few-oyster-74399
06/11/2024, 3:19 PM
chilly-king-10285
06/11/2024, 3:20 PM
chilly-king-10285
06/11/2024, 3:20 PM
`sub` field, is typically the identifier for the user in the system. In Ory, the tokens issued to the OAuth2 client will contain the data from your webhook response. However, it's important to note that you cannot override the token subject. This means that if the subject is not appearing in your token, it might be due to the configuration of your webhook response or the way your system handles user identities.

If you're using Ory Hydra, the subject is usually included in the `id_token` and `access_token` issued by Ory to the OAuth2 client. Here's an example of what the tokens might look like:

```json
{
  "aud": [
    "my_client"
  ],
  "auth_time": 1647427485,
  "your:custom:id-token-claim": "another value",
  "your:second:id-token-claim": 2394123,
  "iss": "http://ory.hydra.example/",
  "sub": "[email protected]"
}
```

```json
{
  "active": true,
  "scope": "openid offline",
  "client_id": "my_client",
  "sub": "[email protected]",
  "aud": [],
  "iss": "http://ory.hydra.example/",
  "token_type": "Bearer",
  "token_use": "access_token",
  "ext": {
    "your:custom:access-token-claim": "any value you like",
    "your:second:access-token-claim": 124390123
  }
}
```

If the subject is not included in your tokens, you might want to check your webhook response and the way your system is handling user identities. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/hydra/guides/claims-at-refresh#updated-tokens).
few-oyster-74399
06/11/2024, 3:23 PM
chilly-king-10285
06/11/2024, 3:23 PM
chilly-king-10285
06/11/2024, 3:23 PM
`oauth2_client_credentials` authenticator in Ory's Oathkeeper uses the username from the HTTP Basic Authorization header as the subject for the request ([source](https://www.ory.sh/docs/oathkeeper/pipeline/authn#oauth2_client_credentials)). If you're not seeing a subject in the token when using the Client Credentials Grant, it might be because the username is not being correctly passed in the HTTP Basic Authorization header. You should ensure that the username and password are correctly encoded in base64 and included in the Authorization header of your request, like so: `Authorization: Basic base64(<username:password>)`. If you're unfamiliar with the OAuth 2.0 Client Credentials Grant, you might find [this guide](https://www.oauth.com/oauth2-servers/access-tokens/client-credentials/) helpful.