
Dynamically Setting AMR and ACR Claims Using Cloudentity Extensions

Learn what the Authentication Methods Reference (amr) and Authentication Context Class Reference (acr) claims are. Find out how you can map custom attributes to the amr and acr claims when an IDP does not support those claims.

About AMR and ACR Claims

When a user gets authenticated with their identity provider, the IDP passes information about them to Cloudentity using JSON Web Tokens (JWTs) or opaque tokens. Additional information can also be fetched, either from the OIDC userinfo endpoint or an IDP-specific endpoint, such as Azure Graph API or GitHub Get User API.

The tokens consist of claims that provide useful context information about the user and their authentication. Two of those claims are the amr and acr claims.

The amr (Authentication Methods Reference) claim is a JSON array of strings that identify all authentication methods used in the user's authentication. It can indicate, for example, that the user authenticated with facial recognition or with multi-factor authentication. For the possible values of the amr claim, see the RFC 8176 specification on Authentication Method Reference Values.

The acr (Authentication Context Class Reference) claim is a string that identifies the Authentication Context Class that the performed authentication satisfied. The possible acr values are provided to Cloudentity during OIDC IDP discovery in the acr_values_supported parameter.

For Open Banking compliance, both the amr and the acr claims are mandatory. Some IDPs do not support using the amr or acr claim, but, for example, pass information about the authentication methods reference in a custom attribute. With Cloudentity’s Extensions you can dynamically map the value of a custom attribute that comes from the IDP to the value of either the amr or acr claim.

Map Custom Attributes to ACR or AMR Claims

Learn More

For instructions on how to create custom scripts and how to assign them to a specific identity provider, see the Managing extensions documentation.

To map the value of an incoming custom attribute to the value of the amr or acr claim, use the following post-authentication script. Replace the {custom_acr_attribute_name} and {custom_amr_attribute_name} placeholders with the names of the custom attributes that come from your identity provider.

module.exports = async function(context) {
  return {
    // acr is a single string taken from the custom attribute
    acr: context.authn_ctx.{custom_acr_attribute_name},
    // amr must be a JSON array, so the custom attribute value is wrapped in one
    amr: [context.authn_ctx.{custom_amr_attribute_name}],
  };
}

If you wish to provide explicit values for the acr and amr claims, use the following script and replace the {explicit_value} placeholders with the values of your choice:

module.exports = async function(context) {
  return {
    acr: "{explicit_value}",
    amr: ["{explicit_value}", "{explicit_value}"],
  };
}
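The two scripts above each cover one case: a straight attribute copy, or fixed values. The following is an added example, not Cloudentity's own code, that combines the mapping with the input handling a practitioner usually needs: the IDP's custom attribute may be missing, may carry a comma-separated string instead of an array, and may use values that are not registered in RFC 8176. The attribute names idp_assurance_level and idp_auth_methods, the helper names, and the sample context are all constructed for this example. It assumes only what the page states: the script receives context.authn_ctx and the returned acr/amr keys become the claim values.

```javascript
// Added example (not Cloudentity's code). Assumed: a post-authentication
// extension receives `context.authn_ctx` and the `acr`/`amr` keys of the
// returned object become the token claims. Attribute names are constructed.
const ACR_ATTRIBUTE = "idp_assurance_level"; // constructed custom attribute name
const AMR_ATTRIBUTE = "idp_auth_methods";    // constructed custom attribute name

// Authentication Method Reference values registered by RFC 8176.
const RFC8176_AMR = new Set([
  "face", "fpt", "geo", "hwk", "iris", "kba", "mca", "mfa", "otp", "pin",
  "pop", "pwd", "rba", "retina", "sc", "sms", "swk", "tel", "user", "vbm", "wia",
]);

// Turn whatever the IDP sent (array, "pwd, OTP" string, null) into the
// lower-case, de-duplicated JSON array that the amr claim requires.
function normalizeAmr(raw) {
  if (raw === null || raw === undefined) return [];
  const values = Array.isArray(raw) ? raw : String(raw).split(/[,\s]+/);
  const out = [];
  for (const v of values) {
    const method = String(v).trim().toLowerCase();
    if (method && !out.includes(method)) out.push(method);
  }
  return out;
}

// Values that are not in the RFC 8176 registry. They are still passed through
// (the registry is not closed), but worth logging during IDP onboarding.
function unregisteredAmr(amr) {
  return amr.filter((m) => !RFC8176_AMR.has(m));
}

// Build the claims object the extension returns. Keys are omitted rather
// than set to undefined when the IDP did not send the attribute; whether
// Cloudentity then falls back to the IDP advanced settings is not stated on
// this page, so verify that behaviour in your environment.
function buildAuthClaims(authnCtx) {
  const claims = {};
  const acr = authnCtx[ACR_ATTRIBUTE];
  if (typeof acr === "string" && acr.trim() !== "") {
    claims.acr = acr.trim();
  }
  const amr = normalizeAmr(authnCtx[AMR_ATTRIBUTE]);
  if (amr.length > 0) {
    claims.amr = amr;
  }
  return claims;
}

// The actual extension entry point, same shape as the scripts on this page.
async function postAuthentication(context) {
  const authnCtx = (context && context.authn_ctx) || {};
  const claims = buildAuthClaims(authnCtx);
  const unknown = claims.amr ? unregisteredAmr(claims.amr) : [];
  if (unknown.length > 0) {
    console.log("amr values not registered in RFC 8176:", unknown.join(","));
  }
  return claims;
}

if (typeof module !== "undefined") {
  module.exports = postAuthentication;
}

// Constructed sample context, as an IDP might deliver it.
const sampleContext = {
  authn_ctx: {
    idp_assurance_level: " urn:example:loa:2 ",
    idp_auth_methods: "pwd, OTP,pwd",
  },
};

postAuthentication(sampleContext).then((claims) =>
  console.log(JSON.stringify(claims)) // {"acr":"urn:example:loa:2","amr":["pwd","otp"]}
);
```

The normalization matters because a single-element wrap such as `amr: [value]` silently produces `["pwd, OTP"]` when the IDP sends a delimited string, which downstream policy checks for `"mfa"` or `"otp"` will not match.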

Static vs Dynamic Configuration

Values set for the amr and acr claims using Cloudentity Extensions take precedence over any values set for those attributes in the IDP's advanced settings.