# ory-copilot
f
@chilly-king-10285 how can I modify or extend the response of the userinfo endpoint?
c
A message from kapa.ai
You can modify or extend the response of the userinfo endpoint by adding custom claims to the userinfo response. Any information included in `session.id_token` when accepting the consent request will also be included in the response. Here is an example of how you can do this using the Ory SDK in JavaScript:
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge: string) {
  // Look up the pending consent request for this challenge.
  const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })

  return await ory
    .acceptOAuth2ConsentRequest({
      consentChallenge: consentChallenge,
      acceptOAuth2ConsentRequest: {
        session: {
          // Claims under access_token are attached to the access token.
          access_token: {
            some_custom_claim: "some_custom_value",
          },
          // Claims under id_token land in the ID token and the /userinfo response.
          id_token: {
            id_custom_claim: "some_value",
          },
        },
      },
    })
    .then(({ data }) => data)
}
```
In this example, `some_custom_claim` and `id_custom_claim` are custom claims added to the userinfo response. The values of these claims are `some_custom_value` and `some_value` respectively. Please be aware that the `/userinfo` endpoint is publicly available. Its contents are thus as visible as those of ID Tokens. It is therefore imperative to not expose sensitive information without user consent. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response).
f
@chilly-king-10285 can I modify the response with jsonnet?
c
A message from kapa.ai
New message text here
f
@chilly-king-10285 I have discourse as an oauth2 client, which wants a user json url and then a fullname. Currently with the scope profile I only get given_name and family_name. How can I extend the response to also get a field with the fullname?
c
A message from kapa.ai
To extend the response to include a `fullname` field, you can use Jsonnet for data mapping. You can combine the `given_name` and `family_name` fields to create a `fullname` field. Here's an example of how you can do this:
```jsonnet
// Default email_verified to false, then overlay the claims the provider returned.
local claims = {
  email_verified: false,
} + std.extVar('claims');

{
  identity: {
    traits: {
      // Only map the email when the provider has verified it.
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
      first_name: claims.given_name,
      last_name: claims.family_name,
      // given_name and family_name are only present when the provider returns them
      // (for Google, that requires the profile scope).
      fullname: claims.given_name + " " + claims.family_name,
      [if 'hd' in claims && claims.email_verified then 'hd' else null]: claims.hd,
    },
  },
}
```
In this example, the `fullname` field is created by concatenating `given_name` and `family_name` with a space in between. Please note that you should not save secrets such as API keys, credentials, or personal data directly in Jsonnet code snippets. Jsonnet code snippets used for data mapping aren't stored in an encrypted format in Ory Network. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/kratos/social-signin/google#additional-configuration).
f
@chilly-king-10285 how to add new scopes?
c
A message from kapa.ai
Adding new scopes in Ory involves defining them in the configuration of the social sign-in provider. This is usually done in the Ory Console or in the configuration file. Here's a general step-by-step guide on how to do it in the Ory Console:

1. Go to Authentication → Social Sign-In in the [Ory Console](https://console.ory.sh/projects/current/social-signin).
2. Click the switch next to the logo of the provider you want to configure.
3. In the Scopes field of the form, add the scopes you want to request from the provider.

For example, if you're configuring Google as a provider, you might add the `email` and `profile` scopes for a basic setup:
```yaml
- email
- profile
```
Please note that the available scopes depend on the provider. You should refer to the provider's documentation to learn more about the scopes they support. For instance, you can find the scopes available for Google in their [related documentation](https://developers.google.com/identity/protocols/oauth2/scopes). If you're configuring the provider in a configuration file, you would add the scopes in the `scope` section of the provider's configuration. Here's an example:
```yaml
selfservice:
  methods:
    oidc:
      config:
        providers:
          - id: generic
            provider: generic
            client_id: ....
            client_secret: ....
            issuer_url: https://accounts.google.com
            mapper_url: "base64://{YOUR_BASE64_ENCODED_JSONNET_HERE}"
            scope:
              - email
```
In this example, the `email` scope is being requested from the provider. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/self-hosted/kratos/configuration/oidc#example-configuration).
f
@chilly-king-10285 I want to create a custom scope for my own oauth2 client. I'm not interested in information about social login providers.
