fastmcp 2.14.4__py3-none-any.whl → 3.0.0b1__py3-none-any.whl

fastmcp/server/auth/providers/github.py

@@ -23,45 +23,17 @@ from __future__ import annotations
 
 import httpx
 from key_value.aio.protocols import AsyncKeyValue
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 
 from fastmcp.server.auth import TokenVerifier
 from fastmcp.server.auth.auth import AccessToken
 from fastmcp.server.auth.oauth_proxy import OAuthProxy
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class GitHubProviderSettings(BaseSettings):
-    """Settings for GitHub OAuth provider."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_GITHUB_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    client_id: str | None = None
-    client_secret: SecretStr | None = None
-    base_url: AnyHttpUrl | str | None = None
-    issuer_url: AnyHttpUrl | str | None = None
-    redirect_path: str | None = None
-    required_scopes: list[str] | None = None
-    timeout_seconds: int | None = None
-    allowed_client_redirect_uris: list[str] | None = None
-    jwt_signing_key: str | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class GitHubTokenVerifier(TokenVerifier):
     """Token verifier for GitHub OAuth tokens.
 
@@ -198,16 +170,16 @@ class GitHubProvider(OAuthProxy):
     def __init__(
         self,
         *,
-        client_id: str | NotSetT = NotSet,
-        client_secret: str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
-        redirect_path: str | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT = NotSet,
-        timeout_seconds: int | NotSetT = NotSet,
-        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        client_id: str,
+        client_secret: str,
+        base_url: AnyHttpUrl | str,
+        issuer_url: AnyHttpUrl | str | None = None,
+        redirect_path: str | None = None,
+        required_scopes: list[str] | None = None,
+        timeout_seconds: int = 10,
+        allowed_client_redirect_uris: list[str] | None = None,
         client_storage: AsyncKeyValue | None = None,
-        jwt_signing_key: str | bytes | NotSetT = NotSet,
+        jwt_signing_key: str | bytes | None = None,
         require_authorization_consent: bool = True,
     ):
         """Initialize GitHub OAuth provider.
@@ -220,7 +192,7 @@ class GitHubProvider(OAuthProxy):
                 to avoid 404s during discovery when mounting under a path.
             redirect_path: Redirect path configured in GitHub OAuth app (defaults to "/auth/callback")
             required_scopes: Required GitHub scopes (defaults to ["user"])
-            timeout_seconds: HTTP request timeout for GitHub API calls
+            timeout_seconds: HTTP request timeout for GitHub API calls (defaults to 10)
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 If None (default), all URIs are allowed. If empty list, no URIs are allowed.
             client_storage: Storage backend for OAuth state (client registrations, encrypted tokens).
@@ -234,71 +206,35 @@ class GitHubProvider(OAuthProxy):
                 When False, authorization proceeds directly without user confirmation.
                 SECURITY WARNING: Only disable for local development or testing environments.
         """
-
-        settings = GitHubProviderSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "client_id": client_id,
-                    "client_secret": client_secret,
-                    "base_url": base_url,
-                    "issuer_url": issuer_url,
-                    "redirect_path": redirect_path,
-                    "required_scopes": required_scopes,
-                    "timeout_seconds": timeout_seconds,
-                    "allowed_client_redirect_uris": allowed_client_redirect_uris,
-                    "jwt_signing_key": jwt_signing_key,
-                }.items()
-                if v is not NotSet
-            }
+        # Parse scopes if provided as string
+        required_scopes_final = (
+            parse_scopes(required_scopes) if required_scopes is not None else ["user"]
         )
 
-        # Validate required settings
-        if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_ID"
-            )
-        if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GITHUB_CLIENT_SECRET"
-            )
-
-        # Apply defaults
-
-        timeout_seconds_final = settings.timeout_seconds or 10
-        required_scopes_final = settings.required_scopes or ["user"]
-        allowed_client_redirect_uris_final = settings.allowed_client_redirect_uris
-
         # Create GitHub token verifier
         token_verifier = GitHubTokenVerifier(
             required_scopes=required_scopes_final,
-            timeout_seconds=timeout_seconds_final,
-        )
-
-        # Extract secret string from SecretStr
-        client_secret_str = (
-            settings.client_secret.get_secret_value() if settings.client_secret else ""
+            timeout_seconds=timeout_seconds,
         )
 
