# general
Hi there. I'm creating a SPA frontend using Ory Network to manage Identities and to log in via an Ory-provisioned OAuth2 Client. -- Upon completing the login flow our OAuth2 JS library (oidc-client-ts) takes the `code` URL param (among others) to exchange for a JWT access token (by calling `.signinCallback()`); however, there are no custom claims in this JWT.

1. What is the recommended way to include an Identity's `public_metadata` in the claims of an OAuth2 JWT (to be read by our domain's API via an Auth header)?

2. What is the recommended approach to perform Dynamic Multi-Factor authentication (`?aal=aal2&via=phone`) -- such that I can encode the timestamp of the completed `aal2` login as a claim in the OAuth2 JWT (to be read by our API, and rejected if the timestamp is too old)?

Previously I was using only Ory's Sessions via the `/login` endpoint to authenticate the user with email + password and then querying the `/whoami` endpoint via `ory.toSession` with a tokenizer configured to produce a JWT that includes fields from `public_metadata` as well as the `completed_at` timestamp of the last AAL2 entry of the session's `authentication_methods` (used to create an API-enforced temporary "sudo mode"). However, now that we're using an OAuth2 flow I need to re-solve these two problems -- ideally without creating any API endpoints. -- Thanks!
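The post describes an API-side "temporary sudo mode": the resource server reads identity metadata and the completion time of the last AAL2 step out of a JWT and rejects privileged calls once that timestamp is too old. The following is an added example of that check, written by the editor; it is not the poster's code and not Ory's. It assumes claim names `public_metadata` and `aal2_completed_at` (the tokenizer's claim layout is user-defined, so these are assumptions), signs the demo token with HS256 and a shared secret so it runs offline (a real API would verify against the issuer's published keys), and uses a constructed session object with `authentication_methods` entries in the shape the post refers to.

```python
"""Added example (editor's code, not the poster's and not Ory's): API-side
"sudo mode" gated on how recently the session's AAL2 step completed, with
identity metadata carried as JWT claims.

Assumptions, not taken from the post: claim names `public_metadata` and
`aal2_completed_at`; HS256 with a shared secret stands in for the real
signing key; SAMPLE_SESSION is constructed test data."""
import base64
import hashlib
import hmac
import json
import re
from datetime import datetime
from typing import Optional

SUDO_MAX_AGE_S = 15 * 60  # how long a completed AAL2 step keeps "sudo mode" open

# Constructed stand-in for a /whoami session (identity metadata plus
# authentication_methods with aal and completed_at). Not real Ory output.
SAMPLE_SESSION = {
    "identity": {"id": "user-123", "metadata_public": {"role": "admin", "tenant": "acme"}},
    "authentication_methods": [
        {"method": "password", "aal": "aal1", "completed_at": "2024-05-01T10:00:00Z"},
        {"method": "code", "aal": "aal2", "completed_at": "2024-05-01T10:05:00Z"},
        {"method": "code", "aal": "aal2", "completed_at": "2024-05-01T10:40:00.123456789Z"},
    ],
}


def parse_rfc3339(ts: str) -> float:
    """RFC 3339 timestamp -> epoch seconds. Go services emit a trailing Z and
    up to nine fractional digits, which fromisoformat rejects on older
    Pythons, so normalise to '+00:00' and exactly six fractional digits."""
    ts = ts.strip()
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?([+-]\d\d:\d\d)", ts)
    if not m:
        raise ValueError(f"unparseable timestamp: {ts!r}")
    base, frac, tz = m.groups()
    frac = ((frac or "") + "000000")[:6]
    return datetime.fromisoformat(f"{base}.{frac}{tz}").timestamp()


def latest_aal2_completed_at(session: dict) -> Optional[str]:
    """Most recent aal2 entry by timestamp (list order is not relied upon)."""
    aal2 = [m["completed_at"] for m in session.get("authentication_methods", []) if m.get("aal") == "aal2"]
    return max(aal2, key=parse_rfc3339) if aal2 else None


def claims_from_session(session: dict, now: float, ttl_s: int = 300) -> dict:
    """Claims a tokenizer template could emit (claim names are an assumption)."""
    identity = session["identity"]
    return {
        "sub": identity["id"],
        "iat": int(now),
        "exp": int(now) + ttl_s,
        "public_metadata": identity.get("metadata_public", {}),
        "aal2_completed_at": latest_aal2_completed_at(session),
    }


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes) -> str:
    """HS256 JWT standing in for the tokenizer's output in this offline demo."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes, now: float) -> dict:
    """Check signature and expiry; raise ValueError on anything off. The
    algorithm is pinned server-side so an attacker-chosen header alg
    (e.g. "none") cannot steer verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def sudo_allowed(claims: dict, now: float, max_age_s: int = SUDO_MAX_AGE_S) -> bool:
    """The "temporary sudo mode" rule: AAL2 completed within max_age_s.
    Missing, unparseable or future-dated (beyond 60 s skew) values fail closed."""
    ts = claims.get("aal2_completed_at")
    if not ts:
        return False
    try:
        completed = parse_rfc3339(ts)
    except ValueError:
        return False
    if completed > now + 60:
        return False
    return now - completed <= max_age_s


if __name__ == "__main__":
    secret = b"demo-shared-secret"  # constructed; real tokens are checked against the issuer's keys
    now = parse_rfc3339("2024-05-01T10:50:00Z")  # ten minutes after the last aal2 step
    claims = verify_token(mint_token(claims_from_session(SAMPLE_SESSION, now), secret), secret, now)
    print(claims["public_metadata"], sudo_allowed(claims, now))  # {'role': 'admin', 'tenant': 'acme'} True
    print(sudo_allowed(claims, now + 20 * 60))                   # False: 30 min since aal2
```

Two design points carry over to whatever claim layout the tokenizer ends up producing: the verifier pins the expected algorithm instead of trusting the token header, and the sudo check fails closed on a missing, malformed or future-dated `aal2_completed_at` rather than defaulting to "allowed".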