ExistingIDToken API returns PASSWORD_AUTH instead of AUTH_ALLOWED
Article ID: 367837

Products

VIP Authentication Hub

Issue/Introduction


When VIP Authentication Hub receives an existingIDToken (a JWT signed with a certificate) in a call to the Authenticate API, the API responds with the next action PASSWORD_AUTH instead of AUTH_ALLOWED.

Request:

  POST https://{{sspHost}}/{{apiPathTenant}}/auth/v1/authenticate

  {
    "existingIDToken": "euJ0 [...omitted for brevity...]",
    ...
  }

Response body:

  {
    "nextaction": "PASSWORD_AUTH",
    ...
  }


The JWT has the following header and payload:

  HEADER

  {
    "typ": "JWT",
    "alg": "RS256"
  }

  PAYLOAD


  {
    "sub": "<user>",
    "idp_name": "<idpname>",
    "user_universalid": "<user>",
    "amr": [
      "PWD"
    ],
    "iss": "https://api.example.com",
    "exp": <exp_number>
  }


Environment

  VIP Authentication Hub 2.2.5


Cause


The JWT is missing some mandatory headers and claims.

The mandatory claims and headers are:

  • An "amr" claim whose values correspond to Authentication Hub's AMR values;
  • A "sub" claim holding the user's login id, or a "user_loginid" claim;
  • A certificate imported into Authentication Hub that matches the token's header (kid, x5c, x5t, x5t#S256).

 

Resolution


Add the mandatory claims and headers listed above to the JWT to resolve the issue.
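As an added pre-flight check (example code, not part of this article or of the VIP Authentication Hub product), the Python below inspects an existingIDToken for the mandatory claims and headers listed under Cause before the token is sent to the Authenticate API. It decodes the JWT without verifying the signature, so it only reports missing items; the Hub's AMR table is not reproduced on this page, so the only AMR value assumed is "PWD" from the sample token, and the "kid" value and user name are constructed.

```python
import base64
import json

# Headers/claims the article lists as mandatory for an existingIDToken.
# The page does not reproduce the Hub's AMR table, so the only AMR value
# assumed here is "PWD", taken from the sample token above.
KNOWN_AMR_VALUES = {"PWD"}
CERT_HEADERS = ("kid", "x5c", "x5t", "x5t#S256")

def _b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token):
    """Split a compact JWT into (header, payload) WITHOUT checking the signature;
    the Hub itself verifies the signature against the imported certificate."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def missing_requirements(token):
    """List the reasons the Hub would answer PASSWORD_AUTH; an empty list means
    every mandatory item from the article is present."""
    header, payload = decode_unverified(token)
    problems = []
    amr = payload.get("amr")
    if not isinstance(amr, list) or not amr:
        problems.append('missing "amr" claim (must be a non-empty list)')
    elif not set(amr) <= KNOWN_AMR_VALUES:
        problems.append('unknown "amr" values: %s' % sorted(set(amr) - KNOWN_AMR_VALUES))
    if not payload.get("sub") and not payload.get("user_loginid"):
        problems.append('need a "sub" (login id) or "user_loginid" claim')
    if not any(h in header for h in CERT_HEADERS):
        problems.append("header has none of kid/x5c/x5t/x5t#S256 to match an imported certificate")
    return problems

def make_token(header, payload):
    """Build an UNSIGNED compact JWT as constructed test input (signature left empty)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s." % (enc(header), enc(payload))

# Constructed samples: the article's failing token shape, then the same token
# with a "kid" header so the Hub can look up the imported certificate.
FAILING = make_token({"typ": "JWT", "alg": "RS256"},
                     {"sub": "alice", "amr": ["PWD"], "iss": "https://api.example.com", "exp": 1})
FIXED = make_token({"typ": "JWT", "alg": "RS256", "kid": "hub-cert-1"},
                   {"sub": "alice", "amr": ["PWD"], "iss": "https://api.example.com", "exp": 1})
```

Running `missing_requirements(FAILING)` flags only the absent certificate header, which is exactly what the sample token in this article lacks; `missing_requirements(FIXED)` returns an empty list.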