# ory-copilot
@chilly-king-10285 if I have multiple subdomains in my project, how is the issuer chosen for oauth apps?
A message from kapa.ai
When using the OAuth2 JWT profile in Ory, the default required audience will be the domain associated with your Ory Network project, which is typically in the format `https://{project.slug}.projects.oryapis.com`. If you have multiple subdomains in your project and you want to use a custom domain as the audience instead, you can update the OAuth2 Issuer URL of your project to match your custom domain. To change the issuer URL, you can use the Ory CLI with the following command:

```bash
ory patch oauth2-config {project-id} \
  --replace '/urls/self/issuer="https://auth.myexample.org"'
```

Replace `https://auth.myexample.org` with your custom domain. This URL should ideally be the primary custom domain you have set up for the Ory Network. If you have multiple custom domains connected to a single Ory Network project, it might cause issues with the issuer URL. In such cases, you can view the issuer URL of your Ory Network project using the Ory CLI:

```bash
ory get oauth2-config {project-id} --format json | jq '.urls.self.issuer'
```

Use this value to understand if the server is incorrectly configured or if the client is using the wrong issuer URL. For more details, refer to the following sources:
- [Troubleshooting OAuth2 JWT Profile](https://www.ory.sh/docs/troubleshooting/oauth2-trust-audience)
- [Change the OAuth2 issuer URL](https://www.ory.sh/docs/oauth2-oidc/issuer-url)
@chilly-king-10285 can I change the issuer for a single oauth client?
A message from kapa.ai
Yes, you can change the issuer for a single OAuth client. However, the issuer is typically set at the project level, not at the individual client level. If you want to change the issuer URL for your project, you can use the Ory CLI with the following command:

```bash
ory patch oauth2-config {project-id} \
  --replace '/urls/self/issuer="https://auth.myexample.org"'
```

Replace `https://auth.myexample.org` with your custom domain. This URL should ideally be the primary custom domain you have set up for the Ory Network. For more details, refer to the following source:
- [Change the OAuth2 issuer URL](https://www.ory.sh/docs/oauth2-oidc/issuer-url)

If you want to update the configuration of a specific OAuth client, you can use the Ory SDK or the Ory CLI. However, these methods typically involve changing client-specific settings such as the client's redirect URIs, grant types, response types, and scopes, not the issuer URL. For more details, refer to the following sources:
- [Update OAuth2 client](https://www.ory.sh/docs/hydra/guides/oauth2-clients#update-oauth2-client)
- [Patch OAuth2 client](https://www.ory.sh/docs/hydra/guides/oauth2-clients#patch-oauth2-client)
@chilly-king-10285 show me how to change the issuer for a single oauth client
A message from kapa.ai
I'm sorry for any confusion, but the issuer for an OAuth client is typically set at the project level, not at the individual client level. This means you can't directly change the issuer for a single OAuth client. However, you can change the issuer URL for your project, which will affect all OAuth clients within that project. You can do this using the Ory CLI with the following command:

```bash
ory patch oauth2-config {project-id} \
  --replace '/urls/self/issuer="https://auth.myexample.org"'
```

Replace `https://auth.myexample.org` with your custom domain. This URL should ideally be the primary custom domain you have set up for the Ory Network. For more details, refer to the following source:
- [Change the OAuth2 issuer URL](https://www.ory.sh/docs/oauth2-oidc/issuer-url)

If you want to update the configuration of a specific OAuth client, you can use the Ory SDK or the Ory CLI. However, these methods typically involve changing client-specific settings such as the client's redirect URIs, grant types, response types, and scopes, not the issuer URL. For more details, refer to the following sources:
- [Update OAuth2 client](https://www.ory.sh/docs/hydra/guides/oauth2-clients#update-oauth2-client)
- [Patch OAuth2 client](https://www.ory.sh/docs/hydra/guides/oauth2-clients#patch-oauth2-client)
@chilly-king-10285 `ory patch oauth2-config $project_id --replace '/urls/self/issuer="https://bedrock-auth.weather.com"'`
value for /services/oauth2/config/urls/self/issuer must be valid JSON but got: https://bedrock-auth.weather.com
A message from kapa.ai
It seems like you're trying to change the issuer URL for your project using the Ory CLI. However, the error message suggests that the value you're providing is not valid JSON. The `--replace` flag in the `ory patch` command expects a JSON path and a valid JSON value. In your case, the JSON value should be a string, so it needs to be enclosed in double quotes (`"`). Here's how you can modify your command:

```bash
ory patch oauth2-config $project_id --replace '/urls/self/issuer="https://bedrock-auth.weather.com"'
```

