ACR Session aside ACR ID Token

Hello there,

I build a system where a physical person is represented by an account, but they can have several profiles for a given account.
Using long-lived browser cookies, an account can switch to profiles which require an equivalent or inferior ACR to be selected with no re-authentication process.
The system performs a silent auth flow (authorization code flow) every time the account changes the current identity, since the accesses authorized by the access token depend on the identity.

In OpenID, the ACR is linked to an ID Token, so Hydra set it to 0 on silent auth since long-lived browser cookies are not considered a secure authentication (indeed).

Then it seems there is no possibility to know what the current login session ACR is. I am thinking about building something around it. I see the session ACR and the related age information as relevant to build a nice UX while still keeping exchanges secured and controlled (the ID Token ACR can still be taken into account, of course).

Do you think there is a place in Ory ecosystem (Hydra, Kratos…) around this concept?

Thanks for reading,

SlevinWasAlreadyTaken.

Would it not be possible to store that in the login app (which ACR) and then re-send it on every silent refresh in the consent step?
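The approach suggested above, as an added example that is not part of this thread and not Ory's own code: the login/consent app keeps its own record of the ACR reached at the last interactive login, and on every silent (skip=true) refresh replays it as custom ID Token claims, refusing to do so once the record is older than a chosen maximum age. It assumes an in-memory dict as the app's session store, the payload shapes of Hydra's admin API for accepting login requests (`subject`, `acr`, `remember`, `context`) and consent requests (`grant_scope`, `remember`, `session.id_token`), and the claim names `session_acr`, `session_auth_time` and `session_auth_age`, which are made up here.

```python
"""Login/consent app bookkeeping for a session-level ACR (added example).

The ACR Hydra puts in the ID Token only describes the authentication
performed for that token, so a silent refresh gets "0". This store keeps the
ACR and time of the last interactive login and exposes both as custom claims
on consent acceptance. Assumed: Hydra admin API payload shapes; constructed
claim names (`session_acr`, `session_auth_time`, `session_auth_age`).
"""
import time

# Constructed ordering of ACR values: a higher number is a stronger login.
ACR_LEVELS = {"pwd": 1, "mfa": 2}


class AcrSessionStore:
    """Maps a subject to the ACR and time of its last interactive login."""

    def __init__(self):
        self._by_subject = {}

    def record_interactive_login(self, subject, acr, now=None):
        """Called after the user actually authenticated (skip == False).

        Returns the body for Hydra's accept-login-request call. `acr` lands
        in this ID Token; `context` is handed to the consent request.
        """
        now = int(time.time()) if now is None else now
        self._by_subject[subject] = {"acr": acr, "auth_time": now}
        return {
            "subject": subject,
            "acr": acr,
            "remember": True,
            "context": {"session_acr": acr, "session_auth_time": now},
        }

    def lookup(self, subject):
        return self._by_subject.get(subject)


def build_consent_acceptance(store, consent_request, max_age_seconds, now=None):
    """Body for Hydra's accept-consent-request call on a silent refresh.

    `consent_request` is the object fetched from Hydra; only `subject` and
    `requested_scope` are used here. Raises LookupError when the stored ACR
    is missing or too old, in which case the app should force a fresh
    interactive login instead of issuing tokens.
    """
    now = int(time.time()) if now is None else now
    rec = store.lookup(consent_request["subject"])
    if rec is None:
        raise LookupError("no interactive login on record; re-authenticate")
    age = now - rec["auth_time"]
    if age > max_age_seconds:
        raise LookupError("session ACR older than max_age; re-authenticate")
    return {
        "grant_scope": consent_request["requested_scope"],
        "remember": True,
        "session": {
            "id_token": {
                "session_acr": rec["acr"],
                "session_auth_time": rec["auth_time"],
                "session_auth_age": age,
            }
        },
    }


def profile_switch_allowed(store, subject, required_acr):
    """Profile switch without re-auth only if the session ACR is at least
    as strong as the one the target profile requires."""
    rec = store.lookup(subject)
    if rec is None:
        return False
    return ACR_LEVELS[rec["acr"]] >= ACR_LEVELS[required_acr]


if __name__ == "__main__":
    # Constructed walk-through: interactive MFA login, then a silent refresh.
    store = AcrSessionStore()
    print(store.record_interactive_login("alice", "mfa", now=1000))
    request = {"subject": "alice", "skip": True, "requested_scope": ["openid"]}
    print(build_consent_acceptance(store, request, 3600, now=1600))
    print(profile_switch_allowed(store, "alice", "pwd"))
```

The max-age check is the part that matters for security: without it the replayed claim would let a browser cookie that survived for weeks keep asserting the ACR of a login performed long ago, which is exactly why Hydra itself reports "0" on silent auth.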

Indeed, it is what the system is doing today, it works.

But since it is Hydra that has the authority on login session, I am not confident about the separation of concerns principle.

Will the login session be stored in Kratos one day, or is it definitely the responsibility of Hydra to store/acknowledge it?

It is not that important for having my system working, it is more about having a clear visualisation of the responsibilities of the services.

Thanks 🙂

Yes!

We think of it more like a proxy but in general you’re right. There have been ideas floating around on adding persistent values to the session long-term. Maybe we’ll get to that at some point!
