Authentication Context Class (acr_values) specifies the Policy that authentications are being requested to satisfy. The Policy can often be satisfied by using a number of different specific Authentication Method Reference Values, either singly or in combination.
Relationship to "acr" (Authentication Context Class Reference)
The "acr" (Authentication Context Class Reference) claim and "acr_values" request parameter are related to the "amr" (Authentication Methods References) claim and "amr_values" request parameter, but with important differences. Authentication Context Classes specify a set of business rules that authentications are being requested to satisfy. These rules can often be satisfied by using a number of different specific authentication methods, either singly or in combination. Interactions using "acr" request that specified Authentication Context Classes be used and reply saying which Authentication Context Class was satisfied. The reply states that it was satisfied -- not how it was satisfied.
In contrast, interactions using "amr" make statements about the particular authentication methods that are used. This tends to be more brittle than using "acr" since the authentication methods that may be appropriate for a given authentication will vary over time, both because of the evolution of attacks on existing methods and the creation of new authentication methods.
More Information#There might be more information for this subject on one of the following:
- [#1] - https://tools.ietf.org/html/draft-jones-oauth-amr-values-05 - based on information obtained 2017-04-04-