belgie-oauth 0.1.0a4__py3-none-any.whl → 0.2.0__py3-none-any.whl

belgie_oauth/__init__.py

@@ -1,2 +1,10 @@
-def hello() -> str:
-    return "Hello from belgie-oauth!"
+from belgie_oauth.metadata import build_oauth_metadata, build_oauth_metadata_well_known_path
+from belgie_oauth.plugin import OAuthPlugin
+from belgie_oauth.settings import OAuthSettings
+
+__all__ = [
+    "OAuthPlugin",
+    "OAuthSettings",
+    "build_oauth_metadata",
+    "build_oauth_metadata_well_known_path",
+]

belgie_oauth/metadata.py

@@ -0,0 +1,43 @@
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
+from urllib.parse import urlparse
+
+from pydantic import AnyHttpUrl
+
+from belgie_oauth.models import OAuthMetadata
+from belgie_oauth.utils import join_url
+
+if TYPE_CHECKING:
+    from belgie_oauth.settings import OAuthSettings
+
+
+def build_oauth_metadata(issuer_url: str, settings: OAuthSettings) -> OAuthMetadata:
+    authorization_endpoint = AnyHttpUrl(join_url(issuer_url, "authorize"))
+    token_endpoint = AnyHttpUrl(join_url(issuer_url, "token"))
+    registration_endpoint = AnyHttpUrl(join_url(issuer_url, "register"))
+    revocation_endpoint = AnyHttpUrl(join_url(issuer_url, "revoke"))
+    introspection_endpoint = AnyHttpUrl(join_url(issuer_url, "introspect"))
+
+    return OAuthMetadata(
+        issuer=AnyHttpUrl(issuer_url),
+        authorization_endpoint=authorization_endpoint,
+        token_endpoint=token_endpoint,
+        registration_endpoint=registration_endpoint,
+        scopes_supported=[settings.default_scope],
+        response_types_supported=["code"],
+        grant_types_supported=["authorization_code"],
+        token_endpoint_auth_methods_supported=["client_secret_post"],
+        code_challenge_methods_supported=["S256"],
+        revocation_endpoint=revocation_endpoint,
+        revocation_endpoint_auth_methods_supported=["client_secret_post"],
+        introspection_endpoint=introspection_endpoint,
+    )
+
+
+def build_oauth_metadata_well_known_path(issuer_url: str) -> str:
+    parsed = urlparse(issuer_url)
+    path = parsed.path.rstrip("/")
+    if path and path != "/":
+        return f"/.well-known/oauth-authorization-server{path}"
+    return "/.well-known/oauth-authorization-server"

belgie_oauth/models.py

@@ -0,0 +1,111 @@
+from __future__ import annotations
+
+from typing import Any, Literal
+
+from pydantic import AnyHttpUrl, AnyUrl, BaseModel, Field, field_validator
+
+
+class OAuthToken(BaseModel):
+    access_token: str
+    token_type: Literal["Bearer"] = "Bearer"  # noqa: S105
+    expires_in: int | None = None
+    scope: str | None = None
+    refresh_token: str | None = None
+
+    @field_validator("token_type", mode="before")
+    @classmethod
+    def normalize_token_type(cls, value: str | None) -> str | None:
+        if isinstance(value, str):
+            return value.title()
+        return value
+
+
+class InvalidScopeError(Exception):
+    def __init__(self, message: str) -> None:
+        self.message = message
+
+
+class InvalidRedirectUriError(Exception):
+    def __init__(self, message: str) -> None:
+        self.message = message
+
+
+class OAuthClientMetadata(BaseModel):
+    redirect_uris: list[AnyUrl] | None = Field(..., min_length=1)
+    token_endpoint_auth_method: (
+        Literal[
+            "none",
+            "client_secret_post",
+            "client_secret_basic",
+            "private_key_jwt",
+        ]
+        | None
+    ) = None
+    grant_types: list[str] = ["authorization_code", "refresh_token"]
+    response_types: list[str] = ["code"]
+    scope: str | None = None
+
+    client_name: str | None = None
+    client_uri: AnyHttpUrl | None = None
+    logo_uri: AnyHttpUrl | None = None
+    contacts: list[str] | None = None
+    tos_uri: AnyHttpUrl | None = None
+    policy_uri: AnyHttpUrl | None = None
+    jwks_uri: AnyHttpUrl | None = None
+    jwks: Any | None = None
+    software_id: str | None = None
+    software_version: str | None = None
+
+    def validate_scope(self, requested_scope: str | None) -> list[str] | None:
+        if requested_scope is None:
+            return None
+        requested_scopes = requested_scope.split(" ")
+        allowed_scopes = [] if self.scope is None else self.scope.split(" ")
+        for scope in requested_scopes:
+            if scope not in allowed_scopes:
+                message = f"Client was not registered with scope {scope}"
+                raise InvalidScopeError(message)
+        return requested_scopes
+
+    def validate_redirect_uri(self, redirect_uri: AnyUrl | None) -> AnyUrl:
+        if redirect_uri is not None:
+            if self.redirect_uris is None or redirect_uri not in self.redirect_uris:
+                message = f"Redirect URI '{redirect_uri}' not registered for client"
+                raise InvalidRedirectUriError(message)
+            return redirect_uri
+        if self.redirect_uris is not None and len(self.redirect_uris) == 1:
+            return self.redirect_uris[0]
+        message = "redirect_uri must be specified when client has multiple registered URIs"
+        raise InvalidRedirectUriError(message)
+
+
+class OAuthClientInformationFull(OAuthClientMetadata):
+    client_id: str | None = None
+    client_secret: str | None = None
+    client_id_issued_at: int | None = None
+    client_secret_expires_at: int | None = None
+
+
+class OAuthMetadata(BaseModel):
+    issuer: AnyHttpUrl
+    authorization_endpoint: AnyHttpUrl
+    token_endpoint: AnyHttpUrl
+    registration_endpoint: AnyHttpUrl | None = None
+    scopes_supported: list[str] | None = None
+    response_types_supported: list[str] = ["code"]
+    response_modes_supported: list[str] | None = None
+    grant_types_supported: list[str] | None = None
+    token_endpoint_auth_methods_supported: list[str] | None = None
+    token_endpoint_auth_signing_alg_values_supported: list[str] | None = None
+    service_documentation: AnyHttpUrl | None = None
+    ui_locales_supported: list[str] | None = None
+    op_policy_uri: AnyHttpUrl | None = None
+    op_tos_uri: AnyHttpUrl | None = None
+    revocation_endpoint: AnyHttpUrl | None = None
+    revocation_endpoint_auth_methods_supported: list[str] | None = None
+    revocation_endpoint_auth_signing_alg_values_supported: list[str] | None = None
+    introspection_endpoint: AnyHttpUrl | None = None
+    introspection_endpoint_auth_methods_supported: list[str] | None = None
+    introspection_endpoint_auth_signing_alg_values_supported: list[str] | None = None
+    code_challenge_methods_supported: list[str] | None = None
+    client_id_metadata_document_supported: bool | None = None

