oidcauthlib 3.0.2__tar.gz → 3.0.4__tar.gz

{oidcauthlib-3.0.2/oidcauthlib.egg-info → oidcauthlib-3.0.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oidcauthlib
-Version: 3.0.2
+Version: 3.0.4
 Summary: oidcauthlib
 Home-page: https://github.com/icanbwell/oidc-auth-lib
 Author: Imran Qureshi

oidcauthlib-3.0.4/VERSION

@@ -0,0 +1 @@
+3.0.4

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib/auth/auth_manager.py

@@ -18,6 +18,7 @@ from oidcauthlib.auth.config.auth_config import AuthConfig
 from oidcauthlib.auth.config.auth_config_reader import (
     AuthConfigReader,
 )
+from oidcauthlib.auth.dcr.dcr_manager import DcrManager
 from oidcauthlib.auth.exceptions.authorization_needed_exception import (
     AuthorizationNeededException,
 )
@@ -52,23 +53,17 @@ class AuthManager:
         auth_config_reader: AuthConfigReader,
         token_reader: TokenReader,
         well_known_configuration_manager: WellKnownConfigurationManager,
+        dcr_manager: DcrManager | None = None,
     ) -> None:
         """
         Initialize the AuthManager with the necessary configuration for OIDC PKCE.
-        It sets up the OAuth cache, reads environment variables for the OIDC provider,
-        and configures the OAuth client.
-        The environment variables required are:
-        - MONGO_URL: The connection string for the MongoDB database.
-        - MONGO_DB_NAME: The name of the MongoDB database.
-        - MONGO_DB_TOKEN_COLLECTION_NAME: The name of the MongoDB collection for tokens.
-        It also initializes the OAuth cache based on the OAUTH_CACHE environment variable,
-        which can be set to "memory" for in-memory caching or "mongo" for MongoDB caching.
-        If the OAUTH_CACHE environment variable is not set, it defaults to "memory".
 
         Args:
-            environment_variables (AbstractEnvironmentVariables): The environment variables for the application.
-            auth_config_reader (AuthConfigReader): The reader for authentication configurations.
-            token_reader (TokenReader): The reader for tokens.
+            environment_variables: The environment variables for the application.
+            auth_config_reader: The reader for authentication configurations.
+            token_reader: The reader for tokens.
+            well_known_configuration_manager: Manager for well-known OIDC discovery.
+            dcr_manager: Optional RFC 7591 Dynamic Client Registration manager.
         """
         self.environment_variables: AbstractEnvironmentVariables = environment_variables
         if self.environment_variables is None:
@@ -103,6 +98,9 @@ class AuthManager:
             raise TypeError(
                 "well_known_configuration_manager must be an instance of WellKnownConfigurationManager"
             )
+
+        self._dcr_manager: DcrManager | None = dcr_manager
+
         oauth_cache_type = environment_variables.oauth_cache
         self.cache: OAuthCache = (
             OAuthMemoryCache()
@@ -120,7 +118,6 @@ class AuthManager:
         # https://docs.authlib.org/en/latest/client/frameworks.html#frameworks-clients
         self._oauth: OAuth = OAuth(cache=self.cache)
         self._registered_dynamic_providers: set[str] = set()
-        # read AUTH_PROVIDERS comma separated list from the environment variable and register the OIDC provider for each provider
         self.auth_configs: List[AuthConfig] = (
             self.auth_config_reader.get_auth_configs_for_all_auth_providers()
         )
@@ -141,13 +138,41 @@ class AuthManager:
     ) -> None:
         """Register an OAuth provider dynamically at runtime.
 
