Authentication Context Class Reference (acr) is an OPTIONAL parameter within the Identity Token or the userinfo_endpoint for OpenID Connect.
The Authentication Context Class Reference is a case-sensitive string specifying a list of Authentication Context Class values that the authentication performed satisfied, implying a Level Of Assurance.
An absolute URI or an entry from the IANA Registry for Level of Assurance (LoA) Profiles (RFC 6711) SHOULD be used as the acr value.
Authentication using a long-lived browser cookie, for instance, is one example where the use of "level 0" is appropriate.
Authentications with level 0 SHOULD NOT be used to authorize access to any resource of any monetary value. (This corresponds to the OpenID 2.0 PAPE [OpenID.PAPE] nist_auth_level 0.)
The acr_values_supported parameter within the openid-configuration MAY list which Authentication Context Class Reference values are supported by the OpenID Connect Provider.
If the Relying Party provides the acr_values parameter, the id_token or the userinfo_endpoint MUST include an OpenID Connect Claim named acr that equals the value of acr_values or equals one of the OpenID Connect Provider values.
The Relying Party MAY request the acr Claim using the Authorization Request acr_values parameter as either:
If the client requests the acr OpenID Connect Claims using both the acr_values request parameter and an individual acr Claim request for the id_token listing specific requested values, the resulting behavior is unspecified.
The Client SHOULD check that the asserted Claim acr Value is appropriate. The meaning and processing of acr Claim Values is out of scope for OpenID.Core.
default_acr_values can provide the Relying Party's default Authentication Context Class Values within the OAuth Dynamic Client Registration Metadata entry.
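One way a Relying Party could check that the asserted acr value is appropriate before granting access to a valuable resource, as an added example (not code from OpenID.Core or from any provider). It assumes the ID token signature, iss, aud and exp were already validated and that acr_values was sent as a space-separated string; the acr_decision function and the urn:example:loa:* values are hypothetical.

```python
# Added example: relying-party check of the acr claim (not from OpenID.Core).
# Assumes the ID token signature, iss, aud and exp were already validated.
from typing import Any, Mapping

LEVEL_0 = "0"  # e.g. authentication by long-lived browser cookie


def acr_decision(claims: Mapping[str, Any], requested_acr_values: str) -> str:
    """Return 'accept' or 'reject:<reason>' for the asserted acr claim.

    requested_acr_values is the space-separated acr_values string the RP
    sent in the Authorization Request. This policy guards a resource of
    value, so level 0 is refused even if it was requested.
    """
    acceptable = requested_acr_values.split()
    acr = claims.get("acr")
    if acr is None:
        return "reject:missing"        # acr is OPTIONAL, so absence must be handled
    if not isinstance(acr, str):
        return "reject:not-a-string"
    if acr == LEVEL_0:
        return "reject:level-0"        # SHOULD NOT authorize anything of monetary value
    if acr not in acceptable:          # exact, case-sensitive comparison
        return "reject:not-requested"  # e.g. some other value the provider supports
    return "accept"


# Constructed sample claims; the URNs are hypothetical placeholders.
REQUESTED = "urn:example:loa:mfa urn:example:loa:hardware"
SAMPLES = {
    "mfa": {"sub": "alice", "acr": "urn:example:loa:mfa"},
    "case": {"sub": "alice", "acr": "URN:EXAMPLE:LOA:MFA"},
    "cookie": {"sub": "alice", "acr": "0"},
    "downgrade": {"sub": "alice", "acr": "urn:example:loa:password"},
    "absent": {"sub": "alice"},
}

if __name__ == "__main__":
    for name, claims in SAMPLES.items():
        print(f"{name:10} {acr_decision(claims, REQUESTED)}")
```

A rejected result is the point at which the Relying Party would send a new Authorization Request with the acr_values it needs rather than serve the resource.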