miniature-waitress-95147
05/03/2024, 11:31 AM
chilly-king-10285
05/03/2024, 11:31 AM
chilly-king-10285
05/03/2024, 11:31 AM
`session.id_token` when accepting the consent request. Any information included in `session.id_token`
will also be included in the response. Here is an example of how you can do this:

```typescript
import { Configuration, OAuth2Api } from "@ory/client"

// API client for the Ory Network project; slug and API key come from the environment.
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge: string) {
  // Fetch the pending consent request for this challenge.
  const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })

  return await ory
    .acceptOAuth2ConsentRequest({
      consentChallenge: consentChallenge,
      acceptOAuth2ConsentRequest: {
        session: {
          // Custom claims placed in the access token.
          access_token: {
            some_custom_claim: "some_custom_value",
          },
          // Custom claims placed in the ID token.
          id_token: {
            id_custom_claim: "some_value",
          },
        },
      },
    })
    .then(({ data }) => data)
}
```
In this example, `id_custom_claim` is a custom claim added to the ID token. The value of this claim is `"some_value"`. Please note that the `/userinfo` endpoint is publicly available. Its contents are thus as visible as those of ID Tokens. It is therefore imperative to not expose sensitive information without user consent. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response).
miniature-waitress-95147
05/03/2024, 11:39 AM
chilly-king-10285
05/03/2024, 11:39 AM
chilly-king-10285
05/03/2024, 11:39 AM
`identity.metadata_public`
in the userinfo response through configuration. The userinfo response is determined by the OpenID Connect protocol and typically includes standard claims as defined by the protocol. However, Ory allows adding custom claims to the userinfo response when accepting the consent request, as shown in the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response). This is done programmatically and may not be applicable if you're using the Apache APISIX OpenID Connect plugin and can't modify the consent request. For more specific or advanced configurations, you might need to refer to the documentation of the Apache APISIX OpenID Connect plugin or Ory's own documentation for possible extensions or customizations.