PWD is not found in the AMR claim if I log in using the following method:
- {{oktaUrl}}/api/v1/authn - POST with username and password as RAW JSON to get a session token.
- {{oktaUrl}}/oauth2/default/v1/authorize - Exchange the session token for an Authorization Code with the following params:
  - client_id
  - response_type = code
  - scope = openid offline_access
  - redirect_uri
  - state = state-XYZ1234
  - code_challenge_method = S256
  - code_challenge
  - sessionToken
- {{oktaUrl}}/oauth2/default/v1/token - Exchange the Authorization Code for all tokens.
```json
{
  "sub": "<okta user id>",
  "name": "DEV USER",
  "email": "devuser@XYZ.com",
  "ver": 1,
  "iss": "https://dev-82409540.okta.com/oauth2/default",
  "aud": "<client_id>",
  "iat": 1669360791,
  "exp": 1669364391,
  "jti": "........",
  "amr": [],
  "idp": "<idp id>",
  "sid": "......",
  "preferred_username": "devuser@XYZ.com",
  "auth_time": 1669360778,
  "at_hash": "......",
  "ds_hash": "......."
}
```
PWD is available in the AMR claim if I log in using the following method:
- {{oktaUrl}}/oauth2/default/v1/authorize - Paste into the browser with all the required params; it redirects to the Okta-hosted page for username and password.
  - client_id
  - response_type = code
  - scope = openid offline_access
  - redirect_uri
  - state = state-XYZ1234
  - code_challenge_method = S256
  - code_challenge
- {{oktaUrl}}/oauth2/default/v1/token - Exchange the Authorization Code for all tokens.
```json
{
  <same as above except for amr>
  "amr": [
    "pwd"
  ],
  <same as above except for amr>
}
```
This is also happening when I use the embedded SDK (not the widget) to perform the login. Is it due to the authentication policy settings?
- In Authentication Policies → Rules, User must authenticate with Password/IdP option only.
- In Authenticators → Enrollment, password is set as required and the rest is set as optional (email, okta verify, phone and FIDO2)
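Added example, not from the post or from Okta's SDKs: a small Python check showing how an application that relies on the `amr` claim treats the two tokens above differently. The token-building helper and all claim values are constructed placeholders, and `payload_claims` only decodes the payload; it does not verify the signature, which a real relying party must do against the issuer's JWKS first.

```python
from __future__ import annotations
import base64
import json

# Constructed sample ID-token claims modelled on the two tokens in the post
# (placeholder values; no real user, tenant or token).
COMMON = {
    "sub": "00u-example", "iss": "https://example.okta.com/oauth2/default",
    "aud": "client-id-example", "iat": 1669360791, "exp": 1669364391,
    "auth_time": 1669360778, "preferred_username": "devuser@XYZ.com",
}
CLAIMS_SESSIONTOKEN_FLOW = {**COMMON, "amr": []}     # /api/v1/authn + sessionToken
CLAIMS_HOSTED_FLOW = {**COMMON, "amr": ["pwd"]}      # Okta-hosted sign-in page


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWT with an empty signature segment, for offline testing only."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."


def payload_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT. The signature is NOT checked
    here; verify it against the issuer's JWKS before trusting any claim."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def amr_check(claims: dict, required: set) -> tuple:
    """Decide whether the token proves every authentication method in `required`.
    An absent or empty amr (as in the sessionToken flow) is treated as unproven."""
    amr = claims.get("amr") or []
    if not isinstance(amr, list):
        return False, "amr claim is not a list"
    if not amr:
        return False, "amr is empty: token does not state how the user authenticated"
    missing = set(required) - set(amr)
    if missing:
        return False, f"required methods not present in amr: {sorted(missing)}"
    return True, "ok"
```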