Take note once the login request initiates a request with the claims parameter requesting acr as crucial assert, then Keycloak will normally returnPushing the not-just before policy ensures that client applications don't take the present tokens signed via the compromised key. The consumer application is compelled to download new critical pairs from