
docs: document upstream MFA carry-over for OIDC social sign-in #2507

Open
hperl wants to merge 3 commits into master from feat/oidc-upstream-mfa-carryover

Conversation


@hperl hperl commented Apr 13, 2026

Summary

Documents the new upstream OIDC acr / amr carry-over feature shipped in ory-corp/cloud#11499.

When a user signs in through a social sign-in provider that already enforces MFA, Ory can now trust the upstream factor instead of asking the user to complete a second factor again. This PR adds:

  • A new page Upstream MFA carry-over (docs/kratos/social-signin/93_upstream-mfa.mdx) covering:
    • How Ory reads the upstream acr / amr claims and decides the resulting session AAL.
    • A provider support matrix (Generic OIDC, Auth0, Okta, Keycloak, Microsoft Entra v1, Ping Identity, Google, Apple, and others).
    • Console and CLI configuration examples for aal2_acr_values and aal2_amr_values.
    • How to ask the upstream provider for a specific acr value via acr_values or requested_claims.
    • A sample /sessions/whoami payload showing the new upstream_acr / upstream_amr audit fields.
    • Troubleshooting tips for empty upstream claims and accidental AAL2 elevation.
  • A short cross-link section on the Dynamic Multi-Factor Authentication page so customers enforcing AAL2 discover the option.
  • A sidebar entry for the new page under OpenID Connect SSO.

Test plan

  • npx prettier --check passes for changed files
  • Local docusaurus build (npm run build) — please verify in CI

Related

  • ory-corp/cloud#11499 — implementation PR
  • ory-corp/cloud#11494 — issue

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Added documentation for upstream multi-factor authentication in social sign-in workflows under OpenID Connect SSO resources.


@vinckr vinckr left a comment


small formatting changes

hperl and others added 2 commits April 28, 2026 09:24
Adds a new page describing how Ory carries over upstream OIDC `acr` and
`amr` claims into the resulting Ory session. Operators can configure
per-provider `aal2_acr_values` and `aal2_amr_values` allowlists to mark
sessions as AAL2 when the upstream identity provider has already
performed multi-factor authentication.

The new page covers:

- How Ory reads the upstream `acr` / `amr` claims and decides the
  session AAL.
- A provider support matrix (Generic OIDC, Auth0, Okta, Keycloak,
  Microsoft Entra v1, Ping Identity, Google, Apple, and others).
- Console and CLI configuration examples.
- How to ask the upstream provider for a specific `acr` value via
  `acr_values` or `requested_claims`.
- Sample `/sessions/whoami` payload showing the new `upstream_acr` /
  `upstream_amr` audit fields.
- Troubleshooting tips for empty upstream claims and accidental AAL2
  elevation.

The Dynamic MFA / step-up authentication doc gains a short section that
links to the new page so customers enforcing AAL2 discover the option.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
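To make the allowlist decision described in the commit message concrete, here is an added example (not Ory Kratos's code and not from the documented page) that models how per-provider aal2_acr_values / aal2_amr_values turn upstream acr / amr claims into a session AAL and the upstream_acr / upstream_amr audit fields, covering the empty-claims and accidental-elevation troubleshooting cases. The type names, the "phr" acr value and the RFC 8176 amr values used in the checks are assumptions made for this example.

```go
package main

// Constructed model of the AAL decision the PR documents, not Ory Kratos's
// own types or functions.
// ProviderMFAConfig holds the per-provider aal2_acr_values / aal2_amr_values allowlists.
type ProviderMFAConfig struct {
	AAL2ACRValues []string
	AAL2AMRValues []string
}
// UpstreamClaims is the part of the upstream ID token the decision reads.
type UpstreamClaims struct {
	ACR string   // Authentication Context Class Reference
	AMR []string // Authentication Methods References (RFC 8176)
}
// Decision carries the resulting AAL plus the upstream_acr / upstream_amr audit fields.
type Decision struct {
	AAL, UpstreamACR, Reason string
	UpstreamAMR              []string
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// DecideAAL grants aal2 only when the upstream acr or one upstream amr entry is
// allowlisted. Missing claims never elevate (the "empty upstream claims" case);
// allowlisting a single-factor amr such as "pwd" causes accidental elevation.
func DecideAAL(cfg ProviderMFAConfig, c UpstreamClaims) Decision {
	d := Decision{AAL: "aal1", UpstreamACR: c.ACR, UpstreamAMR: c.AMR}
	switch {
	case c.ACR == "" && len(c.AMR) == 0:
		d.Reason = "upstream sent no acr/amr claims"
	case c.ACR != "" && contains(cfg.AAL2ACRValues, c.ACR):
		d.AAL, d.Reason = "aal2", "acr matched aal2_acr_values"
	default:
		d.Reason = "upstream claims present but not allowlisted"
		for _, m := range c.AMR {
			if contains(cfg.AAL2AMRValues, m) {
				d.AAL, d.Reason = "aal2", "amr "+m+" matched aal2_amr_values"
				break
			}
		}
	}
	return d
}
```

Keeping single-factor values such as "pwd" out of aal2_amr_values is the check that prevents a password-only upstream login from being recorded as AAL2.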
Copilot AI review requested due to automatic review settings April 28, 2026 07:25
@hperl hperl force-pushed the feat/oidc-upstream-mfa-carryover branch from 34dd9c9 to e491eb7 on April 28, 2026 07:25

coderabbitai Bot commented Apr 28, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 8134465 and e491eb7.

⛔ Files ignored due to path filters (2)
  • docs/kratos/mfa/05_step-up-authentication.mdx is excluded by !**/*.mdx
  • docs/kratos/social-signin/93_upstream-mfa.mdx is excluded by !**/*.mdx
📒 Files selected for processing (1)
  • src/sidebar-old.ts

Walkthrough

A new documentation page link, "kratos/social-signin/upstream-mfa", is added to the OpenID Connect SSO sidebar category within the documentation configuration, inserted among related social sign-in documentation references.

Changes

  • Cohort: OpenID Connect SSO Sidebar Configuration
  • File(s): src/sidebar-old.ts
  • Summary: Added new documentation page reference kratos/social-signin/upstream-mfa to the oidcSSO category under OpenID Connect SSO items.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • aeneasr
  • unatasha8


Pre-merge checks (5 passed)

  • Title check: Passed. The title clearly describes the main change: adding documentation for upstream MFA carry-over functionality in OIDC social sign-in, which directly corresponds to the PR's primary objective.
  • Description check: Passed. The description includes a comprehensive summary, clear explanation of the feature, detailed breakdown of changes, test plan with checkmarks, and related issue references. It fully addresses the template requirements for documentation improvements.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.



Labels

upstream Issue is caused by an upstream dependency.


4 participants