belgie_oauth/plugin.py

@@ -0,0 +1,444 @@
+from __future__ import annotations
+
+import secrets
+import time
+from typing import TYPE_CHECKING, Any
+from urllib.parse import urlparse, urlunparse
+
+from belgie_core.core.protocols import Plugin
+from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi.responses import JSONResponse, RedirectResponse, Response
+from fastapi.security import SecurityScopes
+from pydantic import AnyUrl, ValidationError
+
+from belgie_oauth.metadata import build_oauth_metadata, build_oauth_metadata_well_known_path
+from belgie_oauth.models import (
+    InvalidRedirectUriError,
+    InvalidScopeError,
+    OAuthClientInformationFull,
+    OAuthClientMetadata,
+    OAuthMetadata,
+)
+from belgie_oauth.provider import AuthorizationParams, SimpleOAuthProvider
+from belgie_oauth.utils import construct_redirect_uri, create_code_challenge, join_url
+
+if TYPE_CHECKING:
+    from collections.abc import Mapping
+
+    from belgie_core.core.belgie import Belgie
+    from belgie_core.core.client import BelgieClient
+
+    from belgie_oauth.settings import OAuthSettings
+
+
+class OAuthPlugin(Plugin):
+    def __init__(self, settings: OAuthSettings) -> None:
+        self._settings = settings
+        self._provider: SimpleOAuthProvider | None = None
+        self._metadata_router: APIRouter | None = None
+
+    def router(self, belgie: Belgie) -> APIRouter:
+        issuer_url = (
+            str(self._settings.issuer_url) if self._settings.issuer_url else _build_issuer_url(belgie, self._settings)
+        )
+        if self._provider is None:
+            self._provider = SimpleOAuthProvider(self._settings, issuer_url=issuer_url)
+        provider = self._provider
+
+        self._metadata_router = self.metadata_router(belgie)
+
+        router = APIRouter(prefix=self._settings.route_prefix, tags=["oauth"])
+        metadata = build_oauth_metadata(issuer_url, self._settings)
+
+        router = self._add_metadata_route(router, metadata)
+        router = self._add_authorize_route(router, belgie, provider, self._settings, issuer_url)
+        router = self._add_token_route(router, provider)
+        router = self._add_register_route(router, provider)
+        router = self._add_revoke_route(router, provider)
+        router = self._add_login_route(router, belgie, issuer_url, self._settings)
+        router = self._add_login_callback_route(router, belgie, provider)
+        return self._add_introspect_route(router, provider)
+
+    def metadata_router(self, belgie: Belgie) -> APIRouter:
+        issuer_url = (
+            str(self._settings.issuer_url) if self._settings.issuer_url else _build_issuer_url(belgie, self._settings)
+        )
+        metadata = build_oauth_metadata(issuer_url, self._settings)
+        well_known_path = build_oauth_metadata_well_known_path(issuer_url)
+
+        def create_oauth_metadata_router() -> APIRouter:
+            router = APIRouter(tags=["oauth"])
+
+            async def metadata_handler(_: Request) -> Response:
+                return JSONResponse(metadata.model_dump(mode="json"))
+
+            router.add_api_route(well_known_path, metadata_handler, methods=["GET"])
+            return router
+
+        return create_oauth_metadata_router()
+
+    def public_router(self, belgie: Belgie) -> APIRouter:
+        if self._metadata_router is None:
+            self._metadata_router = self.metadata_router(belgie)
+        return self._metadata_router
+
+    @staticmethod
+    def _add_metadata_route(router: APIRouter, metadata: OAuthMetadata) -> APIRouter:
+        async def metadata_handler(_: Request) -> Response:
+            return JSONResponse(metadata.model_dump(mode="json"))
+
+        router.add_api_route(
+            "/.well-known/oauth-authorization-server",
+            metadata_handler,
+            methods=["GET"],
+        )
+        return router
+
+    @staticmethod
+    def _add_authorize_route(
+        router: APIRouter,
+        belgie: Belgie,
+        provider: SimpleOAuthProvider,
+        settings: OAuthSettings,
+        issuer_url: str,
+    ) -> APIRouter:
+        async def authorize_handler(
+            request: Request,
+            client: BelgieClient = Depends(belgie),  # noqa: B008
+        ) -> Response:
+            data = await _get_request_params(request)
+            oauth_client, params = await _parse_authorize_params(data, provider, settings)
+
+            try:
+                await client.get_user(SecurityScopes(), request)
+            except HTTPException as exc:
+                if exc.status_code == status.HTTP_401_UNAUTHORIZED:
+                    if not settings.login_url:
+                        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="login_required") from exc
+
+                    state_value = await _authorize_state(provider, oauth_client, params)
+                    login_url = _build_login_redirect(issuer_url, state_value)
+                    return RedirectResponse(url=login_url, status_code=status.HTTP_302_FOUND)
+                raise
+
+            state_value = await _authorize_state(provider, oauth_client, params)
+            redirect_url = await _issue_authorization_code(provider, state_value)
+            return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+
+        router.add_api_route("/authorize", authorize_handler, methods=["GET", "POST"])
+        return router
+
+    @staticmethod
+    def _add_token_route(router: APIRouter, provider: SimpleOAuthProvider) -> APIRouter:  # noqa: C901
+        async def token_handler(request: Request) -> Response:  # noqa: C901, PLR0911
+            form = await request.form()
+            grant_type = _get_str(form, "grant_type")
+            if grant_type != "authorization_code":
+                return _oauth_error("unsupported_grant_type", status_code=400)
+
+            code = _get_str(form, "code")
+            if not code:
+                return _oauth_error("invalid_request", "missing code", status_code=400)
+
+            client_id = _get_str(form, "client_id")
+            if not client_id:
+                return _oauth_error("invalid_client", status_code=401)
+
+            oauth_client = await provider.get_client(client_id)
