About AMR and ACR Claims
When a user authenticates with their identity provider, the IDP passes information about them to Cloudentity using JSON Web Tokens (JWTs) or opaque tokens. Additional information can also be fetched, either from the OIDC userinfo endpoint or from an IDP-specific endpoint, such as the Azure Graph API or the GitHub Get User API.
The tokens consist of claims that provide useful context about the user and their authentication. Two of those claims are the amr and acr claims.
The amr (Authentication Methods Reference) claim is a JSON array of strings that identify all authentication methods used in the user's authentication. It can indicate, for example, that the user authenticated with facial recognition or with multi-factor authentication. For the registered values of the amr claim, see RFC 8176, Authentication Method Reference Values.
The acr (Authentication Context Class Reference) claim is a string that identifies the Authentication Context Class that the performed authentication satisfied. The acr values an IDP supports are provided to Cloudentity during OIDC IDP discovery in the acr_values_supported parameter.
For Open Banking compliance, both the amr and the acr claims are mandatory.
Some IDPs do not support the amr or acr claim but pass, for example, the authentication methods reference in a custom attribute. With Cloudentity's Extensions you can dynamically map the value of a custom attribute that comes from the IDP to the value of either the amr or acr claim.
Map Custom Attributes to ACR or AMR Claims
Learn More
For the instructions on how to create custom scripts and how to assign them to a specific identity provider, see Managing extensions documentation.
To map the value of an incoming custom attribute to the value of the amr or acr claim, use the following post-authentication script. Change the {custom_acr_attribute_name} and {custom_amr_attribute_name} placeholders to the names of the custom attributes that come from your identity provider.

```javascript
module.exports = async function(context) {
  return {
    // acr is a single string: the assurance level the IDP asserted
    acr: context.authn_ctx.{custom_acr_attribute_name},
    // amr is an array of strings; if the custom attribute is already
    // an array, pass it through instead of wrapping it in another array
    amr: [context.authn_ctx.{custom_amr_attribute_name}],
  };
}
```
If you wish to provide explicit values for the acr and amr claims, use the following script instead and change the {explicit_value} placeholders to the values of your choice:

```javascript
module.exports = async function(context) {
  return {
    // one Authentication Context Class Reference value
    acr: "{explicit_value}",
    // one or more RFC 8176 Authentication Method Reference values
    amr: ["{explicit_value}", "{explicit_value}"],
  };
}
```
Static vs Dynamic Configuration
Values set for the amr and acr claims using Cloudentity Extensions take precedence over any values set for those attributes in the IDP's advanced settings.