# h:FSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSKrSSKJ r \R"\ 5r SSjr \ rSr"SS\5r"SS \5r"S S \5r"S S \5r"SS\5rSSjrSr"SS\5r"SS\ R45rg)N)oauth2cUS[U5*S--- n[U5n[R"U5nU(aUR U5nU$)aDecode a part of the JWT. JWT is encoded by padding-less base64url, based on `JWS specs `_. :param encoding: If you are going to decode the first 2 parts of a JWT, i.e. the header or the payload, the default value "utf-8" would work fine. If you are going to decode the last part i.e. the signature part, it is a binary string so you should use `None` as encoding here. =)lenstrbase64urlsafe_b64decodedecode)rawencodingoutputs E/var/www/html/env/lib/python3.13/site-packages/msal/oauth2cli/oidc.py decode_partrsT33s8)a-  C   C % %c *Fx( McX[R"S[R"U55$)Nz%Y-%m-%d %H:%M:%S)timestrftime localtime)epochs r_epoch_to_localr's ==,dnnU.C DDrc,^\rSrSrSrU4SjrSrU=r$) IdTokenError*zMIn unlikely event of an ID token is malformed, this exception will be raised.c>[[U] U<S[U5<S[R "[ UURS5(a[US5OSURS5(a[US5OSS9SS9<35 g)Nz Current epoch = z#. The id_token was approximately: iatexp)rrindent)superr__init__rjsondumpsdictgetselfreasonnowclaims __class__s rr#IdTokenError.__init__,ss lD* OC($**T6Make sure your computer's time and time zone are both correct.cN>[[U] US-UR-X#5 g)N )r"r9r# _SUGGESTIONr(s rr#_IdTokenTimeError.__init__7s% / d>N>N0NPS\rc@[R[U55 gN)loggerwarningr )r)s rlog_IdTokenTimeError.log9s s4y!rr/) r0r1r2r3r=r#rCr5r6r7s@rr9r95sRK] " "rr9c\rSrSrSrg)IdTokenIssuerErrorEr/Nr0r1r2r3r5r/rrrFrFErrFc\rSrSrSrg)IdTokenAudienceErrorHr/NrHr/rrrKrKHrIrrKc\rSrSrSrg)IdTokenNonceErrorKr/NrHr/rrrNrNKrIrrNc[R"[URS5S55n[ U=(d [ R "55nSnXg-UR SUS- 5:a[SXe5R5 U(aX%S:wa[SU-UU5eU(a=[US[5(aXS;OXS:HnU(d[S U-UU5eXg- US :a[S Xe5R5 U(a!X5R S 5:wa [S UU5eU$)axDecodes and validates an id_token and returns its claims as a dictionary. ID token claims would at least contain: "iss", "sub", "aud", "exp", "iat", per `specs `_ and it may contain other optional content such as "preferred_username", `maybe more `_ .rxnbfz!0. The ID token is not yet valid.issz2. The Issuer Identifier for the OpenID Provider, "%s", (which is typically obtained during Discovery), MUST exactly match the value of the iss (issuer) Claim.audz|3. The aud (audience) claim must contain this client's client_id "%s", case-sensitively. Was your client_id in wrong casing?rz 9. The ID token already expires.noncezX11. Nonce must be the same value as the one that was sent in the Authentication Request.)r$loadsrsplitintrr'r9rCrF isinstancelistrKrN) id_token client_idissuerrVr+decoded_nowskew valid_auds rdecode_id_tokenrcNsNjjX^^C%8%;<=G s!diik "D D {W[[q11 =tMQQS &EN*  FHN O    3= END4"4"I/'0EN'B &N   {WU^#>%,,w/ 0 : : <[[U] "U/UQ70UD6nSU;aURUS5US'U$)zThe result will also contain one more key "id_token_claims", whose value will be a dictionary returned by :func:`~decode_id_token`. r\id_token_claims)r"ry _obtain_tokenrc)r) grant_typeargskwargsretr-s rrClient._obtain_tokensGFD/ LTLVL  %)%9%9#j/%JC! " rc h>[R"S[5 [[U]"U4SU0UD6$)afGenerate an authorization uri to be visited by resource owner. Return value and all other parameters are the same as :func:`oauth2.Client.build_auth_request_uri`, plus new parameter(s): :param nonce: A hard-to-guess string used to mitigate replay attacks. See also `OIDC specs `_. z%Use initiate_auth_code_flow() insteadrV)warningswarnDeprecationWarningr"rybuild_auth_request_uri)r) response_typerVrr-s rrClient.build_auth_request_uris<  =?QRVT9 2!