Skip to main content
Version: v2.0 (latest)

Enabling OIDC Web: The faceauth Scopes

A scope activates the in-browser face verification. Add exactly one of the following to your authorization request (alongside openid):

ScopeVerification levelUser experience
faceauth_dynamic_onlyDynamic Liveness (Genuine Presence Assurance)Straight to the in-browser face scan. Recommended.
faceauth_express_onlyExpress LivenessStraight to the in-browser face scan.

Notes:

  • Both scopes take the user straight to the in-browser verification page — the pure OIDC Web experience.
  • Choose the level deliberately. Dynamic Liveness is iProov's strongest assurance: a short screen-illuminated scan that defeats photos, videos, masks, deepfakes, and injected imagery. Use Dynamic Liveness where impersonation must be ruled out. Express Liveness is faster and lighter; use it for low-risk, high-frequency checks. The ID token's acr claim (see Reading the Result) reports the level performed: face_present:iproov:gpa for Dynamic, face_present:iproov:la for Express.
  • iProov can also pre-configure scopes on your client via the Extra scopes field of your iPortal application (see Registering Your Application), so every request from that client gets them automatically. Pre-configuration helps when the software initiating the login does not let you customize scopes — identity and access management (IAM) products are a common example.

Face-verification requests are face-only. When a faceauth_* scope is present, OIDC Web treats the request as a pure verification. Identity-data scopes you may add (profile, address, …) are ignored. No refresh tokens are issued, and offline_access is ignored: by design, every authentication is a fresh live verification. The claims you do receive are listed in Reading the Result.