I build a system where a physical person is represented by an account, but they can have several profiles for a given account.
Using long-lived browser cookies, an account can switch to profiles which require an equivalent or inferior ACR to be selected with no re-authentication process.
The system performs a silent auth flow (authorization code flow) every time the account changes the current identity, since the access token authorizes accesses depending on the identity.
In OpenID, the ACR is linked to an ID Token, so Hydra set it to 0 on silent auth since long-lived browser cookies are not considered a secure authentication (indeed).
Then it seems there is no possibility to know what the current login session ACR is. I think about building something around it. I see ACR session and related age relevant information to build nice UX and still keep secured and controlled exchanges (the ACR ID Token can be still taken into account of course).
Do you think there is a place in Ory ecosystem (Hydra, Kratos…) around this concept?
Thanks for reading,
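A sketch of the session-level ACR check the post describes, as an added example that is not code from the post or from Ory; the ACR names, their ordering and the max-age policy are assumptions.

```python
"""Added example (not from the original post or Ory): decide whether a
profile switch may proceed on the stored login-session ACR alone, or
whether a fresh authentication at a higher ACR is required."""
import time
from dataclasses import dataclass

# Hypothetical ordering of ACR values, strongest last. The URN names are
# assumptions; "0" is the weakest level, as returned on silent auth.
ACR_RANK = {"0": 0, "urn:example:acr:password": 1, "urn:example:acr:mfa": 2}


@dataclass
class LoginSession:
    acr: str        # ACR recorded when the user actually authenticated
    auth_time: int  # epoch seconds of that authentication
    max_age: int    # seconds that ACR is trusted without re-authentication


def effective_acr(session, now=None):
    """Downgrade the stored ACR to "0" once it is older than max_age."""
    now = time.time() if now is None else now
    if now - session.auth_time > session.max_age:
        return "0"
    return session.acr


def can_switch_profile(session, required_acr, now=None):
    """True if the session ACR (after ageing) satisfies the profile's ACR."""
    return ACR_RANK[effective_acr(session, now)] >= ACR_RANK[required_acr]
```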