mcs-auth-oauth 0.1.0__tar.gz

mcs_auth_oauth-0.1.0/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

mcs_auth_oauth-0.1.0/PKG-INFO

@@ -0,0 +1,99 @@
+Metadata-Version: 2.4
+Name: mcs-auth-oauth
+Version: 0.1.0
+Summary: OAuth 2.0 Authorization Code adapter for the Model Context Standard.
+Author-email: Danny Gerst <danny@dannygerst.de>
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://www.modelcontextstandard.io
+Project-URL: Source, https://github.com/modelcontextstandard/python-sdk
+Keywords: mcs,modelcontextstandard,auth,oauth2,authorization-code
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcs-auth>=0.1
+Dynamic: license-file
+
+# mcs-auth-oauth
+
+**Zero-dependency OAuth 2.0 for AI agents.** Authorization Code Flow with
+PKCE for the **Model Context Standard (MCS)**.
+
+No `requests`. No `authlib`. No heavyweight SDK. Just the Python standard
+library, a 5-second localhost callback server, and your agent has an OAuth
+token. Works with any OAuth 2.0 provider -- Google, Auth0, Microsoft,
+GitHub, you name it.
+
+## Installation
+
+```bash
+pip install mcs-auth-oauth
+```
+
+## Quick start
+
+```python
+from mcs.auth.oauth import OAuthProvider
+
+provider = OAuthProvider(
+    authorize_url="https://accounts.google.com/o/oauth2/v2/auth",
+    token_url="https://oauth2.googleapis.com/token",
+    client_id="...",
+    client_secret="...",
+    scopes={"gmail": "https://mail.google.com/"},
+)
+
+# Opens browser, user logs in, token returned
+token = provider.get_token("gmail")
+```
+
+## How it works
+
+1. Agent calls `get_token("gmail")`
+2. Browser opens with the provider's consent screen
+3. User logs in and grants access
+4. Localhost callback receives the authorization code
+5. Code is exchanged for tokens (with PKCE)
+6. Token returned to agent -- done
+
+The entire flow happens in a single `get_token()` call. The localhost
+server lives for exactly one request and shuts down immediately.
+
+## Use with Auth0 Token Vault
+
+```python
+from mcs.auth.auth0 import Auth0Provider
+from mcs.auth.oauth import OAuthAdapter
+
+provider = Auth0Provider(
+    domain="my-tenant.auth0.com",
+    client_id="...",
+    client_secret="...",
+    _auth=OAuthAdapter(
+        authorize_url="https://my-tenant.auth0.com/authorize",
+        token_url="https://my-tenant.auth0.com/oauth/token",
+        client_id="...",
+        client_secret="...",
+        extra_params={"connection": "google-oauth2", "audience": "..."},
+    ),
+)
+```
+
+## Links
+
+- **Homepage:** <https://www.modelcontextstandard.io>
+- **Source:** <https://github.com/modelcontextstandard/python-sdk>
+
+## License
+
+Apache-2.0

