add check for null/missing AMR claim, fix tests

dauglyon · dauglyon · commit 591dbbb311aa · 2025-07-18T15:35:16.000-07:00
diff --git a/src/main/java/us/kbase/auth2/providers/OrcIDIdentityProviderFactory.java b/src/main/java/us/kbase/auth2/providers/OrcIDIdentityProviderFactory.java
@@ -269,7 +269,10 @@ private MfaStatus parseAmrClaim(final String jwt) throws IdentityRetrievalExcept
 					final Map<String, Object> claims = MAPPER.readValue(payload, Map.class);
 					
 					final Object amrClaim = claims.get("amr");
-					if (amrClaim instanceof List) {
+					if (amrClaim == null) {
+						// No AMR claim present - MFA status unknown
+						return MfaStatus.UNKNOWN;
+					} else if (amrClaim instanceof List) {
 						// OpenID Connect spec: AMR should be an array of strings
 						@SuppressWarnings("unchecked")
 						final List<String> amrList = (List<String>) amrClaim;
diff --git a/src/test/java/us/kbase/test/auth2/lib/identity/RemoteIdentityTest.java b/src/test/java/us/kbase/test/auth2/lib/identity/RemoteIdentityTest.java
@@ -22,7 +22,7 @@ public void remoteDetailsWithAllFields() throws Exception {
 		assertThat("incorrect fullname", dets.getFullname(), is("full"));
 		assertThat("incorrect email", dets.getEmail(), is("email"));
 		assertThat("incorrect mfa authenticated", dets.getMfa(), is(MfaStatus.UNKNOWN));
-		assertThat("incorrect hashcode", dets.hashCode(), is(-497844993));
+		assertThat("incorrect hashcode", dets.hashCode(), is(1166981462));
 		assertThat("incorrect toString()", dets.toString(),
 				is("RemoteIdentityDetails [username=user, fullname=full, email=email, mfa=UNKNOWN]"));
 	}
@@ -34,7 +34,7 @@ public void remoteDetailsWithEmptyFields() throws Exception {
 		assertThat("incorrect fullname", dets.getFullname(), is((String) null));
 		assertThat("incorrect email", dets.getEmail(), is((String) null));
 		assertThat("incorrect mfa authenticated", dets.getMfa(), is(MfaStatus.UNKNOWN));
-		assertThat("incorrect hashcode", dets.hashCode(), is(4522828));
+		assertThat("incorrect hashcode", dets.hashCode(), is(1669349283));
 		assertThat("incorrect toString()", dets.toString(),
 				is("RemoteIdentityDetails [username=user, fullname=null, email=null, mfa=UNKNOWN]"));
 		
@@ -43,7 +43,7 @@ public void remoteDetailsWithEmptyFields() throws Exception {
 		assertThat("incorrect fullname", dets2.getFullname(), is((String) null));
 		assertThat("incorrect email", dets2.getEmail(), is((String) null));
 		assertThat("incorrect mfa authenticated", dets2.getMfa(), is(MfaStatus.UNKNOWN));
-		assertThat("incorrect hashcode", dets2.hashCode(), is(4522828));
+		assertThat("incorrect hashcode", dets2.hashCode(), is(1669349283));
 		assertThat("incorrect toString()", dets2.toString(),
 				is("RemoteIdentityDetails [username=user, fullname=null, email=null, mfa=UNKNOWN]"));
 	}
@@ -116,7 +116,7 @@ public void identity() throws Exception {
 		final RemoteIdentity ri = new RemoteIdentity(id, dets);
 		assertThat("incorrect id", ri.getRemoteID(), is(id));
 		assertThat("incorrect details", ri.getDetails(), is(dets));
-		assertThat("incorrect hashcode", ri.hashCode(), is(124952370));
+		assertThat("incorrect hashcode", ri.hashCode(), is(194964923));
 		assertThat("incorrect toString()", ri.toString(),
 				is("RemoteIdentity [remoteID=RemoteIdentityID [provider=p, id=i], " +
 						"details=RemoteIdentityDetails [username=u, fullname=f, email=e, mfa=UNKNOWN]]"));
diff --git a/src/test/java/us/kbase/test/auth2/providers/OrcIDIdentityProviderTest.java b/src/test/java/us/kbase/test/auth2/providers/OrcIDIdentityProviderTest.java
@@ -573,7 +573,7 @@ public void getIdentityWithInvalidJWT() throws Exception {
 			fail("Expected IdentityRetrievalException");
 		} catch (IdentityRetrievalException e) {
 			assertThat("incorrect exception message", e.getMessage(), 
-					containsString("Unable to decode JWT from ORCID"));
+					containsString("Unable to parse JWT payload from ORCID"));
 		}
 	}
 	
diff --git a/src/test/java/us/kbase/test/auth2/service/api/TokenEndpointTest.java b/src/test/java/us/kbase/test/auth2/service/api/TokenEndpointTest.java
@@ -232,7 +232,7 @@ userName, userUuid, new DisplayName("Test User"), inst(10000))
 		assertThat("incorrect response code for token2", res2.getStatus(), is(200));
 		@SuppressWarnings("unchecked")
 		final Map<String, Object> response2 = res2.readEntity(Map.class);
-		assertThat("token2 should have MFA=false", response2.get("mfa"), is(MfaStatus.NOT_USED));
+		assertThat("token2 should have MFA=false", response2.get("mfa"), is(MfaStatus.NOT_USED.toString()));
 	}
 	
 	@Test

Original file line number	Diff line number	Diff line change
`@@ -573,7 +573,7 @@ public void getIdentityWithInvalidJWT() throws Exception {`
`573`	`573`	`fail("Expected IdentityRetrievalException");`
`574`	`574`	`} catch (IdentityRetrievalException e) {`
`575`	`575`	`assertThat("incorrect exception message", e.getMessage(),`
`576`		`- containsString("Unable to decode JWT from ORCID"));`
	`576`	`+ containsString("Unable to parse JWT payload from ORCID"));`
`577`	`577`	`}`
`578`	`578`	`}`
`579`	`579`
Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,7 @@ userName, userUuid, new DisplayName("Test User"), inst(10000))`
`232`	`232`	`assertThat("incorrect response code for token2", res2.getStatus(), is(200));`
`233`	`233`	`@SuppressWarnings("unchecked")`
`234`	`234`	`final Map<String, Object> response2 = res2.readEntity(Map.class);`
`235`		`- assertThat("token2 should have MFA=false", response2.get("mfa"), is(MfaStatus.NOT_USED));`
	`235`	`+ assertThat("token2 should have MFA=false", response2.get("mfa"), is(MfaStatus.NOT_USED.toString()));`
`236`	`236`	`}`
`237`	`237`
`238`	`238`	`@Test`