The Documentation says that I need to set a scope to do this.
In a delegated authorization scenario where a third-party client wants to call your API, **you must not use an ID token to call the API**. In addition to the lack of mechanisms to bind it to the client, there are several other reasons not to do this
So is there a way to do this without breaking the specs?
Hi @nicholas.irving, and welcome to the Auth0 Community!
You will have to set a custom claim on the Access Token with the amr you obtain from the ID Token using an action. Please take a look at this doc on how to set it up. Also, pay attention to the naming of the custom claim, as the key “amr” is restricted.
I hope this helps you, but let me know if you need more help!
Sincerely,
Teodor
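A sketch of the approach described in the reply above, added here as an example and not part of the original post or Auth0's own code: a post-login Action copies the authentication methods into a namespaced access-token claim, and the API checks that claim. The namespace `https://example.com/amr` and the helpers `amrFromEvent`, `requireAmr` and `demo` are assumptions for illustration; the method names are read from `event.authentication.methods`.

```javascript
// Assumed placeholder namespace: the bare key "amr" is restricted, so the
// custom claim is published under a URI-style name instead.
const AMR_CLAIM = 'https://example.com/amr';

// Collect the distinct method names (e.g. "pwd", "mfa") completed in this session.
function amrFromEvent(event) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return [...new Set(methods.map((m) => m.name))];
}

// Post-login Action handler: writes the methods onto the access token only.
const onExecutePostLogin = async (event, api) => {
  const amr = amrFromEvent(event);
  if (amr.length > 0) {
    api.accessToken.setCustomClaim(AMR_CLAIM, amr);
  }
};
// Actions load the handler from `exports`; the guard keeps this file runnable elsewhere.
if (typeof exports !== 'undefined') exports.onExecutePostLogin = onExecutePostLogin;

// API side: call this only after the access token's signature, issuer,
// audience and expiry have been validated. A bare "amr" key is ignored on
// purpose, so only the namespaced claim set by the Action is trusted.
function requireAmr(claims, required) {
  const amr = claims[AMR_CLAIM];
  return Array.isArray(amr) && amr.includes(required);
}

// Constructed sample: a login with password plus MFA, run against a stub `api`.
function demo() {
  const issued = {};
  const api = { accessToken: { setCustomClaim: (k, v) => { issued[k] = v; } } };
  const event = {
    authentication: {
      methods: [
        { name: 'pwd', timestamp: '2024-01-01T00:00:00.000Z' },
        { name: 'mfa', timestamp: '2024-01-01T00:00:05.000Z' },
      ],
    },
  };
  onExecutePostLogin(event, api); // body has no await, so it completes synchronously
  return { issued, mfaOk: requireAmr(issued, 'mfa') };
}
```
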