         # Initialize OAuth proxy with GitHub endpoints
         super().__init__(
             upstream_authorization_endpoint="https://github.com/login/oauth/authorize",
             upstream_token_endpoint="https://github.com/login/oauth/access_token",
-            upstream_client_id=settings.client_id,
-            upstream_client_secret=client_secret_str,
+            upstream_client_id=client_id,
+            upstream_client_secret=client_secret,
             token_verifier=token_verifier,
-            base_url=settings.base_url,
-            redirect_path=settings.redirect_path,
-            issuer_url=settings.issuer_url
-            or settings.base_url,  # Default to base_url if not specified
-            allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            base_url=base_url,
+            redirect_path=redirect_path,
+            issuer_url=issuer_url or base_url,  # Default to base_url if not specified
+            allowed_client_redirect_uris=allowed_client_redirect_uris,
             client_storage=client_storage,
-            jwt_signing_key=settings.jwt_signing_key,
+            jwt_signing_key=jwt_signing_key,
             require_authorization_consent=require_authorization_consent,
         )
 
         logger.debug(
             "Initialized GitHub OAuth provider for client %s with scopes: %s",
-            settings.client_id,
+            client_id,
             required_scopes_final,
         )

fastmcp/server/auth/providers/google.py

@@ -25,45 +25,17 @@ import time
 
 import httpx
 from key_value.aio.protocols import AsyncKeyValue
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl
 
 from fastmcp.server.auth import TokenVerifier
 from fastmcp.server.auth.auth import AccessToken
 from fastmcp.server.auth.oauth_proxy import OAuthProxy
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
 
-class GoogleProviderSettings(BaseSettings):
-    """Settings for Google OAuth provider."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_GOOGLE_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    client_id: str | None = None
-    client_secret: SecretStr | None = None
-    base_url: AnyHttpUrl | str | None = None
-    issuer_url: AnyHttpUrl | str | None = None
-    redirect_path: str | None = None
-    required_scopes: list[str] | None = None
-    timeout_seconds: int | None = None
-    allowed_client_redirect_uris: list[str] | None = None
-    jwt_signing_key: str | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
-
-
 class GoogleTokenVerifier(TokenVerifier):
     """Token verifier for Google OAuth tokens.
 