Please replace `$project_id` with your actual project ID and `https://bedrock-auth.weather.com` with your actual custom domain. For more details, refer to the following source:
- [Change the OAuth2 issuer URL](https://www.ory.sh/docs/oauth2-oidc/issuer-url)
@chilly-king-10285 how would I use the same JWK for an ory client and for the JWT's returned from toSession
A message from kapa.ai
To use the same JSON Web Key (JWK) for an Ory client and for the JSON Web Tokens (JWTs) returned from `toSession`, you would first need to create a JWK set and store it locally. Here's how you can do it using the Ory CLI:

```bash
ory create jwk some-example-set \
  --alg ES256 --project {project.id} --format json-pretty \
  > es256.jwks.json
```

Replace `{project.id}` with your actual project ID. Next, you would need to base64-encode the JWK set:

```bash
JWKS_B64_ENCODED=$(cat es256.jwks.json | base64)
```

Then, you can configure your Ory Network project's tokenizer templates to use this JWK set:

```bash
ory patch identity-config {project.id} \
  --add '/session/whoami/tokenizer/templates/jwt_example_template1={"jwks_url":"base64://'$JWKS_B64_ENCODED'","claims_mapper_url":"base64://'$JSONNET_B64_ENCODED'","ttl":"10m"}' \
  --format yaml
```

Replace `{project.id}` and `{JSONNET_B64_ENCODED}` with your actual project ID and the base64-encoded Jsonnet template, respectively. Finally, you can use the `toSession` method to convert an Ory Session to a JWT, which will use the same JWK set:

```typescript
import { Configuration, FrontendApi } from "@ory/client"

const frontend = new FrontendApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
  }),
)

// Exchanges the caller's Ory session (identified by the session cookie sent
// with the request) for a JWT signed with the key set referenced by the
// "jwt_example_template1" tokenizer template.
export async function toSessionWithJwt(sessionId: string) {
  const session = await frontend.toSession({
    tokenize_as: "jwt_example_template1",
  })
  const jwt = session.tokenized
  return jwt
}
```

Replace `{ORY_PROJECT_SLUG}` with your actual Ory project slug. For more details, refer to the following sources:
- [Convert Ory Sessions to JSON Web Tokens - End-to-end example Part 1](https://www.ory.sh/docs/identities/session-to-jwt-cors#end-to-end-example)
- [Default cryptographic keys in Ory](https://www.ory.sh/docs/hydra/jwks#default-cryptographic-keys-in-ory)
@chilly-king-10285 how would I use the same JWK for an oauth client and for the JWT's returned from toSession
A message from kapa.ai
To use the same JSON Web Key (JWK) for an OAuth client and for the JWTs returned from `toSession`, you would need to set the JWK for the OAuth client and then use the same JWK for the JWTs. Here's how you can set the JWK for an OAuth client:

1. Generate an RSA or ECDSA key pair. The private key will be used by the client to sign JWTs, and the public key will be used by the authorization server to verify the signatures.
2. Register the public key with the OAuth client. This can be done using the `jwks_uri` or `jwks` fields of the client. The `jwks_uri` is a URL that points to a JSON Web Key Set (JWKS) that contains the public key. The `jwks` field is a direct JSON object representation of the JWKS.

