`amr` and `acr` claims omitted from ID token on renewal

Problem Statement:

The `amr` and `acr` claims are added to the ID token issued when a user authenticates via MFA. When the token is later renewed via SSO, the new ID token does not contain these claims.

Symptoms:

`amr` and `acr` are present in the first issued ID token, where MFA authentication was performed, but not in subsequent ID tokens issued from the same session.

Solution:

This is intentional behavior. The user is not authenticating via MFA on the second authorize call as they already have an existing session.

Although the new token issued via the second call may be derived from a session that involved MFA, it’s not considered relevant since MFA did not occur in this particular exchange.
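
For a relying party that gates sensitive actions on these claims, the behavior above means a renewed token must be treated as carrying no MFA evidence. The following is an added example, not code from the original article or from any identity provider: the function names, the `urn:example:acr:mfa` value and the tokens are constructed for illustration, and signature, issuer and audience validation are assumed to have been done before this check.

```javascript
// Constructed placeholder; substitute the acr value your provider issues.
const REQUIRED_ACR = "urn:example:acr:mfa";

// Decode the payload segment of a compact JWT (base64url-encoded JSON).
// Assumption: the signature was already verified by the caller.
function decodeClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// True only if THIS token records MFA: amr contains "mfa" or acr matches.
// Accepting either claim is a policy choice made for this example.
function tokenProvesMfa(claims, requiredAcr = REQUIRED_ACR) {
  const amr = Array.isArray(claims.amr) ? claims.amr : [];
  return amr.includes("mfa") || claims.acr === requiredAcr;
}

// Decide whether a sensitive action may proceed on the current ID token.
// Absent claims are never read as "MFA carried over from the session".
function authorizeSensitiveAction(idToken) {
  const claims = decodeClaims(idToken);
  if (tokenProvesMfa(claims)) {
    return { allow: true, reason: "mfa-in-this-exchange" };
  }
  const absent = claims.amr === undefined && claims.acr === undefined;
  return {
    allow: false,
    reason: absent ? "claims-absent-step-up-required" : "mfa-not-asserted",
  };
}

// Build an unsigned, constructed token so the example runs offline.
function makeToken(payload) {
  const enc = (obj) =>
    Buffer.from(JSON.stringify(obj)).toString("base64")
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

// Constructed samples: the first login used MFA, the SSO renewal did not.
const firstLogin = makeToken({ sub: "user-1", amr: ["mfa"], acr: REQUIRED_ACR });
const renewed = makeToken({ sub: "user-1" });

console.log(authorizeSensitiveAction(firstLogin)); // allowed
console.log(authorizeSensitiveAction(renewed));    // denied, step-up required
```

When the result is `claims-absent-step-up-required`, the application sends the user through a new authorize call that actually performs MFA instead of relying on the earlier token.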