Morning! I have come across https://github.com/ory/network/issues/206, which oddly seems to be the opposite to the issue I am having, though I cannot find a ticket for this.
We are using branding 2.0 preview with default URLs.
I amended the scope for our SSO connection and forced all users to re-consent.
• On the initial consent check we are no longer receiving the audience in the access token as expected (it is in both the OAuth2 client and the client-side SSO config).
◦ If the user clicks to remember the decision on the consent window THEN logs out and back in - the audience value (and the user's name fields) are correctly populated on future logins.
◦ If the user does not click remember they will never get the audience value on access tokens.
This seems to be an issue with the consent window blocking/removing parts of the access token.