Reading the Result: Claims, acr, and Retries
A face-verification login deliberately returns verification metadata, not personal data. The ID token and the userinfo response carry these claims:
| Claim | Content |
|---|---|
sub | Unique per authentication session — never repeats. Do not use it to correlate logins; use the identifier you sent in login_hint. |
acr | The verification level performed: face_present:iproov:gpa (Dynamic Liveness) or face_present:iproov:la (Express Liveness). Always check the value against the level you required. |
amr | The methods used; includes face. |
login_hint | Echo of the identifier you sent — your binding between this result and your user. |
email, preferred_username | If your login_hint was an email address, it is echoed back here. |
id.iproov:face_present | Audit metadata about the verification: method, verifying server, and timestamp. Cryptographically bound to this request's state, so a result cannot be replayed into another login. No personal data. |
id.iproov:validation_portrait_present | (On request — ask via the claims request parameter.) A portrait captured during the scan as a data-URI image (Dynamic: passport-style crop; Express: wide-angle frame). Lets you run your own additional face matching without sharing a reference photo with iProov. |
OIDC Web ignores any other requested claim and issues no refresh tokens.
Verify What You Received
Enforce a minimum acr in code — do not just trust that a token was issued:
claims = validated_id_token_claims
assert "face" in claims.get("amr", [])
assert claims.get("acr") == "face_present:iproov:gpa" # Dynamic Liveness
Retries
A login request gives the user up to 3 attempts at the face scan. After the third failure, the browser returns to your redirect_uri with a standard OIDC error response instead of a code. If the user cancels, the browser returns immediately with the same error response.
Issuing a new login request grants 3 new attempts. Whether and when to do that is your application's policy, as is locking the account or rate-limiting the source. OIDC Web does not enforce a global retry cap for you.