Is there any way to add an "email" claim in the jw...
# talk-hydra
c
Is there any way to add an "email" claim in the jwt token on authorization_code flow? Without having to use webhooks. (We're using the ory network. Not self-hosting)
p
Hi @careful-room-94787 AFAIK it should add it to the jwt claims if you request the scope "email". Since you are using ory network, use the #ory-network channel to have better visibility on your question 🙂 https://github.com/ory/kratos-selfservice-ui-node/blob/master/src/routes/consent.ts#L29-L48 https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#custom-consent-ui-and-custom-claims-for-jwt-access-token
c
@proud-plumber-24205 thanks for the answer, I might not have been descriptive enough. Indeed when "email" is within the requested scopes, the returned jwt contains scp: ['email',...]. What I am looking for though, is for the actual email of whoever is being authenticated to appear in the jwt. On the same level of "scp" to have "email: oslar.berenguer@something.com". We have been doing that with auth0 like this: https://auth0.com/docs/secure/tokens/json-web-tokens/create-custom-claims#create-custom-claims
p
Hi @careful-room-94787 I see, yes the values don't seem to be added inside the Account Experience, for this you would need to build your own consent UI https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow or use webhooks, and then allow top-level claims https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#custom-consent-ui-and-custom-claims-for-jwt-access-token
c
Hi @proud-plumber-24205, Thank you for your response 🙂. I'm afraid this is a deal-breaker.
We'll check in the future for whether an easier solution is created for this matter in Ory.