2i9ddlZ ddlmZddlZej eZdZdZ dZ dZ dZ dZ dZeed d d e d d dede e e g ZgdZdZdZdZGddeZGddeZdZdZdZy#e$r ddlmZYrwxYw)N)urlparsezlogin.microsoftonline.uszlogin.chinacloudapi.cnzlogin.microsoftonline.comzlogin.sovcloud-identity.frzlogin.sovcloud-identity.dezlogin.sovcloud-identity.sgzlogin.microsoft.comzlogin.windows.netzsts.windows.netz login.partner.microsoftonline.cnzlogin.microsoftonline.dezlogin-us.microsoftonline.comzlogin.usgovcloudapi.net)z b2clogin.comz b2clogin.cnz b2clogin.usz b2clogin.dez ciamlogin.comz.ciamlogin.comc"|tvr|StS)N)WELL_KNOWN_AUTHORITY_HOSTS WORLD_WIDEinstances D/var/www/html/qr/venv/lib/python3.12/site-packages/msal/authority.py_get_instance_discovery_hostr -s#==8M:Mc6djt|S)Nz$https://{}/common/discovery/instance)formatr rs r _get_instance_discovery_endpointr1s 1 8 8$X. 00r ceZdZdZdZy)AuthorityBuilderc\|jd|_|jd|_y)zA helper to save caller from doing string concatenation. Usage is documented in :func:`application.ClientApplication.__init__`. /N)rstrip _instancestrip_tenant)selfrtenants r __init__zAuthorityBuilder.__init__7s$ "-||C( r cNdj|j|jS)Nz https://{}/{})r rr)rs r __str__zAuthorityBuilder.__str__?s%%dnndllCCr N)__name__ __module__ __qualname__rrr r rr6s )Dr rcHeZdZdZegZ ddZdZdZd dZ dZ y) AuthorityzThis class represents an (already-validated) authority. Once constructed, it contains members named "*_endpoint" for this instance. TODO: It will also cache the previously-validated authority instances. Nc^||_||_|r|j|}n|j|||} t ||j}|jd|_|d|_ |d|_ |jd|_ t|j\} } |_ |jr7|js&t d j |j| y y #t $r4|rdj |ndj |dz}t |wxYw) a`Creates an authority instance, and also validates it. :param validate_authority: The Authority validation process actually checks two parts: instance (a.k.a. host) and tenant. We always do a tenant discovery. This parameter only controls whether an instance discovery will be performed. zUnable to get OIDC authority configuration for {url} because its OIDC Discovery endpoint is unavailable at {url}/.well-known/openid-configuration )urlzUnable to get authority configuration for {}. Authority would typically be in a format of https://login.microsoftonline.com/your_tenant or https://tenant_name.ciamlogin.com or https://tenant_name.b2clogin.com/tenant.onmicrosoft.com/policy. z> Also please double check your tenant name or GUID is correct.issuerauthorization_endpointtoken_endpointdevice_authorization_endpointavThe issuer '{iss}' does not match the authority '{auth}' or a known pattern. When using the 'oidc_authority' parameter in ClientApplication, the authority will be validated against the issuer from {auth}/.well-known/openid-configuration .If using a known Entra authority (e.g. login.microsoftonline.com) the 'authority' parameter should be used instead of 'oidc_authority'. )issauthN) _http_client_oidc_authority_url_initialize_oidc_authority_initialize_entra_authoritytenant_discovery ValueErrorr get_issuerr%r&r' canonicalizerhas_valid_issuer) r authority_url http_clientvalidate_authorityinstance_discoveryoidc_authority_urltenant_discovery_endpoint openid_config error_message_s r rzAuthority.__init__KsZ(#5 (,(G(G")$ %)-(H(H13E)G % ,,)!!#M"%((2 &34L&M#+,<=-:->->?^-_*()<)<=1dk  # #D,A,A,C f,>f?A A-D #+ , &::@&EW&:XV  &T UM]+ + ,s C//=D,ct|\}|_}|jdk(|_d|_d|_|dzS)NadfsTz!/.well-known/openid-configuration)r2rloweris_adfs_is_b2c_is_known_to_developer)rr8 authorityrs r r,z$Authority._initialize_oidc_authoritysE+78J+K( 4=&||~/  '+#!