-        Handles explicit endpoints, discovery, configurable PKCE, and deduplication.
+        Handles DCR (RFC 7591), explicit endpoints, discovery, configurable PKCE,
+        and deduplication.
         """
         provider_name = auth_config.auth_provider.lower()
 
         if provider_name in self._registered_dynamic_providers:
             return
 
+        # --- DCR: resolve client_id if not provided ---
+        client_id = auth_config.client_id
+        client_secret = auth_config.client_secret
+
+        if not client_id:
+            if not self._dcr_manager:
+                raise ValueError(
+                    f"AuthConfig for '{auth_config.auth_provider}' has no client_id "
+                    f"and no DcrManager is configured to perform DCR"
+                )
+            dcr_result = await self._dcr_manager.resolve_dcr_credentials(
+                auth_provider=provider_name,
+                registration_url=auth_config.registration_url,
+            )
+            if dcr_result is None or not dcr_result.client_id:
+                raise ValueError(
+                    f"DCR failed to obtain client_id for '{auth_config.auth_provider}'"
+                )
+            client_id = dcr_result.client_id
+            client_secret = dcr_result.client_secret
+            logger.info(
+                "DCR resolved client_id=%s for provider '%s'",
+                client_id,
+                auth_config.auth_provider,
+            )
+
+        # --- Build client kwargs ---
         client_kwargs: dict[str, Any] = {
             "scope": auth_config.scope,
             "transport": LoggingTransport(httpx.AsyncHTTPTransport()),
@@ -168,8 +193,8 @@ class AuthManager:
 
         register_kwargs: dict[str, Any] = {
             "name": provider_name,
-            "client_id": auth_config.client_id,
-            "client_secret": auth_config.client_secret,
+            "client_id": client_id,
+            "client_secret": client_secret,
             "client_kwargs": client_kwargs,
         }
 
@@ -194,7 +219,7 @@ class AuthManager:
             "Dynamically registered OAuth provider '%s' "
             "(client_id=%s, well_known=%s, authorize=%s, token=%s, pkce=%s/%s)",
             auth_config.auth_provider,
-            auth_config.client_id,
+            client_id,
             auth_config.well_known_uri,
             auth_config.authorization_endpoint,
             auth_config.token_endpoint,

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib/auth/config/auth_config.py

@@ -1,5 +1,5 @@
-from pydantic import BaseModel, ConfigDict, Field
-from typing import Optional, Any, Literal
+from pydantic import BaseModel, ConfigDict, Field, model_validator
+from typing import Optional, Any, Literal, Self
 
 
 class AuthConfig(BaseModel):
@@ -25,9 +25,9 @@ class AuthConfig(BaseModel):
         default=None,
         description="The issuer of the token, typically the URL of the auth provider.",
     )
-    client_id: str = Field(
-        ...,
-        description="The client ID for the auth provider, used to identify the application making the request.",
+    client_id: Optional[str] = Field(
+        default=None,
+        description="The client ID for the auth provider. Optional when using DCR (registration_url).",
     )
     client_secret: Optional[str] = Field(
         default=None,
@@ -72,3 +72,12 @@ class AuthConfig(BaseModel):
         default=None,
         description="RFC 7591 Dynamic Client Registration endpoint URL.",
     )
+
+    @model_validator(mode="after")
+    def _require_client_id_or_registration_url(self) -> Self:
+        if not self.client_id and not self.registration_url:
+            raise ValueError(
+                f"AuthConfig for '{self.auth_provider}' must have either "
+                f"client_id or registration_url (for DCR)"
+            )
+        return self

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib/auth/config/auth_config_reader.py

@@ -69,8 +69,11 @@ class AuthConfigReader:
                 return self._auth_configs
             auth_providers: list[str] | None = self.environment_variables.auth_providers
             if auth_providers is None:
-                logger.error("auth_providers environment variable is not set")
-                raise ValueError("auth_providers environment variable must be set")
+                logger.info(
+                    "AUTH_PROVIDERS environment variable is not set. "
+                    "Starting with empty provider list (can be populated via register_auth_configs)."
+                )
+                auth_providers = []
             logger.info(f"Loading auth configs for providers: {auth_providers}")
             auth_configs: list[AuthConfig] = []
             for auth_provider in auth_providers:
@@ -110,6 +113,48 @@ class AuthConfigReader:
         logger.warning(f"No config found for auth provider: {auth_provider}")
         return None
 
