i!SSKJr SSKrSSKrSSKJr SSKJr SSK J r SSK J r J r SSKJrJr SS KJr SS KJrJr SS KJr "S S 5rg)) annotationsN) lru_cache) SSLContext)Any) HTTPErrorURLError)PyJWKPyJWKSet)decode_complete)PyJWKClientConnectionErrorPyJWKClientError) JWKSetCachec\rSrSrS S SjjrS SjrSSSjjrSSSjjrSSjrSSjr \ SS j5r S r g) PyJWKClientNc Uc0nXlSUlX`lXplXlU(a&US::a[ SUS35e[ U5UlOSUlU(a [US9"UR5n Xlgg)uA client for retrieving signing keys from a JWKS endpoint. ``PyJWKClient`` uses a two-tier caching system to avoid unnecessary network requests: **Tier 1 — JWK Set cache** (enabled by default): Caches the entire JSON Web Key Set response from the endpoint. Controlled by: - ``cache_jwk_set``: Set to ``True`` (the default) to enable this cache. When enabled, the JWK Set is fetched from the network only when the cache is empty or expired. - ``lifespan``: Time in seconds before the cached JWK Set expires. Defaults to ``300`` (5 minutes). Must be greater than 0. **Tier 2 — Signing key cache** (disabled by default): Caches individual signing keys (looked up by ``kid``) using an LRU cache with **no time-based expiration**. Keys are evicted only when the cache reaches its maximum size. Controlled by: - ``cache_keys``: Set to ``True`` to enable this cache. Defaults to ``False``. - ``max_cached_keys``: Maximum number of signing keys to keep in the LRU cache. Defaults to ``16``. :param uri: The URL of the JWKS endpoint. :type uri: str :param cache_keys: Enable the per-key LRU cache (Tier 2). :type cache_keys: bool :param max_cached_keys: Max entries in the signing key LRU cache. :type max_cached_keys: int :param cache_jwk_set: Enable the JWK Set response cache (Tier 1). :type cache_jwk_set: bool :param lifespan: TTL in seconds for the JWK Set cache. :type lifespan: float :param headers: Optional HTTP headers to include in requests. :type headers: dict or None :param timeout: HTTP request timeout in seconds. :type timeout: float :param ssl_context: Optional SSL context for the request. :type ssl_context: ssl.SSLContext or None Nrz/Lifespan must be greater than 0, the input is "")maxsize) uri jwk_set_cacheheaderstimeout ssl_contextrrrget_signing_key) selfr cache_keysmax_cached_keys cache_jwk_setlifespanrrrrs Z/home/maestro/MAESTRO/maestro-backend/venv/lib/python3.13/site-packages/jwt/jwks_client.py__init__PyJWKClient.__init__sj ?G15  & 1}&EhZqQ"-X!6D !%D  '@AUAUVO#2 c|Sn[RRURURS9n[RR X R URS9n[R"U5nSSS5 UURbURRU5 $$!,(df  N9=f![[4a:n[U[5(aUR!5 [#SUS35UeSnAff=f!URbURRU5 ff=f)a5Fetch the JWK Set from the JWKS endpoint. Makes an HTTP request to the configured ``uri`` and returns the parsed JSON response. If the JWK Set cache is enabled, the response is stored in the cache. :returns: The parsed JWK Set as a dictionary. :raises PyJWKClientConnectionError: If the HTTP request fails. N)urlr)rcontextz'Fail to fetch data from the url, err: "r)urllibrequestRequestrrurlopenrrjsonloadrputr TimeoutError isinstancercloser )rjwk_setrresponsees r! fetch_dataPyJWKClient.fetch_data_s 0&&488T\\&JA''<<1A1A())H-!!-""&&w/.,' !Y'' ,9!A>  !!-""&&w/.sBA$C(B2?CD2 C<CD 5DD  D+D;cSnURb!U(dURR5nUcUR5n[U[5(d [ S5e[ R"U5$)aReturn the JWK Set, using the cache when available. :param refresh: Force a fresh fetch from the endpoint, bypassing the cache. :type refresh: bool :returns: The JWK Set. :rtype: PyJWKSet :raises PyJWKClientError: If the endpoint does not return a JSON object. Nz.The JWKS endpoint did not return a JSON object)rgetr6r0dictrr from_dict)rrefreshdatas r! get_jwk_setPyJWKClient.get_jwk_set|sf    )'%%))+D <??$D$%%"#ST T!!$''r$cURU5nURVs/sH*nURS;dMUR(dM(UPM, nnU(d [ S5eU$s snf)a_Return all signing keys from the JWK Set. Filters the JWK Set to keys whose ``use`` is ``"sig"`` (or unspecified) and that have a ``kid``. :param refresh: Force a fresh fetch from the endpoint, bypassing the cache. :type refresh: bool :returns: A list of signing keys. :rtype: list[PyJWK] :raises PyJWKClientError: If no signing keys are found. )sigNz2The JWKS endpoint did not contain any signing keys)r>keyspublic_key_usekey_idr)rr<r2 jwk_set_key signing_keyss r!get_signing_keysPyJWKClient.get_signing_keyssr""7+ '|| + ))]: ?J?Q?Q +  "#WX X sA'A' A'cUR5nURX!5nU(d6URSS9nURX!5nU(d[SUS35eU$)aYReturn the signing key matching the given ``kid``. If no match is found in the current JWK Set, the set is refreshed from the endpoint and the lookup is retried once. :param kid: The key ID to look up. :type kid: str :returns: The matching signing key. :rtype: PyJWK :raises PyJWKClientError: If no matching key is found after refreshing. T)r<z,Unable to find a signing key that matches: "r)rG match_kidr)rkidrF signing_keys r!rPyJWKClient.get_signing_keysh,,. nn\7 000>L..;K&B3%qIr$cd[USS0S9nUSnURURS55$)aReturn the signing key for a JWT by reading its ``kid`` header. Extracts the ``kid`` from the token's unverified header and delegates to :meth:`get_signing_key`. :param token: The encoded JWT. :type token: str or bytes :returns: The matching signing key. :rtype: PyJWK verify_signatureF)optionsheaderrK) decode_tokenrr9)rtoken unverifiedrQs r!get_signing_key_from_jwt$PyJWKClient.get_signing_key_from_jwts:"%2De1LM H%##FJJu$566r$cFSnUHnURU:XdMUn U$ U$)zFind a key in *signing_keys* that matches *kid*. :param signing_keys: The list of keys to search. :type signing_keys: list[PyJWK] :param kid: The key ID to match. :type kid: str :returns: The matching key, or ``None`` if not found. :rtype: PyJWK or None N)rD)rFrKrLkeys r!rJPyJWKClient.match_kids5 CzzS !   r$)rrrrrr)FrTi,NN)rstrrboolrintrr\r floatrzdict[str, Any] | Nonerr^rzSSLContext | None)returnr)F)r<r\r_r )r<r\r_ list[PyJWK])rKr[r_r )rSz str | bytesr_r )rFr`rKr[r_z PyJWK | None) __name__ __module__ __qualname____firstlineno__r"r6r>rGrrU staticmethodrJ__static_attributes__r$r!rrs!!")-)-L3 L3L3 L3  L3  L3'L3L3'L3\0:(.28 7r$r) __future__rr,urllib.requestr( functoolsrsslrtypingr urllib.errorrrapi_jwkr r api_jwtr rR exceptionsr rrrrrgr$r!rqs2" ,$4D&YYr$