# ory-copilot
@chilly-king-10285 How do I change the schema of an identity?
A message from kapa.ai
To change the schema of an identity in Ory, you have two main approaches: updating the active schema for your project or updating individual identities to use a different schema.

## Changing the active schema for your project

You can change the default schema used for new identities:

1. Using Ory Console:
   - Go to User management → Identity schema
   - From the Active schema dropdown, select the schema you want to use
   - Click the Change active schema button
2. Using Ory CLI:

```bash
# Encode your schema to Base64
schema=$(cat {path-to-json-with-identity-schema} | base64)

# Update your project's configuration
ory patch identity-config {your-project-id} \
  --replace '/identity/default_schema_id="{unique-schema-id}"' \
  --replace '/identity/schemas=[{"id":"{unique-schema-id}","url":"base64://'$schema'"}]'
```
## Updating existing identities to use a new schema

For existing identities, you need to update them individually:

1. Using the patchIdentity API (recommended):

```bash
curl --location --request PATCH "https://$ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID" \
  --header "Authorization: Bearer $ORY_API_KEY" \
  --header "Content-Type: application/json" \
  --data-raw '[
    {
      "op": "replace",
      "path": "/schema_id",
      "value": "{new-schema-id}"
    },
    {
      "op": "remove",
      "path": "/traits/foo"
    },
    {
      "op": "add",
      "path": "/traits/bar",
      "value": "barfoo"
    }
  ]'
```

2. Using the Ory SDK: You can use the Ory SDK to programmatically update identities. The knowledge sources include a Go example for this purpose.

Remember that identity schemas are immutable to prevent inconsistencies. If you need to modify a schema, you must create a new one based on the existing schema and then update identities to use it.

[Manage identity schemas](https://www.ory.sh/docs/identities/model/manage-identity-schema) | [Update identities to use a new schema](https://www.ory.sh/docs/identities/model/manage-identity-schema#update-identities-to-use-a-new-schema)
@chilly-king-10285 How can I add email to the JWT?
A message from kapa.ai
I'll explain how to add email to a JWT in Ory. There are several ways to include email information in a JWT when using Ory, depending on your specific use case:

## 1. Using Social Sign-in Data Mapping

When using social sign-in providers, you can map the email from the provider to your JWT using Jsonnet data mappers:

```jsonnet
local claims = std.extVar('claims');

{
  identity: {
    traits: {
      // Only include email if it exists and is verified
      [if 'email' in claims && claims.email_verified then 'email' else null]: claims.email,
    },
  },
}
```
This approach is used for providers like Microsoft and Ory itself as shown in the documentation for [Microsoft data mapping](https://www.ory.sh/docs/kratos/social-signin/microsoft#data-mapping) and [Ory data mapping](https://www.ory.sh/docs/kratos/social-signin/ory#data-mapping).

## 2. Using Session to JWT Conversion

You can convert an Ory Session to a JWT and include email information using a custom claims mapper:

1. Create a JSON Web Key Set (JWKS) for signing:

```bash
ory create jwk some-example-set --alg ES256 --project $PROJECT_ID --format json-pretty > es256.jwks.json
```
2. Create a Jsonnet template to include email in the JWT claims:

```jsonnet
local claims = std.extVar('claims');
local session = std.extVar('session');

{
  claims: {
    iss: claims.iss,
    // Include email from the session identity traits
    email: session.identity.traits.email,
    // Add other claims as needed
  }
}
```
3. Configure the JWT template in your Ory project:

```bash
JWKS_B64_ENCODED=$(cat es256.jwks.json | base64 -w 0)
JSONNET_B64_ENCODED=$(cat claims.jsonnet | base64 -w 0)

ory patch identity-config --project <project-id> --workspace <workspace-id> \
  --add '/session/whoami/tokenizer/templates/jwt_example_template1={"jwks_url":"base64://'$JWKS_B64_ENCODED'","claims_mapper_url":"base64://'$JSONNET_B64_ENCODED'","ttl":"10m"}' \
  --format yaml
```
4. Convert a session to JWT with your template:

```bash
curl -X GET \
  -H "Cookie: ory_session...=..." \
  "https://$PROJECT_SLUG.projects.oryapis.com/sessions/whoami?tokenize_as=jwt_example_template1"
```
This approach is detailed in the [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors) documentation.