+            if not oauth_client:
+                return _oauth_error("invalid_client", status_code=401)
+
+            client_secret = _get_str(form, "client_secret")
+            if oauth_client.client_secret and client_secret != oauth_client.client_secret:
+                return _oauth_error("invalid_client", status_code=401)
+
+            authorization_code = await provider.load_authorization_code(code)
+            if not authorization_code:
+                return _oauth_error("invalid_grant", status_code=400)
+
+            if authorization_code.expires_at < time.time():
+                return _oauth_error("invalid_grant", "code expired", status_code=400)
+
+            redirect_uri_raw = _get_str(form, "redirect_uri")
+            if client_id != authorization_code.client_id:
+                return _oauth_error("invalid_grant", "client_id mismatch", status_code=400)
+
+            if authorization_code.redirect_uri_provided_explicitly and not redirect_uri_raw:
+                return _oauth_error("invalid_request", "missing redirect_uri", status_code=400)
+            if redirect_uri_raw and redirect_uri_raw != str(authorization_code.redirect_uri):
+                return _oauth_error("invalid_grant", "redirect_uri mismatch", status_code=400)
+
+            code_verifier = _get_str(form, "code_verifier")
+            if not code_verifier:
+                return _oauth_error("invalid_request", "missing code_verifier", status_code=400)
+
+            expected_challenge = create_code_challenge(code_verifier)
+            if expected_challenge != authorization_code.code_challenge:
+                return _oauth_error("invalid_grant", "invalid code_verifier", status_code=400)
+
+            token = await provider.exchange_authorization_code(authorization_code)
+            return JSONResponse(token.model_dump())
+
+        router.add_api_route("/token", token_handler, methods=["POST"])
+        return router
+
+    @staticmethod
+    def _add_register_route(router: APIRouter, provider: SimpleOAuthProvider) -> APIRouter:
+        async def register_handler(request: Request) -> Response:
+            try:
+                payload = await request.json()
+                metadata = OAuthClientMetadata.model_validate(payload)
+            except ValidationError as exc:
+                return _oauth_error(
+                    "invalid_request",
+                    _format_validation_error(exc),
+                    status_code=400,
+                )
+            except ValueError as exc:
+                description = str(exc) or "invalid client metadata"
+                return _oauth_error("invalid_request", description, status_code=400)
+
+            try:
+                client_info = await provider.register_client(metadata)
+            except ValueError as exc:
+                description = str(exc) or "invalid client metadata"
+                return _oauth_error("invalid_request", description, status_code=400)
+            return JSONResponse(client_info.model_dump(mode="json"))
+
+        router.add_api_route("/register", register_handler, methods=["POST"])
+        return router
+
+    @staticmethod
+    def _add_revoke_route(router: APIRouter, provider: SimpleOAuthProvider) -> APIRouter:
+        async def revoke_handler(request: Request) -> Response:
+            form = await request.form()
+            client_id: str | None = _get_str(form, "client_id")
+            if not client_id:
+                return _oauth_error("invalid_request", "missing client_id", status_code=400)
+
+            oauth_client = await provider.get_client(client_id)
+            if not oauth_client:
+                return _oauth_error("invalid_client", status_code=401)
+
+            client_secret: str | None = _get_str(form, "client_secret")
+            if oauth_client.client_secret:
+                if not client_secret:
+                    return _oauth_error("invalid_request", "missing client_secret", status_code=400)
+                if client_secret != oauth_client.client_secret:
+                    return _oauth_error("invalid_client", status_code=401)
+
+            token: str | None = _get_str(form, "token")
+            if not token:
+                return _oauth_error("invalid_request", "missing token", status_code=400)
+
+            access_token = await provider.load_access_token(token)
+            if access_token:
+                await provider.revoke_token(access_token)
+            return JSONResponse({})
+
+        router.add_api_route("/revoke", revoke_handler, methods=["POST"])
+        return router
+
+    @staticmethod
+    def _add_login_route(
+        router: APIRouter,
+        belgie: Belgie,
+        issuer_url: str,
+        settings: OAuthSettings,
+    ) -> APIRouter:
+        async def login_handler(request: Request) -> Response:
+            state = request.query_params.get("state")
+            if not state:
+                raise HTTPException(status_code=400, detail="missing state")
+
+            if not settings.login_url:
+                raise HTTPException(status_code=400, detail="login_url not configured")
+
+            parsed_login_url = urlparse(settings.login_url)
+            if parsed_login_url.scheme in {"http", "https"}:
+                login_url = settings.login_url
+            else:
+                login_url = join_url(belgie.settings.base_url, settings.login_url)
+
+            return_to_base = join_url(issuer_url, "login/callback")
+            # Build a callback URL with state, then wrap it into the login redirect as return_to.
+            return_to_url = construct_redirect_uri(return_to_base, state=state)
+            redirect_url = construct_redirect_uri(login_url, return_to=return_to_url)
+            return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+
+        router.add_api_route("/login", login_handler, methods=["GET"])
+        return router
+
+    @staticmethod
+    def _add_login_callback_route(
+        router: APIRouter,
+        belgie: Belgie,
+        provider: SimpleOAuthProvider,
+    ) -> APIRouter:
+        async def login_callback_handler(
+            request: Request,
+            client: BelgieClient = Depends(belgie),  # noqa: B008
+        ) -> Response:
