Closed
Description
Describe the bug
The AMR attribute (Authentication Methods References) is defined to be a list of strings as per OpenID specs. However ORCID (and possibly others?) is sending it as a string (usually "pwd" or "mfa"), which ultimately leads to:
```
2025-03-28 11:17:03,322 ERROR [apps] [app.py:875] Exception on /login/callback [GET]
Traceback (most recent call last):
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 1511, in wsgi_app
    response = self.full_dispatch_request()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 919, in full_dispatch_request
    rv = self.handle_user_exception(e)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 917, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 902, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/apps/authentication/routes.py", line 106, in callback
    token = oauth.provider.authorize_access_token().get("userinfo", {})
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 105, in authorize_access_token
    userinfo = self.parse_id_token(token, nonce=state_data['nonce'], claims_options=claims_options)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_openid.py", line 69, in parse_id_token
    claims.validate(leeway=leeway)
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 44, in validate
    self.validate_amr()
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 114, in validate_amr
    raise InvalidClaimError('amr')
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "amr"
```
I fully understand this does not comply with the specs and it should be fixed by ORCID, however I wonder if we can add a handler for this special case, to make it compatible.
To Reproduce
To reproduce this behavior you will need member API access (developer API does not include AMR attribute) on ORCID or access through CILogon.
Expected behavior
The expected behavior would be normal authentication (success), however the error above is being raised.
Environment:
- OS: Docker with debian:12
- Python Version: 3.12
- Authlib Version: 1.5.1
Additional context
N/A
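One way to tolerate the string-valued `amr` described in this issue without loosening validation for every provider, as an added example that is not Authlib's code and not from the issue author. The issuer URL, the `InvalidClaim` class and all function names are assumptions made for illustration, and the claim dictionaries are constructed.

```python
from typing import Any, Mapping

# Assumption: allow-list of issuers known to send amr as a bare string (placeholder URL).
LENIENT_ISSUERS = frozenset({"https://idp.example"})


class InvalidClaim(ValueError):
    """Hypothetical stand-in for a library's invalid-claim error."""


def validate_amr(claims: Mapping[str, Any]) -> None:
    """Strict check: amr, when present, must be a list of non-empty strings."""
    if "amr" not in claims:
        return
    amr = claims["amr"]
    if not isinstance(amr, list) or not all(isinstance(m, str) and m for m in amr):
        raise InvalidClaim("amr")


def normalize_amr(claims: Mapping[str, Any], lenient_issuers=LENIENT_ISSUERS) -> dict:
    """Return a copy of the claims with a bare-string amr wrapped in a list.

    Intended for claims taken from an ID token whose signature has already been
    verified. Only allow-listed issuers are coerced; any other type (int, dict,
    empty string) or any other issuer is left alone so strict validation rejects it.
    """
    out = dict(claims)
    amr = out.get("amr")
    if isinstance(amr, str) and amr and out.get("iss") in lenient_issuers:
        out["amr"] = [amr]
    return out


def has_method(claims: Mapping[str, Any], method: str) -> bool:
    """Policy helper: validate first, so `in` is list membership, never substring match."""
    validate_amr(claims)
    return method in claims.get("amr", [])


if __name__ == "__main__":
    sample = {"iss": "https://idp.example", "sub": "constructed-subject", "amr": "mfa"}
    fixed = normalize_amr(sample)
    print(fixed["amr"], has_method(fixed, "mfa"))
```

Validating before the membership test matters because `"pw" in "pwd"` is true on a raw string, which would let a policy check match a method the provider never asserted.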