Include claim in id_token when MFA was used?

nicolas_sabena · October 24, 2018, 12:59am

Hi @martin.pain
When a user uses MFA to authenticate, the ID Token will have an amr (authentication method reference) claim in the payload with an mfa value in it. Note that amr is an array and there could be other possible values in the future, so the check should be something like:

mfaUsed = payload.amr && payload.amr.indexOf('mfa') >= 0;

This is a sample ID token payload with MFA used:

{
  "iss": "https://nico-sabena.auth0.com/",
  "sub": "xxxxxxxx",
  "aud": "xxxxxxxx",
  "iat": 1540342205,
  "exp": 1540345805,
  "acr": "http://schemas.openid.net/pape/policies/2007/06/multi-factor",
  "amr": [
    "mfa"
  ],
  "nonce": "nonce"
}

Take a look at Step-up authentication for details on this exact scenario.

Topic		Replies	Views
Determine MFA method used during user login Get Help jwt , mfa , login	4	3544	March 11, 2023
"amr" and "acr" Claims Omitted from ID Token on Renewal Knowledge Articles mfa , sso , id-token , claim	1	2888	August 10, 2022
Step up authentication not working Get Help mfa , push-via-auth0-guardian-factor	2	2473	December 21, 2022
Cannot determine if MFA was enrolled during first login Get Help login-experience , new-universal-login-experience	0	98	September 5, 2024
Request MFA with an already MFA authenticated token? Get Help	1	1779	July 26, 2022

Include claim in id_token when MFA was used?

Related topics