Enabling OIDC Web: The faceauth Scopes
A scope activates the in-browser face verification. Add exactly one of the following to your authorization request (alongside openid):
| Scope | Verification level | User experience |
|---|---|---|
faceauth_dynamic_only | Dynamic Liveness (Genuine Presence Assurance) | Straight to the in-browser face scan. Recommended. |
faceauth_express_only | Express Liveness | Straight to the in-browser face scan. |
Notes:
- Both scopes take the user straight to the in-browser verification page — the pure OIDC Web experience.
- Choose the level deliberately. Dynamic Liveness is iProov's strongest assurance: a short screen-illuminated scan that defeats photos, videos, masks, deepfakes, and injected imagery. Use Dynamic Liveness where impersonation must be ruled out. Express Liveness is faster and lighter; use it for low-risk, high-frequency checks. The ID token's
acrclaim (see Reading the Result) reports the level performed:face_present:iproov:gpafor Dynamic,face_present:iproov:lafor Express. - iProov can also pre-configure scopes on your client via the Extra scopes field of your iPortal application (see Registering Your Application), so every request from that client gets them automatically. Pre-configuration helps when the software initiating the login does not let you customize scopes — identity and access management (IAM) products are a common example.
Face-verification requests are face-only. When a
faceauth_*scope is present, OIDC Web treats the request as a pure verification. Identity-data scopes you may add (profile,address, …) are ignored. No refresh tokens are issued, andoffline_accessis ignored: by design, every authentication is a fresh live verification. The claims you do receive are listed in Reading the Result.