+            state = request.query_params.get("state")
+            if not state:
+                raise HTTPException(status_code=400, detail="missing state")
+
+            try:
+                await client.get_user(SecurityScopes(), request)
+            except HTTPException as exc:
+                if exc.status_code == status.HTTP_401_UNAUTHORIZED:
+                    raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="login_required") from exc
+                raise
+
+            try:
+                redirect_url = await provider.issue_authorization_code(state)
+            except ValueError as exc:
+                raise HTTPException(status_code=400, detail=str(exc)) from exc
+            return RedirectResponse(url=redirect_url, status_code=status.HTTP_302_FOUND)
+
+        router.add_api_route("/login/callback", login_callback_handler, methods=["GET"])
+        return router
+
+    @staticmethod
+    def _add_introspect_route(router: APIRouter, provider: SimpleOAuthProvider) -> APIRouter:
+        async def introspect_handler(request: Request) -> Response:
+            form = await request.form()
+            token = _get_str(form, "token")
+            if not token:
+                return JSONResponse({"active": False}, status_code=400)
+
+            access_token = await provider.load_access_token(token)
+            if not access_token:
+                return JSONResponse({"active": False})
+
+            return JSONResponse(
+                {
+                    "active": True,
+                    "client_id": access_token.client_id,
+                    "scope": " ".join(access_token.scopes),
+                    "exp": access_token.expires_at,
+                    "iat": access_token.created_at,
+                    "token_type": "Bearer",
+                    "aud": access_token.resource,
+                },
+            )
+
+        router.add_api_route("/introspect", introspect_handler, methods=["POST"])
+        return router
+
+
+def _build_issuer_url(belgie: Belgie, settings: OAuthSettings) -> str:
+    parsed = urlparse(belgie.settings.base_url)
+    base_path = parsed.path.rstrip("/")
+    prefix = settings.route_prefix.strip("/")
+    auth_path = "auth"
+    full_path = f"{base_path}/{auth_path}/{prefix}" if prefix else f"{base_path}/{auth_path}"
+    return urlunparse(parsed._replace(path=full_path, query="", fragment=""))
+
+
+async def _parse_authorize_params(
+    data: dict[str, str],
+    provider: SimpleOAuthProvider,
+    settings: OAuthSettings,
+) -> tuple[OAuthClientInformationFull, AuthorizationParams]:
+    response_type = _get_str(data, "response_type")
+    if response_type != "code":
+        raise HTTPException(status_code=400, detail="unsupported_response_type")
+
+    client_id = _get_str(data, "client_id")
+    if not client_id:
+        raise HTTPException(status_code=400, detail="missing client_id")
+
+    oauth_client = await provider.get_client(client_id)
+    if not oauth_client:
+        raise HTTPException(status_code=400, detail="invalid_client")
+
+    redirect_uri_raw = _get_str(data, "redirect_uri")
+    redirect_uri = AnyUrl(redirect_uri_raw) if redirect_uri_raw else None
+    try:
+        validated_redirect_uri = oauth_client.validate_redirect_uri(redirect_uri)
+    except InvalidRedirectUriError as exc:
+        raise HTTPException(status_code=400, detail=exc.message) from exc
+
+    scope_raw = _get_str(data, "scope")
+    try:
+        scopes = oauth_client.validate_scope(scope_raw)
+    except InvalidScopeError as exc:
+        raise HTTPException(status_code=400, detail=exc.message) from exc
+    if scopes is None:
+        scopes = [settings.default_scope]
+
+    code_challenge = _get_str(data, "code_challenge")
+    if not code_challenge:
+        raise HTTPException(status_code=400, detail="missing code_challenge")
+
+    code_challenge_method = _get_str(data, "code_challenge_method") or settings.code_challenge_method
+    if code_challenge_method != "S256":
+        raise HTTPException(status_code=400, detail="unsupported code_challenge_method")
+
+    resource = _get_str(data, "resource")
+    state = _get_str(data, "state") or secrets.token_hex(16)
+
+    params = AuthorizationParams(
+        state=state,
+        scopes=scopes,
+        code_challenge=code_challenge,
+        redirect_uri=validated_redirect_uri,
+        redirect_uri_provided_explicitly=redirect_uri_raw is not None,
+        resource=resource,
+    )
+    return oauth_client, params
+
+
+async def _authorize_state(
+    provider: SimpleOAuthProvider,
+    oauth_client: OAuthClientInformationFull,
+    params: AuthorizationParams,
+) -> str:
+    try:
+        return await provider.authorize(oauth_client, params)
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
+
+
+async def _issue_authorization_code(provider: SimpleOAuthProvider, state: str) -> str:
+    try:
+        return await provider.issue_authorization_code(state)
+    except ValueError as exc:
+        raise HTTPException(status_code=400, detail=str(exc)) from exc
+
+
+def _build_login_redirect(issuer_url: str, state: str) -> str:
+    return construct_redirect_uri(join_url(issuer_url, "login"), state=state)
+
+
+def _oauth_error(error: str, description: str | None = None, status_code: int = 400) -> JSONResponse:
+    payload: dict[str, Any] = {"error": error}
+    if description:
+        payload["error_description"] = description
+    return JSONResponse(payload, status_code=status_code)
+
+
+def _format_validation_error(error: ValidationError) -> str:
+    entries = error.errors()
+    if not entries:
+        return "invalid client metadata"
+    entry = entries[0]
+    loc = ".".join(str(part) for part in entry.get("loc", []) if part is not None)
+    msg = entry.get("msg", "invalid client metadata")
+    if loc:
+        return f"{loc}: {msg}"
+    return msg
+
+
+async def _get_request_params(request: Request) -> dict[str, str]:
+    if request.method == "GET":
+        return dict(request.query_params)
+    return dict(await request.form())
+
+
+def _get_str(data: Mapping[str, Any], key: str) -> str | None:
+    value = data.get(key)
+    if isinstance(value, str):
+        return value
+    return None