$GGGr c t|tr t|}t|\}_}jj t }|jdk(xr| _|jjd}tfdtDxs2t|dk(xr"|djjd_jxsjxs| _jt"v}|dvrt%jn|} | rr|spj sdt'dj)j|jj*| } | j-d d k(rt/d |z| d } | S|j1d j)|rt|jdkr|n |jjrdndj3} | S)Nr>rc3ZK|]"}jjd|z$yw.N)rendswith).0drs r z8Authority._initialize_entra_authority..s)01DMM " "37 +s(+b2c_)NTz"https://{}{}/oauth2/v2.0/authorizeerrorinvalid_instancezinvalid_instance: The authority you provided, %s, is not known. If it is a valid domain name known to you, you can turn off this check by passing in instance_discovery=Falser9z2{prefix}{version}/.well-known/openid-configurationz/v2.0)prefixversion)path) isinstancerstrr2rrH_CIAM_DOMAIN_SUFFIXr?r@rUsplitanyWELL_KNOWN_B2C_HOSTSlen startswithrArBrr_instance_discoveryr r*r0r/_replacegeturl) rr4r6r7rCris_ciampartsis_known_to_microsoftinstance_discovery_endpointpayloadr9s ` r r-z%Authority._initialize_entra_authoritys m%5 6 .M+7 +F( 4=&--(()<=||~/?K $$S)5IKe*/IeAhnn&6&A&A&&I '+ll&\dll&\J\F\# $ 1K K$|3'G MM'9K $ '%)D)D)4;;MM9>>3!!+ -G {{7#'99 / $ $%%)00K(L %)()2(:(:IPP%,Y^^1D1I6&^^"&,,BGQ);) &( &)(r c|j|jjvr|xs;|jj dj |j|d|d}|j dk7r/|jtj|jS|jjj|jiS)Nz 5 @D 3&%%'zz$)),, NN @ @ D DT]] S r c|jr |jsy|jjd|jjdk(ryt|j}t|j}|jr|jj ndsyt vryjd}|dkDrF|dzd}dd|vr7|t vry|jr|jj nd}||k(ry|j|jk(r|j|jk(rytfd tDryy) a] Returns True if the issuer from OIDC discovery is valid for this authority. An issuer is valid if one of the following is true: - It exactly matches the authority URL (with/without trailing slash) - It has the same scheme and host as the authority (path can be different) - The issuer host is a well-known Microsoft authority host - The issuer host is a regional variant of a well-known host (e.g., westus2.login.microsoft.com) - For CIAM, hosts that end with well-known B2C hosts (e.g., tenant.b2clogin.com) are accepted as valid issuers FrTNrGrrQrRc3FK|]}jd|zywrF)rH)rIh issuer_hosts r rKz-Authority.has_valid_issuer..s K{##C!G,Ks!) r1r+rrhostnamer?rfindschemergrZr[)r issuer_parsedauthority_parsed dot_indexpotential_baseauthority_hostrzs @r r3zAuthority.has_valid_issuersM||4#;#; <<  s #t'?'?'F'Fs'K K . #D$<$<=8E8N8Nm,,224TX  4 4 $$S) q=(Q8N+jy11!%??GWF_F_!1!:!:!@!@!Beg!^3  # #}';'; ;  # #}';'; ; K6JK Kr )TNN)NN) rrr__doc__setrlrr,r-rvr3rr r r!r!Cs; -0G) $## 7ApH-)^ 7r r!ct|}|jdk(r|jr|jj d}t |dk\r |dr|dnd}|jj trE|r|n1dj|jjtdd}||j|fSt |dk\r|dr||j|dfStd|z)NhttpsrrMrQz{}.onmicrosoft.comraYour given address (%s) should consist of an https url with hostname and a minimum of one segment in a path: e.g. https://login.microsoftonline.com/{tenant} or https://{tenant_name}.ciamlogin.com/{tenant} or https://{tenant_name}.b2clogin.com/{tenant_name}.onmicrosoft.com/policy) rr}r{rUrYr\rHrXr rsplitr/)authority_or_auth_endpointrCrb first_partrs r r2r2s34I7"y'9'9$$S)!$UqU1XU1X4    & &': ;#-Z3G3N3N""))*=qA!D4FFi00&8 8 u:?uQxi00%(: :  U %  % &&r c p|j|fd|ddi|}tj|jS)Nparamsz1.0)r%z api-version)r0rorprq)r#r5rdkwargsrus r r^r^sA ;??# *-eD   D ::dii  r c ||j|fi|}|jdk(rtj|jSd|jcxkrdkr3nn0t dj ||j|j|jtd|j|jfz)Niiz7OIDC Discovery failed on {}. HTTP status: {}, Error: {}z)Unable to complete OIDC Discovery: %d, %s) r0rmrorprqr/r rn RuntimeError)r9r5rrus r r.r."s ;??4 ? ?D 3zz$))$$ d$$RYY %    II    3t7G7G6SS UUr )ro urllib.parser ImportErrorlogging getLoggerrloggerAZURE_US_GOVERNMENTDEPRECATED_AZURE_CHINA AZURE_PUBLIC AZURE_GOV_FR AZURE_GOV_DE AZURE_GOV_SGr frozensetrr[rXr robjectrr!r2r^r.rr r rs "%   8 $11* + + + ( &&"( 'N0 Dv DB&.!U}"!"sA11 A?>A?