2i1fddlZddlZddlZddlZddlZddlZddlZddlmZddl m Z m Z ddl m Z ejeZdZehdZdZd Zd ZGd d eZGd deZy)N) canonicalize) decode_partdecode_id_token)Clientbroker>codescopeclaimskey_idreq_cnfpasswordusername assertion client_id grant_type token_type device_code redirect_uri client_secret code_verifier refresh_tokenclient_assertionrequested_token_useclient_assertion_typec|sy|jDcic]\}}|tvr|r |t|c}}sydjfdt j D}t j|jdj}tj|jdjdjScc}}w)a2Compute an extended cache key hash from extra body parameters in *data*. All fields in *data* that go on the wire are included in the hash, EXCEPT those listed in ``_EXT_CACHE_KEY_EXCLUDED_FIELDS``. This ensures tokens acquired with different parameter values (e.g., different FMI paths) are cached separately. Returns an empty string when *data* has no hashable fields. The algorithm matches the Go MSAL implementation (CacheExtKeyGenerator): sorted key+value pairs are concatenated and SHA256 hashed, then base64url encoded. c3.K|] }||zywN).0kcache_componentss F/var/www/html/qr/venv/lib/python3.12/site-packages/msal/token_cache.py z)_compute_ext_cache_key..]s!$% Q szutf-8=ascii)items_EXT_CACHE_KEY_EXCLUDED_FIELDSstrjoinsortedkeyshashlibsha256encodedigestbase64urlsafe_b64encoderstripdecodelower)datar"vkey_str hash_bytesr#s @r$_compute_ext_cache_keyr;Gs "jjla 2 2q 3q6  gg)/0@0E0E0G)HGw 78??AJ  # #J / 6 6t < C CG L R R TTs C#c t|fi||k(Sr)dict)smallbigs r$ is_subdict_ofr@ds  u  $$cD|jd|jdS)Npreferred_usernameupn)get)id_token_claimss r$ _get_usernamerGgs&   E" $$rAc eZdZdZGddZGddZdZ ddZdd Zdd Z e dd e d e d e de fdZddddZddddZddZdZddZddZdZdZdZdZdZy) TokenCacheaThis is considered as a base class containing minimal cache behavior. Although it maintains tokens using unified schema across all MSAL libraries, this class does not serialize/persist them. See subclass :class:`SerializableTokenCache` for details on serialization. c$eZdZdZdZdZdZdZdZy)TokenCache.CredentialType AccessTokenatext RefreshTokenAccountIdToken AppMetadataN) __name__ __module__ __qualname__ ACCESS_TOKENACCESS_TOKEN_EXTENDED REFRESH_TOKENACCOUNTID_TOKEN APP_METADATAr rAr$CredentialTyperKts!$ '& $ rAr[ceZdZdZdZy)TokenCache.AuthorityTypeADFSMSSTSN)rRrSrTr^r_r rAr$ AuthorityTyper]|s rAr`c Ztj_i_jj dfd jj ddjj dfd jjddjjd di_ y) Nc dj|xsd|xsdjj|xsdd|xsdgjSN-r)r+r[rWr6)home_account_id environmentrtarget!ignored_payload_from_a_real_tokenselfs r$z%TokenCache.__init__..sRHH'-2#)r++99!R " !57rAc dj|xsd|xsd|rdnd|xsd|xsd|xsdg|r|gngzjS)NrdrrMrLr+r6)rerfrrealmrg ext_cache_keyrhs r$rjz%TokenCache.__init__..sb HH'-2#)r$1m!R  " 1>m_2 G  %'#rAcdj|xsd|xsdjj|xsd|xsddgjSrc)r+r[rYr6)rerfrrmrhris r$rjz%TokenCache.__init__..sRHH'-2#)r++44!R  !57rAc^dj|xsd|xsd|xsdgjSrcrl)rerfrm!ignored_payload_from_a_real_entrys r$rjz%TokenCache.__init__..s8HH'-2#)r !57 rAc6dj|xsd|xsdS)Nzappmetadata-{}-{}r)format)rfrkwargss r$rjz%TokenCache.__init__..s '..{/@b)/rRrA)NNNN)NNNNNN)NNNNN) threadingRLock_lock_cacher[rWrUrYrXrZ key_makersris`r$__init__zTokenCache.