lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

InvalidClaimError "iss" because "options" inconsistent with "option_values" when using Azure's OAuth (templated endpoint) #605

Open sglebs opened 8 months ago

sglebs commented 8 months ago

Describe the bug

When using Azure OAuth via https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration , eventually you get an InvalidClaimError (iss). Debugging the code, I can see that _validate_claim_value in claims.py shows self with a slot whose value is 'https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0' (correct), but "options" is populated with {'values': ['https://login.microsoftonline.com/{tenantid}/v2.0']}

Note how in one value the {tenantid} is expanded but not in the other. This causes the bug.

Error Stacks

  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/integrations/starlette_client/apps.py", line 84, in authorize_access_token
    userinfo = await self.parse_id_token(token, nonce=state_data['nonce'], claims_options=claims_options)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/integrations/base_client/async_openid.py", line 78, in parse_id_token
    claims.validate(leeway=120)
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 35, in validate
    self.validate_iss()
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 117, in validate_iss
    self._validate_claim_value('iss')
  File "/Users/mqm/git/OC/SB/venv/lib/python3.11/site-packages/authlib/jose/rfc7519/claims.py", line 74, in _validate_claim_value
    raise InvalidClaimError(claim_name)
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "iss"

To Reproduce

You can implement a simple app like in https://blog.hanchon.live/guides/google-login-with-fastapi/ and provide, instead of Google, Microsoft values (secret ID etc) as described at https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app

With Google, things work fine. With Microsoft, perhaps because of this templating trick {tenantid}, you will get this error.

Expected behavior

It should work just like with Google OAuth and not throw this exception. The "iss" validation is not correct in this case. The templated value should be expanded so that this does not trigger an error:

        if option_values and value not in option_values:
            raise InvalidClaimError(claim_name)

When I debug, I see these values:

This causes the exception.

Environment:

Additional context

sglebs commented 8 months ago

For the record, the value that must replace the {tenantid} is stored in self in 'tid'.
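The mismatch described in the report (a concrete iss compared literally against the un-expanded template) and the follow-up note that tid carries the value to substitute, worked through as an added example. This is illustrative code written for this page, not Authlib's implementation or its fix; the function names, the InvalidClaimError stand-in and the sample claims are constructed for the example (the tenant id is the one quoted in the report). It also adds the check a practitioner wants once the template is expanded: with the /common endpoint the template accepts a correctly issued token from any tenant, so a single-tenant application should additionally pin tid to the tenant it expects.

```python
"""Issuer validation for a templated OIDC issuer such as Azure's
https://login.microsoftonline.com/{tenantid}/v2.0 (example code, not Authlib's)."""
import uuid

TENANT_PLACEHOLDER = "{tenantid}"

# Constructed sample data, not copied from a real token: the templated issuer that
# the /common/v2.0 discovery document advertises, and an ID token's claims for one
# concrete tenant. The tenant id is the one quoted in the issue report.
AZURE_COMMON_ISSUER_TEMPLATE = "https://login.microsoftonline.com/{tenantid}/v2.0"
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
    "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
    "sub": "constructed-subject",
}


class InvalidClaimError(ValueError):
    """Stand-in for authlib's error class (hypothetical, defined here for the example)."""

    def __init__(self, claim_name):
        super().__init__(f'Invalid claim "{claim_name}"')
        self.claim_name = claim_name


def naive_iss_check(claims, option_values):
    """Literal membership test, i.e. the comparison the issue describes failing:
    a concrete iss never equals the un-expanded template string."""
    return claims.get("iss") in option_values


def expand_issuer_template(template, claims):
    """Expand {tenantid} with the token's own tid claim.

    Returns None when the template cannot be expanded (no tid, or a tid that is
    not a GUID), so the caller treats that candidate issuer as not matching
    instead of substituting arbitrary text into the URL.
    """
    if TENANT_PLACEHOLDER not in template:
        return template
    tid = claims.get("tid")
    if not isinstance(tid, str):
        return None
    try:
        uuid.UUID(tid)  # Entra tenant ids are GUIDs; reject anything else
    except ValueError:
        return None
    return template.replace(TENANT_PLACEHOLDER, tid)


def validate_iss(claims, option_values, allowed_tenants=None):
    """Check iss against each allowed issuer after expanding templated ones.

    allowed_tenants: optional set of tenant ids. With the /common endpoint the
    template matches a correctly issued token from any tenant, so a single-tenant
    application must also pin tid, otherwise users of unrelated tenants pass
    issuer validation.
    """
    expanded = {expand_issuer_template(v, claims) for v in option_values}
    expanded.discard(None)
    if claims.get("iss") not in expanded:
        raise InvalidClaimError("iss")
    if allowed_tenants is not None and claims.get("tid") not in allowed_tenants:
        raise InvalidClaimError("tid")
    return True


def iss_is_valid(claims, option_values, allowed_tenants=None):
    """Boolean wrapper around validate_iss for callers that prefer no exception."""
    try:
        return validate_iss(claims, option_values, allowed_tenants)
    except InvalidClaimError:
        return False


if __name__ == "__main__":
    print(naive_iss_check(SAMPLE_CLAIMS, [AZURE_COMMON_ISSUER_TEMPLATE]))  # False
    print(iss_is_valid(SAMPLE_CLAIMS, [AZURE_COMMON_ISSUER_TEMPLATE]))     # True
    print(iss_is_valid(SAMPLE_CLAIMS, [AZURE_COMMON_ISSUER_TEMPLATE],
                       allowed_tenants={"00000000-0000-0000-0000-000000000000"}))  # False
```

The expansion deliberately takes tid from the token being validated: signature verification has already bound iss and tid together, so the substitution only makes the string comparison meaningful again. It does not decide which tenants are acceptable; that is what allowed_tenants is for, and a non-templated issuer such as Google's passes through unchanged with no tid required.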

AlexandreSev commented 2 months ago

Hello! I'm trying to integrate Azure SSO into my Flask application, and I suspect that this is the cause of my troubles =( Do you have any news on this? 🙏