@@ -214,16 +186,16 @@ class GoogleProvider(OAuthProxy):
     def __init__(
         self,
         *,
-        client_id: str | NotSetT = NotSet,
-        client_secret: str | NotSetT = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT = NotSet,
-        issuer_url: AnyHttpUrl | str | NotSetT = NotSet,
-        redirect_path: str | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT = NotSet,
-        timeout_seconds: int | NotSetT = NotSet,
-        allowed_client_redirect_uris: list[str] | NotSetT = NotSet,
+        client_id: str,
+        client_secret: str,
+        base_url: AnyHttpUrl | str,
+        issuer_url: AnyHttpUrl | str | None = None,
+        redirect_path: str | None = None,
+        required_scopes: list[str] | None = None,
+        timeout_seconds: int = 10,
+        allowed_client_redirect_uris: list[str] | None = None,
         client_storage: AsyncKeyValue | None = None,
-        jwt_signing_key: str | bytes | NotSetT = NotSet,
+        jwt_signing_key: str | bytes | None = None,
         require_authorization_consent: bool = True,
         extra_authorize_params: dict[str, str] | None = None,
     ):
@@ -240,7 +212,7 @@ class GoogleProvider(OAuthProxy):
                 - "openid" for OpenID Connect (default)
                 - "https://www.googleapis.com/auth/userinfo.email" for email access
                 - "https://www.googleapis.com/auth/userinfo.profile" for profile info
-            timeout_seconds: HTTP request timeout for Google API calls
+            timeout_seconds: HTTP request timeout for Google API calls (defaults to 10)
             allowed_client_redirect_uris: List of allowed redirect URI patterns for MCP clients.
                 If None (default), all URIs are allowed. If empty list, no URIs are allowed.
             client_storage: Storage backend for OAuth state (client registrations, encrypted tokens).
@@ -258,50 +230,16 @@ class GoogleProvider(OAuthProxy):
                 refresh tokens are returned. You can override these defaults or add additional parameters.
                 Example: {"prompt": "select_account"} to let users choose their Google account.
         """
-
-        settings = GoogleProviderSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "client_id": client_id,
-                    "client_secret": client_secret,
-                    "base_url": base_url,
-                    "issuer_url": issuer_url,
-                    "redirect_path": redirect_path,
-                    "required_scopes": required_scopes,
-                    "timeout_seconds": timeout_seconds,
-                    "allowed_client_redirect_uris": allowed_client_redirect_uris,
-                    "jwt_signing_key": jwt_signing_key,
-                }.items()
-                if v is not NotSet
-            }
-        )
-
-        # Validate required settings
-        if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_ID"
-            )
-        if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or FASTMCP_SERVER_AUTH_GOOGLE_CLIENT_SECRET"
-            )
-
-        # Apply defaults
-        timeout_seconds_final = settings.timeout_seconds or 10
+        # Parse scopes if provided as string
         # Google requires at least one scope - openid is the minimal OIDC scope
-        required_scopes_final = settings.required_scopes or ["openid"]
-        allowed_client_redirect_uris_final = settings.allowed_client_redirect_uris
+        required_scopes_final = (
+            parse_scopes(required_scopes) if required_scopes is not None else ["openid"]
+        )
 
         # Create Google token verifier
         token_verifier = GoogleTokenVerifier(
             required_scopes=required_scopes_final,
-            timeout_seconds=timeout_seconds_final,
-        )
-
-        # Extract secret string from SecretStr
-        client_secret_str = (
-            settings.client_secret.get_secret_value() if settings.client_secret else ""
+            timeout_seconds=timeout_seconds,
         )
 
         # Set Google-specific defaults for extra authorize params
@@ -320,22 +258,21 @@ class GoogleProvider(OAuthProxy):
         super().__init__(
             upstream_authorization_endpoint="https://accounts.google.com/o/oauth2/v2/auth",
             upstream_token_endpoint="https://oauth2.googleapis.com/token",
-            upstream_client_id=settings.client_id,
-            upstream_client_secret=client_secret_str,
+            upstream_client_id=client_id,
+            upstream_client_secret=client_secret,
             token_verifier=token_verifier,
-            base_url=settings.base_url,
-            redirect_path=settings.redirect_path,
-            issuer_url=settings.issuer_url
-            or settings.base_url,  # Default to base_url if not specified
-            allowed_client_redirect_uris=allowed_client_redirect_uris_final,
+            base_url=base_url,
+            redirect_path=redirect_path,
+            issuer_url=issuer_url or base_url,  # Default to base_url if not specified
+            allowed_client_redirect_uris=allowed_client_redirect_uris,
             client_storage=client_storage,
-            jwt_signing_key=settings.jwt_signing_key,
+            jwt_signing_key=jwt_signing_key,
             require_authorization_consent=require_authorization_consent,
             extra_authorize_params=extra_authorize_params_final,
         )
 
         logger.debug(
             "Initialized Google OAuth provider for client %s with scopes: %s",
-            settings.client_id,
+            client_id,
             required_scopes_final,
         )

fastmcp/server/auth/providers/introspection.py

@@ -25,41 +25,18 @@ from __future__ import annotations
 
 import base64
 import time
-from typing import Any
+from typing import Any, Literal, get_args
 
 import httpx
-from pydantic import AnyHttpUrl, SecretStr, field_validator
-from pydantic_settings import BaseSettings, SettingsConfigDict
+from pydantic import AnyHttpUrl, SecretStr
 
 from fastmcp.server.auth import AccessToken, TokenVerifier
-from fastmcp.settings import ENV_FILE
 from fastmcp.utilities.auth import parse_scopes
 from fastmcp.utilities.logging import get_logger
-from fastmcp.utilities.types import NotSet, NotSetT
 
 logger = get_logger(__name__)
 