Here is an example of how to register an RSA public key for an OAuth2 client:

```javascript
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function createOAuth2Client() {
  await ory.createOAuth2Client({
    oAuth2Client: {
      token_endpoint_auth_method: "private_key_jwt",
      token_endpoint_auth_signing_alg: "RS256", // or ES256, EdDSA; ...
      // ...

      // define the public key directly (only the public members n and e,
      // never the private exponent):
      jwks: {
        keys: [
          {
            kty: "RSA",
            n: "jL7h5wc-yeMUsHGJHc0xe9SbTdaLKXMHvcIHQck20Ji7SvrHPdTDQTvZtTDS_wJYbeShcCrliHvbJRSZhtEe0mPJpyWg3O_HkKy6_SyHepLK-_BR7HfcXYB6pVJCG3BW-lVMY7gl5sULFA74kNZH50h8hdmyWC9JgOHn0n3YLdaxSWlhctuwNPSwqwzY4qtN7_CZub81SXWpKiwj4UpyB10b8rM8qn35FS1hfsaFCVi0gQpd4vFDgFyqqpmiwq8oMr8RZ2mf0NMKCP3RXnMhy9Yq8O7lgG2t6g1g9noWbzZDUZNc54tv4WGFJ_rJZRz0jE_GR6v5sdqsDTdjFquPlQ",
            e: "AQAB",
            use: "sig",
            kid: "some-key-id",
          },
        ],
      },

      // or alternatively tell Ory to fetch it from a URL; use either `jwks`
      // or `jwks_uri`, not both:
      // jwks_uri: "https://path-to-my-public/keys.json",
    },
  })
}
```

(Source: [Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key))

To use the same JWK for the JWTs returned from `toSession`, you would need to use the same key pair when generating the JWTs. The specifics of this process would depend on the
@chilly-king-10285 how would I configure a tokenizer to use the default jwks that are generated for oauth clients
A message from kapa.ai
To configure a tokenizer to use the default JSON Web Key Set (JWKS) that is generated for OAuth clients, you would need to point the tokenizer to the JWKS endpoint of your Ory project. This endpoint is typically in the format `https://{project.slug}.projects.oryapis.com/.well-known/jwks.json`. Here's an example of how you can configure a tokenizer to use this JWKS:

```bash
ory patch identity-config {project.id} \
  --add '/session/whoami/tokenizer/templates/jwt_example_template1={"jwks_url":"https://{project.slug}.projects.oryapis.com/.well-known/jwks.json","claims_mapper_url":"base64://{JSONNET_B64_ENCODED}","ttl":"10m"}' \
  --format yaml
```

Replace `{project.id}`, `{project.slug}`, and `{JSONNET_B64_ENCODED}` with your actual project ID, project slug, and the base64-encoded Jsonnet template, respectively. For more details, refer to the following sources:
- [Convert Ory Sessions to JSON Web Tokens - End-to-end example Part 1](https://www.ory.sh/docs/identities/session-to-jwt-cors#end-to-end-example)
- [The role of `/.well-known/jwks.json`](https://www.ory.sh/docs/hydra/jwks#the-role-of-well-knownjwksjson)
@chilly-king-10285 how to get public JWKs keys with go sdk
A message from kapa.ai
To get public JSON Web Keys (JWKs) using the Go SDK, you can use the `GetJsonWebKeySet` method provided by the `jwk` client in the Ory Hydra SDK. Here's an example:

```go
package main

import (
	"fmt"

	"github.com/ory/hydra/sdk/go/hydra/client"
	"github.com/ory/hydra/sdk/go/hydra/client/jwk"
)

func main() {
	// Initialize the Hydra SDK against the host that serves the API
	hydra := client.NewHTTPClientWithConfig(nil, &client.TransportConfig{
		Host:     "your-hydra-instance.com",
		BasePath: "/",
		Schemes:  []string{"https"},
	})

	// Get the JSON Web Key Set with the ID "public"
	response, err := hydra.Jwk.GetJsonWebKeySet(&jwk.GetJsonWebKeySetParams{
		Set: "public",
	})
	if err != nil {
		panic(err)
	}

	// Print the identifying fields of each key in the set
	for _, key := range response.Payload.Keys {
		fmt.Printf("Key ID: %s\n", key.Kid)
		fmt.Printf("Key Type: %s\n", key.Kty)
		fmt.Printf("Key Use: %s\n", key.Use)
		fmt.Println()
	}
}
```

In this example, replace `"your-hydra-instance.com"` with the URL of your Hydra instance and `"public"` with the ID of the JWK set you want to retrieve. Please note that this example assumes that you have the Ory Hydra SDK installed in your Go environment. If you don't have it installed, you can add it to your project with the following command:

```bash
go get github.com/ory/hydra/sdk/go/hydra
```

