Last Updated: Dec 3, 2024
Overview
“amr” and “acr” claims are added to the ID token issued when a user authenticates via MFA. When SSO is performed to renew the token, the new ID token does not contain these claims.
Applies To
- Claims
- ID Token
- Renew token
Solution
This is intentional behavior. The user is not authenticating via MFA on the second authorize call as they already have an existing session.
Although the token issued by the second call may derive from a session that involved MFA, that earlier MFA is not considered relevant, since MFA did not occur in this particular exchange.
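One way an application can handle this behavior, shown as an added example that is not part of the original article or any vendor's code: it records MFA from the ID token that carries "amr" and treats a renewed token without the claim as carrying no new MFA evidence. The helper names, the constructed tokens, the "mfa" value (from RFC 8176) and the maximum-age policy are assumptions.

```javascript
// Added example with hypothetical helper names and constructed tokens.
// Assumes signature, issuer and audience were already validated by your OIDC library.

function decodePayload(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// True only when this token itself reports MFA ("mfa" is the RFC 8176 amr value).
function mfaInThisExchange(payload) {
  return Array.isArray(payload.amr) && payload.amr.includes("mfa");
}

// Record MFA time from a token that carries amr; a renewed token without amr
// is neither new MFA evidence nor a reason to erase what the login established.
function updateSession(session, idToken) {
  const payload = decodePayload(idToken);
  return mfaInThisExchange(payload) ? { ...session, mfaAt: payload.iat } : session;
}

// Assumed policy: sensitive actions need MFA no older than maxAgeSeconds.
function needsStepUp(session, nowSeconds, maxAgeSeconds) {
  return session.mfaAt === undefined || nowSeconds - session.mfaAt > maxAgeSeconds;
}

// Build a constructed token for the demo (signature segment is a placeholder).
function makeToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const loginToken = makeToken({ sub: "user-1", iat: 1000, amr: ["mfa"] });
const renewedToken = makeToken({ sub: "user-1", iat: 2000 }); // SSO renewal: no amr/acr

let session = updateSession({}, loginToken);
session = updateSession(session, renewedToken);
console.log(session, needsStepUp(session, 2100, 3600), needsStepUp(session, 5000, 3600));
```

If a sensitive action needs fresh MFA, start a new interactive authentication instead of relying on a renewed token.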