The CIBA core profile says this about acr:
OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the OpenID Provider is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The actual means of authenticating the end-user, however, are ultimately at the discretion of the OP and the Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value of the ID Token. When the acr_values parameter is present in the authentication request, it is highly RECOMMENDED that the resulting ID Token contain an acr Claim.
FAPI RW goes quite a bit further with this:
- shall request user authentication at LoA 3 or greater by requesting the acr claim as an essential claim as defined in section 184.108.40.206 of OIDC;
- shall require JWS signed ID Token be returned from endpoints;
- shall verify that the acr claim in an ID Token indicates that user authentication was performed at LoA3 or greater;
- shall verify that the amr claim in an ID Token contains values appropriate for the LoA indicated by the acr claim;
Should we bring the FAPI CIBA profile into alignment with FAPI RW? Are there any issues with this?