<@U04UQ68083H> what fields can we modify in hydra ...
# ory-copilot
@chilly-king-10285 what fields can we modify in hydra token hook
A message from kapa.ai
When using Ory Hydra's token hook feature, you can modify specific fields in the tokens that Hydra issues. According to the documentation, you can customize both the ID token and access token claims through your webhook response. In your webhook response, you can modify the following fields:

1. ID Token Claims: You can add custom claims to the ID token by including them in the `session.id_token` object in your response.
2. Access Token Claims: You can add custom claims to the access token by including them in the `session.access_token` object in your response.

Here's an example of a valid webhook response format:

```json
{
  "session": {
    "access_token": {
      "your:custom:access-token-claim": "any value you like",
      "your:second:access-token-claim": 124390123
    },
    "id_token": {
      "your:custom:id-token-claim": "another value",
      "your:second:id-token-claim": 2394123
    }
  }
}
```

It's important to note that:

- You cannot override the token subject (`sub` claim)
- To keep the claims as they are, you can return an empty body with a 204 status code
- To deny the token exchange, you can reply with a 403 HTTP status code
- Any other HTTP status code will abort the token exchange with an error message

[Ory Hydra Docs: Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh#responding-to-the-webhook) provides more details on how to respond to the webhook and the format of the updated tokens.
@chilly-king-10285 how do I then map username with x-user header in oathkeeper? This is my introspection response:

```json
{
  "active": true,
  "client_id": "cfd26b31-2fe5-4493-9c51-2655cd2fa691",
  "exp": 1744817719,
  "ext": {
    "identity": {
      "traits": {
        "email": "harshit.khatri@capventis.com",
        "username": "kernel-harshit.khatri"
      }
    }
  },
  "iat": 1744803319,
  "iss": "https://my-app:8443/",
  "nbf": 1744803319,
  "sub": "cfd26b31-2fe5-4493-9c51-2655cd2fa691",
  "token_type": "Bearer",
  "token_use": "access_token"
}
```

oathkeeper:

```yaml
mutators:
  noop:
    enabled: true
  header:
    enabled: true
    config:
      headers:
        X-User: "{{ print .Subject }}"
        X-User-Email: "{{ print .Extra.identity.traits.email }}"
```
A message from kapa.ai
I can help you map the username from your OAuth2 introspection response to the X-User header in Oathkeeper. Based on your introspection response, I can see that the username is available in the `ext.identity.traits.username` path. To map this to the X-User header, you need to modify your header mutator configuration to access this field.

Here's how you can update your Oathkeeper configuration to map the username to the X-User header:

```yaml
mutators:
  noop:
    enabled: true
  header:
    enabled: true
    config:
      headers:
        X-User: "{{ print .Extra.identity.traits.username }}"
        X-User-Email: "{{ print .Extra.identity.traits.email }}"
```

The key change is replacing `{{ print .Subject }}` with `{{ print .Extra.identity.traits.username }}` for the X-User header. This will extract the username value ("kernel-harshit.khatri" in your example) from the introspection response and set it as the X-User header value.

The header mutator in Oathkeeper allows you to use Go templates to access different parts of the authentication session, including the data returned from the introspection endpoint. The `.Extra` field contains all the custom data from the `ext` field in your introspection response [Oathkeeper Pipeline Mutators](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#header).

If you need to access other fields from the introspection response, you can follow the same pattern to create additional headers in your configuration.