Build `AuthSettings` for the co-hosted authorization + resource server. The issuer and resource URLs use the suite's loopback origin, which `validate_issuer_url` accepts in lieu of HTTPS. Dynamic client registration is enabled. `valid_scopes` defaults to `required_scopes` so a client requesting exactly those passes registration scope validation.
(
*, required_scopes: Sequence[str] = ("mcp",), valid_scopes: Sequence[str] | None = None
)
| 178 | |
| 179 | |
def auth_settings(
    *,
    required_scopes: Sequence[str] = ("mcp",),
    valid_scopes: Sequence[str] | None = None,
) -> AuthSettings:
    """Return the `AuthSettings` shared by the co-hosted authorization and resource server.

    Both the issuer URL and the resource-server URL are derived from `BASE_URL`, the suite's
    loopback origin, which `validate_issuer_url` accepts in lieu of HTTPS. Dynamic client
    registration is switched on and revocation is switched off.

    Args:
        required_scopes: Scopes the resource server requires; also used as the registration
            `default_scopes`.
        valid_scopes: Scopes a client is allowed to register. When omitted, it falls back to
            `required_scopes`, so a client asking for exactly those passes registration scope
            validation. Tests supply a wider set when the protected-resource metadata's
            `scopes_supported` (which mirrors `required_scopes`) must differ from what a
            client may register, or when AS metadata should advertise extra scopes such as
            `offline_access`.

    Returns:
        The assembled `AuthSettings`.
    """
    # NOTE(review): this is a test-suite posture. A non-HTTPS loopback issuer, enabled dynamic
    # client registration and disabled revocation are acceptable for the suite only; do not
    # copy these values into a deployed server's configuration.
    mandatory_scopes = list(required_scopes)
    if valid_scopes is None:
        # Same list object as `mandatory_scopes`, exactly as the fallback has always behaved.
        registrable_scopes = mandatory_scopes
    else:
        registrable_scopes = list(valid_scopes)

    return AuthSettings(
        issuer_url=AnyHttpUrl(BASE_URL),
        resource_server_url=AnyHttpUrl(f"{BASE_URL}/mcp"),
        required_scopes=mandatory_scopes,
        client_registration_options=ClientRegistrationOptions(
            enabled=True,
            valid_scopes=registrable_scopes,
            default_scopes=mandatory_scopes,
        ),
        revocation_options=RevocationOptions(enabled=False),
    )
| 203 | |
| 204 | |
| 205 | def oauth_client_metadata() -> OAuthClientMetadata: |