� u��g�:��`�ddlZddlZddlZddlZddlZddlZddlZddlZddlm Z ej e��Zdd�Z e Zd�ZGd�de��ZGd �d e��ZGd�de��ZGd �de��ZGd�de��Zdd�Zd�ZGd�de��ZGd�de j��ZdS)�N�)�oauth2�utf-8c��|dt|��dzzz }t|��}tj|��}|r|�|��}|S)a�Decode a part of the JWT. JWT is encoded by padding-less base64url, based on `JWS specs <https://tools.ietf.org/html/rfc7515#appendix-C>`_. :param encoding: If you are going to decode the first 2 parts of a JWT, i.e. the header or the payload, the default value "utf-8" would work fine. If you are going to decode the last part i.e. the signature part, it is a binary string so you should use `None` as encoding here. �=�)�len�str�base64�urlsafe_b64decode�decode)�raw�encoding�outputs �c/home/asafur/pinokio/api/open-webui.git/app/env/lib/python3.11/site-packages/msal/oauth2cli/oidc.py�decode_partrsc��3�3�s�8�8�)�a�-� � �C� � � � �C�� %�c� *� *�F��)��x�(�(��M�c�P�tjdtj|��S)Nz%Y-%m-%d %H:%M:%S)�time�strftime� localtime)�epochs r�_epoch_to_localr's��=�,�d�n�U�.C�.C�D�D�Drc�"��eZdZdZ�fd�Z�xZS)�IdTokenErrorzMIn unlikely event of an ID token is malformed, this exception will be raised.c�r��tt|��|�dt|��dt jt ||�d��rt|d��nd|�d��rt|d��nd��d��dS)Nz Current epoch = z#. The id_token was approximately: �iat�exp)rr��indent)�superr�__init__r�json�dumps�dict�get��self�reason�now�claims� __class__s �rr#zIdTokenError.__init__,s�� l�D�!�!�*�*��F�F�O�C�(�(�(�(�$�*�T��6<�j�j��6G�6G�Q�O�F�5�M�2�2�2�T�6<�j�j��6G�6G�Q�O�F�5�M�2�2�2�T�6�6�6�� +�+�+�+� � � � � � r)�__name__� __module__�__qualname__�__doc__r#� __classcell__�r-s@rrr*s>��W�W��rrc�(��eZdZdZ�fd�Zd�Z�xZS)�_IdTokenTimeErrorz>Make sure your computer's time and time zone are both correct.c�r��tt|��|dz|jz||��dS)N� )r"r5r#�_SUGGESTIONr(s �rr#z_IdTokenTimeError.__init__7s:�� &�&�/�/��d�>N�0N�PS�U[�\�\�\�\�\rc�T�t�t|��dS�N)�logger�warningr )r)s r�logz_IdTokenTimeError.log9s"�� s�4�y�y�!�!�!�!�!r)r.r/r0r8r#r=r2r3s@rr5r55sQ��R�K�]�]�]�]�]� "� "� "� "� "� "� "rr5c��eZdZdS)�IdTokenIssuerErrorN�r.r/r0�rrr?r?E��Drr?c��eZdZdS)�IdTokenAudienceErrorNr@rArrrDrDHrBrrDc��eZdZdS)�IdTokenNonceErrorNr@rArrrFrFKrBrrFc��tjt|�d��d��}t |ptj��}d}||z|�d|dz ��kr#td||��|r ||dkrtd|z||��|rGt|dt��r ||dvn||dk}|std |z||��||z |d kr#td||��|r*||�d��krtd ||��|S)a�Decodes and validates an id_token and returns its claims as a dictionary. ID token claims would at least contain: "iss", "sub", "aud", "exp", "iat", per `specs <https://openid.net/specs/openid-connect-core-1_0.html#IDToken>`_ and it may contain other optional content such as "preferred_username", `maybe more <https://openid.net/specs/openid-connect-core-1_0.html#Claims>`_ �.r�x�nbfz!0. The ID token is not yet valid.�issz�2. The Issuer Identifier for the OpenID Provider, "%s", (which is typically obtained during Discovery), MUST exactly match the value of the iss (issuer) Claim.�audz|3. The aud (audience) claim must contain this client's client_id "%s", case-sensitively. Was your client_id in wrong casing?rz 9. The ID token already expires.�noncezX11. Nonce must be the same value as the one that was sent in the Authentication Request.)r$�loadsr�split�intrr'r5r=r?� isinstance�listrDrF) �id_token� client_id�issuerrMr+�decoded�_now�skew� valid_auds r�decode_id_tokenrZNs��j��X�^�^�C�%8�%8��%;�<�<�=�=�G��s�!