diff --git a/services/src/main/java/org/keycloak/authentication/AuthenticatorUtil.java b/services/src/main/java/org/keycloak/authentication/AuthenticatorUtil.java
index e5deb35613..baf1f20186 100755
--- a/services/src/main/java/org/keycloak/authentication/AuthenticatorUtil.java
+++ b/services/src/main/java/org/keycloak/authentication/AuthenticatorUtil.java
@@ -17,8 +17,10 @@
 
 package org.keycloak.authentication;
 
+import org.keycloak.models.AuthenticatedClientSessionModel;
 import org.keycloak.models.Constants;
 import org.keycloak.sessions.AuthenticationSessionModel;
+import org.keycloak.sessions.CommonClientSessionModel;
 
 public class AuthenticatorUtil {
 
@@ -40,4 +42,9 @@ public class AuthenticatorUtil {
         return AuthenticatorUtil.getRequestedLevelOfAuthentication(authSession)
             <= AuthenticatorUtil.getCurrentLevelOfAuthentication(authSession);
     }
+
+    public static int getCurrentLevelOfAuthentication(AuthenticatedClientSessionModel clientSession) {
+        String clientSessionLoaNote = clientSession.getNote(Constants.LEVEL_OF_AUTHENTICATION);
+        return clientSessionLoaNote == null ? Constants.NO_LOA : Integer.parseInt(clientSessionLoaNote);
+    }
 }
diff --git a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
index fabc30c02d..616156caaa 100755
--- a/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
+++ b/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java
@@ -854,7 +854,7 @@ public class TokenManager {
     }
 
     private String getAcr(AuthenticatedClientSessionModel clientSession) {
-        int loa = Integer.parseInt(clientSession.getNote(Constants.LEVEL_OF_AUTHENTICATION));
+        int loa = AuthenticatorUtil.getCurrentLevelOfAuthentication(clientSession);
         if (loa < Constants.MINIMUM_LOA) {
             loa = AuthenticationManager.isSSOAuthentication(clientSession) ? 0 : 1;
         }