belgie_oauth/provider.py

@@ -0,0 +1,223 @@
+from __future__ import annotations
+
+import secrets
+import time
+from dataclasses import dataclass
+from typing import TYPE_CHECKING
+
+from pydantic import AnyUrl
+
+from belgie_oauth.models import OAuthClientInformationFull, OAuthClientMetadata, OAuthToken
+from belgie_oauth.utils import construct_redirect_uri
+
+if TYPE_CHECKING:
+    from belgie_oauth.settings import OAuthSettings
+
+
+@dataclass(frozen=True, slots=True, kw_only=True)
+class AuthorizationParams:
+    state: str | None
+    scopes: list[str] | None
+    code_challenge: str
+    redirect_uri: AnyUrl
+    redirect_uri_provided_explicitly: bool
+    resource: str | None = None
+
+
+@dataclass(frozen=True, slots=True, kw_only=True)
+class AuthorizationCode:
+    code: str
+    scopes: list[str]
+    expires_at: float
+    client_id: str
+    code_challenge: str
+    redirect_uri: AnyUrl
+    redirect_uri_provided_explicitly: bool
+    resource: str | None = None
+
+
+@dataclass(frozen=True, slots=True, kw_only=True)
+class RefreshToken:
+    token: str
+    client_id: str
+    scopes: list[str]
+    expires_at: int | None = None
+
+
+@dataclass(frozen=True, slots=True, kw_only=True)
+class AccessToken:
+    token: str
+    client_id: str
+    scopes: list[str]
+    created_at: int
+    expires_at: int | None = None
+    resource: str | None = None
+
+
+@dataclass(frozen=True, slots=True, kw_only=True)
+class StateEntry:
+    redirect_uri: str
+    code_challenge: str
+    redirect_uri_provided_explicitly: bool
+    client_id: str
+    resource: str | None
+    scopes: list[str] | None
+    created_at: float
+
+
+class SimpleOAuthProvider:
+    def __init__(self, settings: OAuthSettings, issuer_url: str) -> None:
+        self.settings = settings
+        self.issuer_url = issuer_url
+        self.clients: dict[str, OAuthClientInformationFull] = {}
+        self.auth_codes: dict[str, AuthorizationCode] = {}
+        self.tokens: dict[str, AccessToken] = {}
+        self.state_mapping: dict[str, StateEntry] = {}
+
+        client_secret = settings.client_secret.get_secret_value() if settings.client_secret is not None else None
+        self.clients[settings.client_id] = OAuthClientInformationFull(
+            client_id=settings.client_id,
+            client_secret=client_secret,
+            redirect_uris=settings.redirect_uris,
+            scope=settings.default_scope,
+        )
+
+    async def get_client(self, client_id: str) -> OAuthClientInformationFull | None:
+        return self.clients.get(client_id)
+
+    async def register_client(self, metadata: OAuthClientMetadata) -> OAuthClientInformationFull:
+        token_endpoint_auth_method = metadata.token_endpoint_auth_method or "client_secret_post"
+        if token_endpoint_auth_method not in {"client_secret_post", "none"}:
+            msg = f"unsupported token_endpoint_auth_method: {token_endpoint_auth_method}"
+            raise ValueError(msg)
+        client_secret = None
+        if token_endpoint_auth_method != "none":  # noqa: S105
+            client_secret = secrets.token_hex(16)
+
+        client_id = f"belgie_client_{secrets.token_hex(8)}"
+        while client_id in self.clients:
+            client_id = f"belgie_client_{secrets.token_hex(8)}"
+
+        metadata_payload = metadata.model_dump()
+        metadata_payload["token_endpoint_auth_method"] = token_endpoint_auth_method
+        client_info = OAuthClientInformationFull(
+            **metadata_payload,
+            client_id=client_id,
+            client_secret=client_secret,
+            client_id_issued_at=int(time.time()),
+            client_secret_expires_at=None,
+        )
+        self.clients[client_id] = client_info
+        return client_info
+
+    async def authorize(self, client: OAuthClientInformationFull, params: AuthorizationParams) -> str:
+        self._purge_state_mapping()
+        state = params.state or secrets.token_hex(16)
+        if state in self.state_mapping:
+            msg = "Authorization state already exists"
+            raise ValueError(msg)
+        self.state_mapping[state] = StateEntry(
+            redirect_uri=str(params.redirect_uri),