mcs_auth_oauth-0.1.0/README.md

@@ -0,0 +1,73 @@
+# mcs-auth-oauth
+
+**Zero-dependency OAuth 2.0 for AI agents.** Authorization Code Flow with
+PKCE for the **Model Context Standard (MCS)**.
+
+No `requests`. No `authlib`. No heavyweight SDK. Just the Python standard
+library, a 5-second localhost callback server, and your agent has an OAuth
+token. Works with any OAuth 2.0 provider -- Google, Auth0, Microsoft,
+GitHub, you name it.
+
+## Installation
+
+```bash
+pip install mcs-auth-oauth
+```
+
+## Quick start
+
+```python
+from mcs.auth.oauth import OAuthProvider
+
+provider = OAuthProvider(
+    authorize_url="https://accounts.google.com/o/oauth2/v2/auth",
+    token_url="https://oauth2.googleapis.com/token",
+    client_id="...",
+    client_secret="...",
+    scopes={"gmail": "https://mail.google.com/"},
+)
+
+# Opens browser, user logs in, token returned
+token = provider.get_token("gmail")
+```
+
+## How it works
+
+1. Agent calls `get_token("gmail")`
+2. Browser opens with the provider's consent screen
+3. User logs in and grants access
+4. Localhost callback receives the authorization code
+5. Code is exchanged for tokens (with PKCE)
+6. Token returned to agent -- done
+
+The entire flow happens in a single `get_token()` call. The localhost
+server lives for exactly one request and shuts down immediately.
+
+## Use with Auth0 Token Vault
+
+```python
+from mcs.auth.auth0 import Auth0Provider
+from mcs.auth.oauth import OAuthAdapter
+
+provider = Auth0Provider(
+    domain="my-tenant.auth0.com",
+    client_id="...",
+    client_secret="...",
+    _auth=OAuthAdapter(
+        authorize_url="https://my-tenant.auth0.com/authorize",
+        token_url="https://my-tenant.auth0.com/oauth/token",
+        client_id="...",
+        client_secret="...",
+        extra_params={"connection": "google-oauth2", "audience": "..."},
+    ),
+)
+```
+
+## Links
+
+- **Homepage:** <https://www.modelcontextstandard.io>
+- **Source:** <https://github.com/modelcontextstandard/python-sdk>
+
+## License
+
+Apache-2.0

mcs_auth_oauth-0.1.0/pyproject.toml

@@ -0,0 +1,39 @@
+[build-system]
+requires = ["setuptools>=63", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name            = "mcs-auth-oauth"
+version         = "0.1.0"
+description     = "OAuth 2.0 Authorization Code adapter for the Model Context Standard."
+readme          = "README.md"
+requires-python = ">=3.9"
+license         = "Apache-2.0"
+keywords        = ["mcs", "modelcontextstandard", "auth", "oauth2", "authorization-code"]
+authors         = [{ name = "Danny Gerst", email = "danny@dannygerst.de" }]
+license-files   = ["LICENSE"]
+classifiers     = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries",
+    "Typing :: Typed",
+]
+
+urls = {"Homepage" = "https://www.modelcontextstandard.io", "Source" = "https://github.com/modelcontextstandard/python-sdk"}
+
+dependencies = [
+    "mcs-auth>=0.1",
+]
+
+[tool.uv.sources]
+mcs-auth = { workspace = true }
+
+[tool.setuptools.packages.find]
+where = ["src"]

mcs_auth_oauth-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

mcs_auth_oauth-0.1.0/src/mcs/auth/oauth/__init__.py

@@ -0,0 +1,6 @@
+"""OAuth 2.0 Authorization Code adapter and provider for MCS."""
+
+from .oauth_adapter import OAuthAdapter
+from .oauth_provider import OAuthProvider
+
+__all__ = ["OAuthAdapter", "OAuthProvider"]

