Rule 12 of the ID Token Validation section [1] states:
"If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate."
The acr claim can be requested in the authentication request sent to the OIDC provider [2] by the OPTIONAL parameter acr_values.
The spec describes this parameter as a space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value.
ACR values are a set of arbitrary values that the client and IdP agreed upon to communicate the level of authentication that happened. There are no "official" values for them. They should be communicated via the acr_values_supported parameter of the OIDC discovery response. [3]
Usually, this means that if the client provides a value the IdP understands, it will be respected. However, if an unsupported value is provided, there is no guarantee that it will be interpreted (nor should it result in an error), and the IdP may simply fall back to a default authentication process and return the corresponding ACR value to the client.
The client, on the other hand, may elect to inspect the acr_values field in the ID token and decide if the level of authentication that happened truly satisfies what the client needs to perform. If so, carry on with the identity; if not, reject the identity assertion.
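As an added illustration of the client-side behaviour described above (example code, not from this issue or any library): the client limits its acr_values request to what the provider advertises in discovery, then applies rule 12 to the acr claim of the returned ID token. The discovery document, the urn:example:loa:* values, the POLICY_LEVELS ordering and the token claim sets are all constructed sample data.

```python
# Added example: client-side handling of acr_values / acr per OIDC Core rule 12.
# All names and values below are constructed for illustration.

# Constructed discovery response: the provider advertises the ACR values it
# supports. The names themselves are only meaningful by prior agreement
# between client and IdP; the spec defines no official values.
DISCOVERY = {
    "issuer": "https://idp.example",
    "acr_values_supported": ["urn:example:loa:1", "urn:example:loa:2", "urn:example:loa:3"],
}

# Constructed client policy: which ACR value means which strength.
# Higher index = stronger authentication context.
POLICY_LEVELS = ["urn:example:loa:1", "urn:example:loa:2", "urn:example:loa:3"]


def build_acr_values(minimum_acr, discovery):
    """acr_values string for the authentication request: every level that is at
    least minimum_acr, strongest first, restricted to what the provider supports
    so the IdP is not handed values it would silently ignore."""
    supported = set(discovery.get("acr_values_supported", []))
    floor = POLICY_LEVELS.index(minimum_acr)
    wanted = [v for v in reversed(POLICY_LEVELS) if POLICY_LEVELS.index(v) >= floor]
    return " ".join(v for v in wanted if v in supported)


def acr_satisfies(claims, minimum_acr):
    """Rule 12 check on an already signature-verified ID token claim set.
    A missing or unknown acr means the IdP may have fallen back to its default
    flow, so it is treated as not satisfying the client's requirement."""
    asserted = claims.get("acr")
    if asserted not in POLICY_LEVELS:
        return False
    return POLICY_LEVELS.index(asserted) >= POLICY_LEVELS.index(minimum_acr)


# Constructed, decoded ID token claim sets for three outcomes.
ID_TOKEN_STRONG = {"iss": "https://idp.example", "sub": "alice", "acr": "urn:example:loa:3"}
ID_TOKEN_DEFAULT = {"iss": "https://idp.example", "sub": "alice", "acr": "urn:example:loa:1"}
ID_TOKEN_NO_ACR = {"iss": "https://idp.example", "sub": "alice"}

if __name__ == "__main__":
    print("acr_values=", build_acr_values("urn:example:loa:2", DISCOVERY))
    for tok in (ID_TOKEN_STRONG, ID_TOKEN_DEFAULT, ID_TOKEN_NO_ACR):
        print(tok.get("acr"), "->", "accept" if acr_satisfies(tok, "urn:example:loa:2") else "reject")
```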
[1] - https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
[2] - https://openid.net/specs/openid-connect-core-1_0.html#AuthenticationRequest
[3] - https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse