Skip to main content
Version: v2.0 (latest)

Reading the Result: Claims, acr, and Retries

A face-verification login deliberately returns verification metadata, not personal data. The ID token and the userinfo response carry these claims:

ClaimContent
subUnique per authentication session — never repeats. Do not use it to correlate logins; use the identifier you sent in login_hint.
acrThe verification level performed: face_present:iproov:gpa (Dynamic Liveness) or face_present:iproov:la (Express Liveness). Always check the value against the level you required.
amrThe methods used; includes face.
login_hintEcho of the identifier you sent — your binding between this result and your user.
email, preferred_usernameIf your login_hint was an email address, it is echoed back here.
id.iproov:face_presentAudit metadata about the verification: method, verifying server, and timestamp. Cryptographically bound to this request's state, so a result cannot be replayed into another login. No personal data.
id.iproov:validation_portrait_present(On request — ask via the claims request parameter.) A portrait captured during the scan as a data-URI image (Dynamic: passport-style crop; Express: wide-angle frame). Lets you run your own additional face matching without sharing a reference photo with iProov.

OIDC Web ignores any other requested claim and issues no refresh tokens.

Verify What You Received

Enforce a minimum acr in code — do not just trust that a token was issued:

claims = validated_id_token_claims
assert "face" in claims.get("amr", [])
assert claims.get("acr") == "face_present:iproov:gpa" # Dynamic Liveness

Retries

A login request gives the user up to 3 attempts at the face scan. After the third failure, the browser returns to your redirect_uri with a standard OIDC error response instead of a code. If the user cancels, the browser returns immediately with the same error response.

Issuing a new login request grants 3 new attempts. Whether and when to do that is your application's policy, as is locking the account or rate-limiting the source. OIDC Web does not enforce a global retry cap for you.