mcs_auth_oauth-0.1.0/src/mcs/auth/oauth/oauth_adapter.py

@@ -0,0 +1,201 @@
+"""OAuth 2.0 Authorization Code Flow adapter for MCS.
+
+Implements ``AuthPort`` using the standard Authorization Code Flow with
+PKCE (RFC 7636).  Spins up a temporary local HTTP server to receive the
+callback, opens the user's browser, exchanges the code for tokens, and
+returns the result.
+
+This adapter uses only the Python standard library -- no external
+dependencies beyond ``mcs-auth``.
+"""
+
+from __future__ import annotations
+
+import hashlib
+import http.server
+import json
+import secrets
+import urllib.parse
+import urllib.request
+import webbrowser
+from base64 import urlsafe_b64encode
+from typing import Any
+
+class OAuthAdapter:
+    """Auth transport adapter that performs OAuth 2.0 Authorization Code Flow.
+
+    Satisfies ``AuthPort.authenticate(scope) -> str``.
+
+    Parameters
+    ----------
+    authorize_url :
+        Provider's authorization endpoint
+        (e.g. ``"https://accounts.google.com/o/oauth2/v2/auth"``).
+    token_url :
+        Provider's token endpoint
+        (e.g. ``"https://oauth2.googleapis.com/token"``).
+    client_id :
+        OAuth client ID.
+    client_secret :
+        OAuth client secret (empty string for public clients with PKCE).
+    scopes :
+        OAuth scopes to request.  Can be a dict mapping MCS scope names
+        to OAuth scope strings, or a single string applied to all scopes.
+    callback_port :
+        Local port for the redirect callback (default 3000).
+    callback_path :
+        Path on the local server for the callback (default ``"/callback"``).
+    extra_params :
+        Extra query params to include in the authorization URL
+        (e.g. ``{"connection": "google-oauth2"}`` for Auth0).
+    """
+
+    def __init__(
+        self,
+        *,
+        authorize_url: str,
+        token_url: str,
+        client_id: str,
+        client_secret: str = "",
+        scopes: dict[str, str] | str = "",
+        callback_port: int = 3000,
+        callback_path: str = "/callback",
+        extra_params: dict[str, str] | None = None,
+        on_auth_start: Any | None = None,
+    ) -> None:
+        self._authorize_url = authorize_url
+        self._token_url = token_url
+        self._client_id = client_id
+        self._client_secret = client_secret
+        self._scopes = scopes
+        self._callback_port = callback_port
+        self._callback_path = callback_path
+        self._extra_params = extra_params or {}
+        self._on_auth_start = on_auth_start
+
+        # Cache: scope → token dict
+        self._tokens: dict[str, dict[str, Any]] = {}
+
+    def authenticate(self, scope: str) -> str:
+        """Run OAuth Authorization Code Flow and return the token.
+
+        Opens a browser window for the user to log in, blocks until
+        the callback is received, then returns the token.
+
+        Returns the ``refresh_token`` if available, otherwise the
+        ``access_token``.
+        """
+        if scope in self._tokens:
+            tokens = self._tokens[scope]
+            return tokens.get("refresh_token", tokens["access_token"])
+
+        if self._on_auth_start:
+            self._on_auth_start(scope)
+
+        # Resolve OAuth scopes
+        if isinstance(self._scopes, dict):
+            oauth_scope = self._scopes.get(scope, "openid email offline_access")
+        else:
+            oauth_scope = self._scopes or "openid email offline_access"
+
+        # PKCE (RFC 7636)
+        code_verifier = secrets.token_urlsafe(64)
+        code_challenge = urlsafe_b64encode(
+            hashlib.sha256(code_verifier.encode()).digest()
+        ).rstrip(b"=").decode()
+
+        redirect_uri = f"http://localhost:{self._callback_port}{self._callback_path}"
+        state = secrets.token_urlsafe(16)
+
+        # Build authorization URL
+        params: dict[str, str] = {
+            "response_type": "code",
+            "client_id": self._client_id,
+            "redirect_uri": redirect_uri,
+            "scope": oauth_scope,
+            "state": state,
+            "code_challenge": code_challenge,
+            "code_challenge_method": "S256",
+            **self._extra_params,
+        }
+        auth_url = f"{self._authorize_url}?{urllib.parse.urlencode(params)}"
+
+        # Start callback server and open browser
+        code = self._run_callback_server(auth_url, state)
+
+        # Exchange code for tokens
+        tokens = self._exchange_code(code, redirect_uri, code_verifier)
+        self._tokens[scope] = tokens
+
+        return tokens.get("refresh_token", tokens["access_token"])
+
+    def _run_callback_server(self, auth_url: str, expected_state: str) -> str:
+        """Open browser and wait for OAuth callback. Returns authorization code."""
+        result: dict[str, str] = {}
+
+        class Handler(http.server.BaseHTTPRequestHandler):
+            def do_GET(self) -> None:
+                params = urllib.parse.parse_qs(
+                    urllib.parse.urlparse(self.path).query
+                )
+                if "code" in params:
+                    result["code"] = params["code"][0]
+                    result["state"] = params.get("state", [""])[0]
+                if "error" in params:
+                    result["error"] = params["error"][0]
+                    result["error_description"] = params.get(
+                        "error_description", [""]
+                    )[0]
+                self.send_response(200)
+                self.send_header("Content-Type", "text/html")
+                self.end_headers()
+                self.wfile.write(
+                    b"<h1>OK! You can close this window.</h1>"
+                )
+
+            def log_message(self, *args: Any) -> None:
+                pass  # suppress logs
+
+        server = http.server.HTTPServer(
+            ("localhost", self._callback_port), Handler
+        )
+        webbrowser.open(auth_url)
+        server.handle_request()
+        server.server_close()
+
+        if "error" in result:
+            raise RuntimeError(
+                f"OAuth authorization failed: {result['error']} -- "
+                f"{result.get('error_description', '')}"
+            )
+        if "code" not in result:
+            raise RuntimeError("OAuth callback did not contain an authorization code.")
+        if result.get("state") != expected_state:
+            raise RuntimeError("OAuth state mismatch -- possible CSRF attack.")
+
+        return result["code"]
+
+    def _exchange_code(
+        self, code: str, redirect_uri: str, code_verifier: str
+    ) -> dict[str, Any]:
+        """Exchange authorization code for tokens."""
+        body = json.dumps({
+            "grant_type": "authorization_code",
+            "client_id": self._client_id,
+            "client_secret": self._client_secret,
+            "code": code,
+            "redirect_uri": redirect_uri,
+            "code_verifier": code_verifier,
+        }).encode()
+        req = urllib.request.Request(
+            self._token_url,
+            data=body,
+            headers={"Content-Type": "application/json"},
+        )
+        try:
+            resp = urllib.request.urlopen(req)
+            return json.loads(resp.read())
+        except Exception as exc:
+            read_fn = getattr(exc, "read", None)
+            detail = read_fn().decode() if read_fn and callable(read_fn) else str(exc)
+            raise RuntimeError(f"OAuth token exchange failed: {detail}") from exc