&2*02 2rc >[R"S[5 [[U]"U40UD6nUR S05R S5nSU;a U(aX%:wa[SU<SU<S35eU$)aGet a token via authorization code. a.k.a. Authorization Code Grant. Return value and all other parameters are the same as :func:`oauth2.Client.obtain_token_by_authorization_code`, plus new parameter(s): :param nonce: If you provided a nonce when calling :func:`build_auth_request_uri`, same nonce should also be provided here, so that we'll validate it. An exception will be raised if the nonce in id token mismatches. z,Use obtain_token_by_auth_code_flow() insteadrrVThe nonce in id token ("z") should match your nonce (""))rrrr"ry"obtain_token_by_authorization_coder' ValueError)r)coderVrresultnonce_in_id_tokenr-s rr)Client.obtain_token_by_authorization_codes~  :SURSS5;a [S5eU(a [U5O/nSU;aURS5 SR [ R "[RS55n[[U]."S U[U5S.UD6nXES'URS 5bUS US 'U$) a|Initiate an auth code flow. It provides nonce protection automatically. :param list scope: A list of strings, e.g. ["profile", "email", ...]. This method will automatically send ["openid"] to the wire, although it won't modify your input list. See :func:`oauth2.Client.initiate_auth_code_flow` in parent class for descriptions on other parameters and return value. r\rz+response_type="id_token ..." is not allowedopenid)scoperVrVmax_ager/) r'rr[appendjoinrandomsamplestring ascii_lettersr"ryinitiate_auth_code_flowrj)r)rr_scoperVflowr-s rrClient.initiate_auth_code_flows OR8 8JK K %e2 6 ! MM( # f&:&:B?@VT:> E 2>6<>W ::i ,$Y/DO rc >[[U] "X40UD6nSU;aURS05RS5n[ US5nXV:wa[ SU<SU<S35eURS5bURS05RS5nU(d [ S5e[ [R"55nS n X- XqS-:a4[ S RUUSU[R"USS S 9S 95eU$)aValidate the auth_response being redirected back, and then obtain tokens, including ID token which can be used for user sign in. Internally, it implements nonce to mitigate replay attack. It also implements PKCE to mitigate the auth code interception attack. See :func:`oauth2.Client.obtain_token_by_auth_code_flow` in parent class for descriptions on other parameters and return value. rrVrz") should match our nonce ("rr auth_timez<13. max_age was requested, ID token should contain auth_timerRz13. auth_time ({auth_time}) was requested, by using max_age ({max_age}) parameter, and now ({now}) too much time has elasped since last end-user authentication. The ID token was: {id_token}rr )rrr+r\) r"ryobtain_token_by_auth_code_flowr'rj RuntimeErrorrYrformatr$r%) r)auth_code_flow auth_responserrr expected_hashrr+rar-s rr%Client.obtain_token_by_auth_code_flows+vtC 5-35  & & +[[U[[45(aSR U5OUUUUUUUS9R 5V V s0sH upU cM X_M n n n [ [U]""SS[URS0540U D60UD6$s sn n f)aA native app can use this method to obtain token via a local browser. Internally, it implements nonce to mitigate replay attack. It also implements PKCE to mitigate the auth code interception attack. :param string display: Defined in `OIDC `_. :param string prompt: Defined in `OIDC `_. You can find the valid string values defined in :class:`oidc.Prompt`. :param int max_age: Defined in `OIDC `_. :param string ui_locales: Defined in `OIDC `_. :param string id_token_hint: Defined in `OIDC `_. :param string login_hint: Defined in `OIDC `_. :param string acr_values: Defined in `OIDC `_. See :func:`oauth2.Client.obtain_token_by_browser` in parent class for descriptions on other parameters and return value. r<)promptdisplayr ui_locales id_token_hint login_hint acr_values auth_paramsr/) r&rZr[tupleritemsr"ryobtain_token_by_browserpop) r)rrrrrrrrkvfiltered_paramsr-s rrClient.obtain_token_by_browser"sH,0'1&4-'H'H388F#f!'!!,eg,(,4113,(VT:VZZ r:NoN (s  BBr/r@)NNNNNNN)r0r1r2r3r4rcrrrrrrr5r6r7s@rryrysO O  22#J'V//rry)zutf-8)NNNN)r$r rrrrrfloggingrr getLoggerr0rAr base64decoderrrr9rFrKrNrcrjobjectrlryr/rrrs    8 $, E < " "    <   7t= V wV]]wr