Background... I want to restrict end-user’s authentication by authentication request to AuthZ Server. For example, the AuthZ Server provides multi authentication methods and a RP wants end-user to authenticate by specific authentication method. At first, I was thinking that the

acr_values

is proper request parameter to specify which authentication is required. But, when reading ory/fosite and OpenID Connect Core, using claims request parameter is looks proper option. However, currently, fosite does not support claims request parameter. https://openid.net/specs/openid-connect-core-1_0.html#acrSemantics

Then, what I want to know is that, • Is it correct understanding to implement claims request parameter on fosite to realize that? • Or Is there any way to specified authentication method on the RP?

or you could just use any custom request parameter (added to auth request, like

&auth_type=someth

) and then parse it in login app via

request_uri

parameter in login request retrieved from Hydra

Then you add "amr" claim to context of access/id tokens (upon auth completion) and you are able to distinguish tokens issued with different auth methods and your RP is able to request re-authentication in case of insufficient auth level