+            code_challenge=params.code_challenge,
+            redirect_uri_provided_explicitly=params.redirect_uri_provided_explicitly,
+            client_id=client.client_id,
+            resource=params.resource,
+            scopes=params.scopes,
+            created_at=time.time(),
+        )
+        return state
+
+    async def issue_authorization_code(self, state: str) -> str:
+        self._purge_state_mapping()
+        state_data = self.state_mapping.get(state)
+        if not state_data:
+            msg = "Invalid state parameter"
+            raise ValueError(msg)
+
+        redirect_uri = state_data.redirect_uri
+        code_challenge = state_data.code_challenge
+        redirect_uri_provided_explicitly = state_data.redirect_uri_provided_explicitly
+        client_id = state_data.client_id
+        resource = state_data.resource
+        scopes = state_data.scopes or [self.settings.default_scope]
+
+        if redirect_uri is None or code_challenge is None or client_id is None:
+            msg = "Invalid authorization state"
+            raise ValueError(msg)
+
+        new_code = f"belgie_{secrets.token_hex(16)}"
+        auth_code = AuthorizationCode(
+            code=new_code,
+            client_id=client_id,
+            redirect_uri=AnyUrl(redirect_uri),
+            redirect_uri_provided_explicitly=bool(redirect_uri_provided_explicitly),
+            expires_at=time.time() + self.settings.authorization_code_ttl_seconds,
+            scopes=scopes,
+            code_challenge=code_challenge,
+            resource=resource,
+        )
+        self.auth_codes[new_code] = auth_code
+
+        del self.state_mapping[state]
+        return construct_redirect_uri(redirect_uri, code=new_code, state=state)
+
+    async def load_authorization_code(self, authorization_code: str) -> AuthorizationCode | None:
+        return self.auth_codes.get(authorization_code)
+
+    async def exchange_authorization_code(self, authorization_code: AuthorizationCode) -> OAuthToken:
+        if authorization_code.code not in self.auth_codes:
+            msg = "Invalid authorization code"
+            raise ValueError(msg)
+
+        mcp_token = f"belgie_{secrets.token_hex(32)}"
+        self.tokens[mcp_token] = AccessToken(
+            token=mcp_token,
+            client_id=authorization_code.client_id,
+            scopes=authorization_code.scopes,
+            created_at=int(time.time()),
+            expires_at=int(time.time()) + self.settings.access_token_ttl_seconds,
+            resource=authorization_code.resource,
+        )
+
+        del self.auth_codes[authorization_code.code]
+
+        return OAuthToken(
+            access_token=mcp_token,
+            token_type="Bearer",  # noqa: S106
+            expires_in=self.settings.access_token_ttl_seconds,
+            scope=" ".join(authorization_code.scopes),
+        )
+
+    async def load_access_token(self, token: str) -> AccessToken | None:
+        access_token = self.tokens.get(token)
+        if not access_token:
+            return None
+
+        if access_token.expires_at is not None and access_token.expires_at < time.time():
+            del self.tokens[token]
+            return None
+
+        return access_token
+
+    def _purge_state_mapping(self, now: float | None = None) -> None:
+        if not self.state_mapping:
+            return
+        current = time.time() if now is None else now
+        ttl_seconds = self.settings.state_ttl_seconds
+        if ttl_seconds <= 0:
+            return
+        expired_states = [
+            state for state, entry in self.state_mapping.items() if entry.created_at + ttl_seconds < current
+        ]
+        for state in expired_states:
+            self.state_mapping.pop(state, None)
+
+    async def load_refresh_token(self, _refresh_token: str) -> RefreshToken | None:
+        return None
+
+    async def exchange_refresh_token(self, refresh_token: RefreshToken, scopes: list[str]) -> OAuthToken:
+        raise NotImplementedError
+
+    async def revoke_token(self, token: AccessToken | RefreshToken) -> None:
+        if isinstance(token, AccessToken):
+            self.tokens.pop(token.token, None)

