[keycloak-user] Using the amr claim in access token when brokering with Azure AD
Philippe Gauthier
philippe.gauthier at inspq.qc.ca
Thu Nov 28 08:27:53 EST 2019
Hello Keycloak users.
Did anybody tried to do something with the amr claim sent by an IdP to Keycloak on identity brokering?
We did a POC using Azure AD as an IdP with Keycloak. Azure AD is configured to force user to do a multi factor authentication (MFA).
When I log to my application secured by Keycloak using my Azure AD identity The access token recieved by Keycloak from Azure AD contains the following amr claim:
"amr": [
"pwd",
"mfa"
],
This claim tell that I was authentified using a password and mfa.
When I look to the access Token Keycloak gave me, there is no such amr claim?
Is there a way other than creating an SPI to propagate this claim from Azure AD access token to Keycloak Access Token?
What we want to do is to ask a user that was not authentified by an external multi factor authenticfiation to use the Keycloak OTP when accessing sensible applications.
Thankyou.
More information about the keycloak-user
mailing list