c
A message from kapa.ai
Creating a custom scope for your own OAuth2 client in Ory involves defining the scope when creating the OAuth2 client. This can be done using the Ory CLI. Here are examples of creating OAuth2 clients with different options: For client credentials:
```bash
ory create oauth2-client \
  --grant-type client_credentials \
  --scope my-scope \
  --token-endpoint-auth-method client_secret_basic
```
For token endpoint auth method:
```bash
ory create oauth2-client \
  --grant-type authorization_code \
  --response-type code \
  --scope openid \
  --token-endpoint-auth-method client_secret_post \
  --redirect-uri https://my-app.com/callback
```
For multiple redirect URIs:
```bash
ory create oauth2-client \
  --grant-type authorization_code --grant-type refresh_token \
  --response-type code \
  --scope openid --scope offline_access \
  --token-endpoint-auth-method client_secret_post \
  --redirect-uri https://my-app.com/callback --redirect-uri http://my-other-app.com/callback
```
In these examples, the `--scope` flag is used to define the scope for the OAuth2 client. You can replace `my-scope`, `openid`, and `offline_access` with your custom scope. Please note that the available scopes and their meanings are dependent on your implementation of the resource server and authorization server. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/hydra/guides/oauth2-clients#example-oauth2-clients).
f
@chilly-king-10285 can I return more information in the userinfo endpoint based on my custom scope?
c
A message from kapa.ai
Yes, you can return more information in the userinfo endpoint based on your custom scope. The information returned by the userinfo endpoint is determined by the scopes in the access token. However, Ory does not directly support adding custom scopes that would automatically add more information to the userinfo endpoint. The scopes and the corresponding claims they add to the userinfo response are defined by the OpenID Connect (OIDC) specification and are not directly customizable. If you want to add more information to the userinfo response, you would typically add custom claims to the ID token when accepting the consent request. Any information included in `session.id_token` when accepting the consent request will also be included in the userinfo response. Here is an example of how you can do this using the Ory SDK in JavaScript:
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge: string) {
  // Look up the pending consent request for this challenge.
  const { data } = await ory.getOAuth2ConsentRequest({ consentChallenge })

  return await ory
    .acceptOAuth2ConsentRequest({
      consentChallenge: consentChallenge,
      acceptOAuth2ConsentRequest: {
        session: {
          // Claims under access_token are attached to the access token.
          access_token: {
            some_custom_claim: "some_custom_value",
          },
          // Claims under id_token land in the ID token and the /userinfo response.
          id_token: {
            id_custom_claim: "some_value",
          },
        },
      },
    })
    .then(({ data }) => data)
}
```
In this example, `some_custom_claim` and `id_custom_claim` are custom claims added to the userinfo response. The values of these claims are `some_custom_value` and `some_value` respectively. Please be aware that the `/userinfo` endpoint is publicly available. Its contents are thus as visible as those of ID Tokens. It is therefore imperative to not expose sensitive information without user consent. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/oauth2-oidc/userinfo-oidc#adding-custom-claims-to-the-userinfo-response).
f
@chilly-king-10285 you have any example payload of a before registration webhook action?
c
A message from kapa.ai
Yes, there is an example payload for a before registration webhook action. Here's an example of the `ctx` object for a registration flow:
```json
{
  "ctx": {
    "flow": {
      "expires_at": "2023-01-31T12:19:35.782238Z",
      "id": "cec1c06e-48eb-4f9d-abf1-2e287371f4eb",
      "issued_at": "2023-01-31T11:19:35.782238Z",
      "oauth2_login_challenge": null,
      "request_url": "https://playground.projects.oryapis.com/self-service/registration/browser?return_to=",
      "transient_payload": {
        "custom_data": "test"
      },
      "type": "browser",
      "ui": {
        "action": "http://localhost:4455/self-service/registration?flow=cec1c06e-48eb-4f9d-abf1-2e287371f4eb",
        "method": "POST",
        "nodes": [
          {
            "attributes": {
              "disabled": false,
              "name": "csrf_token",
              "node_type": "input",
              "required": true,
              "type": "hidden",
              "value": "P91A1RzvL4xHAls2Gl76cbaXVMhBdpAj3c4vaRMckYY7JmGswmBHuul/+mZguOsQUOBmeJMOJWoa5xY2bd81CQ=="
            },
            "group": "default",
            "messages": [],
            "meta": {},
            "type": "input"
          },
          {
            "attributes": {
              "autocomplete": "email",
              "disabled": false,
              "name": "traits.email",
              "node_type": "input",
              "required": true,
              "type": "email"
            },
            "group": "password",
            "messages": [],
            "meta": {
              "label": {
                "id": 1070002,
                "text": "Your E-Mail",
                "type": "info"
              }
            },
            "type": "input"
          },
          {
            "attributes": {
              "autocomplete": "new-password",
              "disabled": false,
              "name": "password",
              "node_type": "input"
            }
          }
        ]
      }
    }
  }
}
```
This payload includes information about the registration flow, such as the flow ID, expiration time, and the UI elements that are part of the registration form. For more information, you can refer to the [Ory documentation](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#customizing-request-body-with-jsonnet).