Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi there! First of all, thanks for all the work you put into Hydra and the rest of the portfolio! :clap:
I've been using Hydra on multiple projects and it has really been a pleasure

I am trying to come up with a solution for a customer that wants something akin to the RFC-8693 Token Exchange delegation mechanism.
Hopefully Hydra will support it at some point since there is an git issue on it, but for now I need to find a workaround.
The idea is to use the oauth webhook to rewrite the token and ad the act claim after some checks. The problem is that I thought I would be able to access the original request in the webhook so that I can extract the data I need. Spesifically we are using the client_credential flow with jwks for authentication and I thought that the jwks would be available in the callback json under request.payload.assertion. Is there some configuration that I've forgotten, or was I a bit to optimistic in my assumptions?