�d�i�k�k�"�"�D��D��d�{�W�[�[��q��1�1�1�1� �=�t�W�M�M�Q�Q�S�S�S� ��&�G�E�N�*�*� � F�HN� O� �� 3=��E�N�D�4"�4"�C�I��/�/�'0�G�E�N�'B� �� &�N�� d�{�W�U�^�#�#��<�d�G�L�L�P�P�R�R�R��'�+�+�g�.�.�.�.�� F�� Nrc�t�tj|�d��S)N�ascii)�hashlib�sha256�encode� hexdigest)rMs r�_nonce_hashra�s*��>�%�,�,�w�/�/�0�0�:�:�<�<�<rc�&�eZdZdZdZdZdZdZdZdS)�Promptz�This class defines the constant strings for prompt parameter. The values are based on https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest �none�login�consent�select_account�createN) r.r/r0r1�NONE�LOGIN�CONSENT�SELECT_ACCOUNT�CREATErArrrcrc�s3�� D��E��G�%�N� �F�F�Frrcc�t��eZdZdZd d�Z�fd�Zd �fd� Zd �fd� Z d �fd� Z�fd�Z d�fd � Z �xZS)�ClientzfOpenID Connect is a layer on top of the OAuth2. See its specs at https://openid.net/connect/ Nc�b�t|||j|j�d��S)zSee :func:`~decode_id_token`.rU)rMrTrU)rZrT� configurationr')r)rSrMs rrZzClient.decode_id_token�s:��E��n�T�-?�-C�-C�H�-M�-M�O�O�O� Orc��tt|��j|g|�Ri|��}d|vr|�|d��|d<|S)z�The result will also contain one more key "id_token_claims", whose value will be a dictionary returned by :func:`~decode_id_token`. rS�id_token_claims)r"ro� _obtain_tokenrZ)r)� grant_type�args�kwargs�retr-s �rrtzClient._obtain_token�s^��0�e�F�D�!�!�/� �L�T�L�L�L�V�L�L��%)�%9�%9�#�j�/�%J�%J�C�!�"�� rc�~��tjdt��tt|��j|fd|i|��S)a�Generate an authorization uri to be visited by resource owner. Return value and all other parameters are the same as :func:`oauth2.Client.build_auth_request_uri`, plus new parameter(s): :param nonce: A hard-to-guess string used to mitigate replay attacks. See also `OIDC specs <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. z%Use initiate_auth_code_flow() insteadrM)�warnings�warn�DeprecationWarningr"ro�build_auth_request_uri)r)� response_typerMrwr-s �rr}zClient.build_auth_request_uri�sR�� =�?Q�R�R�R�9�u�V�T�"�"�9��2�2�!&�2�*0�2�2� 2rc��tjdt��tt|��j|fi|��}|�di��d��}d|vr|r||krtd|�d|�d��|S)a�Get a token via authorization code. a.k.a. Authorization Code Grant. Return value and all other parameters are the same as :func:`oauth2.Client.obtain_token_by_authorization_code`, plus new parameter(s): :param nonce: If you provided a nonce when calling :func:`build_auth_request_uri`, same nonce should also be provided here, so that we'll validate it. An exception will be raised if the nonce in id token mismatches. z,Use obtain_token_by_auth_code_flow() insteadrsrM�The nonce in id token ("z") should match your nonce ("�"))rzr{r|r"ro�"obtain_token_by_authorization_coder'� ValueError)r)�coderMrw�result�nonce_in_id_tokenr-s �rr�z)Client.obtain_token_by_authorization_code�s�� :�<N� P� P� P�G��v�t�$�$�G��"�J�J�'8�"�=�=�A�A�'�J�J��&�&�5�&�U�>O�5O�5O��*�"�"�"�E�E�E�+�,�,� ,�� rc��d|�dd��vrtd��|rt|��ng}d|vr|�d��d�tjtjd��}tt|��jd|t|��d�|��}||d<|�d ��|d |d <|S)a�Initiate an auth code flow. It provides nonce protection automatically. :param list scope: A list of strings, e.g. ["profile", "email", ...]. This method will automatically send ["openid"] to the wire, although it won't modify your input list. See :func:`oauth2.Client.initiate_auth_code_flow` in parent class for descriptions on other parameters and return value. rSr~�z+response_type="id_token ..." is not allowed�openid�)�scoperMrM�max_ageNrA) r'r�rR�append�join�random�sample�string� ascii_lettersr"ro�initiate_auth_code_flowra)r)r�rw�_scoperM�flowr-s �rr�zClient.initiate_auth_code_flow�s�� O�R�8�8�8�8��J�K�K�K� %�-��e��2��6�!