[Authlib] Update return types (#15153)

* Remove return types for not implemented methods * Add some obvious return types * Fix some incorrect types found
2026-06-23 09:18:44 +08:00 · 2025-12-19 22:55:43 +00:00
parent cc1c684fe5
commit bf5b55d746
74 changed files with 310 additions and 233 deletions
@@ -13,7 +13,7 @@ def url_decode(query: str) -> _ExplodedQueryString: ...
 def add_params_to_qs(query: str, params: _ExplodedQueryString) -> str: ...
 def add_params_to_uri(uri: str, params: _ExplodedQueryString, fragment: bool = False): ...
 def quote(s: str, safe: bytes = b"/") -> str: ...
-def unquote(s: str) -> str: ...
+def unquote(s: str | bytes) -> str: ...
 def quote_url(s: str) -> str: ...
 def extract_params(raw: dict[str, str] | _ExplodedQueryString) -> _ExplodedQueryString: ...
 def is_valid_url(url: str, fragments_allowed: bool = True) -> bool: ...
@@ -1,3 +1,4 @@
+from _typeshed import Incomplete
 from logging import Logger

 from authlib.integrations.base_client.sync_app import OAuth1Base, OAuth2Base
@@ -8,11 +9,11 @@ __all__ = ["AsyncOAuth1Mixin", "AsyncOAuth2Mixin"]

 class AsyncOAuth1Mixin(OAuth1Base):
    async def request(self, method, url, token=None, **kwargs): ...
-    async def create_authorization_url(self, redirect_uri=None, **kwargs): ...
+    async def create_authorization_url(self, redirect_uri=None, **kwargs) -> dict[Incomplete, Incomplete]: ...
    async def fetch_access_token(self, request_token=None, **kwargs): ...

 class AsyncOAuth2Mixin(OAuth2Base):
-    async def load_server_metadata(self): ...
+    async def load_server_metadata(self) -> dict[Incomplete, Incomplete]: ...
    async def request(self, method, url, token=None, **kwargs): ...
-    async def create_authorization_url(self, redirect_uri=None, **kwargs): ...
+    async def create_authorization_url(self, redirect_uri=None, **kwargs) -> dict[Incomplete, Incomplete]: ...
    async def fetch_access_token(self, redirect_uri=None, **kwargs): ...
@@ -1,6 +1,8 @@
+from authlib.oidc.core.claims import UserInfo
+
 __all__ = ["AsyncOpenIDMixin"]

 class AsyncOpenIDMixin:
    async def fetch_jwk_set(self, force: bool = False): ...
-    async def userinfo(self, **kwargs): ...
-    async def parse_id_token(self, token, nonce, claims_options=None, claims_cls=None, leeway: int = 120): ...
+    async def userinfo(self, **kwargs) -> UserInfo: ...
+    async def parse_id_token(self, token, nonce, claims_options=None, claims_cls=None, leeway: int = 120) -> UserInfo: ...
@@ -8,6 +8,6 @@ class FrameworkIntegration:
    def get_state_data(self, session, state): ...
    def set_state_data(self, session, state, data): ...
    def clear_state_data(self, session, state): ...
-    def update_token(self, token, refresh_token=None, access_token=None) -> None: ...
+    def update_token(self, token, refresh_token=None, access_token=None): ...
    @staticmethod
    def load_config(oauth, name, params): ...
@@ -14,6 +14,6 @@ class BaseOAuth:
    def __init__(self, cache=None, fetch_token=None, update_token=None) -> None: ...
    def create_client(self, name): ...
    def register(self, name, overwrite: bool = False, **kwargs): ...
-    def generate_client_kwargs(self, name, overwrite, **kwargs): ...
+    def generate_client_kwargs(self, name, overwrite, **kwargs) -> dict[Incomplete, Incomplete]: ...
    def load_config(self, name, params): ...
    def __getattr__(self, key): ...
@@ -50,7 +50,7 @@ class OAuth1Base:

 class OAuth1Mixin(_RequestMixin, OAuth1Base):
    def request(self, method, url, token=None, **kwargs): ...
-    def create_authorization_url(self, redirect_uri=None, **kwargs): ...
+    def create_authorization_url(self, redirect_uri=None, **kwargs) -> dict[Incomplete, Incomplete]: ...
    def fetch_access_token(self, request_token=None, **kwargs): ...

 class OAuth2Base:
@@ -91,6 +91,6 @@ class OAuth2Base:

 class OAuth2Mixin(_RequestMixin, OAuth2Base):
    def request(self, method, url, token=None, **kwargs): ...
-    def load_server_metadata(self): ...
-    def create_authorization_url(self, redirect_uri=None, **kwargs): ...
+    def load_server_metadata(self) -> dict[Incomplete, Incomplete]: ...
+    def create_authorization_url(self, redirect_uri=None, **kwargs) -> dict[Incomplete, Incomplete]: ...
    def fetch_access_token(self, redirect_uri=None, **kwargs): ...
@@ -1,5 +1,7 @@
+from authlib.oidc.core.claims import UserInfo
+
 class OpenIDMixin:
    def fetch_jwk_set(self, force: bool = False): ...
-    def userinfo(self, **kwargs): ...
-    def parse_id_token(self, token, nonce, claims_options=None, claims_cls=None, leeway: int = 120): ...
+    def userinfo(self, **kwargs) -> UserInfo: ...
+    def parse_id_token(self, token, nonce, claims_options=None, claims_cls=None, leeway: int = 120) -> UserInfo | None: ...
    def create_load_key(self): ...
@@ -1,6 +1,6 @@
 from _typeshed import Incomplete
 from collections.abc import Iterable
-from typing import ClassVar
+from typing import ClassVar, Final

 from authlib.jose.rfc7516 import JWEAlgorithmWithTagAwareKeyAgreement

@@ -13,17 +13,19 @@ class ECDH1PUAlgorithm(JWEAlgorithmWithTagAwareKeyAgreement):
    aeskw: Incomplete
    def __init__(self, key_size=None) -> None: ...
    def prepare_key(self, raw_data): ...
-    def generate_preset(self, enc_alg, key): ...
+    def generate_preset(self, enc_alg, key) -> dict[str, Incomplete]: ...
    def compute_shared_key(self, shared_key_e, shared_key_s): ...
-    def compute_fixed_info(self, headers, bit_size, tag): ...
-    def compute_derived_key(self, shared_key, fixed_info, bit_size): ...
-    def deliver_at_sender(self, sender_static_key, sender_ephemeral_key, recipient_pubkey, headers, bit_size, tag): ...
-    def deliver_at_recipient(self, recipient_key, sender_static_pubkey, sender_ephemeral_pubkey, headers, bit_size, tag): ...
-    def generate_keys_and_prepare_headers(self, enc_alg, key, sender_key, preset=None): ...
+    def compute_fixed_info(self, headers, bit_size, tag) -> bytes: ...
+    def compute_derived_key(self, shared_key, fixed_info, bit_size) -> bytes: ...
+    def deliver_at_sender(self, sender_static_key, sender_ephemeral_key, recipient_pubkey, headers, bit_size, tag) -> bytes: ...
+    def deliver_at_recipient(
+        self, recipient_key, sender_static_pubkey, sender_ephemeral_pubkey, headers, bit_size, tag
+    ) -> bytes: ...
+    def generate_keys_and_prepare_headers(self, enc_alg, key, sender_key, preset=None) -> dict[str, Incomplete]: ...
    def agree_upon_key_and_wrap_cek(self, enc_alg, headers, key, sender_key, epk, cek, tag): ...
-    def wrap(self, enc_alg, headers, key, sender_key, preset=None): ...
-    def unwrap(self, enc_alg, ek, headers, key, sender_key, tag=None): ...
+    def wrap(self, enc_alg, headers, key, sender_key, preset=None) -> dict[str, Incomplete]: ...
+    def unwrap(self, enc_alg, ek, headers, key, sender_key, tag=None) -> bytes: ...

