
Step-up authentication

Step-up authentication is a standard Login flow where the "remember me in browser" functionality is disabled. The user will always be required to confirm the login in their Vipps or MobilePay app.

Note: Step-up authentication is only available to merchants on the advanced pricing tier.

Making the authorization request

Add acr_values=urn:vipps:acr:app_auth to the standard OAuth 2.0 authorize request:

GET {authorization_endpoint}
?client_id={client_id}
&response_type=code
&scope=openid
&state={state}
&redirect_uri={redirect_uri}
&acr_values=urn:vipps:acr:app_auth

The acr claim

The returned ID token will include an acr claim confirming that step-up was used:

{
"sub": "c06c4afe-d9e1-4c5d-939a-177d752a0944",
"acr": "urn:vipps:acr:app_auth",
...
}

You can use this claim to verify that the user went through the step-up flow.
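
The following is an added example, not code from the Vipps MobilePay documentation: it builds the authorize request shown above and then gates a sensitive action on the acr claim. The helper names `build_step_up_request` and `require_step_up` are hypothetical, and the code assumes your OIDC library has already validated the ID token's signature, issuer, audience and expiry before the claims reach it.

```python
import hmac
import secrets
from urllib.parse import urlencode

STEP_UP_ACR = "urn:vipps:acr:app_auth"  # acr value documented on this page


class StepUpError(Exception):
    """Raised when a login cannot be treated as step-up authenticated."""


def build_step_up_request(authorization_endpoint, client_id, redirect_uri):
    """Return (url, state) for an authorize request that asks for step-up."""
    state = secrets.token_urlsafe(32)  # unpredictable, bound to this session
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": "openid",
        "state": state,
        "redirect_uri": redirect_uri,
        "acr_values": STEP_UP_ACR,
    })
    return f"{authorization_endpoint}?{query}", state


def require_step_up(verified_claims, expected_state, returned_state):
    """Return the subject only if the verified ID token confirms step-up.

    Assumption: verified_claims is the payload of an ID token that has
    already passed signature, iss, aud and exp validation.
    The authorize request travels through the user's browser, so the
    acr_values parameter alone proves nothing; the acr claim in the
    verified token is what the server must check.
    """
    if not hmac.compare_digest(expected_state.encode(), returned_state.encode()):
        raise StepUpError("state mismatch")
    acr = verified_claims.get("acr")
    if acr != STEP_UP_ACR:  # missing, different, or non-string acr all fail
        raise StepUpError(f"step-up not confirmed, acr={acr!r}")
    return verified_claims["sub"]
```

Call `require_step_up` in the redirect handler after the token exchange, and treat a `StepUpError` as a failed login for the protected action rather than falling back to the ordinary session.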