mcs_auth_oauth-0.1.0/src/mcs/auth/oauth/oauth_provider.py

@@ -0,0 +1,57 @@
+"""OAuth credential provider for MCS.
+
+A simple ``CredentialProvider`` that delegates to an ``AuthPort``
+adapter (defaults to ``OAuthAdapter``).  For direct OAuth access
+without a Token Vault intermediary (e.g. Google API directly).
+"""
+
+from __future__ import annotations
+
+import time
+from typing import Any
+
+
+class OAuthProvider:
+    """Credential provider using direct OAuth tokens.
+
+    Wraps an ``AuthPort`` adapter and caches the returned tokens.
+    Use this when you want to use OAuth tokens directly (no Auth0
+    Token Vault exchange).
+
+    Parameters
+    ----------
+    _auth :
+        Auth transport adapter satisfying ``AuthPort``.  If not
+        provided, you must supply ``OAuthAdapter`` kwargs to build
+        one automatically.
+    **oauth_kwargs :
+        Keyword arguments forwarded to ``OAuthAdapter`` if ``_auth``
+        is not provided.
+    """
+
+    def __init__(self, *, _auth: Any | None = None, **oauth_kwargs: Any) -> None:
+        if _auth is not None:
+            self._auth = _auth
+        else:
+            from .oauth_adapter import OAuthAdapter
+            self._auth = OAuthAdapter(**oauth_kwargs)
+
+        # Cache: scope → (token, expires_at)
+        self._cache: dict[str, tuple[str, float]] = {}
+
+    def get_token(self, scope: str) -> str:
+        """Return a valid token for *scope* via OAuth.
+
+        Delegates to the ``AuthPort`` adapter and caches the result.
+        """
+        if scope in self._cache:
+            token, expires_at = self._cache[scope]
+            if time.time() < expires_at:
+                return token
+
+        token = self._auth.authenticate(scope)
+
+        # Cache for 50 minutes (typical OAuth token lifetime is 1 hour)
+        self._cache[scope] = (token, time.time() + 3000)
+
+        return token

