If amr claim is only available in the ID Token how can I validate the Access Token to check for MFA?

The Documentation says that I need to set a scope to do this.

In a delegated authorization scenario where a third-party client wants to call your API, **you must not use an ID token to call the API**. In addition to the lack of mechanisms to bind it to the client, there are several other reasons not to do this

So is there a way to do this without breaking the specs?

Hi @nicholas.irving, and welcome to the Auth0 Community!

You will have to set a custom claim on the Access Token with the amr you obtain from the ID Token using an action. Please take a look at this doc on how to set it up. Also, pay attention to the naming of the custom claim, as the key “amr” is restricted.

I hope this helps you, but let me know if you need more help!

Sincerely,
Teodor
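As an added example (not code from this thread or from Auth0's docs): a post-login Action that copies the login's authentication methods onto the Access Token under a namespaced claim, plus the check an API would run on the verified token payload. The claim name is a placeholder, and `event.authentication.methods` and `api.accessToken.setCustomClaim` are the Actions API as the author understands it.

```javascript
// Added example, not from the thread: an Auth0 post-login Action that
// exposes the login's authentication methods on the Access Token under a
// namespaced claim, and the matching API-side MFA check. The claim name
// is a placeholder (assumption); a bare "amr" key would be rejected.
const AMR_CLAIM = "https://example.com/claims/amr";

// event.authentication.methods is an array of { name, timestamp };
// the names are what Auth0 reports as amr (e.g. "pwd", "mfa").
function amrFromMethods(methods) {
  return (methods || []).map((m) => m.name);
}

// Core of the Action: copy the method names onto the Access Token.
function setAmrClaim(event, api) {
  const methods = event.authentication ? event.authentication.methods : [];
  api.accessToken.setCustomClaim(AMR_CLAIM, amrFromMethods(methods));
}

// Standard Action export; guarded so this file also runs as a plain script.
if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = async (event, api) => setAmrClaim(event, api);
}

// API side: run on a payload whose signature, issuer, audience and expiry
// have already been verified by your JWT library. Returns true only when
// the login included an MFA step.
function requireMfa(payload) {
  const amr = payload[AMR_CLAIM];
  return Array.isArray(amr) && amr.includes("mfa");
}

// Offline stand-in for the Actions runtime: collects the custom claims the
// Action would have written and returns them as a constructed token payload.
function simulateLogin(methods) {
  const payload = { sub: "auth0|constructed-user" };
  const api = {
    accessToken: { setCustomClaim(name, value) { payload[name] = value; } },
  };
  setAmrClaim({ authentication: { methods } }, api);
  return payload;
}
```

The API must still verify the JWT signature, issuer and audience before trusting the claim; `requireMfa` only answers the "was MFA used" question on an already-verified payload.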
