+ ~j1 .^RIHt^RIt^RIt^RIHtHtHtHt^RI H t ^RI H t H t ^RIt^RIHtHtHt^RIHtRtR tR tR R R R/t!RR]4t!RR]4tR#RRlltR$RRRRRRRRRRRR/RRllltR%RRRR/RR lllt!R!R"4tR#)&) annotationsN)AnyCallable TypedDictcast)Path)Literal NotRequired) OAuthError OpenAIErrorSubjectTokenProviderError) to_threadz/urn:ietf:params:oauth:grant-type:token-exchangez#https://auth.openai.com/oauth/tokenijwtz$urn:ietf:params:oauth:token-type:jwtidz)urn:ietf:params:oauth:token-type:id_tokenc,]tRt^t$R]R&R]R&RtR#)SubjectTokenProviderzLiteral['jwt', 'id'] token_typezCallable[[], str] get_tokenN)__name__ __module__ __qualname____firstlineno____annotations____static_attributes__rj/Users/mitch_tango/dev/rabbit-r1-livekit/agent/.venv/lib/python3.14/site-packages/openai/auth/_workload.pyrrs$$  rrcJ]tRt^t$RtR]R&R]R&R]R&R]R&R tR #) WorkloadIdentityz(Identity provider resource id in WIFAPI.stridentity_provider_idservice_account_idrproviderzNotRequired[float]refresh_buffer_secondsrN)rrrr__doc__rrrrrrrs&2GE""..rrc V^8dQhRRRR/#)token_file_pathz str | Pathreturnrr)formats"r __annotate__r++s9999rc"aRV3RllpRRRV/#)a7 Get a subject token provider for Kubernetes clusters with Workload Identity configured. Cloud providers typically mount the subject token as a file in the container. Args: token_file_path: path to the mounted service account token file. Defaults to `/var/run/secrets/kubernetes.io/serviceaccount/token`. cV^8dQhRR/#r'r)r r)r*s"rr+8k8s_service_account_token_provider..__annotate__7soosorc$<\SR4;_uu_4pVP4P4pV'g\RS R24hVuuRRR4# +'giR#;i \dp\RS RT 24ThRp?ii;i)rzThe token file at z is empty.Nz!Failed to read the token file at z: )openreadstripr Exception)ftokener(s rr5k8s_service_account_token_provider..get_token7s oos++q(36HHYYc4dee ,+++  o+.OP_O``bcdbe,fgmn n os4A-7A A- A* $A-*A-- B8B  Brrrr)r(rsf r"k8s_service_account_token_providerr:+s oo %i 88r object_id client_id msi_res_id api_versionz 2018-02-01timeout$@ http_clientc8V^8dQhRRRRRRRRRRRR R R R R /#)r'resourcer r;z str | Noner<r=r>r?floatrAhttpx.Client | Noner)rr)r*s"rr+r+DsZ99999999 99  99  9999%9999rc:aaaaaaaRVVVVVVV3RllpRRRV/#)ab Get a subject token provider for Azure Managed Identities. See: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http Args: resource: the resource URI to request a token for. Defaults to `https://management.azure.com/` (Azure Resource Manager). object_id: the object ID of the managed identity to use, when multiple are assigned. client_id: the client ID of the managed identity to use, when multiple are assigned. msi_res_id: the ARM resource ID of the managed identity to use, when multiple are assigned. api_version: the Azure IMDS API version. Defaults to `2018-02-01`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. cV^8dQhRR/#r.r)r*s"rr+;azure_managed_identity_token_provider..