
InvalidClaimError "iss" because "options" inconsistent with "option_values" when using Azure's OAuth (templated endpoint) #605

Open
sglebs opened this issue Dec 17, 2023 · 1 comment

sglebs commented Dec 17, 2023

Describe the bug

When using Azure OAuth via https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration,
eventually you get an InvalidClaimError (iss). Debugging the code, I can see that _validate_claim_value in claims.py shows self with a slot with value 'https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0' (correct), but "options" is populated with {'values': ['https://login.microsoftonline.com/{tenantid}/v2.0']}.

Note how in one value the {tenantid} is expanded but not in the other. This causes the bug.

Error Stacks

  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/integrations/starlette_client/apps.py", line 84, in authorize_access_token
    userinfo = await self.parse_id_token(token, nonce=state_data['nonce'], claims_options=claims_options)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/integrations/base_client/async_openid.py", line 78, in parse_id_token
    claims.validate(leeway=120)
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 35, in validate
    self.validate_iss()
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 117, in validate_iss
    self._validate_claim_value('iss')
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 74, in _validate_claim_value
    raise InvalidClaimError(claim_name)
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iss"

To Reproduce

You can implement a simple app like in https://blog.hanchon.live/guides/google-login-with-fastapi/ and provide, instead of Google, Microsoft values (secret ID etc) as described at https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

With Google, things work fine. With Microsoft, perhaps because of this templating trick {tenantid}, you will get this error.

Expected behavior

It should work just like with the Google OAuth and not throw this exception. The "iss" validation is not correct in this case. The templated value should be expanded so that this does not trigger an error:

        if option_values and value not in option_values:
            raise InvalidClaimError(claim_name)

When I debug, I see these values:

This causes the exception.

Environment:

  • OS: macOS Ventura 13.6.3, MacBook Air M2
  • Python Version: 3.11.6
  • Authlib Version: 1.2.1

Additional context

sglebs commented Dec 17, 2023

For the record, the value that must replace the {tenantid} is stored in self in 'tid'.
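The check the report and the follow-up comment describe, as an added example that is not Authlib's code: expand the `{tenantid}` placeholder in the discovery document's issuer from the token's own `tid` claim, then compare `iss` exactly. The claim dict shape, the `InvalidClaimError` stand-in, the GUID check on `tid`, and the optional `allowed_tenants` allow-list are assumptions added here.

```python
import re

# Placeholder Azure uses in the "common" discovery document (from the report).
TENANT_PLACEHOLDER = "{tenantid}"
# Assumption: Azure tenant ids are GUIDs. Rejecting anything else stops a
# malformed "tid" from shaping the expanded issuer string.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


class InvalidClaimError(ValueError):
    """Stand-in (hypothetical) for authlib.jose.errors.InvalidClaimError."""

    def __init__(self, claim_name):
        super().__init__(f'Invalid claim "{claim_name}"')
        self.claim_name = claim_name


def expand_issuer(issuer_template: str, claims: dict) -> str:
    """Return the concrete issuer expected for this token.

    A non-templated issuer (the Google case) is returned unchanged. A templated
    one is filled from the token's "tid" claim, as the follow-up comment notes.
    """
    if TENANT_PLACEHOLDER not in issuer_template:
        return issuer_template
    tid = claims.get("tid")
    if not isinstance(tid, str) or not GUID_RE.match(tid):
        raise InvalidClaimError("tid")
    return issuer_template.replace(TENANT_PLACEHOLDER, tid)


def validate_iss(claims: dict, issuer_template: str, allowed_tenants=None) -> str:
    """Compare "iss" exactly with the expanded issuer and return the tenant id.

    allowed_tenants: optional set of tenant ids. With the "common" endpoint the
    issuer is only known after expansion, so an allow-list is what keeps the
    relying party from accepting tokens issued for any tenant at all.
    """
    expected = expand_issuer(issuer_template, claims)
    if claims.get("iss") != expected:
        raise InvalidClaimError("iss")
    tid = claims.get("tid", "")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise InvalidClaimError("tid")
    return tid
```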
