bland-finland-95044
07/24/2024, 7:24 PM

chilly-king-10285
07/24/2024, 7:24 PM

chilly-king-10285
07/24/2024, 7:25 PM
```bash
ory patch oauth2-config $PROJECT_ID \
  --replace "/strategies/access_token=\"jwt\""
```
For a specific client, you can update the client configuration as follows:
```typescript
import { Configuration, JsonPatch, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

// Applies the caller's patches plus one that switches this client's access
// tokens from opaque strings to JWTs. JSON Patch paths are JSON pointers and
// must begin with "/".
export async function patchOAuth2Client(id: string, patches: JsonPatch[]) {
  await ory.patchOAuth2Client({
    id,
    jsonPatch: [
      ...patches,
      {
        op: "replace",
        path: "/access_token_strategy",
        value: "jwt",
      },
    ],
  })
}
```
These settings are also available through the Ory Console under the clients' settings ([source](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#per-client-configuration)).

bland-finland-95044
07/24/2024, 7:25 PM

chilly-king-10285
07/24/2024, 7:25 PM

chilly-king-10285
07/24/2024, 7:26 PM
```bash
ory create jwk some-example-set \
  --alg ES256 --project $PROJECT_ID --format json-pretty \
  > es256.jwks.json
```
2. Create a JsonNet template to modify the claims of the JWT:
```jsonnet
local claims = std.extVar('claims');
local session = std.extVar('session');

{
  claims: {
    iss: claims.iss + "/additional-component",
    schema_id: session.identity.schema_id,
    session: session,
  }
}
```
3. Base64-encode these files:
```bash
# Strip the line breaks some base64 implementations insert, so the
# encoded string can be embedded in a base64:// URL unchanged.
JWKS_B64_ENCODED=$(base64 < es256.jwks.json | tr -d '\n')
JSONNET_B64_ENCODED=$(base64 < claims.jsonnet | tr -d '\n')
```
4. Configure your Ory Network project's tokenizer templates:
```bash
ory patch identity-config $PROJECT_ID \
  --add '/session/whoami/tokenizer/templates/jwt_example_template1={"jwks_url":"base64://'$JWKS_B64_ENCODED'","claims_mapper_url":"base64://'$JSONNET_B64_ENCODED'","ttl":"10m"}' \
  --format yaml
```
5. Convert an Ory Session to a JWT:
```typescript
import { Configuration, FrontendApi } from "@ory/client"

const frontend = new FrontendApi(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
  }),
)

// Exchanges an Ory session token (as used by non-browser clients) for a JWT
// minted with the "jwt_example_template1" tokenizer template. The SDK
// returns an HTTP response object, so the session is read from `data`.
export async function toSessionWithJwt(sessionToken: string) {
  const { data: session } = await frontend.toSession({
    xSessionToken: sessionToken,
    tokenizeAs: "jwt_example_template1",
  })
  return session.tokenized
}
```
Please note that the session token can be obtained by calling the `toSession` endpoint from a non-browser application (e.g., a mobile app). The token is included in the `tokenized` field of the session ([source](https://www.ory.sh/docs/kratos/reference/api)). For more information, you can refer to the [Ory documentation on converting sessions to JWTs](https://www.ory.sh/docs/identities/session-to-jwt-cors).

bland-finland-95044
07/24/2024, 7:27 PM

chilly-king-10285
07/24/2024, 7:27 PM

chilly-king-10285
07/24/2024, 7:28 PM
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function createOAuth2Client() {
  // Built as a separate object so the extra fields pass the type check;
  // they are not part of the OAuth2Client type and Ory ignores them.
  const client = {
    client_id: "your-client-id",
    client_secret: "your-client-secret",
    // Add your custom fields here
    custom_field_1: "custom value 1",
    custom_field_2: "custom value 2",
  }

  const { data } = await ory.createOAuth2Client({ oAuth2Client: client })
  return data
}
```
Please note that these custom fields will not be recognized by Ory and will not be included in the client's metadata. You will need to handle these fields in your own application logic. For more information, you can refer to the [Ory documentation on managing OAuth clients](https://www.ory.sh/docs/hydra/sdk/go#createoauth2client-and-listoauth2clients).

bland-finland-95044
07/24/2024, 7:36 PM

chilly-king-10285
07/24/2024, 7:36 PM

chilly-king-10285
07/24/2024, 7:37 PM
`iss` (issuer), `sub` (subject), `aud` (audience), `jti` (JWT ID), `exp` (expiration time), and `iat` (issued at time) ([source](https://www.ory.sh/docs/oauth2-oidc/client-credentials#jwt-bearer-profile-for-oauth2-client-authentication)). However, Ory does provide a way to customize the claims of a JWT by using a JsonNet template ([source](https://www.ory.sh/docs/identities/session-to-jwt-cors)). This could potentially be used to include additional information in the JWT, but it would require custom application logic to fetch the OAuth client's metadata and include it in the JWT. Please note that including sensitive information in a JWT is not recommended, as the contents of a JWT can be easily read by anyone who has access to the token. Always ensure that you are not including sensitive or confidential information in your JWTs.

bland-finland-95044
07/24/2024, 7:40 PM

chilly-king-10285
07/24/2024, 7:40 PM

chilly-king-10285
07/24/2024, 7:41 PM
```typescript
import { Configuration, OAuth2Api } from "@ory/client"

const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge: string) {
  // Look up the pending consent request so the granted scopes are taken
  // from what the client actually asked for.
  const { data: consentRequest } = await ory.getOAuth2ConsentRequest({
    consentChallenge,
  })

  const { data } = await ory.acceptOAuth2ConsentRequest({
    consentChallenge,
    acceptOAuth2ConsentRequest: {
      grant_scope: consentRequest.requested_scope,
      // Custom claims: access_token claims are nested under "ext" by default,
      // id_token claims go straight into the ID token.
      session: {
        access_token: {
          some_custom_claim: "some_custom_value",
        },
        id_token: {
          id_custom_claim: "some_value",
        },
      },
    },
  })
  return data
}
```
This results in the following access token:
```json
{
  "sub": "...",
  // ...
  "ext": {
    "some_custom_claim": "some_custom_value"
  }
  // ...
}
```
If you want `some_custom_claim` to be added to the top level (instead of a nested level) in the access token, you need to modify the `/oauth2/allowed_top_level_claims` configuration:
```bash
ory patch oauth2-config $PROJECT_ID \
  --replace "/oauth2/allowed_top_level_claims=[\"some_custom_claim\"]"
```
This results in an access token with the following structure:
```json
{
  "sub": "...",
  // ...
  "some_custom_claim": "some_custom_value",
  "ext": {
    "some_custom_claim": "some_custom_value"
  }
  // ...
}
```
Please note that required JWT claims can't be overwritten by custom claims ([source](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#custom-consent-ui-and-custom-claims-for-jwt-access-token)).