__init__s__&      - -IM# #    , ,IM+/&*"$    ( (IM" #    ' '#    , ,Sk7rANc |j|jj|jtjj||||dj |||S)N )rerfrrmrgrndefault)_getr[rUrzrIr+)rirerfrrmrgrnrs r$_get_access_tokenzTokenCache._get_access_tokensh yy    , , CDOOJ55BB C /'#xx'+    rAc|j|jj|jtjj|||S)N)rfrr)rr[rZrzrI)rirfrrs r$_get_app_metadatazTokenCache._get_app_metadatasQyy    , , CDOOJ55BB C'#   rAc|j5|jj|ij||cdddS#1swYyxYwr)rxryrE)ricredential_typekeyrs r$rzTokenCache._getsA ZZ J;;???B7;;CI J J Js ,AA entryquery target_setreturnc $|rI|jDcic]-\}}||dk(r t|tr|jn|/c}}ni}t ||xr0|r,|t |j ddjkSdScc}}w)NrfrgrT)r( isinstancer*r6r@setrEsplit)rrrr"r8 query_with_lowercase_environments r$ _is_matchingzTokenCache._is_matchings , 1 A.:a3Eqwwy1 L,  ) =uE% #eii"5;;=> > %# % , s2B nowc #Kt|xsg}t|tsJdd}||jjk(rlt|t r\d|vrXd|vrTd|vrPd|vrL|rJ|j |d|d|d|d||jd}|r|j||r|t|}|j5t|tjn|}g}|jj|ijD]}||jjk(r#t|d |kr|j|?||k7sE|j||| sZ||jjk(r d|vr d|xsivr||D]} |j!|  dddy#1swYyxYww) zReturns a generator of matching entries. It is O(1) for AT hits, and O(n) for other types. Note that it holds a lock during the entire search. zInvalid parameter typeNrerfrrmrn)rn expires_on)r)r,rlistr[rUr=rrErrrxinttimeryvaluesappend remove_at) rirrgrrpreferred_resultrexpired_access_tokensrats r$searchzTokenCache.searchs  "%&$'A)AA' t22?? ?5$'!U*}/Eu$E)9f#55'(% *>k"E'NF#ii8 6 :  D$5$5 %%'&[ ZZ #S[diikc:C% ! "=DDF #t':':'G'GGE,/036)007--))%:)N(4+>+>+K+KK+u4+EKR@ K# $, #r" #5 # # #s,CG BF=F=/AF=4 G =GG crtjdtt|j ||||S)z Equivalent to list(search(...)).z7Use list(search(...)) instead to explicitly get a list.)rgrr)warningswarnDeprecationWarningrr)rirrgrrs r$findzTokenCache.finds3 E  DKKeQTKUVVrAc d}t|||jdid||jdid}tjdt j |dd t |j|| S) z:Handle a token obtaining event, and add tokens into cache.cb|jDcic]\}}|||vrdn|c}}Scc}}w)Nz********)r() dictionarysensitive_fieldsr"r8s r$make_clean_copyz'TokenCache.add..make_clean_copy's@',,.Aq&6!6:A= s+r7)rrrrresponse)rF access_tokenrid_tokenr)r7rzevent=%sT)indent sort_keysrr)r=rEloggerdebugjsondumpsr*_TokenCache__add)rieventrr clean_events r$addzTokenCache.add%s    62!69%UYYz2%>A    Z  "  zz%Sz))rAcd|vr=tjt|d}d|vrd|vr|djdi|fS|r |d}d|i|fSidfS)z&Return client_info and home_account_id client_infouidutidz {uid}.{utid}subNr )rloadsrrs)rirrFrrs r$__parse_accountzTokenCache.__parse_account?sr H $**[-1H%IJK #+(="$9N$9$9$HK$HHH !%(C3<$ $4xrAcB dx}}d|vrt|d\}}}d|vr|d}|jdi}|jdi}|jd}|jd} |jd} |jdxs| rt| |d  ni} |j|| \} } d j t |jd xsg}|j 5t|tjn|}|rC|jd rt|jd |z nd}t|jd|}t|jd|}|jj|| ||jd |||jddt|t||zt||zd }|j|Dcic] }|dvs|||c}t|}|r||d<d|vr|d}t||z|d<|j|jj||| r|jds| |||jd| jd| jdt| xs(|jdxs|jdxsd|jd|dk(r|j j"n|j j$d }t&d!d"t(j*d#f}|jd$|vr|d$|d%<|j|jj,||| rS|jj.| | |||jd d&}|j|jj.