Possible incorrect documentation on ACR


Francis Augusto Medeiros-Logeay

Oct 16, 2025, 3:11:11 AM
to 'Alexander Schwartz' via Keycloak User
Hi,

Following a thread here on the list about ACR, I checked the documentation here: 


The flow example for using LoA is this (see picture attached): 

Authentication step up flow.png

However, the Cookie authenticator is on the same level as the conditions. 

My question is, won’t this prevent any evaluation of LoA for existent sessions, since both flows (Cookie and Auth Flow) are on the same level on that flow? 

I’m thinking specifically about the item number 5 under “Example scenario” when it says: 

“1. Another login request is sent, but now it will explicitly request ACR of level 1 in the claims parameter. User will be asked to re-authenticate with username/password and then acr=1 will be returned in the token.”

Even when an explicit ACR request is sent, won't the cookie authenticator hit here and any evaluation of ACR won't happen? Or am I missing something?

Best,

Francis