+    def register_auth_configs(self, *, configs: list[AuthConfig]) -> None:
+        """Register auth configs from an external source (e.g. .mcp.json).
+
+        Merges with any configs already loaded from environment variables.
+        Duplicate auth_provider names (case-insensitive) are skipped.
+        Thread-safe.
+        """
+        if not configs:
+            return
+        with self._lock:
+            if self._auth_configs is None:
+                auth_providers: list[str] | None = (
+                    self.environment_variables.auth_providers
+                )
+                if auth_providers is None:
+                    auth_providers = []
+                env_configs: list[AuthConfig] = []
+                for auth_provider in auth_providers:
+                    auth_config = self.read_config_for_auth_provider(
+                        auth_provider=auth_provider
+                    )
+                    if auth_config is not None:
+                        env_configs.append(auth_config)
+                self._auth_configs = env_configs
+
+            existing_names: set[str] = {
+                c.auth_provider.lower() for c in self._auth_configs
+            }
+            for config in configs:
+                if config.auth_provider.lower() not in existing_names:
+                    self._auth_configs.append(config)
+                    existing_names.add(config.auth_provider.lower())
+                    logger.info(
+                        "Registered external auth provider: %s",
+                        config.auth_provider,
+                    )
+                else:
+                    logger.debug(
+                        "Skipping duplicate auth provider: %s",
+                        config.auth_provider,
+                    )
+
     # noinspection PyMethodMayBeStatic
     def read_config_for_auth_provider(self, *, auth_provider: str) -> AuthConfig | None:
         """
@@ -130,13 +175,6 @@ class AuthConfigReader:
         logger.debug(f"Standardized auth provider name to: {auth_provider_upper}")
         # read client_id and client_secret from the environment variables
         auth_client_id: str | None = os.getenv(f"AUTH_CLIENT_ID_{auth_provider_upper}")
-        if auth_client_id is None:
-            logger.error(
-                f"AUTH_CLIENT_ID_{auth_provider_upper} environment variable is not set"
-            )
-            raise ValueError(
-                f"AUTH_CLIENT_ID_{auth_provider_upper} environment variable must be set"
-            )
         auth_client_secret: str | None = os.getenv(
             f"AUTH_CLIENT_SECRET_{auth_provider_upper}"
         )
@@ -147,13 +185,6 @@ class AuthConfigReader:
         auth_well_known_uri: str | None = os.getenv(
             f"AUTH_WELL_KNOWN_URI_{auth_provider_upper}"
         )
-        if auth_well_known_uri is None:
-            logger.error(
-                f"AUTH_WELL_KNOWN_URI_{auth_provider_upper} environment variable is not set"
-            )
-            raise ValueError(
-                f"AUTH_WELL_KNOWN_URI_{auth_provider_upper} environment variable must be set"
-            )
         issuer: str | None = os.getenv(f"AUTH_ISSUER_{auth_provider_upper}")
         logger.debug(
             f"Issuer for {auth_provider_upper}: {issuer if issuer else 'not set'}"
@@ -201,6 +232,16 @@ class AuthConfigReader:
             extra_info_dict = {str(key): value for key, value in extra_info_raw.items()}
         else:
             extra_info_dict = None
+        authorization_endpoint: str | None = os.getenv(
+            f"AUTH_AUTHORIZATION_ENDPOINT_{auth_provider_upper}"
+        )
+        token_endpoint: str | None = os.getenv(
+            f"AUTH_TOKEN_ENDPOINT_{auth_provider_upper}"
+        )
+        registration_url: str | None = os.getenv(
+            f"AUTH_REGISTRATION_URL_{auth_provider_upper}"
+        )
+
         return AuthConfig(
             auth_provider=auth_provider,
             friendly_name=friendly_name,
@@ -211,6 +252,9 @@ class AuthConfigReader:
             well_known_uri=auth_well_known_uri,
             scope=scope,
             extra_info=extra_info_dict,
+            authorization_endpoint=authorization_endpoint,
+            token_endpoint=token_endpoint,
+            registration_url=registration_url,
         )
 
     def get_audience_for_provider(self, *, auth_provider: str) -> str:

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib/auth/dcr/dcr_client.py

@@ -4,14 +4,21 @@ from typing import Any
 import httpx
 
 from oidcauthlib.utilities.logger.log_levels import SRC_LOG_LEVELS
+from oidcauthlib.utilities.url_validator import validate_url
 
 logger = logging.getLogger(__name__)
 logger.setLevel(SRC_LOG_LEVELS["AUTH"])
 
 
+_DEFAULT_TIMEOUT_SECONDS: int = 10
+
+
 class DcrClient:
     """RFC 7591 Dynamic Client Registration HTTP client."""
 
