AMR attribute invalid format when coming from ORCID member API
Describe the bug
The AMR attribute (Authentication Methods References) is defined to be a list of strings as per OpenID specs. However, ORCID (and possibly others?) is sending it as a string (usually "pwd" or "mfa"), which ultimately leads to:
2025-03-28 11:17:03,322 ERROR [apps] [app.py:875] Exception on /login/callback [GET]
Traceback (most recent call last):
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 1511, in wsgi_app
    response = self.full_dispatch_request()
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 919, in full_dispatch_request
    rv = self.handle_user_exception(e)
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 917, in full_dispatch_request
    rv = self.dispatch_request()
         ^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/flask/app.py", line 902, in dispatch_request
    return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/apps/authentication/routes.py", line 106, in callback
    token = oauth.provider.authorize_access_token().get("userinfo", {})
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/integrations/flask_client/apps.py", line 105, in authorize_access_token
    userinfo = self.parse_id_token(token, nonce=state_data['nonce'], claims_options=claims_options)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/integrations/base_client/sync_openid.py", line 69, in parse_id_token
    claims.validate(leeway=leeway)
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 44, in validate
    self.validate_amr()
  File "/home/italo/dashboard/venv/lib/python3.11/site-packages/authlib/oidc/core/claims.py", line 114, in validate_amr
    raise InvalidClaimError('amr')
authlib.jose.errors.InvalidClaimError: invalid_claim: Invalid claim "amr"
I fully understand this does not comply with the specs and it should be fixed by ORCID; however, I wonder if we can add a handler for this special case, to make it compatible.
To Reproduce
To reproduce this behavior you will need member API access (the developer API does not include the AMR attribute) on ORCID or access through CILogon.
Expected behavior
The expected behavior would be normal authentication (success), however the error above is being raised.
Environment:
- OS: Docker with debian:12
- Python Version: 3.12
- Authlib Version: 1.5.1
Additional context
N/A
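One way an application could handle the string form described in this report before spec validation runs, shown as an added example that is not Authlib's code and not part of the original report. `normalize_amr`, `used_method` and `AmrError` are hypothetical names, and the claim dictionaries in the comments and test are constructed samples.

```python
# Added illustration, not Authlib code. All names here are hypothetical.
from typing import Any


class AmrError(ValueError):
    """Raised when the amr claim has a shape that cannot be safely normalized."""


def normalize_amr(claims: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of claims whose 'amr' is a list of strings.

    A bare non-empty string (the form the report describes, e.g. "pwd" or
    "mfa") is wrapped as a one-element list. It is not split or otherwise
    interpreted. Any other shape is rejected rather than guessed at.
    """
    if "amr" not in claims:
        return dict(claims)  # the claim is optional, nothing to fix
    amr = claims["amr"]
    if isinstance(amr, str):
        if not amr.strip():
            raise AmrError("empty amr string")
        fixed = [amr]
    elif isinstance(amr, list) and all(isinstance(v, str) for v in amr):
        fixed = list(amr)
    else:
        raise AmrError(f"unsupported amr type: {type(amr).__name__}")
    return {**claims, "amr": fixed}


def used_method(claims: dict[str, Any], method: str) -> bool:
    """Exact-match test for an authentication method on the normalized list.

    Running `method in claims["amr"]` on the raw string form is a substring
    test, so normalizing first matters for any policy decision based on amr.
    """
    return method in normalize_amr(claims).get("amr", [])
```
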