Scopes for Step-Up authentication

I want to add Step-Up authentication to my single-page web application that uses Auth0 lock widget.
The MFA should be triggered on certain action e.g. “Sign contract”.

In Auth0 documentation I have found two ways to do that:

• scope: ‘openid step_up’ that is described here
• scope: ‘openid nonce’, acr_values: ‘http://schemas.openid.net/pape/policies/2007/06/multi-factor’ that I found in this example.

Could you please explain what is the difference and which one is preferable for single-page web app.

As somewhat hinted in the notice available in the first link you mentioned given that acr_values are now supported that should be your choice as they are standardized while the step_up flag was a custom implementation. In addition, to my knowledge the fact that the client application is a SPA should not affect this decision in any way.