diff --git a/pkg/router/router.go b/pkg/router/router.go
index 13d7947..f79097b 100644
--- a/pkg/router/router.go
+++ b/pkg/router/router.go
@@ -268,7 +268,15 @@ func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- idToken, err := token.ParseIDToken(r.Context(), h.jwkSet, tokens)
+ parseOpts := []jwt.ParseOption{
+ jwt.WithRequiredClaim("sid"),
+ }
+
+ if h.Config.SecurityLevel.Enabled {
+ parseOpts = append(parseOpts, jwt.WithRequiredClaim("acr"))
+ }
+
+ idToken, err := token.ParseIDToken(r.Context(), h.jwkSet, tokens, parseOpts...)
 if err != nil {
 log.Error(err)
 w.WriteHeader(http.StatusUnauthorized)
diff --git a/pkg/token/token.go b/pkg/token/token.go
index c2dca8d..96967b5 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -37,7 +37,7 @@ func (in *IDToken) Validate(opts ...jwt.ValidateOption) error {
 return nil
 }
 
-func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token) (*IDToken, error) {
+func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token, opts ...jwt.ParseOption) (*IDToken, error) {
 raw, ok := token.Extra("id_token").(string)
 if !ok {
 return nil, fmt.Errorf("missing id_token in token response")
@@ -50,8 +50,10 @@ func ParseIDToken(ctx context.Context, jwks jwk.Set, token *oauth2.Token) (*IDTo
 
 parseOpts := []jwt.ParseOption{
 jwt.WithKeySet(jwks),
- jwt.WithRequiredClaim("sid"),
+ jwt.WithValidate(true),
 }
+ parseOpts = append(parseOpts, opts...)
+
 idToken, err := jwt.Parse([]byte(raw), parseOpts...)
 if err != nil {
 return nil, fmt.Errorf("parsing jwt: %w", err)
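Review bot: `jwt.WithRequiredClaim("acr")` on the `h.Config.SecurityLevel.Enabled` branch only asserts that the claim is present; nothing in this hunk compares its value with the level the authorization request asked for, so an ID token carrying any `acr` value passes this step. If that comparison happens elsewhere (for instance in a later `Validate` call on the parsed token), a comment on the branch would save the next reader the search, e.g. `// presence only: the acr value is compared against the requested level in [location]`; if it does not happen anywhere, the value check belongs directly after `ParseIDToken` returns. Building the option list inline also lengthens the handler; a small helper such as `func (h *Handler) idTokenParseOptions() []jwt.ParseOption` would keep Callback focused on the callback flow. Callback's body starts and ends outside this hunk.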
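Review bot: `ParseIDToken` is exported and its contract changed with the new variadic `opts`, but no doc comment says what callers may pass or which options the function applies on its own. A comment above the signature along the lines of `// ParseIDToken extracts the id_token from token, verifies it against jwks and runs the library's validation, then applies any further parse options (such as required claims) supplied by the caller.` would make the split of responsibility between this package and router.go explicit. The rest of the function body lies outside this hunk.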
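Review bot: Caller-supplied options are appended after `jwt.WithKeySet(jwks)` and `jwt.WithValidate(true)`, so a caller passing `jwt.WithValidate(false)` or its own key set would override the package's defaults if jwt.Parse applies options in order, as the jwx option pattern suggests. Putting the defaults last keeps them authoritative regardless of what the caller passes: `parseOpts := append([]jwt.ParseOption{}, opts...)` followed by `parseOpts = append(parseOpts, jwt.WithKeySet(jwks), jwt.WithValidate(true))`, replacing the current list literal and the later `append`. Separately, removing `jwt.WithRequiredClaim("sid")` here means any other caller of ParseIDToken that does not pass it now accepts tokens without a session id; router.go passes it in this commit, but it is worth confirming there are no other call sites.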