# ory-selfhosting
c
Hello. Is there a reason that the subject id is not overwritable with the Ory Hydra `token_hook`? We have a use case where we want to create a user in Kratos when a token exchange happens, so it would be nice to use this `token_hook` to also overwrite the subject with what comes from Kratos. At the bottom of this document: https://www.ory.sh/docs/hydra/guides/claims-at-refresh it suggests that you cannot update the subject identifier, and I'm wondering if there's a technical (security, performance, etc.) reason for this, or if it's just a limitation of the current implementation.
m
Hey 👋 tbh I am not sure about this, but I think overwriting the subject would allow impersonating others and break the trust relationship that you establish through OAuth2 in the first place. Maybe this is a better solution for your use case: https://www.ory.sh/docs/hydra/guides/jwt - afaict going the other way around and exchanging the Kratos session JWT for an access token.
c
Hey! Well, in our case we don't have a Kratos session or user at all (yet). Trying to create a user in Kratos from the JWT assertion flow via the standard OAuth2 token endpoint. Basically a poor man's OAuth2 token exchange. So the client calls the Hydra token endpoint (via the JWT Authorization grant as described in the link you pasted) with an access_token from a 3rd party identity provider in the `assertion`. Then the hope is to create a user in Kratos if one does not already exist that corresponds to the 3rd party user. My understanding of how Hydra implements the JWT Authorization grant is that by default the token returned contains the subject (sid) claim of the 3rd party identity provider, which is what we're trying to change. In our case it might be okay to allow overwriting the subject since it's all in a trusted context (two co-located API services that already have a trust relationship).