Open sglebs opened 8 months ago
For the record, the value that must replace the {tenantid} is stored in self in 'tid'.
Hello! I'm trying to integrate Azure SSO into my Flask application, and I suspect that this is the cause of my troubles =( Do you have any news on this 🙏?
Describe the bug
When using Azure OAuth via https://login.microsoftonline.com/common/v2.0/.well-known/openid-configuration, eventually you get an InvalidClaimError (iss). Debugging the code, I can see that _validate_claim_value in claims.py shows self with a slot with value 'https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0' (correct) but "options" is populated with {'values': ['https://login.microsoftonline.com/{tenantid}/v2.0']}
Note how in one value the {tenantid} is expanded but not in the other. This causes the bug.
Error Stacks
To Reproduce
You can implement a simple app like in https://blog.hanchon.live/guides/google-login-with-fastapi/ and provide, instead of Google, Microsoft values (secret ID, etc.) as described at https://learn.microsoft.com/en-us/entra/identity-platform/quickstart-register-app
With Google, things work fine. With Microsoft, perhaps because of this templating trick {tenantid}, you will get this error.
Expected behavior
It should work just like with the Google OAuth and not throw this exception. The "iss" validation is not correct in this case. The templated value should be expanded so that this does not trigger an error:
When I debug, I see these values:
This causes the exception.
Environment:
Additional context
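The mismatch described in this issue, reproduced and then handled, as an added example (not code from Authlib or from the reporter): the templated issuer from the common/v2.0 discovery document never equals the concrete `iss` in a token, so a plain membership check fails. The check below expands `{tenantid}` from the token's `tid` claim, as the first comment notes, but only when `tid` looks like a GUID, and it optionally restricts which tenants are accepted so a multi-tenant issuer template does not silently admit every tenant. The `aud` value and the function names are assumptions; the `iss` and `tid` values are the ones quoted in the report.

```python
import re
from typing import Iterable, Mapping, Optional

# Constructed sample matching what the report describes: the expected value
# from the "common" discovery document keeps the {tenantid} placeholder,
# while the token's iss carries the real tenant id.
TEMPLATED_ISSUER = "https://login.microsoftonline.com/{tenantid}/v2.0"
SAMPLE_CLAIMS = {
    "iss": "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0",
    "tid": "9188040d-6c67-4c5b-b112-36a304b66dad",
    "aud": "example-client-id",  # constructed placeholder, not a real client id
}

# Only a well-formed GUID is allowed to replace the placeholder, so a crafted
# tid cannot turn the template into an unexpected issuer string.
_GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def naive_iss_matches(claims: Mapping[str, object], allowed: Iterable[str]) -> bool:
    """The comparison the issue complains about: exact membership only."""
    return claims.get("iss") in set(allowed)


def expected_issuer(template: str, claims: Mapping[str, object]) -> str:
    """Expand {tenantid} from the token's tid claim; pass other issuers through."""
    if "{tenantid}" not in template:
        return template
    tid = claims.get("tid")
    if not isinstance(tid, str) or not _GUID_RE.match(tid):
        raise ValueError("tid claim missing or not a GUID; cannot expand issuer template")
    return template.replace("{tenantid}", tid)


def validate_iss(
    claims: Mapping[str, object],
    allowed_issuers: Iterable[str],
    allowed_tenants: Optional[Iterable[str]] = None,
) -> bool:
    """True if iss equals one allowed issuer after template expansion.

    allowed_tenants, when given, pins a single-tenant app to its own tenant(s)
    even though the template would otherwise accept any tenant id.
    """
    iss = claims.get("iss")
    if not isinstance(iss, str):
        return False
    if allowed_tenants is not None and claims.get("tid") not in set(allowed_tenants):
        return False
    for template in allowed_issuers:
        try:
            if iss == expected_issuer(template, claims):
                return True
        except ValueError:
            # Unexpandable template cannot match; try the next allowed issuer.
            continue
    return False


if __name__ == "__main__":
    print("naive check:", naive_iss_matches(SAMPLE_CLAIMS, [TEMPLATED_ISSUER]))
    print("expanded check:", validate_iss(SAMPLE_CLAIMS, [TEMPLATED_ISSUER]))
```

Comparing the expanded string for exact equality, rather than matching `iss` against a pattern, keeps the check strict: a token whose `tid` does not agree with the tenant segment of its own `iss` is rejected, and non-templated issuers such as Google's continue to be compared verbatim.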