§ iÝ[f¿!ãór—ddlZddlmZddlmZddlmZddlmZddlmZddl m Z Gd„d e ¦«Z dS) éN)ÚList)ÚOptional)ÚUnion©Úgenerate_token)Újwt)ÚBearerTokenGeneratorcóć—eZdZdZ dˆfd„ Zd„Zd„Zdeee effd„Z de efd „Z de e fd „Zde e efd „Zdefd „Zd „ZˆxZS)ÚJWTBearerTokenGeneratoraÒA JWT formatted access token generator. :param issuer: The issuer identifier. Will appear in the JWT ``iss`` claim. :param \*\*kwargs: Other parameters are inherited from :class:`~authlib.oauth2.rfc6750.token.BearerTokenGenerator`. This token generator can be registered into the authorization server:: class MyJWTBearerTokenGenerator(JWTBearerTokenGenerator): def get_jwks(self): ... def get_extra_claims(self, client, grant_type, user, scope): ... authorization_server.register_token_generator( 'default', MyJWTBearerTokenGenerator(issuer='https://authorization-server.example.org'), ) ÚRS256Ncót•—t¦« |j||¦«||_||_dS)N)ÚsuperÚ__init__Úaccess_token_generatorÚissuerÚalg)ÚselfrrÚrefresh_token_generatorÚexpires_generatorÚ __class__s €úP/var/www/piapp/venv/lib/python3.11/site-packages/authlib/oauth2/rfc9068/token.pyrz JWTBearerTokenGenerator.__init__"sAø€õ ‰Œ×ÒØ Ô 'Ð)@ÐBSñ ô ð ðˆŒ ØˆŒˆˆócó—t¦«‚)zÊReturn the JWKs that will be used to sign the JWT access token. Developers MUST re-implement this method:: def get_jwks(self): return load_jwks("jwks.json") )ÚNotImplementedError)rs rÚget_jwksz JWTBearerTokenGenerator.get_jwks/s€õ"Ñ#Ô#Ð#rcó—iS)aYReturn extra claims to add in the JWT access token. Developers MAY re-implement this method to add identity claims like the ones in :ref:`specs/oidc` ID Token, or any other arbitrary claims:: def get_extra_claims(self, client, grant_type, user, scope): return generate_user_info(user, scope) ©©rÚclientÚ grant_typeÚuserÚscopes rÚget_extra_claimsz(JWTBearerTokenGenerator.get_extra_claims8s €ðˆ rÚreturncó*—| ¦«S)akReturn the audience for the token. By default this simply returns the client ID. Developpers MAY re-implement this method to add extra audiences:: def get_audiences(self, client, user, scope): return [ client.get_client_id(), resource_server.get_id(), ] )Ú get_client_id)rrr!r"s rÚ get_audiencesz%JWTBearerTokenGenerator.get_audiencesBs€ð×#Ò#Ñ%Ô%Ð%rcó—dS)aÚAuthentication Context Class Reference. Returns a user-defined case sensitive string indicating the class of authentication the used performed. Token audience may refuse to give access to some resources if some ACR criterias are not met. :ref:`specs/oidc` defines one special value: ``0`` means that the user authentication did not respect `ISO29115`_ level 1, and will be refused monetary operations. Developers MAY re-implement this method:: def get_acr(self, user): if user.insecure_session(): return '0' return 'urn:mace:incommon:iap:silver' .. _ISO29115: https://www.iso.org/standard/45138.html Nr©rr!s rÚget_acrzJWTBearerTokenGenerator.get_acrOs €ð ˆtrcó—dS)a}User authentication time. Time when the End-User authentication occurred. Its value is a JSON number representing the number of seconds from 1970-01-01T0:0:0Z as measured in UTC until the date/time. Developers MAY re-implement this method:: def get_auth_time(self, user): return datetime.timestamp(user.get_auth_time()) Nrr)s rÚ get_auth_timez%JWTBearerTokenGenerator.get_auth_timeaó €ðˆtrcó—dS)a{Authentication Methods References. Defined by :ref:`specs/oidc` as an option list of user-defined case-sensitive strings indication which authentication methods have been used to authenticate the user. Developers MAY re-implement this method:: def get_amr(self, user): return ['2FA'] if user.has_2fa_enabled() else [] Nrr)s rÚget_amrzJWTBearerTokenGenerator.get_amrlr-rcó —td¦«S)zçJWT ID. Create an unique identifier for the token. Developers MAY re-implement this method:: def get_jti(self, client, grant_type, user scope): return generate_random_string(16) érrs rÚget_jtizJWTBearerTokenGenerator.get_jtiws€õ˜bÑ!Ô!Ð!rc ó—ttj¦«¦«}|| ||¦«z}|j|| ¦«|| ||||¦«|dœ}|r| ¦«|d<n| ¦«|d< | |||¦«|d<| |¦«x}r||d<|  |¦«x} r| |d<|  |¦«x} r| |d<|  |  ||||¦«¦«|j dd œ} tj| || ¦«d¬ ¦«} |  ¦«S) N)ÚissÚexpÚ client_idÚiatÚjtir"ÚsubFÚaudÚ auth_timeÚacrÚamrzat+jwt)rÚtyp)ÚkeyÚcheck)ÚintÚtimeÚ_get_expires_inrr&r2Ú get_user_idr'r,r*r/Úupdater#rrÚencoderÚdecode) rrr r!r"ÚnowÚ expires_inÚ token_datar;r<r=ÚheaderÚ access_tokens rrz.JWTBearerTokenGenerator.access_token_generators¸€Ý•$”)‘+”+ÑԈؘ4×/Ò/°¸ ÑCÔCÑCˆ ð”;ØØ×-Ò-Ñ/Ô/ØØ—<’< ¨ °D¸%Ñ@Ô@Øð  ð ˆ ð ð 7Ø $× 0Ò 0Ñ 2Ô 2ˆJuÑ Ð ð!'× 4Ò 4Ñ 6Ô 6ˆJuÑ ð Hð!%× 2Ò 2°6¸4ÀÑ GÔ GˆJuÑ ð×*Ò*¨4Ñ0Ô0Ð 0ˆ9ð 0Ø&/ˆJ{Ñ #ð —,’,˜tÑ$Ô$Ð $ˆ3ð $Ø #ˆJuÑ ð —,’,˜tÑ$Ô$Ð $ˆ3ð $Ø #ˆJuÑ ð ×Ò˜$×/Ò/°¸ ÀDÈ%ÑPÔPÑQÔQÐQðœ¨(Ð3Ð3ˆå”zØ Ø Ø— ’ ‘”Øð  ñ ô ˆ ð ×"Ò"Ñ$Ô$Ð$r)r NN)Ú__name__Ú __module__Ú __qualname__Ú__doc__rrr#rÚstrrr'rr*rAr,r/r2rÚ __classcell__)rs@rr r s+ø€€€€€ððð2 Ø $Øð ð ð ð ð ð ð$ð$ð$ðððð &°E¸#¸tÀC¼y¸.Ô4Ið &ð &ð &ð &ð˜x¨œ}ððððð$  X¨c¤]ð ð ð ð ð ˜x¨¨S¬ Ô2ð ð ð ð ð"¸#ð"ð"ð"ð"ðY%ðY%ðY%ðY%ðY%ðY%ðY%rr ) rBÚtypingrrrÚauthlib.common.securityrÚ authlib.joserÚauthlib.oauth2.rfc6750.tokenr r rrrúrWs¹ðØ € € € ØÐÐÐÐÐØÐÐÐÐÐØÐÐÐÐÐà2Ð2Ð2Ð2Ð2Ð2ØÐÐÐÐÐØ=Ð=Ð=Ð=Ð=Ð=ðO%ðO%ðO%ðO%ðO%Ð2ñO%ôO%ðO%ðO%ðO%r