resource URL in metadata.
        c              “  ó¨  •K  — 	 t          j        ¦   «         4 ƒd{V —†}|                     ‰j        › d‰j        › d¦  «        ƒ d{V —†}|                     ¦   «          |                     ¦   «         }t          |¦  «        cddd¦  «        ƒd{V —† S # 1 ƒd{V —†swxY w Y   dS # t          $ r!}t          dd|› dœd¬¦  «        cY d}~S d}~ww xY w)	zPForward Descope OAuth authorization server metadata with FastMCP customizations.NrA   ú'/.well-known/oauth-authorization-serverÚserver_errorz"Failed to fetch Descope metadata: )ÚerrorÚerror_descriptioniô  )Ústatus_code)	ÚhttpxÚAsyncClientÚgetr   r   Úraise_for_statusÚjsonr	   Ú	Exception)ÚrequestÚclientÚresponseÚmetadataÚerX   s        €r'   Ú#oauth_authorization_server_metadatazGDescopeProvider.get_routes.<locals>.oauth_authorization_server_metadataÉ   s»  øè è € ðÝ Ô,Ñ.Ô.ð 2ð 2ð 2ð 2ð 2ð 2ð 2°&Ø%+§Z¢ZØÔ0ÐsÐs¸4¼?ÐsÐsÐsñ&ô &ð  ð  ð  ð  ð  ð  Hð ×-Ò-Ñ/Ô/Ð/Ø'Ÿ}š}™œHÝ'¨Ñ1Ô1ð2ð 2ð 2ð 2ñ 2ô 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2ð 2øøøð 2ð 2ð 2ð 2ð 2ð 2øõ ð ð ð Ý#à!/Ø-UÐRSÐ-UÐ-Uðð ð !$ðñ ô ð ð ð ð ð ð øøøøðøøøsA   …B& žA"BÂ B& Â
BÂB& Â BÂ!B& Â&
CÂ0CÃCÃCre   ÚGET)ÚendpointÚmethods)rV   Ú
get_routesÚappendr
   )rX   r`   Úroutesru   r_   s   `   €r'   ry   zDescopeProvider.get_routes¹   sr   øø€ õ ‘”×#Ò# HÑ-Ô-ˆð	ð 	ð 	ð 	ð 	ð( 	ŠÝØ9Ø<Ø˜ðñ ô ñ	
ô 	
ð 	
ð ˆr)   )r   r4   r   r5   r   r4   r   r4   r    r6   r3   r7   r$   )r`   r   ra   rb   )r*   r+   r,   Ú__doc__r   rW   ry   Ú__classcell__)r_   s   @r'   r2   r2   /   s—   ø€ € € € € ð#ð #ðP 28Ø$*Ø7=Ø/5Ø6<Ø/3ðb
ð b
ð b
ð b
ð b
ð b
ð b
ð b
ðL  $ð,ð ,ð ,ð ,ð ,ð ,ð ,ð ,ð ,ð ,ð ,r)   r2   )"r|   Ú
__future__r   Úurllib.parser   rj   Úpydanticr   r   Úpydantic_settingsr   r   Ústarlette.responsesr	   Ústarlette.routingr
   Úfastmcp.server.authr   r   Ú!fastmcp.server.auth.providers.jwtr   Úfastmcp.settingsr   Úfastmcp.utilities.authr   Úfastmcp.utilities.loggingr   Úfastmcp.utilities.typesr   r   r*   Úloggerr   r2   r0   r)   r'   ú<module>r‹      s‚  ððð ð #Ð "Ð "Ð "Ð "Ð "à !Ð !Ð !Ð !Ð !Ð !à €€€Ø 0Ð 0Ð 0Ð 0Ð 0Ð 0Ð 0Ð 0Ø >Ð >Ð >Ð >Ð >Ð >Ð >Ð >Ø ,Ð ,Ð ,Ð ,Ð ,Ð ,Ø #Ð #Ð #Ð #Ð #Ð #à AÐ AÐ AÐ AÐ AÐ AÐ AÐ AØ 9Ð 9Ð 9Ð 9Ð 9Ð 9Ø %Ð %Ð %Ð %Ð %Ð %Ø /Ð /Ð /Ð /Ð /Ð /Ø 0Ð 0Ð 0Ð 0Ð 0Ð 0Ø 3Ð 3Ð 3Ð 3Ð 3Ð 3Ð 3Ð 3à	ˆHÑ	Ô	€ðð ð ð ð ˜lñ ô ð ð&vð vð vð vð vÐ(ñ vô vð vð vð vr)   