If you upgrade an anonymous session to a user session, and then get an id_token, the acr claim does not reflect the authentication context used when the session was upgraded.
- Create anonymous tree (Start > Anonymous > Success)
- Create anonymousUpgrade tree
- Create OAuth2 Provider service and add OpenID Connect acr_values to Auth Chain Mappings for both trees (anonymous:anonymous and anonymousUpgrade:anonymousUpgrade)
- Create OAuth2 Client (nothing special required here)
- Authenticate to anonymous tree
- Upgrade session by authenticating to anonymousUpgrade using demo user
- Call authorize endpoint
- Use authorization code to get an id_token
- View decoded JWT
This seems to work fine when upgrading the session for a user that isn't anonymous. The customer also discovered that this does work if you rename the anonymous acr_value to acr-1 and the anonymousUpgrade tree to acr-2, so the acr_value naming convention has an impact on the behaviour.
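
A way to script the last step, as an added example that is not part of the original report: it decodes the id_token payload and compares the acr claim with the value mapped to the tree used for the upgrade. The function names are hypothetical, the sample tokens are constructed and unsigned, and the signature is not verified because the token is only being inspected.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS (inspection only, no signature check)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[1]))


def check_acr(id_token: str, accepted_acrs: set) -> tuple:
    """Return (ok, reason): ok is True only if the acr claim is one of accepted_acrs."""
    acr = decode_claims(id_token).get("acr")
    if acr is None:
        return False, "id_token has no acr claim"
    if acr not in accepted_acrs:
        return False, f"acr={acr!r} is not in accepted set {sorted(accepted_acrs)}"
    return True, f"acr={acr!r} accepted"


def _enc(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    # Constructed sample token for the demonstration; not issued by any server.
    return f"{_enc({'alg': 'none'})}.{_enc(claims)}.constructed-signature"


if __name__ == "__main__":
    # After the upgrade the acr is expected to be the value mapped to anonymousUpgrade.
    expected = {"anonymousUpgrade"}
    samples = {
        "acr reflects the upgrade": {"sub": "demo", "acr": "anonymousUpgrade"},
        "acr still shows the first tree": {"sub": "demo", "acr": "anonymous"},
    }
    for label, claims in samples.items():
        ok, reason = check_acr(make_sample_token(claims), expected)
        print(f"{label}: {'PASS' if ok else 'FAIL'} ({reason})")
```

A relying party that gates access on acr should run the same comparison after verifying the token signature, and reject the token when the claim is missing or not in its accepted set.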