Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi again! I found the answer to my previous question and it was that I had mixed up the jwt-bearer grant with the client_credentials using jwts as authentication.... Whoops :man-facepalming:
So now I'm seeing the jwt-bearer grant assertion as expected on the token callback webhook :tada:
The question I have now is to what degree I can rewrite the accesss token? The documentation has led me to believe that I can rewrite most of the content since it states that you can change the session data with the exception that: "You cannot override the token subject." Or is the token rewrite a more narrow mechanism only intented to add custom scopes?
To add some context I'm trying to add a "resource" scope in the jwt-assertion which is then set as the audience in the returned token in a similar fashion to the rfc-8693 token exchange standard