Authentication Method Reference


Authentication Method Reference (amr) is an attribute within the OpenID Connect Identity Token.

Authentication Method Reference (amr) claim is defined and registered in the IANA "JSON Web Token Claims" registry. Additionally, JSON Web Token Claims also defines the "amr_values" Authentication Request parameter for requesting that a set of Authentication Method Reference Values be used for processing the Authentication Request.

The initial set of Authentication Method Reference Values and IANA Registry is defined within RFC 8176.

Relationship to Authentication Context Class Reference (acr)#

The Authentication Context Class Reference (acr) claim and acr_values request parameter are related to the Authentication Method Reference (amr) claim, but with important differences.

An Authentication Context Class specifies a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific Authentication Methods, either singly or in combination. Interactions using acr_values request that the specified Authentication Context Class be used and that the result should contain an acr claim saying which Authentication Context Class was satisfied. The acr claim in the reply states that the business rules for the class were satisfied -- not how they were satisfied.

In contrast, interactions using the amr claim make statements about the particular Authentication Methods that were used. This tends to be more brittle than using acr, since the Authentication Methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the deployment of new Authentication Methods.

More Information#

There might be more information for this subject on one of the following: