o Df*D@s@ddlmZmZddlmZGdddeZddZddZd S) )urlparse is_valid_url)is_secure_transportc@seZdZdZgdZddZddZddZd d Zd d Z d dZ ddZ ddZ ddZ ddZddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zed/d0Zed1d2Zed3d4Zed5d6Zed7d8Z d9d:Z!d;d<Z"d=S)>AuthorizationServerMetadatazDefine Authorization Server Metadata via `Section 2`_ in RFC8414_. .. _RFC8414: https://tools.ietf.org/html/rfc8414 .. _`Section 2`: https://tools.ietf.org/html/rfc8414#section-2 )issuerauthorization_endpointtoken_endpointjwks_uriregistration_endpointscopes_supportedresponse_types_supportedresponse_modes_supportedgrant_types_supported%token_endpoint_auth_methods_supported0token_endpoint_auth_signing_alg_values_supportedservice_documentationui_locales_supported op_policy_uri op_tos_urirevocation_endpoint*revocation_endpoint_auth_methods_supported5revocation_endpoint_auth_signing_alg_values_supportedintrospection_endpoint-introspection_endpoint_auth_methods_supported8introspection_endpoint_auth_signing_alg_values_supported code_challenge_methods_supportedcCsH|d}|s tdt|}t|std|js|jr"tddS)zREQUIRED. The authorization server's issuer identifier, which is a URL that uses the "https" scheme and has no query or fragment components. rz"issuer" is requiredz "issuer" MUST use "https" schemez!"issuer" has no query or fragmentN)get ValueErrorrrqueryfragment)selfrparsedr"V/home/ubuntu/webapp/venv/lib/python3.10/site-packages/authlib/oauth2/rfc8414/models.pyvalidate_issuers   z+AuthorizationServerMetadata.validate_issuercCsH|d}|rt|stddSt|j}ddh}||@r"tddS)zURL of the authorization server's authorization endpoint [RFC6749]. This is REQUIRED unless no grant types are supported that use the authorization endpoint. rz0"authorization_endpoint" MUST use "https" schemeNauthorization_codeimplicitz$"authorization_endpoint" is required)rrrsetr)r urlrauthorization_grant_typesr"r"r#validate_authorization_endpoint0s  z;AuthorizationServerMetadata.validate_authorization_endpointcCsT|d}|rt|dkr|ddkrdS|d}|s tdt|s(tddS) zURL of the authorization server's token endpoint [RFC6749]. This is REQUIRED unless only the implicit grant type is supported. rrr&Nrz"token_endpoint" is requiredz("token_endpoint" MUST use "https" scheme)rlenrr)r rr(r"r"r#validate_token_endpointAs   z3AuthorizationServerMetadata.validate_token_endpointcC&|d}|rt|stddSdS)alOPTIONAL. URL of the authorization server's JWK Set [JWK] document. The referenced document contains the signing key(s) the client uses to validate signatures from the authorization server. This URL MUST use the "https" scheme. The JWK Set MAY also contain the server's encryption key or keys, which are used by clients to encrypt requests to the server. When both signing and encryption keys are made available, a "use" (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. r z""jwks_uri" MUST use "https" schemeNrrrr r(r"r"r#validate_jwks_uriQ z-AuthorizationServerMetadata.validate_jwks_uricCr.)zwOPTIONAL. URL of the authorization server's OAuth 2.0 Dynamic Client Registration endpoint [RFC7591]. r z/"registration_endpoint" MUST use "https" schemeNr/r0r"r"r#validate_registration_endpoint`  z:AuthorizationServerMetadata.validate_registration_endpointcCt|ddS)zRECOMMENDED. JSON array containing a list of the OAuth 2.0 [RFC6749] "scope" values that this authorization server supports. Servers MAY choose not to advertise some supported scope values even when this parameter is used. r Nvalidate_array_valuer r"r"r#validate_scopes_supportediz5AuthorizationServerMetadata.validate_scopes_supportedcCs,|d}|s tdt|tstddS)a=REQUIRED. JSON array containing a list of the OAuth 2.0 "response_type" values that this authorization server supports. The array values used are the same as those used with the "response_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]. r z&"response_types_supported" is requiredz-"response_types_supported" MUST be JSON arrayN)rr isinstancelist)r r r"r"r#!validate_response_types_supportedqs  z=AuthorizationServerMetadata.validate_response_types_supportedcCr5)aOPTIONAL. JSON array containing a list of the OAuth 2.0 "response_mode" values that this authorization server supports, as specified in "OAuth 2.0 Multiple Response Type Encoding Practices" [OAuth.Responses]. If omitted, the default is "["query", "fragment"]". The response mode value "form_post" is also defined in "OAuth 2.0 Form Post Response Mode" [OAuth.Post]. r Nr6r8r"r"r#!validate_response_modes_supported~z=AuthorizationServerMetadata.validate_response_modes_supportedcCr5)aOPTIONAL. JSON array containing a list of the OAuth 2.0 grant type values that this authorization server supports. The array values used are the same as those used with the "grant_types" parameter defined by "OAuth 2.0 Dynamic Client Registration Protocol" [RFC7591]. If omitted, the default value is "["authorization_code", "implicit"]". rNr6r8r"r"r#validate_grant_types_supportedr?z:AuthorizationServerMetadata.validate_grant_types_supportedcCr5)aOPTIONAL. JSON array containing a list of client authentication methods supported by this token endpoint. Client authentication method values are used in the "token_endpoint_auth_method" parameter defined in Section 2 of [RFC7591]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. rNr6r8r"r"r#.validate_token_endpoint_auth_methods_supportedr?zJAuthorizationServerMetadata.validate_token_endpoint_auth_methods_supportedcCt|d|jdS)auOPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the token endpoint for the signature on the JWT [JWT] used to authenticate the client at the token endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "token_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. Servers SHOULD support "RS256". The value "none" MUST NOT be used. rN)_validate_alg_valuesrr8r"r"r#9validate_token_endpoint_auth_signing_alg_values_supported  zUAuthorizationServerMetadata.validate_token_endpoint_auth_signing_alg_values_supportedcCr.)apOPTIONAL. URL of a page containing human-readable information that developers might want or need to know when using the authorization server. In particular, if the authorization server does not support Dynamic Client Registration, then information on how to register clients needs to be provided in this documentation. rz%"service_documentation" MUST be a URLNrrrr valuer"r"r#validate_service_documentations  z:AuthorizationServerMetadata.validate_service_documentationcCr5)zOPTIONAL. Languages and scripts supported for the user interface, represented as a JSON array of language tag values from BCP 47 [RFC5646]. If omitted, the set of supported languages and scripts is unspecified. rNr6r8r"r"r#validate_ui_locales_supportedr:z9AuthorizationServerMetadata.validate_ui_locales_supportedcCr.)ajOPTIONAL. URL that the authorization server provides to the person registering the client to read about the authorization server's requirements on how the client can use the data provided by the authorization server. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_policy_uri" appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect. rz"op_policy_uri" MUST be a URLNrFrGr"r"r#validate_op_policy_urir2z2AuthorizationServerMetadata.validate_op_policy_uricCr.)aOPTIONAL. URL that the authorization server provides to the person registering the client to read about the authorization server's terms of service. The registration process SHOULD display this URL to the person registering the client if it is given. As described in Section 5, despite the identifier "op_tos_uri", appearing to be OpenID-specific, its usage in this specification is actually referring to a general OAuth 2.0 feature that is not specific to OpenID Connect. rz"op_tos_uri" MUST be a URLNrFrGr"r"r#validate_op_tos_uris z/AuthorizationServerMetadata.validate_op_tos_uricCr.)z\OPTIONAL. URL of the authorization server's OAuth 2.0 revocation endpoint [RFC7009].rz-"revocation_endpoint" MUST use "https" schemeNr/r0r"r"r#validate_revocation_endpoints  z8AuthorizationServerMetadata.validate_revocation_endpointcCr5)aOPTIONAL. JSON array containing a list of client authentication methods supported by this revocation endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters]. If omitted, the default is "client_secret_basic" -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of OAuth 2.0 [RFC6749]. rNr6r8r"r"r#3validate_revocation_endpoint_auth_methods_supporteds zOAuthorizationServerMetadata.validate_revocation_endpoint_auth_methods_supportedcCrB)acOPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the revocation endpoint for the signature on the JWT [JWT] used to authenticate the client at the revocation endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "revocation_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. rN)rCrr8r"r"r#>validate_revocation_endpoint_auth_signing_alg_values_supportedrEzZAuthorizationServerMetadata.validate_revocation_endpoint_auth_signing_alg_values_supportedcCr.)ziOPTIONAL. URL of the authorization server's OAuth 2.0 introspection endpoint [RFC7662]. rz0"introspection_endpoint" MUST use "https" schemeNr/r0r"r"r#validate_introspection_endpointr4z;AuthorizationServerMetadata.validate_introspection_endpointcCr5)aUOPTIONAL. JSON array containing a list of client authentication methods supported by this introspection endpoint. The valid client authentication method values are those registered in the IANA "OAuth Token Endpoint Authentication Methods" registry [IANA.OAuth.Parameters] or those registered in the IANA "OAuth Access Token Types" registry [IANA.OAuth.Parameters]. (These values are and will remain distinct, due to Section 7.2.) If omitted, the set of supported authentication methods MUST be determined by other means. rNr6r8r"r"r#6validate_introspection_endpoint_auth_methods_supported s zRAuthorizationServerMetadata.validate_introspection_endpoint_auth_methods_supportedcCrB)alOPTIONAL. JSON array containing a list of the JWS signing algorithms ("alg" values) supported by the introspection endpoint for the signature on the JWT [JWT] used to authenticate the client at the introspection endpoint for the "private_key_jwt" and "client_secret_jwt" authentication methods. This metadata entry MUST be present if either of these authentication methods are specified in the "introspection_endpoint_auth_methods_supported" entry. No default algorithms are implied if this entry is omitted. The value "none" MUST NOT be used. rN)rCrr8r"r"r#Avalidate_introspection_endpoint_auth_signing_alg_values_supportedrEz]AuthorizationServerMetadata.validate_introspection_endpoint_auth_signing_alg_values_supportedcCr5)aOPTIONAL. JSON array containing a list of Proof Key for Code Exchange (PKCE) [RFC7636] code challenge methods supported by this authorization server. Code challenge method values are used in the "code_challenge_method" parameter defined in Section 4.3 of [RFC7636]. The valid code challenge method values are those registered in the IANA "PKCE Code Challenge Methods" registry [IANA.OAuth.Parameters]. If omitted, the authorization server does not support PKCE. rNr6r8r"r"r#)validate_code_challenge_methods_supported(s zEAuthorizationServerMetadata.validate_code_challenge_methods_supportedcC|dddgS)Nr rrrr8r"r"r#r 4z4AuthorizationServerMetadata.response_modes_supportedcCrT)Nrr%r&rUr8r"r"r#r9rVz1AuthorizationServerMetadata.grant_types_supportedcC|ddgS)Nrclient_secret_basicrUr8r"r"r#r>zAAuthorizationServerMetadata.token_endpoint_auth_methods_supportedcCrW)NrrXrUr8r"r"r#rCrYzFAuthorizationServerMetadata.revocation_endpoint_auth_methods_supportedcCrW)NrrXrUr8r"r"r#rHszIAuthorizationServerMetadata.introspection_endpoint_auth_methods_supportedcCs$|jD] }t|d|qdS)z#Validate all server metadata value. validate_N) REGISTRY_KEYSobject__getattribute__)r keyr"r"r#validateOs z$AuthorizationServerMetadata.validatec CsLzt||WSty%}z||jvr||WYd}~S|d}~ww)N)r\r]AttributeErrorr[r)r r^errorr"r"r# __getattr__Ts z'AuthorizationServerMetadata.__getattr__N)#__name__ __module__ __qualname____doc__r[r$r*r-r1r3r9r=r>r@rArDrIrJrKrLrMrNrOrPrQrRrSpropertyr rrrrr_rbr"r"r"r#rsJ               rcCsx||}|rt|tstd|dt|}ddh}||@r*|s*td|d|r8d|vr:td|ddSdS)N"" MUST be JSON arrayprivate_key_jwtclient_secret_jwtz " is requirednonez&the value "none" MUST NOT be used in ")rr;r<rr')datar^auth_methods_supportedrH auth_methodsjwt_auth_methodsr"r"r#rC]s   rCcCs4||}|durt|tstd|ddSdS)Nrhri)rr;r<r)metadatar^valuesr"r"r#r7ms r7N) authlib.common.urlsrrauthlib.common.securityrdictrrCr7r"r"r"r#s Z