[Openid-specs-ipsie] amr and auth_time claims usage in the real world
Dean H. Saxe
dean at thesax.es
Wed Jul 9 18:41:10 UTC 2025
I’m sharing this issue and comment via email for wide visibility to ensure
we can collect feedback from as many IdPs as possible on their use of the
amr and auth_time claims.
Please see https://github.com/openid/ipsie/issues/96#issuecomment-3053621466
to provide your feedback on how these claims are issued today by IdPs.
“If you are an IdP or have implemented an IdP, can you please document how
your service issues the amr and auth_time claims. Specifically, we want to
know:
-
Do you issue one or more values for the amr claim?
-
If so, is there any structure to the order of the values?
-
After primary authentication (e.g. password, passkey, MFA) do you later
perform any risk based authentication?
-
If so, do you change the amr after RBA, either by changing it to rba
or adding rba to the list of amr values?
-
Does your service change the auth_time value to match the time of the
RBA or does the value match the time of the initial authentication event?
We want to understand what the common patterns in use are in order to
minimize any disruption of existing services.”
Thanks,
-dhs
--
Dean H. Saxe
dean at thesax.es
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ipsie/attachments/20250709/2f84e757/attachment.htm>
More information about the Openid-specs-ipsie
mailing list