-JWE_DRAFT_ALG_ALGORITHMS: Incomplete
+JWE_DRAFT_ALG_ALGORITHMS: Final[list[ECDH1PUAlgorithm]]

 def register_jwe_alg_draft(cls) -> None: ...
@@ -9,5 +9,5 @@ class C20PEncAlgorithm(JWEEncAlgorithm):
    key_size: Incomplete
    CEK_SIZE: Incomplete
    def __init__(self, key_size) -> None: ...
-    def encrypt(self, msg, aad, iv, key): ...
-    def decrypt(self, ciphertext, aad, iv, tag, key): ...
+    def encrypt(self, msg, aad, iv, key) -> tuple[bytes, bytes]: ...
+    def decrypt(self, ciphertext, aad, iv, tag, key) -> bytes: ...
@@ -1,2 +1,7 @@
+from _typeshed import Incomplete
+from typing_extensions import deprecated
+
+@deprecated("Please use `JsonWebKey` directly.")
 def loads(obj, kid=None): ...
-def dumps(key, kty=None, **params): ...
+@deprecated("Please use `JsonWebKey` directly.")
+def dumps(key, kty=None, **params) -> dict[Incomplete, Incomplete]: ...
@@ -1,5 +1,7 @@
 from _typeshed import Incomplete

+from .models import JWSObject
+
 class JsonWebSignature:
    REGISTERED_HEADER_PARAMETER_NAMES: frozenset[str]
    MAX_CONTENT_LENGTH: int
@@ -7,9 +9,9 @@ class JsonWebSignature:
    def __init__(self, algorithms=None, private_headers=None) -> None: ...
    @classmethod
    def register_algorithm(cls, algorithm) -> None: ...
-    def serialize_compact(self, protected, payload, key): ...
-    def deserialize_compact(self, s, key, decode=None): ...
+    def serialize_compact(self, protected, payload, key) -> bytes: ...
+    def deserialize_compact(self, s, key, decode=None) -> JWSObject: ...
    def serialize_json(self, header_obj, payload, key): ...
-    def deserialize_json(self, obj, key, decode=None): ...
+    def deserialize_json(self, obj, key, decode=None) -> JWSObject: ...
    def serialize(self, header, payload, key): ...
-    def deserialize(self, s, key, decode=None): ...
+    def deserialize(self, s, key, decode=None) -> JWSObject: ...
@@ -1,11 +1,12 @@
 from _typeshed import Incomplete
+from typing_extensions import Self

 class JWSAlgorithm:
    name: Incomplete
    description: Incomplete
    algorithm_type: str
    algorithm_location: str
-    def prepare_key(self, raw_data) -> None: ...
+    def prepare_key(self, raw_data): ...
    def sign(self, msg, key): ...
    def verify(self, msg, sig, key) -> bool: ...

@@ -14,7 +15,7 @@ class JWSHeader(dict[str, object]):
    header: Incomplete
    def __init__(self, protected, header) -> None: ...
    @classmethod
-    def from_dict(cls, obj): ...
+    def from_dict(cls, obj) -> Self: ...

 class JWSObject(dict[str, object]):
    header: Incomplete
@@ -1,21 +1,22 @@
 from _typeshed import Incomplete
+from collections import OrderedDict

 class JsonWebEncryption:
-    REGISTERED_HEADER_PARAMETER_NAMES: Incomplete
-    ALG_REGISTRY: Incomplete
-    ENC_REGISTRY: Incomplete
-    ZIP_REGISTRY: Incomplete
+    REGISTERED_HEADER_PARAMETER_NAMES: frozenset[str]
+    ALG_REGISTRY: dict[Incomplete, Incomplete]
+    ENC_REGISTRY: dict[Incomplete, Incomplete]
+    ZIP_REGISTRY: dict[Incomplete, Incomplete]
    def __init__(self, algorithms=None, private_headers=None) -> None: ...
    @classmethod
    def register_algorithm(cls, algorithm) -> None: ...
-    def serialize_compact(self, protected, payload, key, sender_key=None): ...
-    def serialize_json(self, header_obj, payload, keys, sender_key=None): ...
+    def serialize_compact(self, protected, payload, key, sender_key=None) -> bytes: ...
+    def serialize_json(self, header_obj, payload, keys, sender_key=None) -> OrderedDict[Incomplete, Incomplete]: ...
    def serialize(self, header, payload, key, sender_key=None): ...
    def deserialize_compact(self, s, key, decode=None, sender_key=None): ...
-    def deserialize_json(self, obj, key, decode=None, sender_key=None): ...
+    def deserialize_json(self, obj, key, decode=None, sender_key=None) -> dict[str, Incomplete]: ...
    def deserialize(self, obj, key, decode=None, sender_key=None): ...
    @staticmethod
-    def parse_json(obj): ...
+    def parse_json(obj) -> dict[Incomplete, Incomplete]: ...
    def get_header_alg(self, header): ...
    def get_header_enc(self, header): ...
    def get_header_zip(self, header): ...
@@ -2,6 +2,7 @@ from _typeshed import Incomplete
 from abc import ABCMeta
 from collections.abc import Iterable
 from typing import ClassVar
+from typing_extensions import Self

 class JWEAlgorithmBase(metaclass=ABCMeta):
    EXTRA_HEADERS: ClassVar[Iterable[str] | None]
@@ -9,18 +10,18 @@ class JWEAlgorithmBase(metaclass=ABCMeta):
    description: str | None
    algorithm_type: str
    algorithm_location: str
-    def prepare_key(self, raw_data) -> None: ...
-    def generate_preset(self, enc_alg, key) -> None: ...
+    def prepare_key(self, raw_data): ...
+    def generate_preset(self, enc_alg, key): ...

 class JWEAlgorithm(JWEAlgorithmBase, metaclass=ABCMeta):
-    def wrap(self, enc_alg, headers, key, preset=None) -> None: ...
-    def unwrap(self, enc_alg, ek, headers, key) -> None: ...
+    def wrap(self, enc_alg, headers, key, preset=None): ...
+    def unwrap(self, enc_alg, ek, headers, key): ...

 class JWEAlgorithmWithTagAwareKeyAgreement(JWEAlgorithmBase, metaclass=ABCMeta):
-    def generate_keys_and_prepare_headers(self, enc_alg, key, sender_key, preset=None) -> None: ...
-    def agree_upon_key_and_wrap_cek(self, enc_alg, headers, key, sender_key, epk, cek, tag) -> None: ...
-    def wrap(self, enc_alg, headers, key, sender_key, preset=None) -> None: ...
-    def unwrap(self, enc_alg, ek, headers, key, sender_key, tag=None) -> None: ...
+    def generate_keys_and_prepare_headers(self, enc_alg, key, sender_key, preset=None): ...
+    def agree_upon_key_and_wrap_cek(self, enc_alg, headers, key, sender_key, epk, cek, tag): ...
+    def wrap(self, enc_alg, headers, key, sender_key, preset=None): ...
+    def unwrap(self, enc_alg, ek, headers, key, sender_key, tag=None): ...

