ConsumerDataStandardsAustralia / infosec

Work space for the consumer data right information security profile development in Australia
MIT License

`acr_values` not compatible with FAPI? #20

Status: Closed (ajmcmiddlin closed this 5 years ago)

ajmcmiddlin commented 5 years ago

My understanding from FAPI Part 2 §5.2.3 is that the authorisation request must make an acr claim as an essential claim. OIDC §5.5.1.1 and OIDC §3.1.2.1 both suggest that acr_values, which is currently optional in this spec, is a voluntary claim.

It seems to me that to comply with FAPI we must include an acr claim as part of the ID Token claims in the request object as per OIDC §5.5 (noting sections 5.5.1 and 5.5.1.1).

Furthermore, including both acr_values and an acr claim as part of the ID token claims is unspecified according to OIDC §5.5.1.1.

Taken together, this suggests to me that if we want to comply with FAPI (I don't see a good reason not to) we should remove the acr_values parameter and instead require the acr claim be made within the ID token claims.
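To make the two request styles under discussion concrete, here is an added illustration (it is not code from the issue, the CDS infosec profile, or any OIDC library). It contrasts a request object that asks for `acr` as an essential `id_token` claim (OIDC §5.5) with one that uses the voluntary `acr_values` parameter, flags the unspecified combination of both, and checks whether a returned ID token satisfies an essential `acr` request. The client id and the acr URN are constructed placeholders.

```python
# Constructed sample authorisation request parameters (placeholders, not CDR values).
# Style 1: acr requested as an essential id_token claim via the OIDC 5.5 claims parameter.
REQUEST_ESSENTIAL_ACR = {
    "response_type": "code id_token",
    "client_id": "example-client",
    "claims": {
        "id_token": {
            "acr": {"essential": True, "values": ["urn:example:acr:high"]}
        }
    },
}

# Style 2: the same request using the voluntary acr_values parameter (OIDC 3.1.2.1).
REQUEST_ACR_VALUES = {
    "response_type": "code id_token",
    "client_id": "example-client",
    "acr_values": "urn:example:acr:high",
}


def acr_request_problems(request):
    """Return findings about how the request asks for acr, as a list of strings."""
    problems = []
    acr = request.get("claims", {}).get("id_token", {}).get("acr")
    if "acr_values" in request and acr is not None:
        # OIDC 5.5.1.1 leaves the combination of both mechanisms unspecified.
        problems.append("both acr_values and an id_token acr claim requested (OIDC 5.5.1.1)")
    if acr is None:
        problems.append("acr not requested as an id_token claim")
    elif not (isinstance(acr, dict) and acr.get("essential") is True):
        problems.append("acr requested but not marked essential (FAPI Part 2 5.2.3)")
    return problems


def id_token_acr_satisfies(request, id_token_claims):
    """True if the ID token's acr meets an essential acr request; voluntary requests always pass."""
    requested = request.get("claims", {}).get("id_token", {}).get("acr")
    if not isinstance(requested, dict) or not requested.get("essential"):
        return True  # voluntary claim: the server may omit it
    acr = id_token_claims.get("acr")
    if acr is None:
        return False  # essential claim missing: treat as failed authentication
    if "values" in requested:
        return acr in requested["values"]
    if "value" in requested:
        return acr == requested["value"]
    return True  # essential but no specific value constraint
```

Applying `acr_request_problems` to the two constructed requests shows why the first post argues for removing `acr_values`: only the essential-claim style yields no findings.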

ajmcmiddlin commented 5 years ago

Related: if I'm correct then I believe the acr claim in the ID token should change from CONDITIONAL to REQUIRED.

lukepopp commented 5 years ago

That's true for write operations. From my understanding, read ops do not have such a requirement (https://openid.net/specs/openid-financial-api-part-1.html §5.2.2.1). However, I think this is a good example of why the profile needs to make it clear what's normative and not be overly prescriptive.