�!� �M�M�(�#�#�#�� f�&:�B�?�?�@�@��:�u�V�T�"�"�:�>��E� 2� 2�>�>�6<�>�>��W� ��:�:�i� � �,�$�Y�/�D��O��rc��tt|��j||fi|��}d|v�r#|�di��d��}t |d��}||krtd|�d|�d��|�d��|�di��d��}|std ��t tj��}d } || z ||dzkrFtd�||d|tj |dd� ��|S)a�Validate the auth_response being redirected back, and then obtain tokens, including ID token which can be used for user sign in. Internally, it implements nonce to mitigate replay attack. It also implements PKCE to mitigate the auth code interception attack. See :func:`oauth2.Client.obtain_token_by_auth_code_flow` in parent class for descriptions on other parameters and return value. rsrMr�z") should match our nonce ("r�r�N� auth_timez<13. max_age was requested, ID token should contain auth_timerIz�13. auth_time ({auth_time}) was requested, by using max_age ({max_age}) parameter, and now ({now}) too much time has elasped since last end-user authentication. The ID token was: {id_token}rr )r�r�r+rS)r"ro�obtain_token_by_auth_code_flowr'ra�RuntimeErrorrPr�formatr$r%)r)�auth_code_flow� auth_responserwr�r�� expected_hashr�r+rXr-s �rr�z%Client.obtain_token_by_auth_code_flow�s��D��v�t�$�$�C��M�5�5�-3�5�5��&�&� &� � �+<�b� A� A� E� E�g� N� N��'��w�(?�@�@�M� �M�1�1�"�l�&�&�&� � � �7�8�8�8��!�!�)�,�,�8�"�J�J�'8�"�=�=�A�A�+�N�N� � �X�&�V�X�X�X��$�)�+�+�&�&��:� �N�9�,E� E�E�E�&�;�<B�6�"+� .�y� 9��!%��F�3D�,E�a�!P�!P�!P� <B�<�<� � � �� rc �L��d�tt|ttf��rd�|��n|||||||��D��} t t|��jddt|� di��fi| ��i|��S)a_A native app can use this method to obtain token via a local browser. Internally, it implements nonce to mitigate replay attack. It also implements PKCE to mitigate the auth code interception attack. :param string display: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. :param string prompt: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. You can find the valid string values defined in :class:`oidc.Prompt`. :param int max_age: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. :param string ui_locales: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. :param string id_token_hint: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. :param string login_hint: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. :param string acr_values: Defined in `OIDC <https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest>`_. See :func:`oauth2.Client.obtain_token_by_browser` in parent class for descriptions on other parameters and return value. c��i|] \}}|�||��Sr:rA)�.0�k�vs r� <dictcomp>z2Client.obtain_token_by_browser.<locals>.<dictcomp>Fs.��(�(�(�4�1�a��Q�'��rr7)�prompt�displayr�� ui_locales� id_token_hint� login_hint� acr_values�auth_paramsrA) r&rQrR�tupler��itemsr"ro�obtain_token_by_browser�pop)r)r�r�r�r�r�r�r�rw�filtered_paramsr-s �rr�zClient.obtain_token_by_browser"s��H(�(�4�'1�&�4��-�'H�'H�T�3�8�8�F�#�#�#�f��!�'�!�!�,�,�,��e�g�g�(�(�(��;�u�V�T�"�"�:��V�Z�Z� �r�:�:�N�N�o�N�N�� rr:)NNNNNNN)r.r/r0r1rZrtr}r�r�r�r�r2r3s@rroro�s �� O�O�O�O��2�2�2�2�2�2��2�#�#�#�#�#�#�J'�'�'�'�'�V��/�/�/�/�/�/�/�/�/�/rro)r)NNNN)r$rrr�r�rzr]�loggingr�r� getLoggerr.r;r�base64decoderr�rr5r?rDrFrZra�objectrcrorArr�<module>r�s�� 8� $� $��,��E�E�E� � � � � �<� � � �"�"�"�"�"��"�"�"� � � � � �� <� � � � � � � � �� 7�7�7�7�t=�=�=� � � � � �V� � � �w�w�w�w�w�V�]�w�w�w�w�wr