 class JWEEncAlgorithm:
    name: str | None
@@ -32,8 +33,8 @@ class JWEEncAlgorithm:
    def generate_cek(self): ...
    def generate_iv(self): ...
    def check_iv(self, iv) -> None: ...
-    def encrypt(self, msg, aad, iv, key) -> None: ...
-    def decrypt(self, ciphertext, aad, iv, tag, key) -> None: ...
+    def encrypt(self, msg, aad, iv, key): ...
+    def decrypt(self, ciphertext, aad, iv, tag, key): ...

 class JWEZipAlgorithm:
    name: Incomplete
@@ -49,7 +50,7 @@ class JWESharedHeader(dict[str, object]):
    def __init__(self, protected, unprotected) -> None: ...
    def update_protected(self, addition) -> None: ...
    @classmethod
-    def from_dict(cls, obj): ...
+    def from_dict(cls, obj) -> Self: ...

 class JWEHeader(dict[str, object]):
    protected: Incomplete
@@ -1 +1,35 @@
-def load_pem_key(raw, ssh_type=None, key_type=None, password=None): ...
+from _typeshed import ReadableBuffer
+from collections.abc import Iterable
+from typing import Literal, SupportsBytes, SupportsIndex, overload
+
+from cryptography.hazmat.primitives.asymmetric.types import PrivateKeyTypes, PublicKeyTypes
+from cryptography.hazmat.primitives.serialization.ssh import SSHPublicKeyTypes
+
+@overload  # if ssh_type is None
+def load_pem_key(
+    raw: str | bytes | float | Iterable[SupportsIndex] | SupportsIndex | SupportsBytes | ReadableBuffer,
+    ssh_type: None = None,
+    key_type: str | None = None,
+    password: bytes | None = None,
+) -> PublicKeyTypes | PrivateKeyTypes: ...
+@overload  # if key_type == "public"
+def load_pem_key(
+    raw: str | bytes | float | Iterable[SupportsIndex] | SupportsIndex | SupportsBytes | ReadableBuffer,
+    ssh_type: ReadableBuffer | tuple[ReadableBuffer, ...] | None = None,
+    key_type: Literal["public"] = ...,
+    password: bytes | None = None,
+) -> PublicKeyTypes: ...
+@overload  # if key_type is not empty, but not "public"
+def load_pem_key(
+    raw: str | bytes | float | Iterable[SupportsIndex] | SupportsIndex | SupportsBytes | ReadableBuffer,
+    ssh_type: ReadableBuffer | tuple[ReadableBuffer, ...] | None = None,
+    key_type: str = ...,
+    password: bytes | None = None,
+) -> PrivateKeyTypes: ...
+@overload  # if ssh_type is not empty
+def load_pem_key(
+    raw: str | bytes | float | Iterable[SupportsIndex] | SupportsIndex | SupportsBytes | ReadableBuffer,
+    ssh_type: ReadableBuffer | tuple[ReadableBuffer, ...] = ...,
+    key_type: str | None = None,
+    password: bytes | None = None,
+) -> SSHPublicKeyTypes | PublicKeyTypes | PrivateKeyTypes: ...
@@ -1,5 +1,6 @@
 from _typeshed import Incomplete
 from typing import ClassVar
+from typing_extensions import Self

 from authlib.jose.rfc7517 import Key

@@ -13,7 +14,7 @@ class AsymmetricKey(Key):
    public_key: Incomplete
    def __init__(self, private_key=None, public_key=None, options=None) -> None: ...
    @property
-    def public_only(self): ...
+    def public_only(self) -> bool: ...
    def get_op_key(self, operation): ...
    def get_public_key(self): ...
    def get_private_key(self): ...
@@ -23,16 +24,16 @@ class AsymmetricKey(Key):
    def dumps_public_key(self): ...
    def load_private_key(self): ...
    def load_public_key(self): ...
-    def as_dict(self, is_private: bool = False, **params): ...
+    def as_dict(self, is_private: bool = False, **params) -> dict[Incomplete, Incomplete]: ...
    def as_key(self, is_private: bool = False): ...
    def as_bytes(self, encoding=None, is_private: bool = False, password=None): ...
    def as_pem(self, is_private: bool = False, password=None): ...
    def as_der(self, is_private: bool = False, password=None): ...
    @classmethod
-    def import_dict_key(cls, raw, options=None): ...
+    def import_dict_key(cls, raw, options=None) -> Self: ...
    @classmethod
-    def import_key(cls, raw, options=None): ...
+    def import_key(cls, raw, options=None) -> Self: ...
    @classmethod
-    def validate_raw_key(cls, key): ...
+    def validate_raw_key(cls, key) -> bool: ...
    @classmethod
    def generate_key(cls, crv_or_size, options=None, is_private: bool = False) -> AsymmetricKey: ...
@@ -10,20 +10,20 @@ class Key:
    options: Incomplete
    def __init__(self, options=None) -> None: ...
    @property
-    def tokens(self): ...
+    def tokens(self) -> dict[Incomplete, Incomplete]: ...
    @property
    def kid(self): ...
    def keys(self): ...
    def __getitem__(self, item): ...
    @property
-    def public_only(self) -> None: ...
-    def load_raw_key(self) -> None: ...
-    def load_dict_key(self) -> None: ...
+    def public_only(self): ...
+    def load_raw_key(self): ...
+    def load_dict_key(self): ...
    def check_key_op(self, operation) -> None: ...
-    def as_dict(self, is_private: bool = False, **params) -> None: ...
-    def as_json(self, is_private: bool = False, **params): ...
-    def thumbprint(self): ...
+    def as_dict(self, is_private: bool = False, **params): ...
+    def as_json(self, is_private: bool = False, **params) -> str: ...
+    def thumbprint(self) -> str: ...
    @classmethod
    def check_required_fields(cls, data) -> None: ...
    @classmethod
-    def validate_raw_key(cls, key) -> None: ...
+    def validate_raw_key(cls, key): ...
@@ -4,7 +4,7 @@ from collections.abc import Collection, Mapping
 from authlib.jose.rfc7517 import Key, KeySet

 class JsonWebKey:
-    JWK_KEY_CLS: Incomplete
+    JWK_KEY_CLS: dict[Incomplete, Incomplete]
    @classmethod
    def generate_key(cls, kty, crv_or_size, options=None, is_private: bool = False): ...
    @classmethod
@@ -1,3 +1,4 @@
+from _typeshed import Incomplete
 from collections.abc import Collection

 from authlib.jose.rfc7517 import Key
@@ -5,6 +6,6 @@ from authlib.jose.rfc7517 import Key
 class KeySet:
    keys: Collection[Key]
    def __init__(self, keys) -> None: ...
-    def as_dict(self, is_private: bool = False, **params): ...
-    def as_json(self, is_private: bool = False, **params): ...
+    def as_dict(self, is_private: bool = False, **params) -> dict[str, list[Incomplete]]: ...
+    def as_json(self, is_private: bool = False, **params) -> str: ...
    def find_by_kid(self, kid, **params): ...
@@ -1,15 +1,18 @@
-from _typeshed import Incomplete
+from _typeshed import Incomplete, ReadableBuffer
 from collections.abc import Iterable
-from typing import ClassVar, Final
+from typing import ClassVar, Final, SupportsBytes, SupportsIndex

 from authlib.jose.rfc7516 import JWEAlgorithm

+from .oct_key import OctKey
+from .rsa_key import RSAKey
+
 class DirectAlgorithm(JWEAlgorithm):
    name: str
    description: str
-    def prepare_key(self, raw_data): ...
-    def generate_preset(self, enc_alg, key): ...
-    def wrap(self, enc_alg, headers, key, preset=None): ...
+    def prepare_key(self, raw_data) -> OctKey: ...
+    def generate_preset(self, enc_alg, key) -> dict[Incomplete, Incomplete]: ...
+    def wrap(self, enc_alg, headers, key, preset=None) -> dict[str, Incomplete]: ...
    def unwrap(self, enc_alg, ek, headers, key): ...