For more details, refer to the following sources:
- [Ory Hydra API - jwk - Methods - getJsonWebKeySet](https://www.ory.sh/docs/hydra/reference/api#operation/getJsonWebKeySet)
- [Ory Hydra SDK for Go](https://github.com/ory/hydra/tree/master/sdk/go/hydra)
@chilly-king-10285 how to get public JWKs keys with go sdk from ory network
A message from kapa.ai
To retrieve public JSON Web Keys (JWKs) using the Go SDK from the Ory Network, you would need to make a GET request to the `/.well-known/jwks.json` endpoint of your Ory Network project. This endpoint contains the public keys for verifying ID tokens and JWT access tokens. Here's an example of how you can do this in Go:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
)

// JWKS holds the keys of a JSON Web Key Set; each key is kept as raw JSON
// so that every member published by the server is preserved.
type JWKS struct {
	Keys []json.RawMessage `json:"keys"`
}

func main() {
	// Replace {project.slug} with your Ory project slug
	resp, err := http.Get("https://{project.slug}.projects.oryapis.com/.well-known/jwks.json")
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	// A non-200 response is not a key set; fail instead of parsing an error page
	if resp.StatusCode != http.StatusOK {
		panic(fmt.Sprintf("unexpected status %s", resp.Status))
	}

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}

	var jwks JWKS
	if err := json.Unmarshal(body, &jwks); err != nil {
		panic(err)
	}

	for i, key := range jwks.Keys {
		fmt.Printf("Key %d: %s\n", i, string(key))
	}
}
```

In this example, replace `{project.slug}` with your actual Ory project slug. Please note that this example assumes that you have the Go programming language installed in your environment. For more details, refer to the following source:
- [The role of `/.well-known/jwks.json`](https://www.ory.sh/docs/hydra/jwks#the-role-of-well-knownjwksjson)
@chilly-king-10285 how would I do the equivalent of this by calling a url or API?

```bash
ory get jwk my-set --public --project $project_id --format json-pretty
```
A message from kapa.ai
To achieve the equivalent of the Ory CLI command `ory get jwk my-set --public --project $project_id --format json-pretty` by calling a URL or API, you would need to make a GET request to the `/admin/keys/{set}` endpoint of the Ory Hydra API. Here's the equivalent API call:

```http
GET https://your-hydra-instance.com/admin/keys/my-set
```

Replace `your-hydra-instance.com` with the URL of your Hydra instance and `my-set` with the ID of the JWK set you want to retrieve. This API call will return a JSON Web Key Set. If you want to get only the public keys, you would need to filter the keys in the returned set based on the `"use": "sig"` field, which indicates a public key. Please note that this API call requires administrative privileges, so you would need to include an appropriate authorization token in your request. For more details, refer to the following sources:
- [Ory Hydra API - jwk - Methods - getJsonWebKeySet](https://www.ory.sh/docs/hydra/reference/api#operation/getJsonWebKeySet)
- [Ory CLI - ory get jwk](https://www.ory.sh/docs/cli/ory-get-jwk#ory-get-jwk)
@chilly-king-10285 is there a way to call admin/keys to just get the public key?
A message from kapa.ai
The Ory Hydra API does not provide a direct way to filter and retrieve only the public keys from a JSON Web Key Set (JWKS) using the `/admin/keys/{set}` endpoint. When you call this endpoint, it returns the entire JWKS, which may include both public and private keys. However, you can identify the public keys in a JWKS by looking at the `"use"` field of each key. A `"use"` field with the value `"sig"` typically indicates a public key. Here's an example of how you can filter the public keys in a JWKS in Go:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
)

// JWKS holds the keys of a JSON Web Key Set; each key is decoded as a map
// so that all of its members are available for printing.
type JWKS struct {
	Keys []map[string]any `json:"keys"`
}

func main() {
	req, err := http.NewRequest(http.MethodGet, "https://your-hydra-instance.com/admin/keys/my-set", nil)
	if err != nil {
		panic(err)
	}
	// The admin endpoint requires an authorization token; read it from the environment
	req.Header.Set("Authorization", "Bearer "+os.Getenv("ORY_API_KEY"))

	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()

	body, err := io.ReadAll(resp.Body)
	if err != nil {
		panic(err)
	}

	var jwks JWKS
	if err := json.Unmarshal(body, &jwks); err != nil {
		panic(err)
	}

	// Keep the keys whose "use" field is "sig". This checks only that field;
	// it does not strip private members (such as "d") from a key that carries them.
	for i, key := range jwks.Keys {
		if key["use"] == "sig" {
			fmt.Printf("Public key %d: %v\n", i, key)
		}
	}
}
```