-
-class IntrospectionTokenVerifierSettings(BaseSettings):
-    """Settings for OAuth 2.0 Token Introspection verification."""
-
-    model_config = SettingsConfigDict(
-        env_prefix="FASTMCP_SERVER_AUTH_INTROSPECTION_",
-        env_file=ENV_FILE,
-        extra="ignore",
-    )
-
-    introspection_url: str | None = None
-    client_id: str | None = None
-    client_secret: SecretStr | None = None
-    timeout_seconds: int = 10
-    required_scopes: list[str] | None = None
-    base_url: AnyHttpUrl | str | None = None
-
-    @field_validator("required_scopes", mode="before")
-    @classmethod
-    def _parse_scopes(cls, v):
-        return parse_scopes(v)
+ClientAuthMethod = Literal["client_secret_basic", "client_secret_post"]
 
 
 class IntrospectionTokenVerifier(TokenVerifier):
@@ -70,8 +47,11 @@ class IntrospectionTokenVerifier(TokenVerifier):
     endpoint. Unlike JWT verification which is stateless, token introspection requires
     a network call to the authorization server for each token validation.
 
-    The verifier authenticates to the introspection endpoint using HTTP Basic Auth
-    with the provided client_id and client_secret, as specified in RFC 7662.
+    The verifier authenticates to the introspection endpoint using either:
+    - HTTP Basic Auth (client_secret_basic, default): credentials in Authorization header
+    - POST body authentication (client_secret_post): credentials in request body
+
+    Both methods are specified in RFC 6749 (OAuth 2.0) and RFC 7662 (Token Introspection).
 
     Use this when:
     - Your authorization server issues opaque (non-JWT) tokens
@@ -93,12 +73,13 @@ class IntrospectionTokenVerifier(TokenVerifier):
     def __init__(
         self,
         *,
-        introspection_url: str | NotSetT = NotSet,
-        client_id: str | NotSetT = NotSet,
-        client_secret: str | NotSetT = NotSet,
-        timeout_seconds: int | NotSetT = NotSet,
-        required_scopes: list[str] | NotSetT | None = NotSet,
-        base_url: AnyHttpUrl | str | NotSetT | None = NotSet,
+        introspection_url: str,
+        client_id: str,
+        client_secret: str | SecretStr,
+        client_auth_method: ClientAuthMethod = "client_secret_basic",
+        timeout_seconds: int = 10,
+        required_scopes: list[str] | None = None,
+        base_url: AnyHttpUrl | str | None = None,
     ):
         """
         Initialize the introspection token verifier.
@@ -107,49 +88,38 @@ class IntrospectionTokenVerifier(TokenVerifier):
             introspection_url: URL of the OAuth 2.0 token introspection endpoint
             client_id: OAuth client ID for authenticating to the introspection endpoint
             client_secret: OAuth client secret for authenticating to the introspection endpoint
+            client_auth_method: Client authentication method. "client_secret_basic" (default)
+                uses HTTP Basic Auth header, "client_secret_post" sends credentials in POST body
             timeout_seconds: HTTP request timeout in seconds (default: 10)
             required_scopes: Required scopes for all tokens (optional)
             base_url: Base URL for TokenVerifier protocol
         """
-        settings = IntrospectionTokenVerifierSettings.model_validate(
-            {
-                k: v
-                for k, v in {
-                    "introspection_url": introspection_url,
-                    "client_id": client_id,
-                    "client_secret": client_secret,
-                    "timeout_seconds": timeout_seconds,
-                    "required_scopes": required_scopes,
-                    "base_url": base_url,
-                }.items()
-                if v is not NotSet
-            }
+        # Parse scopes if provided as string
+        parsed_required_scopes = (
+            parse_scopes(required_scopes) if required_scopes is not None else None
         )
 