 class RSAAlgorithm(JWEAlgorithm):
@@ -18,9 +21,9 @@ class RSAAlgorithm(JWEAlgorithm):
    description: str
    padding: Incomplete
    def __init__(self, name, description, pad_fn) -> None: ...
-    def prepare_key(self, raw_data): ...
-    def generate_preset(self, enc_alg, key): ...
-    def wrap(self, enc_alg, headers, key, preset=None): ...
+    def prepare_key(self, raw_data) -> RSAKey: ...
+    def generate_preset(self, enc_alg, key) -> dict[str, Incomplete]: ...
+    def wrap(self, enc_alg, headers, key, preset=None) -> dict[str, Incomplete]: ...
    def unwrap(self, enc_alg, ek, headers, key): ...

 class AESAlgorithm(JWEAlgorithm):
@@ -28,11 +31,11 @@ class AESAlgorithm(JWEAlgorithm):
    description: str
    key_size: Incomplete
    def __init__(self, key_size) -> None: ...
-    def prepare_key(self, raw_data): ...
-    def generate_preset(self, enc_alg, key): ...
-    def wrap_cek(self, cek, key): ...
-    def wrap(self, enc_alg, headers, key, preset=None): ...
-    def unwrap(self, enc_alg, ek, headers, key): ...
+    def prepare_key(self, raw_data) -> OctKey: ...
+    def generate_preset(self, enc_alg, key) -> dict[str, Incomplete]: ...
+    def wrap_cek(self, cek, key) -> dict[str, Incomplete]: ...
+    def wrap(self, enc_alg, headers, key, preset=None) -> dict[str, Incomplete]: ...
+    def unwrap(self, enc_alg, ek, headers, key) -> bytes: ...

 class AESGCMAlgorithm(JWEAlgorithm):
    EXTRA_HEADERS: ClassVar[Iterable[str]]
@@ -40,10 +43,10 @@ class AESGCMAlgorithm(JWEAlgorithm):
    description: str
    key_size: Incomplete
    def __init__(self, key_size) -> None: ...
-    def prepare_key(self, raw_data): ...
-    def generate_preset(self, enc_alg, key): ...
-    def wrap(self, enc_alg, headers, key, preset=None): ...
-    def unwrap(self, enc_alg, ek, headers, key): ...
+    def prepare_key(self, raw_data) -> OctKey: ...
+    def generate_preset(self, enc_alg, key) -> dict[str, Incomplete]: ...
+    def wrap(self, enc_alg, headers, key, preset=None) -> dict[str, Incomplete]: ...
+    def unwrap(self, enc_alg, ek, headers, key) -> bytes: ...

 class ECDHESAlgorithm(JWEAlgorithm):
    EXTRA_HEADERS: ClassVar[Iterable[str]]
@@ -54,13 +57,15 @@ class ECDHESAlgorithm(JWEAlgorithm):
    aeskw: Incomplete
    def __init__(self, key_size=None) -> None: ...
    def prepare_key(self, raw_data): ...
-    def generate_preset(self, enc_alg, key): ...
+    def generate_preset(self, enc_alg, key) -> dict[str, Incomplete]: ...
    def compute_fixed_info(self, headers, bit_size): ...
-    def compute_derived_key(self, shared_key, fixed_info, bit_size): ...
-    def deliver(self, key, pubkey, headers, bit_size): ...
-    def wrap(self, enc_alg, headers, key, preset=None): ...
-    def unwrap(self, enc_alg, ek, headers, key): ...
+    def compute_derived_key(self, shared_key, fixed_info, bit_size) -> bytes: ...
+    def deliver(self, key, pubkey, headers, bit_size) -> bytes: ...
+    def wrap(self, enc_alg, headers, key, preset=None) -> dict[str, Incomplete]: ...
+    def unwrap(self, enc_alg, ek, headers, key) -> bytes: ...

-def u32be_len_input(s, base64: bool = False): ...
+def u32be_len_input(
+    s: str | bytes | float | Iterable[SupportsIndex] | SupportsIndex | SupportsBytes | ReadableBuffer, base64: bool = False
+) -> bytes: ...

 JWE_ALG_ALGORITHMS: Final[list[JWEAlgorithm]]
@@ -1,4 +1,5 @@
 from _typeshed import Incomplete
+from typing import Final

 from authlib.jose.rfc7516 import JWEEncAlgorithm

@@ -11,8 +12,8 @@ class CBCHS2EncAlgorithm(JWEEncAlgorithm):
    CEK_SIZE: Incomplete
    hash_alg: Incomplete
    def __init__(self, key_size, hash_type) -> None: ...
-    def encrypt(self, msg, aad, iv, key): ...
-    def decrypt(self, ciphertext, aad, iv, tag, key): ...
+    def encrypt(self, msg, aad, iv, key) -> tuple[bytes, bytes]: ...
+    def decrypt(self, ciphertext, aad, iv, tag, key) -> bytes: ...

 class GCMEncAlgorithm(JWEEncAlgorithm):
    IV_SIZE: int
@@ -21,7 +22,7 @@ class GCMEncAlgorithm(JWEEncAlgorithm):
    key_size: Incomplete
    CEK_SIZE: Incomplete
    def __init__(self, key_size) -> None: ...
-    def encrypt(self, msg, aad, iv, key): ...
-    def decrypt(self, ciphertext, aad, iv, tag, key): ...
+    def encrypt(self, msg, aad, iv, key) -> tuple[bytes, bytes]: ...
+    def decrypt(self, ciphertext, aad, iv, tag, key) -> bytes: ...

-JWE_ENC_ALGORITHMS: Incomplete
+JWE_ENC_ALGORITHMS: Final[list[CBCHS2EncAlgorithm | GCMEncAlgorithm]]
@@ -6,7 +6,7 @@ from authlib.jose.rfc7515 import JWSAlgorithm
 class NoneAlgorithm(JWSAlgorithm):
    name: str
    description: str
-    def prepare_key(self, raw_data) -> None: ...
+    def prepare_key(self, raw_data): ...
    def sign(self, msg, key): ...
    def verify(self, msg, sig, key) -> bool: ...

