# general
w
Hello folks, is it possible to add custom claims in a JWT for the client credentials grant, that is, the M2M flow? There is no consent step in this M2M flow and no OIDC server. All documentation seems to point to adding custom claims on consent acceptance. Auth0 supports this through Actions; Ory Actions don't seem to support custom claims for M2M grants either. For context, we want to send an admin-generated userid as a custom claim that we are setting in client metadata. This userid helps us identify the client in our system.
m
Hello @wooden-manchester-52124, did you see the OAuth2 webhooks? Maybe those can help: https://www.ory.sh/docs/hydra/guides/claims-at-refresh We recommend not using OAuth2 for first-party user IAM for this reason (see here: https://www.ory.sh/docs/hydra/concepts/before-oauth2): the OAuth2 spec is not intended for this use case and you need some additional custom code on top to make this work (like Auth0, which implemented a lot of custom abstractions on top of the OAuth2 spec). That being said, there is probably a way to make this work 🤔 Not too familiar with that flow myself tbh...
w
@magnificent-energy-493
> Did you see the OAuth2 webhooks?
Yes, but the webhook request requires a specific payload with session and ID token details. I only have access tokens for M2M clients; is there a way to construct the webhook payload with an access token?
> you need some additional custom code on top to make this work
I think this is what we do with Auth0 Actions: we define custom code in the actions themselves to inject custom claims. Ory Actions don't seem to support creating actions for client credentials grants, and the webhook option seems unusable as well, as it needs an ID token in the request payload. So how do you suggest I add custom code in Ory?
m
Hey @wooden-manchester-52124 I see the issue now. Also thanks for the information you shared via email. I will talk to the team what the best solution is and will follow up via email 👍
m
@magnificent-energy-493 @wooden-manchester-52124 Did you find a solution for this? I am in the same boat, where I need to set a custom claim for some OAuth clients using the client_credentials flow. Regards, Michael
w
Hey @miniature-morning-2235, I am still trying to figure this out with @magnificent-energy-493. TLDR: we should be able to use token webhooks, but the documentation is unclear on how to use them with access tokens without ID tokens. Waiting to hear back from the Ory team for an example webhook request payload for access tokens.
m
@wooden-manchester-52124 Thank you for the reply. Exciting if it's possible to do with a webhook; that's the solution that was listed here as well: https://github.com/ory/hydra/issues/1383 But I couldn't figure out if it was implemented / merged yet; hopeful it is 🙂
m
Hello @wooden-manchester-52124 @miniature-morning-2235 I just got a response from one of my colleagues:
Just tried this out, works as documented:
```text
eyJhbGciOiJSUzI1NiIsImtpZCI6ImZjNmY4YmRhLWU2OTYtNDYwNi1iZDJlLWNiZDFiMmVmNGUwYSIsInR5cCI6IkpXVCJ9.eyJhdWQiOltdLCJjbGllbnRfaWQiOiJjOWUyNzBhMi02M2MzLTRjMzctODlhZS1kYTYyOTRjYmEzMzEiLCJleHAiOjE3MTI4NTQwNDcsImV4dCI6eyJmb28iOiJiYXIifSwiaWF0IjoxNzEyODUwNDQ3LCJpc3MiOiJodHRwczovL2ZvY3VzZWQtZ2Fsb2lzLWVueGIxdXpxazkucHJvamVjdHMub3J5YXBpcy5jb20iLCJqdGkiOiIwY2Y2OGZlMi05OTlkLTQ2Y2MtOGQ2Yy03MDUyNDBkMjFhZGMiLCJuYmYiOjE3MTI4NTA0NDcsInNjcCI6W10sInN1YiI6ImM5ZTI3MGEyLTYzYzMtNGMzNy04OWFlLWRhNjI5NGNiYTMzMSJ9.Kfugf4OMEuKWPCLVE4mIkpmljqf-NeuWY5-yFH5hCMhiu4FP227ZWbz2Mtb5uvM3p4mJPAdUsERHMqgMZLBLDLIFETSfW9ZfjoBfvRNlu-j3txCDv4uR6ivzhVHEZK3MuIOtGDGObh6eKTSJhDHIKYzm5cvCRSkgROZbo5lt7yy7gPBMt2EG3mrmd8qxq1wBZZcfAA7jyn41ULj3jrY8jQPjjcL5l0_i3pXeYW1tMTIPLOsvOi4pxUROBOhFzYML9idrq9UcZmUifoYsxQ_cGCIeO32badyFI-ON3f6WRDSlydaQfRoBb9vBLYPgWeSqJp4awiU8k-DW4KpuUTriSq4PjqVrYCzYqTEvWD3m-A-3BkYdFvA2QZ4tWT0l9fNjhl4E9Y4nJ9HJaAwVwD7j9tuPKk82dMqYjOYiRr14zDdKlMyxoGTSYOmuyB2bh3P-xL3pYJfw0MmajENTj7ibbUJpafBJDwShYZAtPPCMIikKPhe7S8SLp4N33bIhoq0pfpna6YX2QRitRRUelkmasgdmkUVeM6emBX-cjJWJbpN6jTMvnoLQqqtVZ-l4mKI0zNn-Ls1eiV5RS8vMlI8VbcNSXQyc2wVD7DsaqbZ8GHRviRoeoOIFNuC5TWjIQirpGfq6Jlm_GI3HNVPc-z6fDQ9IYioHQlzveWH0YsCWCZI
```
```json
{
  "aud": [],
  "client_id": "c9e270a2-63c3-4c37-89ae-da6294cba331",
  "exp": 1712854047,
  "ext": {
    "foo": "bar"
  },
  "iat": 1712850447,
  "iss": "https://focused-galois-enxb1uzqk9.projects.oryapis.com",
  "jti": "0cf68fe2-999d-46cc-8d6c-705240d21adc",
  "nbf": 1712850447,
  "scp": [],
  "sub": "c9e270a2-63c3-4c37-89ae-da6294cba331"
}
```
```bash
# auth/config/in can be "header" or "cookie"
ory patch oauth2-config $project_id \
  --add '/oauth2/token_hook/url="https://YOUR-WEBHOOK-ENDPOINT"' \
  --add '/oauth2/token_hook/auth/type="api_key"' \
  --add '/oauth2/token_hook/auth/config/in="header"' \
  --add '/oauth2/token_hook/auth/config/name="X-API-Key"' \
  --add '/oauth2/token_hook/auth/config/value="MY API KEY"' \
  --format yaml
```
`https://YOUR-WEBHOOK-ENDPOINT` must return such a payload:
```json
{
  "session": {
    "access_token": {
      "foo": "bar"
    }
  }
}
```
We will also polish up the documentation a bit to make this clearer.
m
Success, I got it to work with top_level_claims as well.
```json
{
  "client_id": "xxx",
  "exp": 1712928095,
  "ext": {
    "mokOnlineUserId": "42",
    "realm_roles": {
      "roles": ["supporter", "admin"]
    }
  },
  "iat": 1712924495,
  "iss": "",
  "jti": "",
  "nbf": 1712924495,
  "realm_roles": {
    "roles": ["supporter", "admin"]
  },
  "scp": [],
  "sub": ""
}
```
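Added example, not part of the thread and not Ory's own code: a minimal token hook endpoint in Go that sits behind the `token_hook` configuration posted above and injects the admin-set userid from the original question as a claim for client_credentials tokens only. Assumptions: the request body fields (`request.client_id`, `request.grant_types`, `request.granted_scopes`, `request.granted_audience`, `session.*`) follow the shape documented for Hydra's token hook, which the thread itself never shows; the client metadata lookup is a constructed in-memory map standing in for a call to Hydra's admin client API; the `X-API-Key` header and `TOKEN_HOOK_API_KEY` environment variable are illustrative names matching the `api_key` auth config above.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"log"
	"net/http"
	"os"
)

// HookRequest is the subset of the token hook request body this handler reads.
// ASSUMPTION: field names follow Hydra's documented token hook payload; fields
// Hydra sends that are not listed here are ignored by the JSON decoder.
type HookRequest struct {
	Session struct {
		AccessToken map[string]any `json:"access_token"`
		IDToken     map[string]any `json:"id_token"`
	} `json:"session"`
	Request struct {
		ClientID        string   `json:"client_id"`
		GrantTypes      []string `json:"grant_types"`
		GrantedScopes   []string `json:"granted_scopes"`
		GrantedAudience []string `json:"granted_audience"`
	} `json:"request"`
}

// HookResponse is the 200 body shown in the thread: keys placed under
// session.access_token show up in the access token's "ext" object.
type HookResponse struct {
	Session struct {
		AccessToken map[string]any `json:"access_token,omitempty"`
		IDToken     map[string]any `json:"id_token,omitempty"`
	} `json:"session"`
}

// ClientLookup resolves a client_id to the metadata an admin stored on the client.
// ASSUMPTION: a real deployment reads this from Hydra's admin API (the client
// object's "metadata" field); the demo below uses an in-memory map instead.
type ClientLookup func(clientID string) (metadata map[string]any, ok bool)

// demoClients is constructed sample data: one M2M client with a userid in its
// metadata and one without. The first id matches the decoded token in the thread.
var demoClients = map[string]map[string]any{
	"c9e270a2-63c3-4c37-89ae-da6294cba331": {"userid": "42"},
	"client-without-userid":                {},
}

// DemoLookup serves demoClients.
func DemoLookup(clientID string) (map[string]any, bool) {
	m, ok := demoClients[clientID]
	return m, ok
}

// Decide is the hook logic, kept free of HTTP so it can be tested directly.
// It returns the status Hydra interprets (200 = apply the returned session,
// 204 = issue the token unchanged, 403 = reject the token request) and the
// body to send with a 200.
func Decide(req HookRequest, lookup ClientLookup) (int, *HookResponse) {
	// Only the M2M flow gets the claim; every other grant passes through untouched.
	if !hasGrant(req.Request.GrantTypes, "client_credentials") {
		return http.StatusNoContent, nil
	}
	meta, ok := lookup(req.Request.ClientID)
	if !ok {
		// Client not registered in our system: fail closed rather than mint a
		// token we cannot attribute to anyone.
		return http.StatusForbidden, nil
	}
	userID, ok := meta["userid"].(string)
	if !ok || userID == "" {
		// Known client, but no admin-set userid: issue the token without the claim.
		return http.StatusNoContent, nil
	}
	var resp HookResponse
	resp.Session.AccessToken = map[string]any{"userid": userID}
	return http.StatusOK, &resp
}

// NewHandler wraps Decide with the api_key check matching the token_hook.auth
// config above (header X-API-Key, compared in constant time) and JSON handling.
func NewHandler(apiKey string, lookup ClientLookup) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-API-Key")
		if apiKey == "" || subtle.ConstantTimeCompare([]byte(got), []byte(apiKey)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var req HookRequest
		if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&req); err != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		status, resp := Decide(req, lookup)
		if resp == nil {
			w.WriteHeader(status)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		if err := json.NewEncoder(w).Encode(resp); err != nil {
			log.Printf("token hook: write response: %v", err)
		}
	})
}

func hasGrant(grants []string, want string) bool {
	for _, g := range grants {
		if g == want {
			return true
		}
	}
	return false
}

func main() {
	key := os.Getenv("TOKEN_HOOK_API_KEY") // the value set in token_hook.auth.config.value
	log.Fatal(http.ListenAndServe(":8080", NewHandler(key, DemoLookup)))
}
```

With this wired in, a client_credentials token for the first demo client decodes with `"ext": {"userid": "42"}`, the same place `"foo": "bar"` appears in the decoded token above; listing `userid` in Hydra's `allowed_top_level_claims` setting (the top_level_claims the last message refers to) additionally copies it to the top level, as `realm_roles` is in that message. Two points worth checking in a deployment: whoever can reach this endpoint with the API key can put arbitrary claims into every token Hydra issues, so keep it on an internal network and treat the key as a secret; and a response other than 200, 204 or 403 (including the 401 from a bad key) makes Hydra fail the token request instead of issuing a token without the claim, which is the safe direction.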