I have an IdentityServer4 and a JavaScript client which is using the oidc-client.js library to authenticate with my IdentityServer. I have a specific case where I need to pass both acr values: idp:{providerName} and tenant:{tenantName}.
Using the oidc-client.js library, in the configuration object I am passing the acr_values string to be either acr_values: "tenant:lado" or acr_values: "idp:Google". If I try sending a list of strings acr_values: ["idp:Google","tenant:lado"] and try to access it in IdentityServer, I get only the tenant and it has the value: Google,tenant:lado. As you can see only the idp is being detected but it merges everything. How can I achieve the desired effect of sending 2 separate acr_values?
How can I pass multiple acr_values to IdentityServer?
The acr values must be space separated as a single string like so: "idp:Google tenant:lado". This is also described in the spec here under the 'acr_values' request parameter listing.
The reason everything after the first colon is being parsed as the 'idp' acr value is because the oidc client library serializes the array using 'encodeURIComponent', which causes the array values to be joined with a comma delimiter. IdentityServer parses acr values assuming they're space separated, so it's unable to break the value apart.
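The serialization difference described in the answer above, as an added example that is not part of the original post and is not code from oidc-client.js or IdentityServer. The helper names (toQueryParam, parseAcrValues, buildAcrValues) are hypothetical, and the parser is a simplified model of a server that splits acr_values on spaces and reads the idp: and tenant: prefixes.

```javascript
// Added example: hypothetical helpers, not oidc-client.js or IdentityServer APIs.

// What ends up in the query string when a value goes through encodeURIComponent.
// An array is first coerced to a string, which joins its items with ",".
function toQueryParam(name, value) {
  return `${name}=${encodeURIComponent(value)}`;
}

// Simplified model of the server side: split on spaces, then pick out
// the entries carrying the "idp:" and "tenant:" prefixes.
function parseAcrValues(query) {
  const raw = new URLSearchParams(query).get("acr_values") || "";
  const values = raw.split(" ").filter(Boolean);
  const pick = (prefix) => {
    const hit = values.find((v) => v.startsWith(prefix));
    return hit ? hit.slice(prefix.length) : null;
  };
  return { values, idp: pick("idp:"), tenant: pick("tenant:") };
}

// Build the single space-separated string for the client configuration.
// A value containing whitespace would be split into extra acr values by
// the server, so it is rejected here instead of being passed through.
function buildAcrValues(items) {
  for (const item of items) {
    if (typeof item !== "string" || item === "" || /\s/.test(item)) {
      throw new TypeError(`invalid acr value: ${JSON.stringify(item)}`);
    }
  }
  return items.join(" ");
}

// Constructed sample input, taken from the values used in the question.
const wanted = ["idp:Google", "tenant:lado"];

// Array passed directly: one merged value, tenant is never seen.
const broken = parseAcrValues(toQueryParam("acr_values", wanted));

// Space-separated string: both values arrive separately.
const fixed = parseAcrValues(toQueryParam("acr_values", buildAcrValues(wanted)));

console.log("array :", broken);
console.log("string:", fixed);
```

With the array form the tenant hint is silently dropped instead of being rejected, so a server that selects the tenant from acr_values should treat a missing tenant as an error instead of falling back to a default.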