@@ -1,5 +1,6 @@
 from _typeshed import Incomplete
 from typing import ClassVar, Final
+from typing_extensions import Self

 from authlib.jose.rfc7517 import Key

@@ -15,10 +16,10 @@ class OctKey(Key):
    def get_op_key(self, operation): ...
    def load_raw_key(self) -> None: ...
    def load_dict_key(self) -> None: ...
-    def as_dict(self, is_private: bool = False, **params): ...
+    def as_dict(self, is_private: bool = False, **params) -> dict[Incomplete, Incomplete]: ...
    @classmethod
-    def validate_raw_key(cls, key): ...
+    def validate_raw_key(cls, key) -> bool: ...
    @classmethod
-    def import_key(cls, raw, options=None): ...
+    def import_key(cls, raw, options=None) -> Self: ...
    @classmethod
-    def generate_key(cls, key_size: int = 256, options=None, is_private: bool = True): ...
+    def generate_key(cls, key_size: int = 256, options=None, is_private: bool = True) -> Self: ...
@@ -1,4 +1,5 @@
 from typing import ClassVar
+from typing_extensions import Self

 from authlib.jose.rfc7517 import AsymmetricKey
 from cryptography.hazmat.primitives.asymmetric.rsa import RSAPrivateKey, RSAPublicKey
@@ -18,6 +19,6 @@ class RSAKey(AsymmetricKey):
    @classmethod
    def generate_key(cls, key_size: int = 2048, options=None, is_private: bool = False) -> RSAKey: ...
    @classmethod
-    def import_dict_key(cls, raw, options=None): ...
+    def import_dict_key(cls, raw, options=None) -> Self: ...

 def has_all_prime_factors(obj) -> bool: ...
@@ -1,2 +1,4 @@
-def encode_int(num, bits): ...
-def decode_int(b): ...
+from _typeshed import ReadableBuffer
+
+def encode_int(num, bits) -> bytes: ...
+def decode_int(b: ReadableBuffer) -> int: ...
@@ -17,7 +17,7 @@ class JsonWebToken:

    def __init__(self, algorithms, private_headers=None) -> None: ...
    def check_sensitive_data(self, payload) -> None: ...
-    def encode(self, header, payload, key, check: bool = True): ...
+    def encode(self, header, payload, key, check: bool = True) -> bytes: ...
    @overload
    def decode(
        self,
@@ -37,7 +37,7 @@ class JsonWebToken:
        claims_params=None,
    ) -> _T: ...

-def decode_payload(bytes_payload): ...
+def decode_payload(bytes_payload) -> dict[Incomplete, Incomplete]: ...

 _TL = TypeVar("_TL", bound=tuple[Any, ...] | list[Any])

@@ -1,10 +1,12 @@
 from authlib.jose.rfc7515 import JWSAlgorithm

+from .okp_key import OKPKey
+
 class EdDSAAlgorithm(JWSAlgorithm):
    name: str
    description: str
-    def prepare_key(self, raw_data): ...
+    def prepare_key(self, raw_data) -> OKPKey: ...
    def sign(self, msg, key): ...
-    def verify(self, msg, sig, key): ...
+    def verify(self, msg, sig, key) -> bool: ...

 def register_jws_rfc8037(cls) -> None: ...
@@ -17,9 +17,9 @@ class OKPKey(AsymmetricKey):
    PUBLIC_KEY_CLS: ClassVar[tuple[type, ...]]
    PRIVATE_KEY_CLS: ClassVar[tuple[type, ...]]
    SSH_PUBLIC_PREFIX: ClassVar[bytes]
-    def exchange_shared_key(self, pubkey): ...
+    def exchange_shared_key(self, pubkey) -> bytes: ...
    @staticmethod
-    def get_key_curve(key): ...
+    def get_key_curve(key) -> str | None: ...
    def load_private_key(self) -> Ed25519PrivateKey | Ed448PrivateKey | X25519PrivateKey | X448PrivateKey: ...
    def load_public_key(self) -> Ed25519PublicKey | Ed448PublicKey | X25519PublicKey | X448PublicKey: ...
    def dumps_private_key(self) -> dict[str, str | None]: ...
@@ -1,5 +1,5 @@
 from _typeshed import Incomplete
-from typing import Any
+from typing import Any, NoReturn

 from authlib.oauth1 import ClientAuth

@@ -37,5 +37,5 @@ class OAuth1Client:
    def parse_authorization_response(self, url): ...
    def parse_response_token(self, status_code, text): ...
    @staticmethod
-    def handle_error(error_type, error_description) -> None: ...
+    def handle_error(error_type, error_description) -> NoReturn: ...
    def __del__(self) -> None: ...
@@ -32,10 +32,10 @@ class ClientAuth:
        realm=None,
        force_include_body: bool = False,
    ) -> None: ...
-    def get_oauth_signature(self, method, uri, headers, body): ...
-    def get_oauth_params(self, nonce, timestamp): ...
-    def sign(self, method, uri, headers, body): ...
-    def prepare(self, method, uri, headers, body): ...
+    def get_oauth_signature(self, method, uri, headers, body) -> str: ...
+    def get_oauth_params(self, nonce, timestamp) -> list[Incomplete]: ...
+    def sign(self, method, uri, headers, body) -> tuple[Incomplete, Incomplete, Incomplete]: ...
+    def prepare(self, method, uri, headers, body) -> tuple[Incomplete, ...]: ...

-def generate_nonce(): ...
-def generate_timestamp(): ...
+def generate_nonce() -> str: ...
+def generate_timestamp() -> str: ...
@@ -2,7 +2,7 @@ from authlib.common.errors import AuthlibHTTPError

 class OAuth1Error(AuthlibHTTPError):
    def __init__(self, description=None, uri=None, status_code=None) -> None: ...
-    def get_headers(self): ...
+    def get_headers(self) -> list[tuple[str, str]]: ...

 class InsecureTransportError(OAuth1Error):
    error: str
@@ -1,16 +1,16 @@
 class ClientMixin:
-    def get_default_redirect_uri(self) -> None: ...
-    def get_client_secret(self) -> None: ...
-    def get_rsa_public_key(self) -> None: ...
+    def get_default_redirect_uri(self): ...
+    def get_client_secret(self): ...
+    def get_rsa_public_key(self): ...

 class TokenCredentialMixin:
-    def get_oauth_token(self) -> None: ...
-    def get_oauth_token_secret(self) -> None: ...
+    def get_oauth_token(self): ...
+    def get_oauth_token_secret(self): ...

 class TemporaryCredentialMixin(TokenCredentialMixin):
-    def get_client_id(self) -> None: ...
-    def get_redirect_uri(self) -> None: ...
-    def check_verifier(self, verifier) -> None: ...
+    def get_client_id(self): ...
+    def get_redirect_uri(self): ...
+    def check_verifier(self, verifier) -> bool: ...

 class TemporaryCredential(dict[str, object], TemporaryCredentialMixin):
    def get_client_id(self): ...
@@ -1,3 +1,3 @@
 def prepare_headers(oauth_params, headers=None, realm=None): ...
-def prepare_form_encoded_body(oauth_params, body): ...
+def prepare_form_encoded_body(oauth_params, body) -> str: ...
 def prepare_request_uri_query(oauth_params, uri): ...
@@ -1,5 +1,7 @@
 from authlib.oauth1.rfc5849.base_server import BaseServer

+from .wrapper import OAuth1Request
+
 class ResourceProtector(BaseServer):
-    def validate_request(self, method, uri, body, headers): ...
-    def get_token_credential(self, request) -> None: ...
+    def validate_request(self, method, uri, body, headers) -> OAuth1Request: ...
+    def get_token_credential(self, request): ...
@@ -1,2 +1,2 @@
 def sign_sha1(msg, rsa_private_key): ...
-def verify_sha1(sig, msg, rsa_public_key): ...
+def verify_sha1(sig, msg, rsa_public_key) -> bool: ...
@@ -1,20 +1,22 @@
-SIGNATURE_HMAC_SHA1: str
-SIGNATURE_RSA_SHA1: str
-SIGNATURE_PLAINTEXT: str
-SIGNATURE_TYPE_HEADER: str
-SIGNATURE_TYPE_QUERY: str
-SIGNATURE_TYPE_BODY: str
+from typing import Final

