Overview
Authentication Context Class Reference is an Identifier for an Authentication Context Class.
The Authentication Context Class Reference is a case-sensitive string specifying a list of Authentication Context Class values that the authentication performed satisfied, implying a Level Of Assurance.
An absolute URI or an entry from An IANA Registry for Level of Assurance (LoA) Profiles (RFC 6711) SHOULD be used as the acr value.
- Registered names MUST NOT be used with a different meaning than that which is registered.
- Parties using this claim will need to agree upon the meanings of the values used, which MAY be context specific.
The value "0"
The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1.
Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate.
OpenID Connect Providers MUST support requests for specific Authentication Context Class Reference values via the acr_values parameter, as defined in OpenID.Core Section 3.1.2.
If the Relying Party provides the acr_values parameter, the id_token or the userinfo_endpoint MUST include an OpenID Connect Claim named acr whose value equals the value of acr_values or equals one of the OpenID Connect Provider values.
- a Voluntary Claim - where if a requested value cannot be provided, the Authorization Server SHOULD return the session's current acr as the value of the acr Claim.
- the Authorization Server is not required to provide this Claim in its response.
- an Essential Claim - where if a requested value cannot be provided, then the Authorization Server MUST treat that outcome as a failed authentication attempt.
If the client requests the acr OpenID Connect Claims using both the acr_values request parameter and an individual acr Claim request for the id_token listing specific requested values, the resulting behavior is unspecified.
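A Relying Party-side sketch of the rules above, added here as an example and not taken from the OpenID specifications or any library: it builds the request with exactly one acr mechanism and classifies the acr Claim that comes back. The function names and the urn:example:loa:* values are hypothetical, and the ID Token is assumed to have been signature-validated already.

```python
import json

def build_acr_request(acr_values=None, essential_values=None):
    """Return the extra authorization-request parameters for one acr mechanism."""
    if acr_values and essential_values:
        # Combining both has unspecified behaviour, so refuse to build it.
        raise ValueError("use acr_values or an acr Claim request, not both")
    if essential_values:
        # Essential Claim request carried in the "claims" request parameter.
        claims = {"id_token": {"acr": {"essential": True,
                                       "values": list(essential_values)}}}
        return {"claims": json.dumps(claims, separators=(",", ":"))}
    if acr_values:
        # Voluntary request: space-separated values in order of preference.
        return {"acr_values": " ".join(acr_values)}
    return {}

def check_acr(id_token_claims, requested, essential):
    """Classify the acr Claim of an already validated ID Token.

    Returns "satisfied", "downgraded" (voluntary request not met) or "failed".
    """
    acr = id_token_claims.get("acr")
    # Case-sensitive exact match: "URN:..." does not equal "urn:...".
    if isinstance(acr, str) and acr in requested:
        return "satisfied"
    if essential:
        # The provider should have failed this authentication; reject anyway.
        return "failed"
    # Voluntary: the Claim may be absent or carry the session's current acr,
    # including "0". The caller decides whether to require step-up.
    return "downgraded"

# Constructed sample data (hypothetical acr values, not registered names).
REQUESTED = ["urn:example:loa:3", "urn:example:loa:2"]
SAMPLE_TOKENS = [
    {"sub": "alice", "acr": "urn:example:loa:2"},   # meets a requested value
    {"sub": "bob", "acr": "0"},                     # long-lived cookie session
    {"sub": "carol"},                               # Claim omitted
]

if __name__ == "__main__":
    print(build_acr_request(acr_values=REQUESTED))
    for claims in SAMPLE_TOKENS:
        print(claims["sub"], check_acr(claims, REQUESTED, essential=False))
```

A "downgraded" result is where the Relying Party would normally send the user back for a stronger authentication before granting access.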