惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
C
Cybersecurity and Infrastructure Security Agency CISA
N
News and Events Feed by Topic
C
Cisco Blogs
Cisco Talos Blog
Cisco Talos Blog
A
Arctic Wolf
Scott Helme
Scott Helme
P
Palo Alto Networks Blog
S
Schneier on Security
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog
量子位
G
Google Developers Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
B
Blog RSS Feed
NISL@THU
NISL@THU
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
AWS News Blog
AWS News Blog
爱范儿
爱范儿
Last Week in AI
Last Week in AI
Y
Y Combinator Blog
L
LINUX DO - 最新话题
Security Archives - TechRepublic
Security Archives - TechRepublic
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
S
Secure Thoughts
Cloudbric
Cloudbric
aimingoo的专栏
aimingoo的专栏
L
Lohrmann on Cybersecurity
TaoSecurity Blog
TaoSecurity Blog
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Hacker News: Ask HN
Hacker News: Ask HN
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The GitHub Blog
The GitHub Blog
有赞技术团队
有赞技术团队
S
Security @ Cisco Blogs
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
C
Cyber Attacks, Cyber Crime and Cyber Security
G
GRAHAM CLULEY
P
Proofpoint News Feed
V
V2EX
Martin Fowler
Martin Fowler
C
CERT Recently Published Vulnerability Notes
Attack and Defense Labs
Attack and Defense Labs
C
CXSECURITY Database RSS Feed - CXSecurity.com
The Cloudflare Blog
SecWiki News
SecWiki News
罗磊的独立博客
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
小众软件
小众软件
The Last Watchdog
The Last Watchdog

Google Developers Blog

Expanding Choice in Gemini Enterprise Agent Platform: Introducing Grounding with Parallel Web Search- Google Developers Blog Building scalable AI agents with modular prompt transpilation- Google Developers Blog Systems Engineering Playbook: Optimizing Qwen 3.5-397B MoE on Ironwood (TPU7x)- Google Developers Blog Unlocking the Next Era of On-Device AI with Google Tensor and Pixel- Google Developers Blog LiteRT.js, Google's high performance Web AI Inference- Google Developers Blog Bridging the Domain Gap: AI Race Coach built with Antigravity and Gemini- Google Developers Blog We terminated a TPU mid-training and it recovered in seconds: Introduction to elastic training with MaxText- Google Developers Blog ML Development in VS Code with Google Cloud Power: Workbench Extension Now Available- Google Developers Blog Why we built ADK 2.0- Google Developers Blog Build agentic full-stack apps with Genkit- Google Developers Blog Driving the Agent Quality Flywheel from Your Coding Agent- Google Developers Blog Build reliable multi-agent applications with ADK Go 2.0. Discover our new graph-based workflow engine, built-in human-in-the-loop, and dynamic orchestration- Google Developers Blog Measuring What Matters with Jules- Google Developers Blog Build Cross-Language Multi-Agent Team with Google’s Agent Development Kit and A2A- Google Developers Blog How A2A is Building a World of Collaborative Agents- Google Developers Blog A2UI + MCP Apps: Combining the best of declarative and custom agentic UIs- Google Developers Blog Announcing the Agentic Resource Discovery specification- Google Developers Blog Unlocking the Power of the TPU Stack: Introducing our new Developer Hub- Google Developers Blog DiffusionGemma: The Developer Guide Introducing the Google Colab CLI Gemma 4 12B: The Developer Guide Bringing Gemma 4 12B to your Laptop: Unlocking Local, Agentic Workflows with Google AI Edge Supercharge your integration workflow with the Google Pay & Wallet Developer MCP server How the community trained Gemma to "Think" with Tunix and TPUs The latest updates to Google Pay Enhancing Android Checkout with Dynamic Callbacks in Google Pay Empowering Service Providers and Hardware Partners with Gemini for Home Announcing ADK for Kotlin and ADK for Android 0.1.0: Building AI Agents on Android and Beyond Blazing fast on-device GenAI with LiteRT-LM One Year of Innovation: Celebrating 100k Members in the Google Cloud x NVIDIA Developer Community All the news from the Google I/O 2026 Developer keynote A Smarter Google AI Edge Gallery: MCP integration, notifications, and session continuity Google Tensor SDK Beta with LiteRT An important update: Transitioning Gemini CLI to Antigravity CLI Accelerating on-device AI: A look at Arm and Google AI Edge optimization Announcing Genkit Middleware: Intercept, extend, and harden your agentic apps Build Long-running AI agents that pause, resume, and never lose context with ADK Supercharging LLM inference on Google TPUs: Achieving 3X speedups with diffusion-style speculative decoding Building with Gemini Embedding 2: Agentic multimodal RAG and beyond Speeding Up AI: Bringing Google Colossus to PyTorch via GCSFS and Rapid Bucket Building real-world on-device AI with LiteRT and NPU Agents CLI in Agent Platform: create to production in one CLI
Enhance Security and Trust: New Session Metadata in Sign in with Google- Google Developers Blog
Sergei Akulich · 2026-06-16 · via Google Developers Blog