belgie_oauth/settings.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+from functools import cached_property
+from typing import Literal
+from urllib.parse import urlparse, urlunparse
+
+from pydantic import AnyHttpUrl, AnyUrl, Field, SecretStr
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class OAuthSettings(BaseSettings):
+    model_config = SettingsConfigDict(env_prefix="BELGIE_OAUTH_")
+
+    base_url: AnyHttpUrl | None = None
+    route_prefix: str = "/oauth"
+    login_url: str | None = None
+
+    client_id: str = "belgie_client"
+    client_secret: SecretStr | None = None
+    redirect_uris: list[AnyUrl] = Field(..., min_length=1)
+    default_scope: str = "user"
+
+    authorization_code_ttl_seconds: int = 300
+    access_token_ttl_seconds: int = 3600
+    state_ttl_seconds: int = 600
+    code_challenge_method: Literal["S256"] = "S256"
+
+    @cached_property
+    def issuer_url(self) -> AnyHttpUrl | None:
+        if self.base_url is None:
+            return None
+
+        parsed = urlparse(str(self.base_url))
+        base_path = parsed.path.rstrip("/")
+        prefix = self.route_prefix.strip("/")
+        auth_path = "auth"
+        full_path = f"{base_path}/{auth_path}/{prefix}" if prefix else f"{base_path}/{auth_path}"
+        return AnyHttpUrl(urlunparse(parsed._replace(path=full_path, query="", fragment="")))

