
'amr' value

The amr value, described in OpenID Connect Core section 2, "ID Token", identifies the authentication methods that were used in the authentication. onePortal includes the amr JSON array value in the ID token by default.

The OpenID Connect specification does not define the string values that may appear in the amr value. RFC 8176 establishes a number of suggested values. onePortal supports a subset of those suggestions.

Value  Description
mfa    Multiple factor authentication. Returned if "pwd" and one other method were used to sign in.
otp    One-time password (TOTP or HOTP) was used.
pwd    User entered a password to sign in.
sms    User entered a code they received via an SMS (text message) sent to the user's registered mobile number.

ID token after password-only authentication

{
  "id_token": {
    "amr": [
      "pwd"
    ],
    "at_hash": "UIejIhBKSrth201ZTTZrxA",
    "aud": [
      "6324127051294819"
    ],
    "auth_time": 1535616780,
    "azp": "6324127051294819",
    "exp": 1536221581,
    "iat": 1535616781,
    "iss": "https://devel3.t5.fi",
    "nonce": "9AzzrW8L5KOohBrk",
    "sub": "58cfb7353874e103fc81ec5f"
  }
}

ID token after authenticating with password and OTP

{
  "id_token": {
    "amr": [
      "mfa",
      "otp",
      "pwd"
    ],
    "at_hash": "RD3a9rZ6FuuGeEksQSR44g",
    "aud": [
      "6324127051294819"
    ],
    "auth_time": 1535618565,
    "azp": "6324127051294819",
    "exp": 1536223366,
    "iat": 1535618566,
    "iss": "https://devel3.t5.fi",
    "nonce": "DxZs70N05vJrKiLo",
    "sub": "5a325c543874e16a85710c5e"
  }
}
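
Relying-party check of the amr value

The following is an added example, not onePortal code: one way a relying party could require multi-factor sign-in based on the amr values in the table above. It assumes the ID token's signature, iss, aud, exp and nonce have already been validated; the names AmrError, authentication_methods, require_mfa and SECOND_FACTORS are illustrative.

```python
# Added example: relying-party policy check on the 'amr' claim.
# Assumption: `claims` is the decoded payload of an ID token whose signature,
# iss, aud, exp and nonce were already validated elsewhere.

SECOND_FACTORS = {"otp", "sms"}  # second-factor values listed in the table above


class AmrError(Exception):
    """Raised when the amr claim is malformed or does not satisfy the policy."""


def authentication_methods(claims):
    """Return the amr values as a set, rejecting malformed claims."""
    amr = claims.get("amr")
    if amr is None:
        return set()  # claim absent: no method is asserted
    # Type check first: with a plain string, '"mfa" in amr' would be a
    # substring match and could pass a policy check by accident.
    if not isinstance(amr, list) or not all(isinstance(v, str) for v in amr):
        raise AmrError("amr must be a JSON array of strings")
    return set(amr)  # amr values are case-sensitive, so compare exactly


def require_mfa(claims):
    """Fail closed unless the token reports a password plus a second factor."""
    methods = authentication_methods(claims)
    if "mfa" not in methods:
        raise AmrError("multi-factor sign-in required, got %s" % sorted(methods))
    # Cross-check: per the table, "mfa" means "pwd" and one other method.
    if "pwd" not in methods or not (methods & SECOND_FACTORS):
        raise AmrError("'mfa' present without 'pwd' and a second factor")
    return sorted(methods & SECOND_FACTORS)


# Constructed inputs modelled on the two ID tokens shown on this page.
PWD_ONLY = {"amr": ["pwd"], "sub": "58cfb7353874e103fc81ec5f"}
PWD_OTP = {"amr": ["mfa", "otp", "pwd"], "sub": "5a325c543874e16a85710c5e"}

if __name__ == "__main__":
    print(require_mfa(PWD_OTP))
    try:
        require_mfa(PWD_ONLY)
    except AmrError as exc:
        print("rejected:", exc)
```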