OpenID Connect: amr value

The amr value, as described in the OpenID Connect Core section 2. ID Token, reveals what authentication methods were used in the authentication. onePortal includes the amr JSON array value in the ID token by default.

The OpenID Connect specification does not specify the possible string values included in the amr value. RFC-8176 establishes a number of suggested values. onePortal supports a subset of those suggestions.

Value	Description
mfa	Multiple factor authentication. Returned if "pwd" and one other method was used to sign-in.
otp	One-time password (TOTP or HOTP) was used.
pwd	User entered password to sign-in.
sms	User entered a code they received via a SMS (text message) sent to user's registered mobile number.

ID token after password-only authentication

"id_token": {
    "amr": [
        "pwd"
    ],
    "at_hash": "UIejIhBKSrth201ZTTZrxA",
    "aud": [
        "6324127051294819"
    ],
    "auth_time": 1535616780,
    "azp": "6324127051294819",
    "exp": 1536221581,
    "iat": 1535616781,
    "iss": "https://devel3.t5.fi",
    "nonce": "9AzzrW8L5KOohBrk",
    "sub": "58cfb7353874e103fc81ec5f"
},

ID token after authenticating with password and OTP

"id_token": {
    "amr": [
        "mfa",
        "otp",
        "pwd"
    ],
    "at_hash": "RD3a9rZ6FuuGeEksQSR44g",
    "aud": [
        "6324127051294819"
    ],
    "auth_time": 1535618565,
    "azp": "6324127051294819",
    "exp": 1536223366,
    "iat": 1535618566,
    "iss": "https://devel3.t5.fi",
    "nonce": "DxZs70N05vJrKiLo",
    "sub": "5a325c543874e16a85710c5e"
},

NOTE: Trivore ID Documentation has moved to https://trivoreid.com

The content on this site IS OUT OF DATE!

This space has been archived!

Please go ahead to the new site!

NOTE: Trivore ID Documentation has moved to https://trivoreid.com

The content on this site IS OUT OF DATE!

This space has been archived!