+    def __init__(self, *, timeout_seconds: int = _DEFAULT_TIMEOUT_SECONDS) -> None:
+        self._timeout_seconds = timeout_seconds
+
     async def register(
         self,
         *,
@@ -22,6 +29,8 @@ class DcrClient:
         logo_uri: str | None = None,
         contacts: list[str] | None = None,
     ) -> dict[str, Any]:
+        validate_url(registration_url)
+
         payload: dict[str, Any] = {
             "redirect_uris": [redirect_uri],
             "grant_types": ["authorization_code", "refresh_token"],
@@ -39,7 +48,7 @@ class DcrClient:
 
         logger.info("Performing DCR at '%s'", registration_url)
 
-        async with httpx.AsyncClient(timeout=10) as client:
+        async with httpx.AsyncClient(timeout=self._timeout_seconds) as client:
             response = await client.post(
                 registration_url,
                 json=payload,

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib/auth/dcr/dcr_manager.py

@@ -13,6 +13,7 @@ from oidcauthlib.utilities.environment.abstract_environment_variables import (
     AbstractEnvironmentVariables,
 )
 from oidcauthlib.utilities.logger.log_levels import SRC_LOG_LEVELS
+from oidcauthlib.utilities.url_validator import validate_url
 
 logger = logging.getLogger(__name__)
 logger.setLevel(SRC_LOG_LEVELS["AUTH"])
@@ -59,6 +60,8 @@ class DcrManager:
                 f"provided (auth_provider='{auth_provider}')"
             )
 
+        validate_url(registration_url)
+
         cached = await self._find_cached(
             auth_provider=auth_provider,
             registration_url=registration_url,
@@ -136,7 +139,7 @@ class DcrManager:
             item.updated = now
             return item
 
-        await self._repository.insert_or_update(
+        persisted_id = await self._repository.insert_or_update(
             collection_name=self._collection_name,
             item=registration,
             keys={
@@ -148,4 +151,5 @@ class DcrManager:
             on_update=on_update,
         )
 
-        return registration
+        # Return with the actual persisted ID (may differ on update)
+        return registration.model_copy(update={"id": persisted_id})

oidcauthlib-3.0.4/oidcauthlib/auth/well_known_configuration/auth_server_metadata.py

@@ -0,0 +1,18 @@
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class AuthServerMetadata:
+    """Parsed OAuth 2.0 Authorization Server Metadata (RFC 8414) or
+    OpenID Connect Discovery metadata.
+
+    Contains the subset of fields needed to configure an OAuth client:
+    authorization and token endpoints (required), plus optional registration
+    endpoint, issuer, and supported scopes.
+    """
+
+    authorization_endpoint: str
+    token_endpoint: str
+    registration_endpoint: str | None = None
+    issuer: str | None = None
+    scopes_supported: list[str] | None = None

oidcauthlib-3.0.4/oidcauthlib/auth/well_known_configuration/auth_server_metadata_discovery.py

