I'm having a bit of trouble with OpenIDDict in combination with Python Authlib. The problem begins when there's an amr claim with a single value, since Python Authlib is applying the OIDC spec to the letter.
AMR - OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication.
Now OpenIDDict will write that claim as a single value when there's only a single value contained. Since I'm using OpenIDDict as a "Protocol Translation Server" (e.g. make OIDC from anything else and pass through all amr claim values), I'm struggling to find a way to force it to write amr as an array always.
Can anyone provide insight here?
I'm struggling to find a way to force it to write amr as an array always.
You can force OpenIddict (or more exactly IdentityModel, the library it uses under the hood to generate JWT tokens) to produce a JSON array by explicitly using the "JSON_ARRAY" claim value type:
identity.AddClaim(new Claim(Claims.AuthenticationMethodReference, "[\"pwd\"]", JsonClaimValueTypes.JsonArray));
Note: future versions of OpenIddict (6.0 and higher) will automatically normalize the "amr" claim for you to ensure a JSON array is always returned, even if a single authentication method reference was added.
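As an added example (not code from the answer, from OpenIddict or from Authlib), the same JSON_ARRAY approach generalized to a helper that takes any number of authentication method references, plus a local check that decodes the issued token's payload to confirm the claim came out as an array. The issuer, audience, signing key and sample value are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;
using static OpenIddict.Abstractions.OpenIddictConstants;

public static class AmrClaims
{
    // Adds all authentication method references as ONE claim whose value is a
    // JSON array string, so IdentityModel emits "amr": ["pwd"] rather than
    // "amr": "pwd" even when only a single method is present.
    public static void AddAmrAsArray(ClaimsIdentity identity, IEnumerable<string> methods)
    {
        var values = methods.Where(m => !string.IsNullOrWhiteSpace(m)).Distinct().ToArray();
        if (values.Length == 0) return; // amr is OPTIONAL: omit it rather than emit []

        // Serialize instead of hand-building "[\"pwd\"]" so quotes or backslashes
        // inside a value are escaped correctly.
        var json = JsonSerializer.Serialize(values);
        identity.AddClaim(new Claim(Claims.AuthenticationMethodReference, json, JsonClaimValueTypes.JsonArray));
    }

    // Decodes the payload segment of a compact JWT and reports whether "amr" is a JSON array.
    public static bool AmrIsArray(string token)
    {
        using var doc = JsonDocument.Parse(Base64UrlEncoder.Decode(token.Split('.')[1]));
        return doc.RootElement.TryGetProperty("amr", out var amr) && amr.ValueKind == JsonValueKind.Array;
    }

    public static void Main()
    {
        var identity = new ClaimsIdentity("Test");
        AddAmrAsArray(identity, new[] { "pwd" }); // the single-value case from the question
        // Constructed key for this local demonstration only, not a production secret.
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-that-is-at-least-32-bytes-long!!"));
        var token = new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",   // placeholder issuer
            Audience = "api.example",            // placeholder audience
            Subject = identity,
            SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256),
        });
        Console.WriteLine(AmrIsArray(token) ? "amr emitted as JSON array" : "amr emitted as scalar");
    }
}
```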