Hello Keycloak users.
Did anybody tried to do something with the amr claim sent by an IdP to Keycloak on
identity brokering?
We did a POC using Azure AD as an IdP with Keycloak. Azure AD is configured to force user
to do a multi factor authentication (MFA).
When I log to my application secured by Keycloak using my Azure AD identity The access
token recieved by Keycloak from Azure AD contains the following amr claim:
"amr": [
"pwd",
"mfa"
],
This claim tell that I was authentified using a password and mfa.
When I look to the access Token Keycloak gave me, there is no such amr claim?
Is there a way other than creating an SPI to propagate this claim from Azure AD access
token to Keycloak Access Token?
What we want to do is to ask a user that was not authentified by an external multi factor
authenticfiation to use the Keycloak OTP when accessing sensible applications.
Thankyou.