@@ -0,0 +1,112 @@
+import logging
+from typing import Protocol, Any
+from urllib.parse import urlparse
+
+import httpx
+
+from oidcauthlib.auth.well_known_configuration.auth_server_metadata import (
+    AuthServerMetadata,
+)
+from oidcauthlib.utilities.logger.log_levels import SRC_LOG_LEVELS
+
+logger = logging.getLogger(__name__)
+logger.setLevel(SRC_LOG_LEVELS["AUTH"])
+
+_DISCOVERY_TIMEOUT = httpx.Timeout(10.0)
+
+
+class AuthServerMetadataDiscoveryProtocol(Protocol):
+    """Protocol for discovering OAuth authorization server metadata from a resource URL."""
+
+    async def discover(self, *, resource_url: str) -> AuthServerMetadata | None: ...
+
+
+class AuthServerMetadataDiscovery:
+    """Discovers OAuth authorization server metadata from a resource server URL.
+
+    Implements RFC 8414 (OAuth 2.0 Authorization Server Metadata) with a
+    fallback to OpenID Connect Discovery.  Given a resource URL, extracts
+    the origin (scheme + host + port) and attempts to fetch:
+
+    1. ``{origin}/.well-known/oauth-authorization-server`` (RFC 8414)
+    2. ``{origin}/.well-known/openid-configuration`` (OIDC Discovery)
+
+    Returns an ``AuthServerMetadata`` with the discovered endpoints, or
+    ``None`` if neither well-known URL returns valid metadata.
+    """
+
+    @staticmethod
+    def _extract_base_url(url: str) -> str:
+        parsed = urlparse(url)
+        port_suffix = f":{parsed.port}" if parsed.port else ""
+        return f"{parsed.scheme}://{parsed.hostname}{port_suffix}"
+
+    @staticmethod
+    def _parse_metadata(metadata: dict[str, Any]) -> AuthServerMetadata | None:
+        authorization_endpoint = metadata.get("authorization_endpoint")
+        token_endpoint = metadata.get("token_endpoint")
+        if not authorization_endpoint or not token_endpoint:
+            logger.warning(
+                "Discovered metadata missing required endpoints "
+                "(authorization_endpoint=%s, token_endpoint=%s)",
+                authorization_endpoint,
+                token_endpoint,
+            )
+            return None
+
+        scopes: list[str] | None = None
+        scopes_supported = metadata.get("scopes_supported")
+        if isinstance(scopes_supported, list):
+            scopes = [s for s in scopes_supported if isinstance(s, str)]
+
+        return AuthServerMetadata(
+            authorization_endpoint=authorization_endpoint,
+            token_endpoint=token_endpoint,
+            registration_endpoint=metadata.get("registration_endpoint"),
+            issuer=metadata.get("issuer"),
+            scopes_supported=scopes,
+        )
+
+    async def discover(self, *, resource_url: str) -> AuthServerMetadata | None:
+        """Discover OAuth authorization server metadata for a resource URL.
+
+        Args:
+            resource_url: The URL of the resource server (e.g. an MCP server).
+
+        Returns:
+            AuthServerMetadata if discovery succeeds, None otherwise.
+        """
+        base_url = self._extract_base_url(resource_url)
+
+        well_known_urls = [
+            f"{base_url}/.well-known/oauth-authorization-server",
+            f"{base_url}/.well-known/openid-configuration",
+        ]
+
+        async with httpx.AsyncClient(timeout=_DISCOVERY_TIMEOUT) as client:
+            for url in well_known_urls:
+                try:
+                    response = await client.get(url)
+                    if response.status_code != 200:
+                        logger.debug(
+                            "Discovery fetch %s returned status %s, skipping",
+                            url,
+                            response.status_code,
+                        )
+                        continue
+                    metadata = response.json()
+                    result = self._parse_metadata(metadata)
+                    if result is not None:
+                        logger.info(
+                            "Discovered auth server metadata from %s for resource %s",
+                            url,
+                            resource_url,
+                        )
+                        return result
+                except httpx.TimeoutException:
+                    logger.debug("Discovery fetch %s timed out", url)
+                except (httpx.HTTPError, ValueError) as e:
+                    logger.debug("Discovery fetch %s failed: %s", url, e)
+
+        logger.info("No auth server metadata discovered for resource %s", resource_url)
+        return None

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib/auth/well_known_configuration/well_known_configuration_cache.py

@@ -92,10 +92,11 @@ class WellKnownConfigurationCache:
     async def read_list_async(self, *, auth_configs: list[AuthConfig]) -> None:
         """Fetch and cache discovery documents for multiple auth configs.
 