||| ri|jj0| | ||jd |t|d'}d(|vr|d(|d)<|j|jj0|||jd |d*}d(|vr|jd(|d)<|j|jj2||dddycc}w#1swYyxYw)+Ntoken_endpointrfrr7rrrrFr)rr~r riX expires_inext_expires_inrBearer) rsecretrerfrrgrmr cached_atrextended_expires_on>r rn refresh_in refresh_onskip_account_creation _account_idoidrrrauthority_typeadfs)rerfrmlocal_account_idrrauthorization_coder GRANT_TYPEraccount_source)rrrerfrmr)rrrerfrrglast_modification_timefoci family_id)rrf)rrEr_TokenCache__parse_accountr+r,rxrrr[rUr*updater;modifyrGr`r^r__GRANT_TYPE_BROKERr DEVICE_FLOWrXrYrWrZ)rirrrfrm_rr7rrrrFrrergdefault_expires_inrrrr"rnraccount%grant_types_that_establish_an_accountidtrt app_metadatas r$__addzTokenCache.__addLs#" e u $$07G1H$I !A{E E ! .K99Z,yy$||N3  _5 << +",,'89YGOOHk0B CUW (,';';Ho'V$ _&7!3!9r:; ZZb VS[diikc:C"l3 \23c99<#!LL/ABD !$ << *-"/(,':':'G'G*'6#.!&;!7$""*,,|X"F!$S"%cJ&6"7+.s^/C+D  t!q=81d1g:!7t <  *7B'8+!),!7J'*3+;'!88J/! 99Z0!&+ii(38F?**//!%!3!3!9!9';&'(J RRRc$|j|di|}|j5|r,|jj|i}t |fi|||<n,|jj|ij |ddddy#1swYyxYw)Nr )rzrxry setdefaultr=pop)rir old_entrynew_key_value_pairsrentriess r$rzTokenCache.modifys/dooo.;; ZZ K"++00"E# +) +  &&;??TJ K K Ks ABBc|jd|jjk(sJ|j|jj|SNr)rEr[rWr)rirt_items r$ remove_rtzTokenCache.remove_rtsC{{,-1D1D1R1RRRR{{4..<eZdZdZdZfdZdfd ZdZdZxZ S)SerializableTokenCacheaThis serialization can be a starting point to implement your own persistence. This class does NOT actually persist the cache on disk/db/etc.. Depending on your need, the following simple recipe for file-based, unencrypted persistence may be sufficient:: import os, atexit, msal cache_filename = os.path.join( # Persist cache into this file os.getenv( # Automatically wipe out the cache from Linux when user's ssh session ends. # See also https://github.com/AzureAD/microsoft-authentication-library-for-python/issues/690 "XDG_RUNTIME_DIR", ""), "my_cache.bin") cache = msal.SerializableTokenCache() if os.path.exists(cache_filename): cache.deserialize(open(cache_filename, "r").read()) atexit.register(lambda: open(cache_filename, "w").write(cache.serialize()) # Hint: The following optional line persists only when state changed if cache.has_state_changed else None ) app = msal.ClientApplication(..., token_cache=cache) ... Alternatively, you may use a more sophisticated cache persistence library, `MSAL Extensions `_, which provides token cache persistence with encryption, and more. :var bool has_state_changed: Indicates whether the cache state in the memory has changed since last :func:`~serialize` or :func:`~deserialize` call. Fc <tt| |fi|d|_yNT)superrrhas_state_changed)rirrt __class__s r$rzSerializableTokenCache.adds  $d/@@!%rAc>tt| |||d|_yr)rrrr)rirrrrs r$rzSerializableTokenCache.modifys# $d2 Y(; =!%rAc|j5|rtj|ni|_d|_dddy#1swYyxYw)zEDeserialize the cache from a state previously obtained by serialize()FN)rxrrryr)ristates r$ deserializez"SerializableTokenCache.deserializes<ZZ +/4$**U+"DK%*D " + + +s &<Ac|j5d|_tj|jdcdddS#1swYyxYw)z0Serialize the current cache state into a string.Fr)rN)rxrrrryr{s r$ serializez SerializableTokenCache.serialize!s:ZZ 5%*D "::dkk!4 5 5 5s (?Ar) rRrSrTrrrrrr __classcell__)rs@r$rrs%@&& +5rAr)r2r.rrvrloggingr authorityroauth2cli.oidcrroauth2cli.oauth2r getLoggerrRrr frozensetr)r;r@rGobjectrIrr rAr$rs|   #8$   8 $<"+,"4U:%$ FFD 85Z85rA