[Openid-specs-fapi] Issue #301: 5.2.3. - 6 Is `amr` always required? (openid/fapi)

Nat issues-reply at bitbucket.org
Wed Jul 15 10:08:28 UTC 2020

New issue 301: 5.2.3. - 6 Is `amr` always required?

Nat Sakimura:

The current text says: 

6\. shall verify that the `amr` claim in an ID Token contains values appropriate for the LoA indicated by the `acr` claim;

Question: is OB always returning `amr`? If so, what values are returned? 

Comment: Generally speaking, just relying on `acr` is considered a good practice. I was pointed out of this on twitter by @{557058:f2531241-0a68-460b-a90c-d09dee7554c3}

More information about the Openid-specs-fapi mailing list