## 3. Using Ory Proxy

Ory Proxy automatically translates Ory Sessions to JWTs and includes the full session information, including the identity traits (which contain the email):

```json
{
  "session": {
    "identity": {
      "traits": {
        "email": "user@example.com"
      }
    }
  }
}
```
This is documented in [Use Ory Proxy with JSON Web Tokens](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#use-ory-proxy-with-json-web-tokens).

The most appropriate method depends on your specific integration needs and which Ory components you're using.
@chilly-king-10285 Does oauth2/token use our custom mapper?
A message from kapa.ai
Based on the knowledge sources provided, I can explain how OAuth2 token customization works in Ory.

Yes, Ory OAuth2 (Hydra) can use custom mappers for token claims, but this is implemented through OAuth2 webhooks rather than the same Jsonnet mappers used in Ory Identities (Kratos).

## OAuth2 Token Customization with Webhooks

Ory allows you to customize the claims in OAuth2 tokens (both access tokens and ID tokens) by registering a webhook endpoint in your OAuth2 configuration. This webhook is called before the token is issued to the client. Here's how it works:

1. You configure a webhook URL in your OAuth2 configuration:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --add '/oauth2/token_hook/url="https://my-example.app/token-hook"' \
  --add '/oauth2/token_hook/auth/type="api_key"' \
  --add '/oauth2/token_hook/auth/config/in="header"' \
  --add '/oauth2/token_hook/auth/config/name="X-API-Key"' \
  --add '/oauth2/token_hook/auth/config/value="MY API KEY"' \
  --format yaml
```
2. When a token is requested from the `/oauth2/token` endpoint, Ory will call your webhook with information about the OAuth client and session.
3. Your webhook can then return custom claims to be included in the tokens.
4. The tokens issued by Ory will contain your custom claims:
   - For ID tokens, custom claims are added directly to the token
   - For access tokens, custom claims are added under the `ext` field

[Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh)

This is different from the Jsonnet data mappers used in Ory Identities for social sign-in, which map provider data to identity traits.

## Known Issues with Claims

There have been some issues with claims in remembered consents. For example, one issue reported that email claims were missing from ID tokens and `/userinfo` responses when a consent was remembered: [Email is missing from the ID token and /userinfo response when a consent is remembered](https://github.com/ory/network/issues/206)

Another issue noted that the default Consent UI had limited ability to populate ID tokens from identity traits: [Default Consent UI should be able to populate ID token from traits](https://github.com/ory/network/issues/261)

The Ory team has implemented some minimal mapping that works out of the box for core OIDC scopes, but for more complex use cases, you might need to use a custom consent endpoint or the webhook approach described above.

If you need more specific information about your particular use case, please provide more details about what you're trying to accomplish. I hope this helps clarify how OAuth2 token customization works in Ory!
@chilly-king-10285 I want to add it to the token itself
A message from kapa.ai
Based on your previous questions, I understand you want to add email information directly to the OAuth2 tokens (JWT) issued by Ory. Here's how you can do that:

## Adding Email to OAuth2 Tokens

You can add email claims to your OAuth2 tokens (both ID tokens and access tokens) by using Ory's OAuth2 token webhook feature:

1. Set up a webhook endpoint that will receive token requests and return customized claims:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --add '/oauth2/token_hook/url="https://your-webhook-endpoint.com/token-hook"' \
  --format yaml
```
2. Implement your webhook endpoint to return the email claim. Your endpoint should respond with a JSON payload like this:

```json
{
  "session": {
    "access_token": {
      "email": "user@example.com"
    },
    "id_token": {
      "email": "user@example.com",
      "email_verified": true
    }
  }
}
```
3. When Ory calls your webhook, it will include information about the OAuth client and session. You can use this to determine which email to include in the token.
4. The resulting tokens will contain your custom email claims:
   - ID token will have the email claim directly in the token body
   - Access token will have the email claim under the `ext` field

[Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh)

## Responding to the Webhook

Your webhook endpoint should return a 200 status code with a JSON body containing the claims you want to add:

```json
{
  "session": {
    "access_token": {
      "email": "user@example.com"
    },
    "id_token": {
      "email": "user@example.com",
      "email_verified": true
    }
  }
}
```

If you want to keep the existing claims and just add new ones, you can return only the claims you want to add. To deny the token exchange, return a 403 status code.

