By Jeremy Carter (user), 04 Aug 2020 at 9:34 a.m. CDT

1 Response
When performing an authorize request with an authorized session using a different ACR (either specified in the request or defined as the default by the client) that is of equal or lower "level" than the ACR which was first used to authorize the session, I have observed that the authorize endpoint will redirect to authorize.htm, which will then redirect back to the authorize endpoint, but this time with the clientId, redirect_uri, acr, etc. of the request that was initially used to authorize the session rather than the current request. The end result is that the authorize request which was used to authorize the session initially is replayed rather than the request which was just made.

To reproduce, configure oxtrust to use passport_socal as its default ACR (level 40). Configure a new OIDC client and specify the client default ACR of basic (level 10). Log into oxtrust to acquire a session, and then, using the same session, make an authorize request using the new OIDC client (not sure it matters, but I used code grant). Observe that the authorize request instead redirects you back into oxtrust. I have noticed that this issue goes away if the client default ACR contains both the desired default ACR and the ACR that was used to first authorize the session.
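The following is an added illustration of the session-reuse decision the report describes; it is not Gluu's code and does not claim to show how oxAuth is implemented. It models the two ACRs and levels quoted in the post (basic = 10, passport_socal = 40) in a constructed lookup table, compares the session's ACR level against the level the new request asks for, and contrasts the observed outcome (the request that created the session is replayed) with the expected one (the session is reused but the current request's client_id, redirect_uri and acr are answered). The client ids, redirect URIs and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed ACR-to-level table using the two ACRs and levels named in the
# report. A real deployment derives these levels from its authentication scripts.
ACR_LEVELS = {"basic": 10, "passport_socal": 40}


@dataclass(frozen=True)
class AuthorizeRequest:
    client_id: str
    redirect_uri: str
    acr_values: Tuple[str, ...]   # ACRs acceptable to this request (from the request or the client default)


@dataclass
class Session:
    acr: str                            # ACR actually used to authenticate this session
    original_request: AuthorizeRequest  # the authorize request that created the session


def session_satisfies(session: Session, request: AuthorizeRequest) -> bool:
    """True when the session's ACR level meets or exceeds the level of at least one
    ACR the request asks for, i.e. no step-up authentication is needed."""
    have = ACR_LEVELS[session.acr]
    return any(have >= ACR_LEVELS[acr] for acr in request.acr_values)


def authorize_observed(session: Session, request: AuthorizeRequest) -> Optional[AuthorizeRequest]:
    """Model of the behaviour reported above (hypothetical): when the session can be
    reused, the endpoint answers the request that originally created the session."""
    if session_satisfies(session, request):
        return session.original_request
    return None  # level too low: re-authentication would be required


def authorize_expected(session: Session, request: AuthorizeRequest) -> Optional[AuthorizeRequest]:
    """Expected behaviour: reuse the authenticated session but answer the request
    that was actually made, with its own client_id, redirect_uri and acr."""
    if session_satisfies(session, request):
        return request
    return None


def reproduce() -> dict:
    """Walk through the report's scenario and return the outcomes for inspection."""
    # Constructed values: a session created by logging into oxTrust with the level-40 ACR ...
    oxtrust_login = AuthorizeRequest("oxtrust", "https://idp.example/identity/callback", ("passport_socal",))
    session = Session(acr="passport_socal", original_request=oxtrust_login)
    # ... followed by a second client whose default ACR is the level-10 "basic".
    new_client = AuthorizeRequest("new-client", "https://app.example/cb", ("basic",))

    # Counter-case: a weaker session asking for a stronger ACR must not be reused at all.
    weak_session = Session(acr="basic", original_request=new_client)

    return {
        "reusable": session_satisfies(session, new_client),
        "observed_client": authorize_observed(session, new_client).client_id,
        "expected_client": authorize_expected(session, new_client).client_id,
        "expected_redirect": authorize_expected(session, new_client).redirect_uri,
        "step_up_needed": authorize_expected(weak_session, oxtrust_login) is None,
    }


if __name__ == "__main__":
    for key, value in reproduce().items():
        print(f"{key}: {value}")
```

In the modelled scenario the level check passes (40 >= 10), so the session is correctly reusable; the defect the report describes lies in which request the endpoint answers afterwards, not in the level comparison itself. The `step_up_needed` case shows the opposite direction, where a level-10 session cannot satisfy a level-40 request and a fresh authentication is required.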

By Aliaksandr Samuseu (staff), 04 Aug 2020 at 9:51 a.m. CDT

Hi, Jeremy. Thanks for letting us know. I'll try to reproduce this and figure out if it's an expected behavior.