__annotate__]sjjsjrc H<RpRSRS /pS eS VR&SeSVR&S eS VR&S eS PWRR/S R 7pM<\P!4;_uu_4pVPWRR/S R 7pRRR4XP'd\ R VP 2VR 7hVP 4pVPR 4pV'g\ R VR 7h\\V4# +'giL;i \dp\ RT 24ThRp?ii;i)z5http://169.254.169.254/metadata/identity/oauth2/tokenz api-versionrCNr;r<r=Metadatatrueparamsheadersr?z4Failed to fetch Azure subject token from IMDS: HTTP response access_tokenz3Azure IMDS response did not include an access_tokenz/Failed to fetch Azure subject token from IMDS: ) gethttpxClientis_errorr status_codejsonrr r5)urlrMrPclientdatar7r8r>r<rAr=r;rCr?s rr8azure_managed_identity_token_provider..get_token]s< jIC&3[*h%WF$&/{#$&/{#%'1|$&&??3 TZG[el?m\\^^v%zz#zSYFZdkzlH$   /J8K_K_J`a%==?DHH^,E/IT\U# #$^ j+.]^_]`,abhi i js=ADC/5DADD/ C? :D D! DD!rrrr)rCr;r<r=r>r?rArsfdddddd r%azure_managed_identity_token_providerr\Ds!2jj@ %i 88rc(V^8dQhRRRRRRRR/#) r'audiencer r?rDrArEr)rr)r*s"rr+r+s2)8)8)8)8% )8  )8rc*aaaRVVV3RllpRRRV/#)a Get a subject token provider for GCP VM instances using the instance metadata server. See: https://cloud.google.com/compute/docs/instances/verifying-instance-identity Args: audience: the unique URI agreed upon by both the instance and the system verifying the instance's identity. Defaults to `https://api.openai.com/v1`. timeout: the request timeout in seconds. Defaults to 10.0. http_client: optional httpx.Client instance to use for requests. If not provided, a new client will be created for each request. cV^8dQhRR/#r.r)r*s"rr++gcp_id_token_provider..__annotate__sssssrc <RpRS/pSeSPWRR/SR7pM<\P!4;_uu_4pVPWRR/SR7pRRR4XP'd\ RVP 2VR7hVP P4pV'g\ RVR7hV# +'giLm;i \dp\ R T 24ThRp?ii;i) z]http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identityr^NzMetadata-FlavorGooglerLz=Failed to fetch GCP subject token from metadata server: HTTP rOz+GCP metadata server returned an empty tokenz8Failed to fetch GCP subject token from metadata server: ) rRrSrTrUr rVtextr4r5) rXrMrPrYr7r8r^rAr?s rr(gcp_id_token_provider..get_tokens sqC (+F&&??3HY[cGdnu?v\\^^v%zz#GXZbFcmtzuH$   /ST\ThThSij%MM'')E/0]hpqqL$^ s+.fghfi,jkqr r ss;>CB=C2;C.C= C C C/C**C/rrrr)r^r?rArsfdd rgcp_id_token_providerrfs $ss. $ Y 77rc]tRt^tR]/RRlltRRltRRltRR ltR R lt R R lt RRlt RRlt RRlt RRltRRltRRltRtR#)WorkloadIdentityAuthtoken_exchange_urlc V^8dQhRRRR/#)r'workload_identityrrir r)r*s"rr+!WorkloadIdentityAuth.__annotate__s ::,: :rc WnW nRVnRVnRVnRVn\ P!4Vn\ P!VP4Vn R#NF) rkri _cached_token"_cached_token_expires_at_monotonic"_cached_token_refresh_at_monotonic _refreshing threadingLock_lock Condition _condition)selfrkris&$$r__init__WorkloadIdentityAuth.__init__sT "3"4)-@D/@D/!&^^% #--djj9rcV^8dQhRR/#r.r)r*s"rr+rls--3-rc  VP;_uu_4VP'd3VP4'dVPP 4KDVP4'g;VP 4'g%\ \VP4uuRRR4#VP'dvVP'dVPP 4K.VPpVP4'd \R4h\ \V4uuRRR4#RVnRRR4VP4VP;_uu_4VP4'd \R4h\ \VP4uuRRR4VP;_uu_4RVnVPP4RRR4# +'giL;i +'gi#;i +'giM;iTP;_uu_4RTnTPP4RRR4R# +'giR#;i TP;_uu_4RTnTPP4RRR4i +'gii;i;i)Nz)Token is unusable after refresh completedTF) rurr_token_unusablerwwait_needs_refreshrr ro RuntimeError_perform_refresh notify_all)rxr7s& rrWorkloadIdentityAuth.get_tokens ZZZ"""t';';'='=$$&''))$2E2E2G2GC!3!34 Z&&&OO((***''))&'RSSC'Z $D " -  ! ! #''))&'RSSC!3!34 #( **,1Z0  #( **,#( **,sG)G)1G)0G)G)*G)<G)=G) G)1G)$I7%;H I7>"G<) G9 < H  H I77"I## I4 7K  "J7 . K 7 K K cV^8dQhRR/#r.r)r*s"rr+rls//s/rc H"\VP4GRjxL #L5iN)rrrxs&rget_token_async$WorkloadIdentityAuth.get_token_asyncst~~....s " "cV^8dQhRR/#r'r)Noner)r*s"rr+rls;;$;rc VP;_uu_4RVnRVnRVnRRR4R# +'giR#;ir)rurorprqrs&rinvalidate_token%WorkloadIdentityAuth.invalidate_tokens/ ZZZ!%D 6:D 36:D 3ZZZs 5 A cV^8dQhRR/#rr)r*s"rr+rlsdd$drc 2VP4p\P!4pVR,pVP;_uu_4VR,VnW#,VnW P V4,VnRRR4R# +'giR#;i) expires_inrQN)_fetch_token_from_exchangetime monotonicrurorp_refresh_delay_secondsrq)rx token_datanowrs& rr%WorkloadIdentityAuth._perform_refreshsj446 nn - ZZZ!+N!;D 696FD 369> D c V^8dQhRRRR/#)r'rPzhttpx.Responser)rr)r*s"rr+rls  ~ . rc VP'dVP4MRpVPR9d \ WR7hVP 'dVf \ R4hVPR4pVPR4p\V\4'd V'g \ R4h\V\\34'g \ R4hRVR\V4/#\ RVP 24h \dRpLi;i) N)rPbodyz4Token exchange succeeded but response body was emptyrQrzThe workload identity provider returned an empty subject token)rkr )rxr#rs& rr'WorkloadIdentityAuth._get_subject_tokens4))*5 -/ ^_ _rcV^8dQhRR/#r'r)boolr)r*s"rr+rl$sCCCrc NVPRJ;'gVP4#r)ro_token_expiredrs&rr}$WorkloadIdentityAuth._token_unusable$s$!!T)BBT-@-@-BBrcV^8dQhRR/#rr)r*s"rr+rl'KKKrc fVPfR#\P!4VP8#)NT)rprrrs&rr#WorkloadIdentityAuth._token_expired's)  2 2 :~~4#J#JJJrcV^8dQhRR/#rr)r*s"rr+rl,rrc fVPfR#\P!4VP8#rn)rqrrrs&rr#WorkloadIdentityAuth._needs_refresh,s)  2 2 :~~4#J#JJJrc V^8dQhRRRR/#)r'rrDr)r)r*s"rr+rl1s77757rc VPPR\4p\W!^, 4p\ W, R4#)r$g)rkrRDEFAULT_REFRESH_BUFFER_SECONDSminmax)rxrconfigured_buffereffective_buffers&& rr+WorkloadIdentityAuth._refresh_delay_seconds1s= 22667OQop0q.A:0#66r)rorprqrwrurrrirkN)rrrrDEFAULT_TOKEN_EXCHANGE_URLryrrrrrrrr}rrrrrrrrhrhsQ:#= : -:/; d90 0CK K 77rrh)z3/var/run/secrets/kubernetes.io/serviceaccount/token)zhttps://management.azure.com/)zhttps://api.openai.com/v1) __future__rrrstypingrrrrpathlibrtyping_extensionsr r rS _exceptionsr r r _utils._syncrrrrrrrr:r\rfrhrrrrs" 112 LL$MB!% 1 5 !9! /y /9299!99! 99 " 99 $ 9999(,9999x)8)8(, )8)8XH7H7r