...
As of today there is no standard way for an API to indicate to a client that a step-up should be performed. However, a proposal for doing this was launched at OSW2021 and is being worked on. It is recommended that new APIs consider using this pattern.
The API should inspect the claims in the incoming access token and determine whether a step-up is necessary. See the claims described in “The application has requirements where a step-up has to be performed”.
If a step-up should be performed, the API should:
Return a response code 401 Unauthorized.
Add an HTTP header “WWW-Authenticate”:
WWW-Authenticate: Bearer error="insufficient_authentication_level", error_description="Security level 'high' is required", acr_values="idp:idporten-oidc Level4"
The acr_values directive is optional, and may be used if the API has specific requirements regarding which IDP should be used.
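The following is an added example (not code from the documentation itself) showing both sides of this pattern: the API deciding from the token's claims that a step-up is needed and emitting the 401 challenge above, and a client parsing the WWW-Authenticate parameters back out. The claim name security_level and the level ordering are assumptions for illustration; the real claim names are listed in the section referenced above.

```python
import re
from typing import Optional

# Assumed claim carrying the caller's authentication level (placeholder name);
# the real claim names are documented elsewhere, not on this page.
SECURITY_LEVEL_CLAIM = "security_level"
LEVEL_ORDER = {"low": 0, "substantial": 1, "high": 2}  # constructed ordering

def needs_step_up(claims: dict, required_level: str) -> bool:
    """True when the access token's level is below what the API requires.
    A missing or unknown level is treated as insufficient (fail closed)."""
    current = claims.get(SECURITY_LEVEL_CLAIM)
    return LEVEL_ORDER.get(current, -1) < LEVEL_ORDER[required_level]

def _quote(value: str) -> str:
    # RFC 7235 quoted-string: escape backslash and double quote
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_step_up_response(required_level: str, acr_values: Optional[str] = None):
    """API side: return (status, headers) for the 401 step-up challenge."""
    params = [
        ("error", "insufficient_authentication_level"),
        ("error_description", f"Security level '{required_level}' is required"),
    ]
    if acr_values:  # optional: only when the API pins a specific IDP/level
        params.append(("acr_values", acr_values))
    value = "Bearer " + ", ".join(f"{k}={_quote(v)}" for k, v in params)
    return 401, {"WWW-Authenticate": value}

# auth-param = token "=" ( token / quoted-string ), comma separated
_PARAM_RE = re.compile(r'([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_challenge(header: str):
    """Client side: split 'Bearer k="v", ...' into (scheme, {param: value})."""
    scheme, _, rest = header.partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        raw = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1)] = re.sub(r"\\(.)", r"\1", raw)  # unescape quoted-pair
    return scheme, params

if __name__ == "__main__":
    # Constructed token claims: caller authenticated at a lower level than required
    token_claims = {"sub": "example-user", SECURITY_LEVEL_CLAIM: "substantial"}
    if needs_step_up(token_claims, "high"):
        status, headers = build_step_up_response("high", "idp:idporten-oidc Level4")
        print(status, headers["WWW-Authenticate"])
        print(parse_challenge(headers["WWW-Authenticate"]))
```

A client that sees error="insufficient_authentication_level" can start a new authentication request, passing acr_values through to the authorization server when the API supplied it.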
...