-def construct_base_string(method, uri, params, host=None): ...
+SIGNATURE_HMAC_SHA1: Final = "HMAC-SHA1"
+SIGNATURE_RSA_SHA1: Final = "RSA-SHA1"
+SIGNATURE_PLAINTEXT: Final = "PLAINTEXT"
+SIGNATURE_TYPE_HEADER: Final = "HEADER"
+SIGNATURE_TYPE_QUERY: Final = "QUERY"
+SIGNATURE_TYPE_BODY: Final = "BODY"
+
+def construct_base_string(method, uri, params, host=None) -> str: ...
 def normalize_base_string_uri(uri, host=None): ...
-def normalize_parameters(params): ...
-def generate_signature_base_string(request): ...
-def hmac_sha1_signature(base_string, client_secret, token_secret): ...
-def rsa_sha1_signature(base_string, rsa_private_key): ...
-def plaintext_signature(client_secret, token_secret): ...
-def sign_hmac_sha1(client, request): ...
-def sign_rsa_sha1(client, request): ...
-def sign_plaintext(client, request): ...
-def verify_hmac_sha1(request): ...
-def verify_rsa_sha1(request): ...
-def verify_plaintext(request): ...
+def normalize_parameters(params) -> str: ...
+def generate_signature_base_string(request) -> str: ...
+def hmac_sha1_signature(base_string, client_secret, token_secret) -> str: ...
+def rsa_sha1_signature(base_string, rsa_private_key) -> str: ...
+def plaintext_signature(client_secret, token_secret) -> str: ...
+def sign_hmac_sha1(client, request) -> str: ...
+def sign_rsa_sha1(client, request) -> str: ...
+def sign_plaintext(client, request) -> str: ...
+def verify_hmac_sha1(request) -> bool: ...
+def verify_rsa_sha1(request) -> bool: ...
+def verify_plaintext(request) -> bool: ...
@@ -1,2 +1,2 @@
-def escape(s): ...
-def unescape(s): ...
+def escape(s) -> str: ...
+def unescape(s: str | bytes) -> str: ...
@@ -18,5 +18,5 @@ class OAuth2Error(AuthlibHTTPError):
        redirect_fragment: bool = False,
        error=None,
    ) -> None: ...
-    def get_body(self): ...
+    def get_body(self) -> list[Incomplete]: ...
    def __call__(self, uri=None): ...
@@ -42,7 +42,7 @@ class OAuth2Client:
        **metadata,
    ) -> None: ...
    def register_client_auth_method(self, auth) -> None: ...
-    def client_auth(self, auth_method): ...
+    def client_auth(self, auth_method) -> ClientAuth: ...
    @property
    def token(self): ...
    @token.setter
@@ -28,7 +28,7 @@ class AuthorizationServer(Hookable):
    def authenticate_client(self, request: OAuth2Request, methods: Collection[str], endpoint: str = "token") -> ClientMixin: ...
    def register_client_auth_method(self, method, func) -> None: ...
    def register_extension(self, extension) -> None: ...
-    def get_error_uri(self, request, error) -> None: ...
+    def get_error_uri(self, request, error): ...
    def send_signal(self, name, *args: object, **kwargs: object) -> None: ...
    def create_oauth2_request(self, request) -> OAuth2Request: ...
    def create_json_request(self, request) -> JsonRequest: ...
@@ -19,9 +19,9 @@ class AuthorizationCodeGrant(BaseGrant, AuthorizationEndpointMixin, TokenEndpoin
    def validate_token_request(self) -> None: ...
    def create_token_response(self) -> _ServerResponse: ...
    def generate_authorization_code(self) -> str: ...
-    def save_authorization_code(self, code: str, request: OAuth2Request) -> None: ...
+    def save_authorization_code(self, code: str, request: OAuth2Request): ...
    def query_authorization_code(self, code: str, client: ClientMixin): ...
-    def delete_authorization_code(self, authorization_code) -> None: ...
+    def delete_authorization_code(self, authorization_code): ...
    def authenticate_user(self, authorization_code): ...

 def validate_code_authorization_request(grant: AuthorizationCodeGrant) -> str: ...
@@ -36,7 +36,7 @@ class TokenEndpointMixin:
    TOKEN_ENDPOINT_HTTP_METHODS: Incomplete
    GRANT_TYPE: Incomplete
    @classmethod
-    def check_token_endpoint(cls, request: OAuth2Request): ...
+    def check_token_endpoint(cls, request: OAuth2Request) -> bool: ...
    def validate_token_request(self) -> None: ...
    def create_token_response(self) -> _ServerResponse: ...

@@ -8,4 +8,4 @@ class ResourceOwnerPasswordCredentialsGrant(BaseGrant, TokenEndpointMixin):
    GRANT_TYPE: str
    def validate_token_request(self) -> None: ...
    def create_token_response(self): ...
-    def authenticate_user(self, username, password) -> None: ...
+    def authenticate_user(self, username, password): ...
@@ -1,4 +1,6 @@
+from _typeshed import Incomplete
+
 def prepare_grant_uri(uri, client_id, response_type, redirect_uri=None, scope=None, state=None, **kwargs): ...
-def prepare_token_request(grant_type, body: str = "", redirect_uri=None, **kwargs): ...
-def parse_authorization_code_response(uri, state=None): ...
-def parse_implicit_response(uri, state=None): ...
+def prepare_token_request(grant_type, body: str = "", redirect_uri=None, **kwargs) -> str: ...
+def parse_authorization_code_response(uri, state=None) -> dict[Incomplete, Incomplete]: ...
+def parse_implicit_response(uri, state=None) -> dict[Incomplete, Incomplete]: ...
@@ -7,7 +7,7 @@ class TokenValidator:
    def __init__(self, realm=None, **extra_attributes) -> None: ...
    @staticmethod
    def scope_insufficient(token_scopes, required_scopes): ...
-    def authenticate_token(self, token_string) -> None: ...
+    def authenticate_token(self, token_string): ...
    def validate_request(self, request) -> None: ...
    def validate_token(self, token, scopes, request) -> None: ...

@@ -9,5 +9,5 @@ class TokenEndpoint:
    def __call__(self, request): ...
    def create_endpoint_request(self, request): ...
    def authenticate_endpoint_client(self, request): ...
-    def authenticate_token(self, request, client) -> None: ...
-    def create_endpoint_response(self, request) -> None: ...
+    def authenticate_token(self, request, client): ...
+    def create_endpoint_response(self, request): ...
@@ -1,5 +1,5 @@
 class OAuth2Token(dict[str, object]):
    def __init__(self, params) -> None: ...
-    def is_expired(self, leeway: int = 60): ...
+    def is_expired(self, leeway: int = 60) -> bool | None: ...
    @classmethod
    def from_dict(cls, token): ...
@@ -11,7 +11,7 @@ class InvalidTokenError(OAuth2Error):
    realm: Incomplete
    extra_attributes: Incomplete
    def __init__(self, description=None, uri=None, status_code=None, state=None, realm=None, **extra_attributes) -> None: ...
-    def get_headers(self): ...
+    def get_headers(self) -> list[tuple[str, str]]: ...

