5.2.3. - 6 Is `amr` always required?

Issue #301 invalid
Nat Sakimura created an issue

The current text says:

6. shall verify that the amr claim in an ID Token contains values appropriate for the LoA indicated by the acr claim;

Question: is OB always returning amr? If so, what values are returned?

Comment: Generally speaking, just relying on acr is considered a good practice. I was pointed out of this on twitter by @Nov Matake

Comments (2)

  1. Joseph Heenan

    That text has I believe been removed from the current master version, at the same time the acr clauses were removed.

    I don’t think OB generally returns amr, and the current FAPI conformance suite doesn’t do any checks on amr.

  2. Log in to comment