belgie_oauth/utils.py

@@ -0,0 +1,27 @@
+from __future__ import annotations
+
+import base64
+import hashlib
+from urllib.parse import parse_qs, urlencode, urlparse, urlunparse
+
+
+def construct_redirect_uri(redirect_uri_base: str, **params: str | None) -> str:
+    parsed_uri = urlparse(redirect_uri_base)
+    query_params = [(key, value) for key, values in parse_qs(parsed_uri.query).items() for value in values]
+    for key, value in params.items():
+        if value is not None:
+            query_params.append((key, value))
+    return urlunparse(parsed_uri._replace(query=urlencode(query_params)))
+
+
+def join_url(base_url: str, path: str) -> str:
+    parsed = urlparse(base_url)
+    base_path = parsed.path.rstrip("/")
+    append_path = path.lstrip("/")
+    joined_path = f"{base_path}/{append_path}" if append_path else base_path
+    return urlunparse(parsed._replace(path=joined_path))
+
+
+def create_code_challenge(code_verifier: str) -> str:
+    digest = hashlib.sha256(code_verifier.encode("utf-8")).digest()
+    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("utf-8")

belgie_oauth-0.2.0.dist-info/METADATA

@@ -0,0 +1,22 @@
+Metadata-Version: 2.3
+Name: belgie-oauth
+Version: 0.2.0
+Summary: Add your description here
+Author: Matt LeMay
+Author-email: Matt LeMay <mplemay@users.noreply.github.com>
+Requires-Dist: belgie-core
+Requires-Dist: fastapi>=0.100
+Requires-Dist: pydantic>=2.0
+Requires-Dist: pydantic-settings>=2.0
+Requires-Dist: python-multipart>=0.0.20
+Requires-Python: >=3.12, <3.15
+Description-Content-Type: text/markdown
+
+# belgie-oauth
+
+OAuth 2.1 authorization server package for Belgie.
+
+## Persistence
+
+`SimpleOAuthProvider` keeps clients and tokens in memory. For production deployments, replace or extend the provider
+with persistent storage.

belgie_oauth-0.2.0.dist-info/RECORD

@@ -0,0 +1,11 @@
+belgie_oauth/__init__.py,sha256=1YmZH1Q4wkMQyfVMd1VM3YijIHOH7cG7DfLSeZhrXxw,312
+belgie_oauth/metadata.py,sha256=8EEyRIwnkWWVGZCwcRyVjwyqy8gVbKItR94k1t6054Q,1687
+belgie_oauth/models.py,sha256=LlL0WcygCj3j2G-mgN5pWQrCwArwEMwffpiuUFaNyU0,4256
+belgie_oauth/plugin.py,sha256=QZ1xh0QddHnKsMT2p2w3QRcHhAljCg5v-8Cw9fMweuE,18402
+belgie_oauth/provider.py,sha256=BatRC7Qfh0k2Gg8ctzM4oHBjgSbDDTWwZDyQSuy2i-s,8125
+belgie_oauth/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+belgie_oauth/settings.py,sha256=4adaIWyqjhQjL5YCGpKA3AmaZiVWIiXaD8Ub3VqRYtQ,1306
+belgie_oauth/utils.py,sha256=WvDIqayL4ImT1AZFMOXAlYSfYqopLF6TJtYv6p8DD0E,1043
+belgie_oauth-0.2.0.dist-info/WHEEL,sha256=5DEXXimM34_d4Gx1AuF9ysMr1_maoEtGKjaILM3s4w4,80
+belgie_oauth-0.2.0.dist-info/METADATA,sha256=s6Vj7gzkwh5n96-Itq-OIdO4MSRwDNVjT8vsaBk0-K0,632
+belgie_oauth-0.2.0.dist-info/RECORD,,

{belgie_oauth-0.1.0a4.dist-info → belgie_oauth-0.2.0.dist-info}/WHEEL

@@ -1,4 +1,4 @@
 Wheel-Version: 1.0
-Generator: uv 0.9.28
+Generator: uv 0.9.29
 Root-Is-Purelib: true
 Tag: py3-none-any

belgie_oauth-0.1.0a4.dist-info/METADATA

@@ -1,9 +0,0 @@
-Metadata-Version: 2.3
-Name: belgie-oauth
-Version: 0.1.0a4
-Summary: Add your description here
-Author: Matt LeMay
-Author-email: Matt LeMay <mplemay@users.noreply.github.com>
-Requires-Python: >=3.12
-Description-Content-Type: text/markdown
-

belgie_oauth-0.1.0a4.dist-info/RECORD

@@ -1,5 +0,0 @@
-belgie_oauth/__init__.py,sha256=crKgik8PePX0Wb6zdDT-8Jkqx9saSZBI36h0f-4JYls,58
-belgie_oauth/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-belgie_oauth-0.1.0a4.dist-info/WHEEL,sha256=fAguSjoiATBe7TNBkJwOjyL1Tt4wwiaQGtNtjRPNMQA,80
-belgie_oauth-0.1.0a4.dist-info/METADATA,sha256=PlbU6decb9odKWfzrIvDOCBHMZDbio7n9kmdDSWJB2w,237
-belgie_oauth-0.1.0a4.dist-info/RECORD,,