+        Configs without a ``well_known_uri`` (e.g. explicit-endpoint configs)
+        are silently skipped.
+
         Args:
-            auth_configs: List of OIDC authorization configurations (must have well_known_uri).
-        Returns:
-            A list of WellKnownConfigurationCacheResult for successfully fetched configs.
+            auth_configs: List of OIDC authorization configurations.
         Notes:
             - Populates the in-memory cache and optional backing store.
             - Aggregates JWKS into the class-level jwks KeySet.

oidcauthlib-3.0.4/oidcauthlib/utilities/url_validator.py

@@ -0,0 +1,112 @@
+"""SSRF-safe URL validation for outbound HTTP requests.
+
+Validates URLs before making HTTP requests to prevent Server-Side Request
+Forgery (SSRF) attacks.  Enforces HTTPS-only, rejects private/reserved IP
+ranges, and resolves hostnames to verify the target is not internal.
+"""
+
+import ipaddress
+import logging
+import socket
+from urllib.parse import urlparse
+
+from oidcauthlib.utilities.logger.log_levels import SRC_LOG_LEVELS
+
+logger = logging.getLogger(__name__)
+logger.setLevel(SRC_LOG_LEVELS["AUTH"])
+
+_BLOCKED_NETWORKS = [
+    ipaddress.ip_network("127.0.0.0/8"),  # loopback
+    ipaddress.ip_network("10.0.0.0/8"),  # RFC 1918
+    ipaddress.ip_network("172.16.0.0/12"),  # RFC 1918
+    ipaddress.ip_network("192.168.0.0/16"),  # RFC 1918
+    ipaddress.ip_network("169.254.0.0/16"),  # link-local
+    ipaddress.ip_network("0.0.0.0/8"),  # "this" network
+    ipaddress.ip_network("100.64.0.0/10"),  # carrier-grade NAT
+    ipaddress.ip_network("192.0.0.0/24"),  # IETF protocol assignments
+    ipaddress.ip_network("198.18.0.0/15"),  # benchmark testing
+    ipaddress.ip_network("::1/128"),  # IPv6 loopback
+    ipaddress.ip_network("fc00::/7"),  # IPv6 unique-local
+    ipaddress.ip_network("fe80::/10"),  # IPv6 link-local
+    ipaddress.ip_network("::ffff:0:0/96"),  # IPv4-mapped IPv6
+]
+
+_BLOCKED_HOSTNAMES = frozenset(
+    {
+        "localhost",
+        "localhost.localdomain",
+        "metadata.google.internal",  # GCP metadata
+        "169.254.169.254",  # AWS/Azure/GCP metadata endpoint
+    }
+)
+
+
+def _is_ip_address(value: str) -> bool:
+    """Return True if the string is a valid IPv4 or IPv6 address."""
+    try:
+        ipaddress.ip_address(value)
+    except ValueError:
+        return False
+    return True
+
+
+def _is_private_ip(addr: str) -> bool:
+    """Check whether an IP address falls in a blocked network range."""
+    try:
+        ip = ipaddress.ip_address(addr)
+    except ValueError:
+        return True  # unparseable → reject
+    return any(ip in network for network in _BLOCKED_NETWORKS)
+
+
+def validate_url(url: str, *, allow_http: bool = False) -> str:
+    """Validate a URL for safe outbound HTTP requests.
+
+    Args:
+        url: The URL to validate.
+        allow_http: If True, permit ``http://`` in addition to ``https://``.
+            Defaults to False (HTTPS only).
+
+    Returns:
+        The validated URL (unchanged).
+
+    Raises:
+        ValueError: If the URL fails any validation check.
+    """
+    parsed = urlparse(url)
+
+    # --- scheme ---
+    allowed_schemes = {"https"} if not allow_http else {"https", "http"}
+    if parsed.scheme not in allowed_schemes:
+        raise ValueError(
+            f"URL scheme must be {' or '.join(sorted(allowed_schemes))}, "
+            f"got '{parsed.scheme}' in '{url}'"
+        )
+
+    # --- hostname ---
+    hostname = parsed.hostname
+    if not hostname:
+        raise ValueError(f"URL is missing a hostname: '{url}'")
+
+    if hostname.lower() in _BLOCKED_HOSTNAMES:
+        raise ValueError(f"URL hostname '{hostname}' is blocked")
+
+    # --- reject raw IP addresses as hostnames ---
+    # SSL/TLS certificates are issued for domain names, not IPs.
+    # A raw IP bypasses proper certificate validation.
+    if _is_ip_address(hostname):
+        raise ValueError(f"URL must use a hostname, not a raw IP address: '{hostname}'")
+
+    # --- resolve DNS and check all IPs ---
+    try:
+        addr_infos = socket.getaddrinfo(hostname, parsed.port or 443)
+    except socket.gaierror as exc:
+        raise ValueError(f"Cannot resolve hostname '{hostname}': {exc}") from exc
+
+    for _family, _type, _proto, _canonname, sockaddr in addr_infos:
+        ip_str = str(sockaddr[0])
+        if _is_private_ip(ip_str):
+            raise ValueError(f"URL '{url}' resolves to blocked IP {ip_str}")
+
+    logger.debug("URL validated: %s", url)
+    return url