-        if not settings.introspection_url:
-            raise ValueError(
-                "introspection_url is required - set via parameter or "
-                "FASTMCP_SERVER_AUTH_INTROSPECTION_INTROSPECTION_URL"
-            )
-        if not settings.client_id:
-            raise ValueError(
-                "client_id is required - set via parameter or "
-                "FASTMCP_SERVER_AUTH_INTROSPECTION_CLIENT_ID"
-            )
-        if not settings.client_secret:
-            raise ValueError(
-                "client_secret is required - set via parameter or "
-                "FASTMCP_SERVER_AUTH_INTROSPECTION_CLIENT_SECRET"
-            )
+        super().__init__(base_url=base_url, required_scopes=parsed_required_scopes)
 
-        super().__init__(
-            base_url=settings.base_url, required_scopes=settings.required_scopes
+        self.introspection_url = introspection_url
+        self.client_id = client_id
+        self.client_secret = (
+            client_secret.get_secret_value()
+            if isinstance(client_secret, SecretStr)
+            else client_secret
         )
 
-        self.introspection_url = settings.introspection_url
-        self.client_id = settings.client_id
-        self.client_secret = settings.client_secret.get_secret_value()
-        self.timeout_seconds = settings.timeout_seconds
+        # Validate client_auth_method to catch typos/invalid values early
+        valid_methods = get_args(ClientAuthMethod)
+        if client_auth_method not in valid_methods:
+            options = " or ".join(f"'{m}'" for m in valid_methods)
+            raise ValueError(
+                f"Invalid client_auth_method: {client_auth_method!r}. "
+                f"Must be {options}."
+            )
+        self.client_auth_method: ClientAuthMethod = client_auth_method
+
+        self.timeout_seconds = timeout_seconds
         self.logger = get_logger(__name__)
 
     def _create_basic_auth_header(self) -> str:
@@ -186,7 +156,8 @@ class IntrospectionTokenVerifier(TokenVerifier):
         Verify a bearer token using OAuth 2.0 Token Introspection (RFC 7662).
 
         This method makes a POST request to the introspection endpoint with the token,
-        authenticated using HTTP Basic Auth with the client credentials.
+        authenticated using the configured client authentication method (client_secret_basic
+        or client_secret_post).
 
         Args:
             token: The opaque token string to validate
@@ -197,19 +168,29 @@ class IntrospectionTokenVerifier(TokenVerifier):
         try:
             async with httpx.AsyncClient(timeout=self.timeout_seconds) as client:
                 # Prepare introspection request per RFC 7662
-                auth_header = self._create_basic_auth_header()
+                # Build request data with token and token_type_hint
+                data = {
+                    "token": token,
+                    "token_type_hint": "access_token",
+                }
+
+                # Build headers
+                headers = {
+                    "Content-Type": "application/x-www-form-urlencoded",
+                    "Accept": "application/json",
+                }
+
+                # Add client authentication based on method
+                if self.client_auth_method == "client_secret_basic":
+                    headers["Authorization"] = self._create_basic_auth_header()
+                elif self.client_auth_method == "client_secret_post":
+                    data["client_id"] = self.client_id
+                    data["client_secret"] = self.client_secret
 
                 response = await client.post(
                     self.introspection_url,
-                    data={
-                        "token": token,
-                        "token_type_hint": "access_token",
-                    },
-                    headers={
-                        "Authorization": auth_header,
-                        "Content-Type": "application/x-www-form-urlencoded",
-                        "Accept": "application/json",
-                    },
+                    data=data,
+                    headers=headers,
                 )
 
                 # Check for HTTP errors