| 64 | def create_auth_routes( |
| 65 | provider: OAuthAuthorizationServerProvider[Any, Any, Any], |
| 66 | issuer_url: AnyHttpUrl, |
| 67 | service_documentation_url: AnyHttpUrl | None = None, |
| 68 | client_registration_options: ClientRegistrationOptions | None = None, |
| 69 | revocation_options: RevocationOptions | None = None, |
| 70 | ) -> list[Route]: |
| 71 | validate_issuer_url(issuer_url) |
| 72 | |
| 73 | client_registration_options = client_registration_options or ClientRegistrationOptions() |
| 74 | revocation_options = revocation_options or RevocationOptions() |
| 75 | metadata = build_metadata( |
| 76 | issuer_url, |
| 77 | service_documentation_url, |
| 78 | client_registration_options, |
| 79 | revocation_options, |
| 80 | ) |
| 81 | client_authenticator = ClientAuthenticator(provider) |
| 82 | |
| 83 | # Create routes |
| 84 | # Allow CORS requests for endpoints meant to be hit by the OAuth client |
| 85 | # (with the client secret). This is intended to support things like MCP Inspector, |
| 86 | # where the client runs in a web browser. |
| 87 | routes = [ |
| 88 | Route( |
| 89 | "/.well-known/oauth-authorization-server", |
| 90 | endpoint=cors_middleware( |
| 91 | MetadataHandler(metadata).handle, |
| 92 | ["GET", "OPTIONS"], |
| 93 | ), |
| 94 | methods=["GET", "OPTIONS"], |
| 95 | ), |
| 96 | Route( |
| 97 | AUTHORIZATION_PATH, |
| 98 | # do not allow CORS for authorization endpoint; |
| 99 | # clients should just redirect to this |
| 100 | endpoint=AuthorizationHandler(provider).handle, |
| 101 | methods=["GET", "POST"], |
| 102 | ), |
| 103 | Route( |
| 104 | TOKEN_PATH, |
| 105 | endpoint=cors_middleware( |
| 106 | TokenHandler(provider, client_authenticator).handle, |
| 107 | ["POST", "OPTIONS"], |
| 108 | ), |
| 109 | methods=["POST", "OPTIONS"], |
| 110 | ), |
| 111 | ] |
| 112 | |
| 113 | if client_registration_options.enabled: # pragma: no branch |
| 114 | registration_handler = RegistrationHandler( |
| 115 | provider, |
| 116 | options=client_registration_options, |
| 117 | ) |
| 118 | routes.append( |
| 119 | Route( |
| 120 | REGISTRATION_PATH, |
| 121 | endpoint=cors_middleware( |