Authentication Context Claims Value Provider

The Authentication Context claims value provider accesses contextual information about the authentication session. This provider retrieves details like the authentication method (ACR), client information, and other context-specific attributes that describe how and by whom the authentication request was made.

The Authentication Context claims provider retrieves claims from the current authentication session context. These claims provide information about the authentication flow itself rather than the authenticated user, enabling authorization decisions based on how the user authenticated and which client initiated the request.

Use Cases

The Authentication Context claims value provider enables authorization and auditing scenarios that require information about the authentication session.

Common use cases include:

  • Authentication Strength: Include the Authentication Context Class Reference (ACR) value in tokens to indicate the authentication method used, enabling step-up authentication policies
  • Client Context: Add requesting client information to tokens so APIs can apply client-specific authorization rules or track usage by application
  • Audit Trail: Include authentication context in tokens for comprehensive audit logging that tracks both the user and the authentication method
  • Conditional Access: Enable APIs to make authorization decisions based on authentication context, such as requiring stronger authentication for sensitive operations
  • Multi-Factor Verification: Expose which authentication factors were used during login to downstream services for compliance verification

Getting Started

To create an Authentication Context claims value provider, sign in to the Admin UI and navigate to Profiles → Token Service → Scopes → Claims Providers.

Claims Value Providers. (Admin UI version: 10.6)

Select + New Claims Value Provider, give the provider a unique identifier and choose the Authentication Context type.

New claims value provider for authentication context in Admin UI. (Admin UI version: 10.6)

The provider automatically accesses the authentication session context when tokens are issued. No external connections or additional configuration is required.

Available Attributes

The Authentication Context claims value provider can expose the following attributes:

  • acr — The Authentication Context Class Reference used to authenticate the subject, indicating the authentication method strength
  • client — Information about the requesting client, containing:
    • id — The client identifier
    • name — The friendly name of the client
    • properties — Client configuration properties as a map

The Authentication Context claims value provider only returns attributes that exist in the current authentication session. The available attributes depend on the authentication flow and client configuration.
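The following is an added example, not part of the original page or the product's own code. It shows how a downstream API could enforce the step-up and client-specific rules described under Use Cases, and deny the request when the `acr` or `client` attribute is absent from the token. It assumes the token has already been validated (signature, issuer, audience, expiry) and that the attributes were mapped to claims named `acr` and `client` with the nested `id` field listed above. The `authorize` function, the `POLICY` table, the ACR URNs and the client ids are all hypothetical.

```python
# Constructed policy: operation -> ACR values and client ids accepted for it.
# The ACR URNs and client ids are placeholders, not values from the product.
POLICY = {
    "read_profile": {
        "acr": {"urn:example:acr:password", "urn:example:acr:mfa"},
        "clients": {"web-portal", "mobile-app"},
    },
    "transfer_funds": {
        "acr": {"urn:example:acr:mfa"},
        "clients": {"web-portal"},
    },
}


def authorize(claims, operation):
    """Return (allowed, reason). Fails closed on any missing attribute."""
    rule = POLICY.get(operation)
    if rule is None:
        return False, "unknown_operation"

    # The provider only emits attributes present in the session, so a
    # missing or malformed claim must be a denial, never a default allow.
    acr = claims.get("acr")
    if not isinstance(acr, str) or not acr:
        return False, "acr_missing"

    client = claims.get("client")
    client_id = client.get("id") if isinstance(client, dict) else None
    if not isinstance(client_id, str) or not client_id:
        return False, "client_missing"

    if client_id not in rule["clients"]:
        return False, "client_not_allowed"
    if acr not in rule["acr"]:
        # The caller can turn this reason into a step-up challenge.
        return False, "step_up_required"
    return True, "ok"


# Constructed sample payloads (already-decoded token claims).
MFA_TOKEN = {"sub": "alice", "acr": "urn:example:acr:mfa",
             "client": {"id": "web-portal", "name": "Web Portal", "properties": {}}}
PWD_TOKEN = {"sub": "alice", "acr": "urn:example:acr:password",
             "client": {"id": "web-portal", "name": "Web Portal", "properties": {}}}
NO_CTX_TOKEN = {"sub": "alice"}
```

Logging the returned reason alongside `sub`, `acr` and `client.id` gives the audit trail the use cases describe, recording both who called and how they authenticated.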
