1. `grant_type=password` ... this is not OpenID, it is OAuth. So your interception script is certainly not being invoked (you are not even calling the authorization endpoint... you are calling the token endpoint).
2. The acr value would not be invoked for an OAuth flow.
Please read the [Basic Client Implementer’s Guide](https://openid.net/connect/) and probably the Core spec as well if you are going to use a low level client like curl.
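To illustrate the distinction made in this answer, here is an added example (not part of the original reply) that builds an OpenID Connect authentication request carrying `acr_values` and classifies a request by the endpoint it targets. The hostnames, endpoint paths, client ID and ACR name are constructed placeholders, and `build_authn_request` and `classify` are hypothetical helpers.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed values: issuer, endpoint paths, client and ACR name are placeholders.
AUTHZ_ENDPOINT = "https://idp.example.test/authorize"
TOKEN_ENDPOINT = "https://idp.example.test/token"


def build_authn_request(client_id, redirect_uri, acr_values):
    """Build an OpenID Connect authentication request (authorization code flow)."""
    params = {
        "response_type": "code",
        "scope": "openid",          # this scope is what makes the request OpenID Connect
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "acr_values": acr_values,   # defined for the authentication request
        "state": secrets.token_urlsafe(16),
        "nonce": secrets.token_urlsafe(16),
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def classify(url, form=None):
    """Say which flow a request belongs to and whether acr_values can take effect."""
    parts = urlsplit(url)
    endpoint = f"{parts.scheme}://{parts.netloc}{parts.path}"
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    form = form or {}
    if endpoint == TOKEN_ENDPOINT:
        # A direct token request never passes through the authorization endpoint,
        # so an acr_values field sent here has no authentication step to select.
        return {"flow": "oauth:" + form.get("grant_type", ""), "acr_applies": False}
    if endpoint == AUTHZ_ENDPOINT:
        is_oidc = "openid" in query.get("scope", "").split()
        return {"flow": "oidc:authn" if is_oidc else "oauth:authz",
                "acr_applies": is_oidc and "acr_values" in query}
    return {"flow": "unknown", "acr_applies": False}


if __name__ == "__main__":
    # Constructed form body resembling a grant_type=password call made with curl.
    ropc = {"grant_type": "password", "username": "alice",
            "password": "<redacted>", "acr_values": "example_acr"}
    print(classify(TOKEN_ENDPOINT, ropc))
    print(classify(build_authn_request("client-123",
                                       "https://app.example.test/cb", "example_acr")))
```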