惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Vercel News
Vercel News
O
OpenAI News
Engineering at Meta
Engineering at Meta
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
月光博客
月光博客
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
WordPress大学
WordPress大学
宝玉的分享
宝玉的分享
GbyAI
GbyAI
T
The Blog of Author Tim Ferriss
Google DeepMind News
Google DeepMind News
B
Blog RSS Feed
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
云风的 BLOG
云风的 BLOG
罗磊的独立博客
S
SegmentFault 最新的问题
The Register - Security
The Register - Security
Hugging Face - Blog
Hugging Face - Blog
D
DataBreaches.Net
U
Unit 42
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
B
Blog
阮一峰的网络日志
阮一峰的网络日志
P
Proofpoint News Feed
雷峰网
雷峰网
V
Visual Studio Blog
小众软件
小众软件
aimingoo的专栏
aimingoo的专栏
N
Netflix TechBlog - Medium
酷 壳 – CoolShell
酷 壳 – CoolShell
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Y
Y Combinator Blog
博客园 - 【当耐特】
G
Google Developers Blog
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
I
InfoQ
Martin Fowler
Martin Fowler
F
Fortinet All Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
The Cloudflare Blog
AI
AI
Google Online Security Blog
Google Online Security Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
博客园 - Franky
Blog — PlanetScale
Blog — PlanetScale
Webroot Blog
Webroot Blog
PCI Perspectives
PCI Perspectives
爱范儿
爱范儿
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org

Google Developers Blog

LiteRT.js, Google's high performance Web AI Inference- Google Developers Blog Bridging the Domain Gap: AI Race Coach built with Antigravity and Gemini- Google Developers Blog We terminated a TPU mid-training and it recovered in seconds: Introduction to elastic training with MaxText- Google Developers Blog ML Development in VS Code with Google Cloud Power: Workbench Extension Now Available- Google Developers Blog Why we built ADK 2.0- Google Developers Blog Build agentic full-stack apps with Genkit- Google Developers Blog Driving the Agent Quality Flywheel from Your Coding Agent- Google Developers Blog Build reliable multi-agent applications with ADK Go 2.0. Discover our new graph-based workflow engine, built-in human-in-the-loop, and dynamic orchestration- Google Developers Blog Measuring What Matters with Jules- Google Developers Blog Build Cross-Language Multi-Agent Team with Google’s Agent Development Kit and A2A- Google Developers Blog How A2A is Building a World of Collaborative Agents- Google Developers Blog A2UI + MCP Apps: Combining the best of declarative and custom agentic UIs- Google Developers Blog Announcing the Agentic Resource Discovery specification- Google Developers Blog Unlocking the Power of the TPU Stack: Introducing our new Developer Hub- Google Developers Blog DiffusionGemma: The Developer Guide Introducing the Google Colab CLI Gemma 4 12B: The Developer Guide Bringing Gemma 4 12B to your Laptop: Unlocking Local, Agentic Workflows with Google AI Edge Supercharge your integration workflow with the Google Pay & Wallet Developer MCP server How the community trained Gemma to "Think" with Tunix and TPUs
Enhance Security and Trust: New Session Metadata in Sign in with Google- Google Developers Blog
Sergei Akulich · 2026-06-16 · via Google Developers Blog

With the rise of phishing and online abuse, it’s more important than ever that you’re keeping your platform and users as safe as possible. That’s why we’re introducing new session metadata claims within Sign in with Google, designed to provide you deeper insights into how and when a user authenticates.

Available for verified apps, these OpenID Connect (OIDC) standard claims are added to the ID Token your backend systems receive, allowing you to make informed security decisions and move towards more dynamic, risk-based access controls. These enhancements benefit users signing in with any type of Google Account, including personal Gmail accounts and those managed by Google Workspace.

The Value of Federated Identity Signals

By using Sign in with Google, you're leveraging Google's robust, secure authentication infrastructure. Google has already vetted the user's session. The new OIDC claims allow your application to benefit from that vetting, taking the burden of certain aspects of strong authentication off your plate. Google manages the intricacies of the authentication event and provides your platform with the useful signals to make informed decisions.

What's New: auth_time and amr Claims

When a user signs into a Google Account and later signs into an app using Sign in with Google, these claims are shared in the ID token. There are two authentication moments and two user sessions:

  1. User <-> Google Session: Established when a user signs into their Google Account. Google manages this session's lifecycle and security. The new auth_time and amr claims provide you insights into this session.
  2. User <-> Your Application Session: Established after the user signs in to your application, often initiated via Sign in with Google. Your application manages this session using the claims to improve session and account management decisions.

The two new claims are available within the ID Token:

  • auth_time (Authentication Time):
    • What it is: This claim is a standard OIDC timestamp indicating the last time the user successfully authenticated and created a session with Google. This is different from when an ID Token or access token was issued to your app or website.
    • Why it's important: auth_time provides a clear signal of the freshness of the user's Google session, offering greater confidence that the user is actively present. This allows your platform to better enforce risk-based session policies, such as requiring re-authentication for sensitive actions after a set time.
  • amr (Authentication Methods Reference):
    • What it is: This standard OIDC claim is a JSON array of strings that identifies the method(s) the user employed to authenticate their Google Account during the session indicated by auth_time.
      • Supported Values:
        • pwd: When the user authenticated using a password.
        • mfa: When the user completed a Multi-Factor Authentication challenge, such as using a recovery factor.
        • hwk: When the user authenticated using a hardware-secured key.
        • swk: When the user authenticated using a software-secured key.
        • tel: When the user authenticated using a phone.
        • sms: When the user authenticated using a text message.
    • Why it's important: amr offers crucial context on the strength of the authentication event. Knowing how a user authenticated allows you to implement finer-grained access controls.

These claims work on Android, iOS, and Web client and server applications.

Advanced Security Benefits

Static authentication policies are often insufficient in today's threat landscape. More dynamic, granular session insights help to more accurately identify and prevent account takeover, fake account usage, and other fraudulent activities; you can more confidently permit sensitive or high-value action when there's strong evidence of a recent and securely authenticated session. Fewer security incidents and fraudulent accounts lead to reduced support calls, investigation time, and potential financial losses.

Other new security capabilities enabled by these claims that your platform may include:

  • Audit Logging: Log the amr values to maintain a record of the authentication methods used to access sensitive data or functions.
  • Step-up Authentication: Use auth_time to determine session age and trigger step-up authentication challenges within your application for sensitive operations if the session is stale, even if the Google session is still valid.
  • Authorization Policies: Incorporate amr into your authorization logic. For example, denying access to critical admin functions unless mfa is present or a security key (hwk) is used.

Getting Started

These new claims are available for verified applications. If you're already using Sign in with Google with OpenID Connect, you can add these security enhancements without significantly changing your existing auth flow. Simply request the claims via the standard OIDC claims parameter in the authentication request. For example:

https://accounts.google.com/o/oauth2/v2/auth?
response_type=id_token&
client_id=YOUR_CLIENT_ID&
scope=openid email profile&
redirect_uri=https://example.com/user-login&
nonce=RANDOM_VALUE&
claims={ "id_token": {
    "amr": { "essential": true },
    "auth_time": { "essential": true }
  }
}

Plain text

Copied

Visit Google Identity developer documentation for additional detail and cross-platform examples of working with these claims.