 class InsufficientScopeError(OAuth2Error):
    error: str
@@ -1,4 +1,4 @@
 def add_to_uri(token, uri): ...
 def add_to_headers(token, headers=None): ...
-def add_to_body(token, body=None): ...
+def add_to_body(token, body=None) -> str: ...
 def add_bearer_token(token, uri, headers, body, placement: str = "header"): ...
@@ -2,5 +2,5 @@ from authlib.oauth2.rfc6749 import TokenValidator

 class BearerTokenValidator(TokenValidator):
    TOKEN_TYPE: str
-    def authenticate_token(self, token_string) -> None: ...
+    def authenticate_token(self, token_string): ...
    def validate_token(self, token, scopes, request) -> None: ...
@@ -5,5 +5,5 @@ class RevocationEndpoint(TokenEndpoint):
    def authenticate_token(self, request, client): ...
    def check_params(self, request, client) -> None: ...
    def create_endpoint_response(self, request): ...
-    def query_token(self, token_string, token_type_hint) -> None: ...
-    def revoke_token(self, token, request) -> None: ...
+    def query_token(self, token_string, token_type_hint): ...
+    def revoke_token(self, token, request): ...
@@ -1,5 +1,5 @@
 def sign_jwt_bearer_assertion(
    key, issuer, audience, subject=None, issued_at=None, expires_at=None, claims=None, header=None, **kwargs
-): ...
-def client_secret_jwt_sign(client_secret, client_id, token_endpoint, alg: str = "HS256", claims=None, **kwargs): ...
-def private_key_jwt_sign(private_key, client_id, token_endpoint, alg: str = "RS256", claims=None, **kwargs): ...
+) -> bytes: ...
+def client_secret_jwt_sign(client_secret, client_id, token_endpoint, alg: str = "HS256", claims=None, **kwargs) -> bytes: ...
+def private_key_jwt_sign(private_key, client_id, token_endpoint, alg: str = "RS256", claims=None, **kwargs) -> bytes: ...
@@ -7,10 +7,10 @@ class ClientSecretJWT:
    claims: Incomplete
    headers: Incomplete
    def __init__(self, token_endpoint=None, claims=None, headers=None, alg=None) -> None: ...
-    def sign(self, auth, token_endpoint): ...
+    def sign(self, auth, token_endpoint) -> bytes: ...
    def __call__(self, auth, method, uri, headers, body): ...

 class PrivateKeyJWT(ClientSecretJWT):
    name: str
    alg: str
-    def sign(self, auth, token_endpoint): ...
+    def sign(self, auth, token_endpoint) -> bytes: ...
@@ -1,6 +1,8 @@
 from logging import Logger
 from typing import Final

+from authlib.jose.rfc7519.claims import JWTClaims
+
 ASSERTION_TYPE: Final[str]
 log: Logger

@@ -12,8 +14,8 @@ class JWTBearerClientAssertion:
    def __init__(self, token_url: str, validate_jti: bool = True, leeway: int = 60) -> None: ...
    def __call__(self, query_client, request): ...
    def create_claims_options(self): ...
-    def process_assertion_claims(self, assertion, resolve_key): ...
+    def process_assertion_claims(self, assertion, resolve_key) -> JWTClaims: ...
    def authenticate_client(self, client): ...
    def create_resolve_key_func(self, query_client, request): ...
-    def validate_jti(self, claims, jti) -> None: ...
-    def resolve_client_public_key(self, client, headers) -> None: ...
+    def validate_jti(self, claims, jti): ...
+    def resolve_client_public_key(self, client, headers): ...
@@ -1,6 +1,7 @@
 from logging import Logger
 from typing import ClassVar, Final

+from authlib.jose.rfc7519.claims import JWTClaims
 from authlib.oauth2.rfc6749 import BaseGrant, TokenEndpointMixin

 log: Logger
@@ -12,11 +13,11 @@ class JWTBearerGrant(BaseGrant, TokenEndpointMixin):
    LEEWAY: ClassVar[int]
    @staticmethod
    def sign(key, issuer, audience, subject=None, issued_at=None, expires_at=None, claims=None, **kwargs): ...
-    def process_assertion_claims(self, assertion): ...
+    def process_assertion_claims(self, assertion) -> JWTClaims: ...
    def resolve_public_key(self, headers, payload): ...
    def validate_token_request(self) -> None: ...
    def create_token_response(self): ...
-    def resolve_issuer_client(self, issuer) -> None: ...
-    def resolve_client_key(self, client, headers, payload) -> None: ...
-    def authenticate_user(self, subject) -> None: ...
-    def has_granted_permission(self, client, user) -> None: ...
+    def resolve_issuer_client(self, issuer): ...
+    def resolve_client_key(self, client, headers, payload): ...
+    def authenticate_user(self, subject): ...
+    def has_granted_permission(self, client, user) -> bool: ...
@@ -18,7 +18,7 @@ class ClientRegistrationEndpoint:
    def create_endpoint_request(self, request): ...
    def generate_client_id(self, request) -> str: ...
    def generate_client_secret(self, request) -> str: ...
-    def get_server_metadata(self) -> None: ...
-    def authenticate_token(self, request) -> None: ...
-    def resolve_public_key(self, request) -> None: ...
-    def save_client(self, client_info, client_metadata, request) -> None: ...
+    def get_server_metadata(self): ...
+    def authenticate_token(self, request): ...
+    def resolve_public_key(self, request): ...
+    def save_client(self, client_info, client_metadata, request): ...
@@ -14,11 +14,11 @@ class ClientConfigurationEndpoint:
    def create_update_client_response(self, client, request): ...
    def extract_client_metadata(self, request): ...
    def introspect_client(self, client): ...
-    def generate_client_registration_info(self, client, request) -> None: ...
-    def authenticate_token(self, request) -> None: ...
-    def authenticate_client(self, request) -> None: ...
-    def revoke_access_token(self, token, request) -> None: ...
-    def check_permission(self, client, request) -> None: ...
-    def delete_client(self, client, request) -> None: ...
-    def update_client(self, client, client_metadata, request) -> None: ...
-    def get_server_metadata(self) -> None: ...
+    def generate_client_registration_info(self, client, request): ...
+    def authenticate_token(self, request): ...
+    def authenticate_client(self, request): ...
+    def revoke_access_token(self, token, request): ...
+    def check_permission(self, client, request): ...
+    def delete_client(self, client, request): ...
+    def update_client(self, client, client_metadata, request): ...
+    def get_server_metadata(self): ...
@@ -6,6 +6,6 @@ class IntrospectionEndpoint(TokenEndpoint):
    def check_params(self, request, client) -> None: ...
    def create_endpoint_response(self, request): ...
    def create_introspection_payload(self, token): ...
-    def check_permission(self, token, client, request) -> None: ...
-    def query_token(self, token_string, token_type_hint) -> None: ...
-    def introspect_token(self, token) -> None: ...
+    def check_permission(self, token, client, request): ...
+    def query_token(self, token_string, token_type_hint): ...
+    def introspect_token(self, token): ...
@@ -2,6 +2,6 @@ from authlib.oauth2.rfc6749 import TokenValidator

 class IntrospectTokenValidator(TokenValidator):
    TOKEN_TYPE: str
-    def introspect_token(self, token_string) -> None: ...
+    def introspect_token(self, token_string): ...
    def authenticate_token(self, token_string): ...
    def validate_token(self, token, scopes, request) -> None: ...
@@ -1 +1 @@
-def get_well_known_url(issuer, external: bool = False, suffix: str = "oauth-authorization-server"): ...
+def get_well_known_url(issuer: str, external: bool = False, suffix: str = "oauth-authorization-server") -> str: ...
@@ -12,6 +12,6 @@ class DeviceCodeGrant(BaseGrant, TokenEndpointMixin):
    def validate_token_request(self) -> None: ...
    def create_token_response(self): ...
    def validate_device_credential(self, credential): ...
-    def query_device_credential(self, device_code) -> None: ...
-    def query_user_grant(self, user_code) -> None: ...
-    def should_slow_down(self, credential) -> None: ...
+    def query_device_credential(self, device_code): ...
+    def query_user_grant(self, user_code): ...
+    def should_slow_down(self, credential): ...
@@ -14,8 +14,8 @@ class DeviceAuthorizationEndpoint:
    def create_endpoint_response(self, request): ...
    def generate_user_code(self): ...
    def generate_device_code(self): ...
-    def get_verification_uri(self) -> None: ...
-    def save_device_credential(self, client_id, scope, data) -> None: ...
+    def get_verification_uri(self): ...
+    def save_device_credential(self, client_id, scope, data): ...

