You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
| Generic OIDC | Yes | Yes | Works with any OIDC-compliant IdP that emits these claims (Keycloak, Microsoft Entra v1, PingFederate, Auth0 federation, Okta federation, and many others). |
46
-
| Microsoft (Entra ID / Azure AD) | v1.0 only | v1.0 only | v1.0 ID tokens include both. v2.0 tokens typically omit `acr` and `amr`. |
47
-
| Auth0 | Yes | Yes |`amr` contains `mfa` once the user completed an MFA challenge. The standard step-up `acr` value is `http://schemas.openid.net/pape/policies/2007/06/multi-factor`. |
48
-
| Okta (federation) | Yes | Yes | Predefined `acr` values such as `urn:okta:loa:1fa:any` and `urn:okta:loa:2fa:any`. `amr` values include `pwd`, `mfa`, `sms`, `hwk`, `fpt`, `face`. |
49
-
| Keycloak | Yes | Yes (recent versions) |`acr` is mapped from the Level-of-Authentication config. `amr` is populated by the dedicated AMR protocol mapper. |
50
-
| Ping Identity (PingAM, PingFederate, PingOne AIC) | Yes (opt-in) | Yes (opt-in) | Neither claim is added by default. Configure them through Authentication Journeys or "Force ACR in ID Token". |
51
-
| Google | No | No | Google's OIDC implementation does not issue `acr` or `amr`. |
52
-
| Apple (Sign in with Apple) | No | No | Not part of Apple's documented ID-token schema. |
53
-
| Facebook, GitHub, GitLab, Discord, Slack, Spotify, Amazon, LinkedIn, Yandex, VK, NetID, Dingtalk, Patreon | No | No | OAuth2-only or non-standard OIDC; no `acr` or `amr` surfaced. |
40
+
Not every OIDC provider returns `acr` or `amr`, and the values they emit vary widely. Check your provider's documentation to see
41
+
whether it includes these claims in the ID token and which values map to a multi-factor authentication.
54
42
55
43
You can still configure the allowlist for any provider — Ory simply records the upstream values and never matches when the
56
44
provider doesn't emit them.
@@ -194,14 +182,14 @@ still recorded under `upstream_acr` / `upstream_amr` for auditing.
194
182
195
183
## Troubleshooting
196
184
197
-
**The session is still AAL1 after a successful login.** Check that the upstream provider actually emits the claim. You can inspect
185
+
The session is still AAL1 after a successful login:Check that the upstream provider actually emits the claim. You can inspect
198
186
the raw ID token claims from the Jsonnet data mapper through `std.extVar('claims').raw_claims.acr` and
199
187
`std.extVar('claims').raw_claims.amr`. If the provider doesn't surface the claim, request it explicitly through `acr_values` or
200
188
`requested_claims`.
201
189
202
-
**The `upstream_acr` field is empty even though the upstream sent it.** Make sure your provider config has
190
+
The `upstream_acr` field is empty even though the upstream sent it:Make sure your provider config has
203
191
`claims_source: id_token` (the default) or, if you set `claims_source: userinfo`, that the userinfo endpoint also returns the
204
192
`acr`claim. Some providers only include `acr`/`amr` in the ID token.
205
193
206
-
**The session is AAL2 but the user never completed MFA.** Audit the configured allowlists carefully. An `acr` value such as `0` or
194
+
The session is AAL2 but the user never completed MFA:Audit the configured allowlists carefully. An `acr` value such as `0` or
207
195
`urn:mace:incommon:iap:bronze`typically means "no MFA was performed" — do not include those values in `aal2_acr_values`.
0 commit comments