With the rise of phishing and online abuse, it’s more important than ever that you’re keeping your platform and users as safe as possible. That’s why we’re introducing new session metadata claims within Sign in with Google, designed to provide you deeper insights into how and when a user authenticates.

Available for verified apps, these OpenID Connect (OIDC) standard claims are added to the ID Token your backend systems receive, allowing you to make informed security decisions and move towards more dynamic, risk-based access controls. These enhancements benefit users signing in with any type of Google Account, including personal Gmail accounts and those managed by Google Workspace.

The Value of Federated Identity Signals

By using Sign in with Google, you're leveraging Google's robust, secure authentication infrastructure. Google has already vetted the user's session. The new OIDC claims allow your application to benefit from that vetting, taking the burden of certain aspects of strong authentication off your plate. Google manages the intricacies of the authentication event and provides your platform with the useful signals to make informed decisions.

What's New: auth_time and amr Claims

When a user signs into a Google Account and later signs into an app using Sign in with Google, these claims are shared in the ID token. There are two authentication moments and two user sessions:

  1. User <-> Google Session: Established when a user signs into their Google Account. Google manages this session's lifecycle and security. The new auth_time and amr claims provide you insights into this session.
  2. User <-> Your Application Session: Established after the user signs in to your application, often initiated via Sign in with Google. Your application manages this session using the claims to improve session and account management decisions.

The two new claims are available within the ID Token:

  • auth_time (Authentication Time):
    • What it is: This claim is a standard OIDC timestamp indicating the last time the user successfully authenticated and created a session with Google. This is different from when an ID Token or access token was issued to your app or website.
    • Why it's important: auth_time provides a clear signal of the freshness of the user's Google session, offering greater confidence that the user is actively present. This allows your platform to better enforce risk-based session policies, such as requiring re-authentication for sensitive actions after a set time.
  • amr (Authentication Methods Reference):
    • What it is: This standard OIDC claim is a JSON array of strings that identifies the method(s) the user employed to authenticate their Google Account during the session indicated by auth_time.
      • Supported Values:
        • pwd: When the user authenticated using a password.
        • mfa: When the user completed a Multi-Factor Authentication challenge, such as using a recovery factor.
        • hwk: When the user authenticated using a hardware-secured key.
        • swk: When the user authenticated using a software-secured key.
        • tel: When the user authenticated using a phone.
        • sms: When the user authenticated using a text message.
    • Why it's important: amr offers crucial context on the strength of the authentication event. Knowing how a user authenticated allows you to implement finer-grained access controls.

These claims work on Android, iOS, and Web client and server applications.

Advanced Security Benefits

Static authentication policies are often insufficient in today's threat landscape. More dynamic, granular session insights help to more accurately identify and prevent account takeover, fake account usage, and other fraudulent activities; you can more confidently permit sensitive or high-value action when there's strong evidence of a recent and securely authenticated session. Fewer security incidents and fraudulent accounts lead to reduced support calls, investigation time, and potential financial losses.

Other new security capabilities enabled by these claims that your platform may include:

  • Audit Logging: Log the amr values to maintain a record of the authentication methods used to access sensitive data or functions.
  • Step-up Authentication: Use auth_time to determine session age and trigger step-up authentication challenges within your application for sensitive operations if the session is stale, even if the Google session is still valid.
  • Authorization Policies: Incorporate amr into your authorization logic. For example, denying access to critical admin functions unless mfa is present or a security key (hwk) is used.

Getting Started

These new claims are available for verified applications. If you're already using Sign in with Google with OpenID Connect, you can add these security enhancements without significantly changing your existing auth flow. Simply request the claims via the standard OIDC claims parameter in the authentication request. For example:

https://accounts.google.com/o/oauth2/v2/auth?
response_type=id_token&
client_id=YOUR_CLIENT_ID&
scope=openid email profile&
redirect_uri=https://example.com/user-login&
nonce=RANDOM_VALUE&
claims={ "id_token": {
    "amr": { "essential": true },
    "auth_time": { "essential": true }
  }
}

Plain text

Copied

Visit Google Identity developer documentation for additional detail and cross-platform examples of working with these claims.