Overview
Authentication Context Class Reference (acr) is an OPTIONAL Claim within the Identity Token (ID Token) of OpenID Connect.
The acr Claim is a case-sensitive string identifying the Authentication Context Class that the authentication performed satisfied, which implies a Level Of Assurance. The Claim itself carries a single value; the space-separated list of acceptable values is what the client sends in the acr_values request parameter.
An absolute URI or a registered name from the IANA Registry for Level of Assurance (LoA) Profiles (RFC 6711) SHOULD be used as the acr value.
- Registered names MUST NOT be used with a different meaning than that which is registered.
- Parties using this Claim need to agree upon the meanings of the values used, which may be context specific. Because comparison is an exact string match, a client should compare the returned acr against the agreed values byte for byte rather than case-folding or pattern matching.
The value "0"
The value "0" indicates the End-User authentication did not meet the requirements of ISO/IEC 29115 level 1. Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate. OpenID Connect Core adds that authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value.
OpenID Connect Providers MUST support requests for specific Authentication Context Class Reference values via the acr_values parameter, as defined in OpenID.Core Section 3.1.2. The minimum level of support required is that use of the parameter does not result in an error, so a client cannot assume that the returned acr matches what it asked for and must check the Claim itself.
When the acr Claim is requested through the claims parameter (OpenID.Core Section 5.5.1.1), it may be requested as:
- a Voluntary Claim - the Authorization Server SHOULD treat the requested value as a preference; if a requested value cannot be provided, the Authorization Server SHOULD return the session's current acr as the value of the acr Claim.
- when the acr Claim is not requested as an Essential Claim, the Authorization Server is not required to provide this Claim in its response at all.
- an Essential Claim - the Authorization Server MUST return an acr Claim Value that matches one of the requested values, and MAY ask the End-User to re-authenticate with additional factors to meet the requirement; if the requirement cannot be met, the Authorization Server MUST treat that outcome as a failed authentication attempt.
The three places the value appears:
- acr_values_supported - OPTIONAL OpenID Connect Discovery metadata, populated by the Identity Provider (IDP) with the list of acr values it supports.
- acr - returned by the Authorization Server as a Claim value in the Identity Token.
- acr_values - sent by the OAuth Client in the Authorization Request as a space-separated string, with the values appearing in order of preference.
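The following Python is an added example, not code from the OpenID Connect specification or from any particular library, covering the relying-party side of everything above: building the acr_values and claims request parameters, checking requested values against acr_values_supported from Discovery metadata, and evaluating the acr Claim of a decoded Identity Token under the Voluntary and Essential rules, including the value "0". The acr value urn:mace:incommon:iap:silver is the one used as an example in OpenID Connect Core; the "bronze" URN, the issuer, and the sample metadata and token claims are constructed here for illustration and are not taken from the page.

```python
"""Relying-party handling of the OpenID Connect acr Claim (added example)."""
import json
from dataclasses import dataclass

# Constructed sample values. The silver URN is the example acr value used in
# OpenID Connect Core; the bronze URN is a hypothetical lower level.
ACR_SILVER = "urn:mace:incommon:iap:silver"
ACR_BRONZE = "urn:mace:incommon:iap:bronze"
ACR_LEVEL_0 = "0"  # End-User authentication did not meet ISO/IEC 29115 level 1

# Constructed Discovery metadata and decoded ID Token claims for the demo.
SAMPLE_OP_METADATA = {
    "issuer": "https://op.example",
    "acr_values_supported": [ACR_SILVER, ACR_BRONZE],
}
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://op.example",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "acr": ACR_BRONZE,
}


def build_acr_request(acr_values, essential):
    """Return the authorization-request parameters that ask for an acr.

    acr_values is the space-separated, case-sensitive list in order of
    preference (Core 3.1.2.1). The claims parameter (Core 5.5.1.1) is what
    lets the client mark the acr Claim as Essential or Voluntary.
    """
    claims = {"id_token": {"acr": {"essential": essential, "values": list(acr_values)}}}
    return {"acr_values": " ".join(acr_values), "claims": json.dumps(claims)}


def unsupported_acr_values(requested, op_metadata):
    """List requested values the OP does not advertise in acr_values_supported.

    The metadata member is OPTIONAL, so its absence yields nothing to report.
    """
    supported = op_metadata.get("acr_values_supported")
    if supported is None:
        return []
    return [v for v in requested if v not in supported]


@dataclass
class AcrDecision:
    accepted: bool
    reason: str


def check_acr(id_token_claims, requested, essential, allow_level_0=False):
    """Apply the acr rules to the claims of an already-validated ID Token.

    The caller must have verified the signature, iss, aud, exp and nonce
    first; this function only decides whether the returned acr satisfies
    what was requested. Comparison is an exact, case-sensitive string match.
    """
    acr = id_token_claims.get("acr")
    if acr is None:
        # The OP is not required to return acr unless it was Essential.
        if essential:
            return AcrDecision(False, "Essential acr Claim missing from ID Token")
        return AcrDecision(True, "acr not returned; level of assurance unspecified")
    if not isinstance(acr, str):
        return AcrDecision(False, "acr Claim must be a string")
    if acr == ACR_LEVEL_0 and not allow_level_0:
        # Level 0 (for example a long-lived cookie) is refused by default.
        return AcrDecision(False, "acr 0: authentication below ISO/IEC 29115 level 1")
    if acr in requested:
        return AcrDecision(True, f"acr {acr} matches a requested value")
    if essential:
        # The OP should have failed the authentication; never accept client-side.
        return AcrDecision(False, f"Essential acr mismatch: OP returned {acr}")
    # Voluntary request: the OP returned the session's current acr instead.
    return AcrDecision(True, f"Voluntary request; OP returned session acr {acr}")


if __name__ == "__main__":
    requested = [ACR_SILVER]
    print(build_acr_request(requested, essential=True))
    print("unsupported:", unsupported_acr_values(requested + ["urn:x:y"], SAMPLE_OP_METADATA))
    print(check_acr(SAMPLE_ID_TOKEN_CLAIMS, set(requested), essential=False))
    print(check_acr(SAMPLE_ID_TOKEN_CLAIMS, set(requested), essential=True))
```

The default refusal of "0" is deliberate: a Voluntary request lets the OP answer with whatever acr the session already has, so a client that only checks "is acr present" would silently accept a cookie-based session for an operation it meant to gate on a stronger level.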