More TOTP questions

I was referring to what I was asking before: 1) if the user needs to be enrolled into 2FA now, before this feature is built into it, and before Sphinx redirects the user anywhere with a code or token, it would be good to be able to redirect the user to a separate 2FA registration page, plus 2) once the user has completed self-registration and the account has been created in a disabled state, again without redirecting it with a token, can the user be redirected to another information page? - self-registration is a single place in this process, where the user should not be treated as authenticated and no tokens should be issued.

So, in 1) I would put the user through a separate registration for 2FA and in 2) will terminate this process without authenticating the user and without issuing any tokens. Next, the user will not be able to sign in until after the account has been manually enabled by admins. But once it has been, then the normal processing would work, with the user being authenticated (twice, with 2FA, which Sphinx already does) and normally redirected as per Client setup, with a token, to the normal redirect URL.

Does this make sense?

But you can do that already now. Yes, token will be created and user will be "logged in", but the token will not have the amr claim. If you reject tokens without amr claim, it will act as if your user is not logged in.

In the redirect URL Sphinx calls after login, just check for that and redirect the user to a 2fa registration if amr is not in the token.

Just reconfigured the Demo Simple Server for 2FA, but after signing with a code prompt, the demo app displays a JWT without his amr claim:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sb2NhbGhvc3Q6MjAwMVwvdG1zXC9zcGhpbngiLCJhdWQiOiJ3ZWIiLCJleHAiOjE3MzI5NTE0NzgsImlhdCI6MTczMjk1MTE3OCwiZW1haWxfdmVyaWZpZWQiOnRydWUsInN1YiI6IjNhMTY4ZWEzLWZkMGQtNDFiMC1hOThjLTY3M2Q3NWFmMTJiYiIsImp0aSI6ImRjNGI0ODg1LWI0MzEtNDYzYi04YzQxLTQzYTgwYzMwNjI3YyIsImVtYWlsIjoiaGFuc0B0bXNzb2Z0d2FyZS5sb2NhbCIsIm5vbmNlIjoiVHZnVkFDQU1lMDBhclprYTFRcVREMDVSUlhQZVRNTmg3dlJTSEFwSFFiSSIsInRlbmFudElkIjoiSGFucyJ9.b4kwNfe8O7Vg8SRY2YReHnqyAIEZT4ge6LInNkLcn6s

Is this supposed to be automatic, or does it need to be added in the TokenConfig?

BTW, if I specify nonce, it's returned to me back in the id_token, which is great, but can I also pass in any additional parameters and also be able to see them in any of the Sphinx events in the Server DataModule?