Auth_time using cilogon oidc triggering "Invalid claim"

Trying to test out OIDC from CILOGON with Indico 2.3 using Apache. Seems to be failing to pass validation of “auth_time”.

It looks like the file venv/lib/python2.7/site-packages/authlib/oidc/core/ is throwing an exception when “validate_auth_time” is called. The integer check is failing due to auth_time coming in as type = unicode. I was able to check the actual numbers are being passed but oddly the type isn’t integer.

If I just comment out the check or make it ignore the exception and just “pass” that block of code everything works fine.

Any idea if this can be related to cilogon? Apache? or just something I might have fat fingered?

OIDC did work with keycloak just fine.

Thanks in advance.

I have no idea what cilogon is… but it sounds more like a problem with cilogon or authlib than with indico or flask-multipass.

Since the oidc spec describes auth_time as something that sounds a lot like a number, I’d assume it’s a bug if it’s sent as a string…

Thanks for the clarification @ThiefMaster.

I will reach out to both parties and see if I can determine the root cause.