**Describe the bug**

When using Azure OAuth via https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration, eventually you get an InvalidClaimError (iss). Debugging the code, I can see that _validate_claim_value in claims.py shows self with a slot with value 'https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0' (correct) but "options" is populated with {'values': ['https://login.microsoftonline.com/{tenantid}/v2.0']}

Note how in one value the {tenantid} is expanded but not in the other. This causes the bug.

**Error Stacks**

```
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/integrations/starlette_client/apps.py", line 84, in authorize_access_token
    userinfo = await self.parse_id_token(token, nonce=state_data['nonce'], claims_options=claims_options)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/integrations/base_client/async_openid.py", line 78, in parse_id_token
    claims.validate(leeway=120)
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 35, in validate
    self.validate_iss()
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 117, in validate_iss
    self._validate_claim_value('iss')
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 74, in _validate_claim_value
    raise InvalidClaimError(claim_name)
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iss"
```

**To Reproduce**

You can implement a simple app like in https://blog.hanchon.live/guides/google-login-with-fastapi/ and provide, instead of Google, Microsoft values (secret ID, etc.) as described at https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

With Google, things work fine. With Microsoft, perhaps because of this templating trick {tenantid}, you will get this error.

**Expected behavior**

It should work just like with Google OAuth and not throw this exception. The "iss" validation is not correct in this case. The templated value should be expanded so that this does not trigger an error:

```python
if option_values and value not in option_values:
    raise InvalidClaimError(claim_name)
```

When I debug, I see these values:

This causes the exception.

**Environment:**

**Additional context**

---

Hello!

I'm trying to integrate Azure SSO into my Flask application, and I suspect that this is the cause of my troubles =(

Do you have any news on this? 🙏
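An added example, not authlib's code and not from the issue, showing why the exact-match check in the traceback rejects every token when the metadata document carries the templated issuer, and one way a relying party can validate `iss` against it: fill `{tenantid}` from the token's own `tid` claim, require the expanded value to match, and pin the tenants the app trusts, since the common endpoint otherwise accepts tokens from any tenant. The function names, the `GUID_RE` check and the claim dict are assumptions; the sample values are modelled on the ones quoted above.

```python
import re

# Constructed sample values, modelled on the ones quoted in the issue; the claim
# dict is a hypothetical subset of an ID token (only "iss" and "tid" matter).
TEMPLATED_ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
    "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
}
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")

class InvalidClaimError(ValueError):
    pass

def naive_validate_iss(claims, allowed_issuers):
    """Exact-match check from the traceback: the templated value never equals
    the concrete issuer, so every token from the common endpoint is rejected."""
    if claims.get("iss") not in allowed_issuers:
        raise InvalidClaimError("iss")

def expand_issuer(template, claims):
    """Fill {tenantid} from the token's own tid claim (hypothetical helper);
    None when the template needs a tenant but the token carries no valid one."""
    if "{tenantid}" not in template:
        return template
    tid = claims.get("tid")
    if not tid or not GUID_RE.fullmatch(tid):
        return None
    return template.replace("{tenantid}", tid)

def validate_iss(claims, allowed_issuers, allowed_tenants=None):
    """Compare against expanded issuers, then optionally pin the tenants this app
    trusts: the common endpoint otherwise accepts a token minted for any tenant."""
    iss = claims.get("iss")
    expanded = [e for e in (expand_issuer(t, claims) for t in allowed_issuers) if e]
    if iss not in expanded:
        raise InvalidClaimError("iss")
    if allowed_tenants is not None and claims.get("tid") not in allowed_tenants:
        raise InvalidClaimError("tid")
    return iss

def iss_is_valid(validator, claims, allowed_issuers, **kwargs):
    """Boolean wrapper so the two checks can be compared side by side."""
    try:
        validator(claims, allowed_issuers, **kwargs)
        return True
    except InvalidClaimError:
        return False
```

With a tenant-specific metadata document the issuer is already concrete and `expand_issuer` passes it through unchanged, so the same validator covers both configurations.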