Improve the code in security-oidc-bearer-token-authentication.adoc to include a list in AcrValueValidator

Author: jcarranzan

docs/src/main/asciidoc/security-oidc-bearer-token-authentication.adoc

@@ -1706,10 +1706,13 @@ Or, if you need more flexibility, write a <<jose4j-validator-bearer>>:
 ----
 package io.quarkus.it.oidc;
 
+import java.util.Collections;
+import java.util.List;
 import java.util.Map;
 
 import jakarta.enterprise.context.ApplicationScoped;
 
+import org.eclipse.microprofile.jwt.Claims;
 import org.jose4j.jwt.MalformedClaimException;
 import org.jose4j.jwt.consumer.JwtContext;
 import org.jose4j.jwt.consumer.Validator;
@@ -1727,9 +1730,19 @@ public class AcrValueValidator implements Validator {
     @Override
     public String validate(JwtContext jwtContext) throws MalformedClaimException {
         var jwtClaims = jwtContext.getJwtClaims();
-        if (jwtClaims.hasClaim("acr")) {
-            var acrClaim = jwtClaims.getStringListClaimValue("acr");
-            if (acrClaim.contains("myACR") && acrClaim.contains("yourACR")) {
+        var acrClaimName = Claims.acr.name();
+
+        if (jwtClaims.hasClaim(acrClaimName)) {
+            // The claim 'acr' could be a String or a list
+            List<String> acrClaimValues;
+            if (jwtClaims.isClaimValueStringList(acrClaimName)) {
+               acrClaimValues = jwtClaims.getStringListClaimValue(acrClaimName);
+            } else if (jwtClaims.isClaimValueString(acrClaimName)) {
+               acrClaimValues = List.of(jwtClaims.getStringClaimValue(acrClaimName));
+            } else {
+                throw new MalformedClaimException("Claim '" + acrClaimName + "' is not a String or List of Strings.");
+            }
+            if (acrClaimValues.contains("myACR") && acrClaimValues.contains("yourACR")) {
                 return null;
             }
         }