In this example, replace `your-hydra-instance.com` with the URL of your Hydra instance and `my-set` with the ID of the JWK set you want to retrieve. For more details, refer to the following source:
- [Ory Hydra API - jwk - Methods - getJsonWebKeySet](https://www.ory.sh/docs/hydra/reference/api#operation/getJsonWebKeySet)
@chilly-king-10285 Is it possible to do the equivalent of this with the API to get only the publickey from a set in ory network

```bash
ory get jwk maverick-set --public --project $project_id --format json-pretty > rs256-public.jwks.json
```
A message from kapa.ai
The Ory Hydra API does not provide a direct way to filter and retrieve only the public keys from a JSON Web Key Set (JWKS) using the `/admin/keys/{set}` endpoint. When you call this endpoint, it returns the entire JWKS, which may include both public and private keys. However, you can identify the public keys in a JWKS by looking at the `"use"` field of each key. A `"use"` field with the value `"sig"` typically indicates a public key. Here's an example of how you can filter the public keys in a JWKS in Python:

```python
import json
import os

import requests

# The admin endpoint requires an authorization token; read it from the environment
headers = {"Authorization": f"Bearer {os.environ['ORY_API_KEY']}"}

response = requests.get(
    "https://your-hydra-instance.com/admin/keys/maverick-set",
    headers=headers,
)
response.raise_for_status()
jwks = response.json()

# Keep only the keys whose "use" field is "sig". This checks that field only;
# it does not strip private members (such as "d") from a key that carries them.
public_keys = [key for key in jwks["keys"] if key.get("use") == "sig"]

# Write the result as a JWKS document ({"keys": [...]}) so JWT libraries can load it
with open("rs256-public.jwks.json", "w") as f:
    json.dump({"keys": public_keys}, f, indent=4)
```

In this example, replace `your-hydra-instance.com` with the URL of your Hydra instance and `maverick-set` with the ID of the JWK set you want to retrieve. Please note that this API call requires administrative privileges, so you would need to include an appropriate authorization token in your request. For more details, refer to the following source:
- [Ory Hydra API - jwk - Methods - getJsonWebKeySet](https://www.ory.sh/docs/hydra/reference/api#operation/getJsonWebKeySet)
@chilly-king-10285 is there a way to add a key to the keys published at `/.well-known/jwks.json` in Ory Network
A message from kapa.ai
Yes, you can add a key to the keys published at `/.well-known/jwks.json` in Ory Network. This can be done by creating a new JSON Web Key (JWK) and adding it to a specific JWK set. Here's how you can do it using the Ory CLI:

```bash
ory create jwk my-new-key \
  --alg RS256 --project {project.id} --format json-pretty
```

Replace `{project.id}` with your actual project ID. This command will create a new JWK with the algorithm RS256 and add it to the JWK set `my-new-key`. You can also do this using the Ory Hydra API. Here's how you can create a new JWK and add it to a JWK set:

```http
PUT /admin/keys/{set}
```

Replace `{set}` with the ID of the JWK set you want to add the new key to. Please note that these operations require administrative privileges, so you would need to include an appropriate authorization token in your request. For more details, refer to the following sources:
- [Ory CLI - ory create jwk](https://www.ory.sh/docs/cli/ory-create-jwk)
- [Ory Hydra API - jwk - Methods - setJsonWebKeySet](https://www.ory.sh/docs/hydra/reference/api#operation/setJsonWebKeySet)
- [Ory Hydra API - jwk - Methods - setJsonWebKey](https://www.ory.sh/docs/hydra/reference/api#operation/setJsonWebKey)