[Responding to the webhook](https://www.ory.sh/docs/hydra/guides/claims-at-refresh#responding-to-the-webhook)

This approach allows you to customize the tokens at issuance time, ensuring that email information is included directly in the tokens themselves.
@chilly-king-10285 how do I patch the oauth config?
A message from kapa.ai
I'll explain how to patch the OAuth2 configuration in Ory. You can patch the OAuth2 configuration in Ory using the Ory CLI. Here are the steps and examples:

## Using the Ory CLI

The basic syntax for patching OAuth2 configuration is:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> [options] --format yaml
```
### Examples of common OAuth2 configuration patches:

1. Adding a token webhook:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --add '/oauth2/token_hook/url="https://my-example.app/token-hook"' \
  --add '/oauth2/token_hook/auth/type="api_key"' \
  --add '/oauth2/token_hook/auth/config/in="header"' \
  --add '/oauth2/token_hook/auth/config/name="X-API-Key"' \
  --add '/oauth2/token_hook/auth/config/value="MY API KEY"' \
  --format yaml
```

2. Adding a simple webhook without authentication:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --add '/oauth2/token_hook="https://my-example.app/token-hook"' \
  --format yaml
```

3. Setting refresh token TTL:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --replace '/ttl/refresh_token="999h0m0s"' \
  --format yaml
```
[Configure Ory OAuth2 and OpenID](https://www.ory.sh/docs/guides/cli/oauth2-cli)

## Getting Current Configuration

Before making changes, you might want to get the current configuration:

```bash
ory get oauth2-config --project <project-id> --workspace <workspace-id> --format yaml > oauth2-config.yaml
```

You can then edit this file and update the configuration:

```bash
ory update oauth2-config --project <project-id> --workspace <workspace-id> --file oauth2-config.yaml
```
## Common Operations

- `--add`: Adds a new value
- `--replace`: Replaces an existing value
- `--remove`: Removes a value

Each operation requires a path to the configuration key you want to modify.

If you encounter issues with complex configurations, you might need to specify the entire object. For example, with token hooks:

```bash
ory patch oauth2-config <project-id> \
  --add '/oauth2/token_hook={"url":"https://example.com/", "auth": {"type":"api_key", "config":{"api_key_name":"","api_key_value":"", "in":"header"}}}' \
  --format yaml
```

[Cannot set `oauth2/token_hook/url` without `auth` config](https://github.com/ory/network/issues/357)

This should help you patch your OAuth2 configuration according to your needs.
@chilly-king-10285 I want to do it through oauth-config
A message from kapa.ai
I understand you want to add email claims to your OAuth2 tokens directly through the OAuth2 configuration rather than using a webhook. Based on the knowledge sources, here's how you can do this:

## Adding Email to OAuth2 Tokens via OAuth2 Configuration

You can configure the OAuth2 server to include email claims in tokens by patching the OAuth2 configuration using the Ory CLI. Here's how:

1. Configure a token hook in your OAuth2 configuration:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --add '/oauth2/token_hook/url="https://my-example.app/token-hook"' \
  --format yaml
```
This token hook is essential because it's the mechanism Ory provides to customize token claims. Your webhook endpoint will receive information about the OAuth session and can return customized claims including email.

2. Implement your webhook endpoint to return the email claim from the user's identity: Your webhook will receive a payload containing session information, and should return a response that includes the email claim you want to add to the tokens.

3. Alternative approach: If you're using Ory as both your identity provider and OAuth2 provider, you can configure the consent screen to include email claims:

```bash
ory patch oauth2-config --project <project-id> --workspace <workspace-id> \
  --add '/strategies/access_token/claims=["email"]' \
  --add '/strategies/id_token/claims=["email", "email_verified"]' \
  --format yaml
```
However, note that the knowledge sources don't explicitly confirm this approach works for all setups.

[Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh)

## Important Considerations

1. The token hook is the official way to customize token claims in Ory OAuth2.
2. If you're using social sign-in providers, make sure your identity schema and data mapping are configured to capture email information from those providers.
3. For the email claim to be included, the OAuth2 client must request the appropriate scopes (typically the `email` scope).
4. You may need to ensure that the email is properly mapped from the user's identity to the session that's used when generating tokens.

If you need more specific guidance, please provide details about your exact setup (whether you're using Ory Identities with Ory OAuth2, which identity providers you're using, etc.). Would you like me to provide more details on any specific part of this process?