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4/oidcauthlib.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: oidcauthlib
-Version: 3.0.2
+Version: 3.0.4
 Summary: oidcauthlib
 Home-page: https://github.com/icanbwell/oidc-auth-lib
 Author: Imran Qureshi

{oidcauthlib-3.0.2 → oidcauthlib-3.0.4}/oidcauthlib.egg-info/SOURCES.txt

@@ -53,6 +53,8 @@ oidcauthlib/auth/repository/mongo/mongo_repository.py
 oidcauthlib/auth/routers/__init__.py
 oidcauthlib/auth/routers/auth_router.py
 oidcauthlib/auth/well_known_configuration/__init__.py
+oidcauthlib/auth/well_known_configuration/auth_server_metadata.py
+oidcauthlib/auth/well_known_configuration/auth_server_metadata_discovery.py
 oidcauthlib/auth/well_known_configuration/well_known_configuration_cache.py
 oidcauthlib/auth/well_known_configuration/well_known_configuration_cache_result.py
 oidcauthlib/auth/well_known_configuration/well_known_configuration_manager.py
@@ -72,6 +74,7 @@ oidcauthlib/storage/storage_factory_creator.py
 oidcauthlib/utilities/__init__.py
 oidcauthlib/utilities/cached.py
 oidcauthlib/utilities/mongo_url_utils.py
+oidcauthlib/utilities/url_validator.py
 oidcauthlib/utilities/environment/__init__.py
 oidcauthlib/utilities/environment/abstract_environment_variables.py
 oidcauthlib/utilities/environment/oidc_environment_variables.py
@@ -85,7 +88,6 @@ tests/test_mongo_url_utils.py
 tests/test_simple.py
 tests/auth/__init__.py
 tests/auth/conftest.py
-tests/auth/test_auth_config_explicit_endpoints.py
 tests/auth/test_auth_helper.py
 tests/auth/test_auth_helper2.py
 tests/auth/test_auth_manager.py
@@ -95,9 +97,9 @@ tests/auth/cache/test_oauth_memory_cache.py
 tests/auth/config/__init__.py
 tests/auth/config/test_auth_config.py
 tests/auth/config/test_auth_config_reader.py
+tests/auth/config/test_auth_config_reader_register.py
 tests/auth/config/test_auth_config_reader_thread_safety.py
 tests/auth/dcr/__init__.py
-tests/auth/dcr/conftest.py
 tests/auth/dcr/test_dcr_client.py
 tests/auth/dcr/test_dcr_manager.py
 tests/auth/middleware/__init__.py
@@ -115,6 +117,7 @@ tests/auth/repository/mongo/__init__.py
 tests/auth/repository/mongo/test_mongo_repository.py
 tests/auth/repository/mongo/test_mongo_repository_real.py
 tests/auth/well_known_configuration/__init__.py
+tests/auth/well_known_configuration/test_auth_server_metadata_discovery.py
 tests/auth/well_known_configuration/test_well_known_configuration_cache.py
 tests/auth/well_known_configuration/test_well_known_configuration_manager.py
 tests/storage/__init__.py
@@ -124,4 +127,5 @@ tests/storage/test_mongo_store_factory.py
 tests/storage/test_storage_factory_security.py
 tests/utilities/__init__.py
 tests/utilities/test_cached.py
-tests/utilities/test_mongo_url_utils.py
+tests/utilities/test_mongo_url_utils.py
+tests/utilities/test_url_validator.py