Support default_acr_values

[apexskier]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

One of the OIDC specification's client metadata values is default_acr_values. I'd like to use these to configure required ACR (e.g. is MFA required) at the client registration level, so we can avoid depending on hardcoded rules or client-supplied requests (which could be spoofed).

I'm currently able to register a client with default_acr_values, but do not have access to this value in the client.OAuth2Client type (and I haven't seen a way to access it anywhere else).

Describe your ideal solution

I'd like the client.OAuth2Client type to contain default_acr_values supplied in a client registration.

Workarounds or alternatives

I can not rely on the OIDC spec, and instead just hardcode this per client or use an alternate configuration mechanism.

Version

v1.11.8

Additional Context

I'm pretty sure implementation would involve adding the field to the oidc client type and api client type, then plumbing the data to and from the DB layer.

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️