mcs_auth_oauth-0.1.0/src/mcs_auth_oauth.egg-info/PKG-INFO

@@ -0,0 +1,99 @@
+Metadata-Version: 2.4
+Name: mcs-auth-oauth
+Version: 0.1.0
+Summary: OAuth 2.0 Authorization Code adapter for the Model Context Standard.
+Author-email: Danny Gerst <danny@dannygerst.de>
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://www.modelcontextstandard.io
+Project-URL: Source, https://github.com/modelcontextstandard/python-sdk
+Keywords: mcs,modelcontextstandard,auth,oauth2,authorization-code
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries
+Classifier: Typing :: Typed
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: mcs-auth>=0.1
+Dynamic: license-file
+
+# mcs-auth-oauth
+
+**Zero-dependency OAuth 2.0 for AI agents.** Authorization Code Flow with
+PKCE for the **Model Context Standard (MCS)**.
+
+No `requests`. No `authlib`. No heavyweight SDK. Just the Python standard
+library, a 5-second localhost callback server, and your agent has an OAuth
+token. Works with any OAuth 2.0 provider -- Google, Auth0, Microsoft,
+GitHub, you name it.
+
+## Installation
+
+```bash
+pip install mcs-auth-oauth
+```
+
+## Quick start
+
+```python
+from mcs.auth.oauth import OAuthProvider
+
+provider = OAuthProvider(
+    authorize_url="https://accounts.google.com/o/oauth2/v2/auth",
+    token_url="https://oauth2.googleapis.com/token",
+    client_id="...",
+    client_secret="...",
+    scopes={"gmail": "https://mail.google.com/"},
+)
+
+# Opens browser, user logs in, token returned
+token = provider.get_token("gmail")
+```
+
+## How it works
+
+1. Agent calls `get_token("gmail")`
+2. Browser opens with the provider's consent screen
+3. User logs in and grants access
+4. Localhost callback receives the authorization code
+5. Code is exchanged for tokens (with PKCE)
+6. Token returned to agent -- done
+
+The entire flow happens in a single `get_token()` call. The localhost
+server lives for exactly one request and shuts down immediately.
+
+## Use with Auth0 Token Vault
+
+```python
+from mcs.auth.auth0 import Auth0Provider
+from mcs.auth.oauth import OAuthAdapter
+
+provider = Auth0Provider(
+    domain="my-tenant.auth0.com",
+    client_id="...",
+    client_secret="...",
+    _auth=OAuthAdapter(
+        authorize_url="https://my-tenant.auth0.com/authorize",
+        token_url="https://my-tenant.auth0.com/oauth/token",
+        client_id="...",
+        client_secret="...",
+        extra_params={"connection": "google-oauth2", "audience": "..."},
+    ),
+)
+```
+
+## Links
+
+- **Homepage:** <https://www.modelcontextstandard.io>
+- **Source:** <https://github.com/modelcontextstandard/python-sdk>
+
+## License
+
+Apache-2.0

mcs_auth_oauth-0.1.0/src/mcs_auth_oauth.egg-info/SOURCES.txt

@@ -0,0 +1,11 @@
+LICENSE
+README.md
+pyproject.toml
+src/mcs/auth/oauth/__init__.py
+src/mcs/auth/oauth/oauth_adapter.py
+src/mcs/auth/oauth/oauth_provider.py
+src/mcs_auth_oauth.egg-info/PKG-INFO
+src/mcs_auth_oauth.egg-info/SOURCES.txt
+src/mcs_auth_oauth.egg-info/dependency_links.txt
+src/mcs_auth_oauth.egg-info/requires.txt
+src/mcs_auth_oauth.egg-info/top_level.txt

mcs_auth_oauth-0.1.0/src/mcs_auth_oauth.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

mcs_auth_oauth-0.1.0/src/mcs_auth_oauth.egg-info/requires.txt

@@ -0,0 +1 @@
+mcs-auth>=0.1

mcs_auth_oauth-0.1.0/src/mcs_auth_oauth.egg-info/top_level.txt

@@ -0,0 +1 @@
+mcs