Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Or rather, to be more exact: is there a way of adding a custom claim to all user identities using the data mapper?

You can add metadata or traits to user identities with the OIDC data mapping: <https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata>

I am not sure how it would work with claims, but afaict it would be the same thing.
You would just have an extra step where you write the metadata into the token as claim using this most likely: <https://www.ory.sh/docs/hydra/guides/claims-at-refresh>

Thank you, would be nice if that was documented better.
To recap:
1. create a lambda/api endpoint that responds to oauth2 session requests.
    a. return the additional claim types:
```    session: {
      id_token: {
        groups: ["admin"],
      },
    },```
2. add the lambda to the oauth2 project:
```ory patch oauth2-config --project &lt;project_id&gt; \
  --add '/oauth2/token_hook/url="<https://example.com/oauth2/token>"'```
I would like to have this per-oauth2 client vs per project, as in the one project we have several oauth2 clients