Dynamically Setting AMR and ACR Claims Using Cloudentity Extensions
Learn what are the authentication methods reference and authentication context class references. Find out how you can map custom attributes with AMR and ACR when an IDP does not support those claims.
About AMR and ACR Claims
When a user gets authenticated with their identity provider, the IDP passes information about them to Cloudentity using JSON Web Tokens (JWTs) or opaque tokens. Additional information can also be fetched, either from the OIDC userinfo endpoint or from an IDP-specific endpoint, such as the Azure Graph API or the GitHub Get User API.
The tokens consist of claims that provide useful context information about the user and their authentication. Two of those claims are the amr and acr claims.
The amr (Authentication Methods Reference) claim is a JSON array of strings that are identifiers for all authentication methods used in the user's authentication. It can indicate, for example, that the user authenticated with facial recognition or with multiple-factor authentication. For the possible values of the amr claim, see the RFC 8176 specification on Authentication Method Reference Values.
The acr claim is a string that specifies the Authentication Context Class Reference value identifying the Authentication Context Class that the performed authentication satisfied. The possible acr values are provided to Cloudentity during OIDC IDP discovery in the acr_values_supported parameter.
For Open Banking compliance, both the amr and the acr claims are mandatory. Some IDPs do not support the amr or acr claim but, for example, pass information about the authentication methods reference in a custom attribute instead. With Cloudentity's Extensions you can dynamically map the value of a custom attribute that comes from the IDP to the value of either the amr or acr claim.
Map Custom Attributes to ACR or AMR Claims
Learn more: for instructions on how to create custom scripts and how to assign them to a specific identity provider, see the Managing extensions documentation.
To map the value of an incoming custom attribute to the value of the amr or acr claim, use the following post-authentication script. Change the {custom_acr_attribute_name} and {custom_amr_attribute_name} placeholders to the names of the custom attributes that come from your identity provider.

    module.exports = async function(context) {
      return {
        // acr is a single string
        acr: context.authn_ctx.{custom_acr_attribute_name},
        // amr is an array of strings, so the single attribute value is wrapped in an array
        amr: [context.authn_ctx.{custom_amr_attribute_name}],
      };
    }
If you wish to provide explicit values for the acr and amr claims, use the following script instead, changing each {explicit_value} placeholder to the value of your choice:

    module.exports = async function(context) {
      return {
        // a fixed acr value
        acr: "{explicit_value}",
        // one or more fixed amr values
        amr: ["{explicit_value}", "{explicit_value}"],
      };
    }
Static vs Dynamic Configuration
Values set for the amr and acr claims using Cloudentity Extensions take precedence over any values set for those attributes in the IDP's advanced settings.