 def create_string_user_code(): ...
 def create_digital_user_code(): ...
@@ -1,8 +1,8 @@
 class DeviceCredentialMixin:
-    def get_client_id(self) -> None: ...
-    def get_scope(self) -> None: ...
-    def get_user_code(self) -> None: ...
-    def is_expired(self) -> None: ...
+    def get_client_id(self): ...
+    def get_scope(self): ...
+    def get_user_code(self): ...
+    def is_expired(self): ...

 class DeviceCredentialDict(dict[str, object], DeviceCredentialMixin):
    def get_client_id(self): ...
@@ -9,5 +9,5 @@ class JWTIntrospectionEndpoint(IntrospectionEndpoint):
    def create_endpoint_response(self, request): ...
    def authenticate_token(self, request, client): ...
    def create_introspection_payload(self, token): ...
-    def get_jwks(self) -> None: ...
+    def get_jwks(self): ...
    def get_username(self, user_id: str) -> str: ...
@@ -1,9 +1,10 @@
 from _typeshed import Incomplete
+from typing import NoReturn

 from authlib.oauth2.rfc7009 import RevocationEndpoint

 class JWTRevocationEndpoint(RevocationEndpoint):
    issuer: Incomplete
    def __init__(self, issuer, server=None, *args, **kwargs) -> None: ...
-    def authenticate_token(self, request, client) -> None: ...
-    def get_jwks(self) -> None: ...
+    def authenticate_token(self, request, client) -> NoReturn: ...
+    def get_jwks(self): ...
@@ -6,7 +6,7 @@ class JWTBearerTokenGenerator(BearerTokenGenerator):
    issuer: Incomplete
    alg: Incomplete
    def __init__(self, issuer, alg: str = "RS256", refresh_token_generator=None, expires_generator=None) -> None: ...
-    def get_jwks(self) -> None: ...
+    def get_jwks(self): ...
    def get_extra_claims(self, client, grant_type, user, scope): ...
    def get_audiences(self, client, user, scope) -> str | list[str]: ...
    def get_acr(self, user) -> str | None: ...
@@ -6,7 +6,7 @@ class JWTBearerTokenValidator(BearerTokenValidator):
    issuer: Incomplete
    resource_server: Incomplete
    def __init__(self, issuer, resource_server, *args, **kwargs) -> None: ...
-    def get_jwks(self) -> None: ...
+    def get_jwks(self): ...
    def validate_iss(self, claims, iss: str) -> bool: ...
    def authenticate_token(self, token_string): ...
    def validate_token(self, token, scopes, request, groups=None, roles=None, entitlements=None) -> None: ...
@@ -1,11 +1,9 @@
-from _typeshed import Incomplete
-
 from authlib.jose import JWTClaims

 __all__ = ["IDToken", "CodeIDToken", "ImplicitIDToken", "HybridIDToken", "UserInfo", "get_claim_cls_by_response_type"]

 class IDToken(JWTClaims):
-    ESSENTIAL_CLAIMS: Incomplete
+    ESSENTIAL_CLAIMS: list[str]
    def validate(self, now=None, leeway: int = 0) -> None: ...
    def validate_auth_time(self) -> None: ...
    def validate_nonce(self) -> None: ...
@@ -15,15 +13,15 @@ class IDToken(JWTClaims):
    def validate_at_hash(self) -> None: ...

 class CodeIDToken(IDToken):
-    RESPONSE_TYPES: Incomplete
+    RESPONSE_TYPES: tuple[str, ...]

 class ImplicitIDToken(IDToken):
-    RESPONSE_TYPES: Incomplete
-    ESSENTIAL_CLAIMS: Incomplete
+    RESPONSE_TYPES: tuple[str, ...]
+    ESSENTIAL_CLAIMS: list[str]
    def validate_at_hash(self) -> None: ...

 class HybridIDToken(ImplicitIDToken):
-    RESPONSE_TYPES: Incomplete
+    RESPONSE_TYPES: tuple[str, ...]
    def validate(self, now=None, leeway: int = 0) -> None: ...
    def validate_c_hash(self) -> None: ...

@@ -33,4 +31,4 @@ class UserInfo(dict[str, object]):
    def filter(self, scope: str) -> UserInfo: ...
    def __getattr__(self, key): ...

-def get_claim_cls_by_response_type(response_type): ...
+def get_claim_cls_by_response_type(response_type) -> type: ...
@@ -10,7 +10,7 @@ class OpenIDHybridGrant(OpenIDImplicitGrant):
    RESPONSE_TYPES: Incomplete
    GRANT_TYPE: str
    DEFAULT_RESPONSE_MODE: str
-    def generate_authorization_code(self): ...
-    def save_authorization_code(self, code, request) -> None: ...
-    def validate_authorization_request(self): ...
-    def create_granted_params(self, grant_user): ...
+    def generate_authorization_code(self) -> str: ...
+    def save_authorization_code(self, code, request): ...
+    def validate_authorization_request(self) -> str: ...
+    def create_granted_params(self, grant_user) -> list[tuple[str, str]]: ...
@@ -13,7 +13,7 @@ class OpenIDImplicitGrant(ImplicitGrant):
    def exists_nonce(self, nonce, request) -> bool: ...
    def get_jwt_config(self, client: OAuth2Client) -> dict[str, Incomplete]: ...
    def generate_user_info(self, user, scope) -> UserInfo: ...
-    def get_audiences(self, request): ...
+    def get_audiences(self, request) -> list[Incomplete]: ...
    def validate_authorization_request(self) -> str: ...
    def validate_consent_request(self) -> str: ...
    def create_authorization_response(self, redirect_uri, grant_user): ...
@@ -11,7 +11,7 @@ class UserInfoEndpoint:
    def __init__(
        self, server: AuthorizationServer | None = None, resource_protector: ResourceProtector | None = None
    ) -> None: ...
-    def create_endpoint_request(self, request: OAuth2Request): ...
+    def create_endpoint_request(self, request: OAuth2Request) -> OAuth2Request: ...
    def __call__(self, request: OAuth2Request) -> tuple[int, dict[str, str | None], list[tuple[str, str]]]: ...
    def generate_user_info(self, user, scope: str) -> UserInfo: ...
    def get_issuer(self) -> str: ...
@@ -1 +1,7 @@
-def create_half_hash(s: str, alg: str) -> str: ...
+from _typeshed import ReadableBuffer
+from collections.abc import Iterable
+from typing import SupportsBytes, SupportsIndex
+
+def create_half_hash(
+    s: str | bytes | float | Iterable[SupportsIndex] | SupportsIndex | SupportsBytes | ReadableBuffer, alg: str
+) -> bytes | None: ...
@@ -1,9 +1,7 @@
-from _typeshed import Incomplete
-
 from authlib.oauth2.rfc8414 import AuthorizationServerMetadata

 class OpenIDProviderMetadata(AuthorizationServerMetadata):
-    REGISTRY_KEYS: Incomplete
+    REGISTRY_KEYS: list[str]
    def validate_jwks_uri(self): ...
    def validate_acr_values_supported(self) -> None: ...
    def validate_subject_types_supported(self) -> None: ...
@@ -1 +1 @@
-def get_well_known_url(issuer, external: bool = False): ...
+def get_well_known_url(issuer: str, external: bool = False) -> str: ...