famous-jackal-2829
07/07/2025, 11:52 AM

brief-egg-61061
07/07/2025, 11:52 AM

```yaml
session:
  whoami:
    tokenizer:
      templates:
        my_jwt_template:
          jwks_url: base64://... # Your JWKS
          claims_mapper_url: base64://... # Your JsonNet template
          ttl: 10m
```

The JsonNet template allows you to modify or add claims, but the `sub` claim is always set to the session's IdentityID and cannot be changed. You can use variables like `claims` (default claims) and `session` (session data) in your template. For more details and examples, see the documentation on [Session to JWT](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates) and [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors).

### 2. Customizing OpenID Connect Claims and Scopes

For Ory OAuth2 and OpenID Connect, you can customize which claims are included in ID tokens and access tokens by using OAuth2 webhooks. This allows you to add or modify claims before the token is issued. You can also customize how scopes are represented in the JWT (as an array, string, or both) using the `/strategies/jwt/scope_claim` setting.

Example to change scope claim format:

```bash
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="string"'
```

For more on customizing claims and scopes, see [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom) and [Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh).

### 3. Changing JWT Signing Algorithm or Keys

You can control which cryptographic algorithm is used to sign JWTs by providing the appropriate JSON Web Key Set (JWKS) in your configuration. Ory recommends using ES256 or ES512 for signing. The key set is referenced in your JWT template configuration.

Example key generation:

```bash
ory create jwk some-example-set \
  --alg ES256 --project $PROJECT_ID --format json-pretty
```

See [JSON Web Token templates](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates) for more details.

---

If you are looking to change the actual structure of the JWT (e.g., header, payload, signature format), this is not supported, as JWTs follow a standard format (header.payload.signature) and Ory adheres to this standard. You can only customize the content (claims) and signing method, not the overall structure. If you need more specific changes, please clarify what aspect of the JWT format you want to change.

famous-jackal-2829
07/07/2025, 11:53 AM

brief-egg-61061
07/07/2025, 11:53 AM

```yaml
session:
  whoami:
    tokenizer:
      templates:
        my_jwt_template:
          jwks_url: base64://... # Your JWKS
          claims_mapper_url: base64://... # Your JsonNet template
          ttl: 10m
```

The `claims_mapper_url` points to a JsonNet file where you can define the structure and content of your JWT claims. The `jwks_url` is where your signing keys are stored (base64-encoded or via URL).

3. Customizing Claims: In your JsonNet template, you can control which claims are included in the JWT. For example:

```jsonnet
local claims = std.extVar('claims');
local session = std.extVar('session');

{
  claims: {
    iss: claims.iss + "/custom",
    schema_id: session.identity.schema_id,
    session: session,
  }
}
```

The `sub` claim (subject) will always be set to the session's IdentityID and cannot be changed.

4. How to Use: When calling the `/sessions/whoami` endpoint, specify the `tokenize_as` parameter to get a JWT using your template.

```bash
curl -X GET \
  -H "Cookie: ory_session...=..." \
  "https://$PROJECT_SLUG.projects.oryapis.com/sessions/whoami?tokenize_as=my_jwt_template"
```

Summary: Your current configuration does not include JWT customization. To change the JWT format, you must define a JWT tokenizer template and a claims mapper as described above. For full details and step-by-step instructions, see the official documentation on [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates).

If you need to customize JWTs for OAuth2/OIDC flows (e.g., with Ory Hydra), the process is different and involves webhooks or consent hooks, which are not shown in your current config. If you need more specific guidance, please clarify which JWTs you want to change (session JWTs, access tokens, ID tokens, etc.).

famous-jackal-2829
07/07/2025, 11:57 AM

brief-egg-61061
07/07/2025, 11:57 AM

```yaml
session:
  whoami:
    tokenizer:
      templates:
        my_jwt_template:
          jwks_url: base64://<your-base64-encoded-jwks>
          claims_mapper_url: base64://<your-base64-encoded-claims-mapper>
          ttl: 10m
```

- The JWKS you provide must contain a key with `"alg": "RS256"`.
- You can generate an RS256 key using the Ory CLI or another tool, and encode the JWKS as base64 for the `jwks_url`.

For more details, see the [Session to JWT documentation](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates).

---

## Ory Hydra

Ory Hydra uses JWKS for signing JWTs (ID tokens, access tokens). To use RS256, you need to create a key set with the RS256 algorithm.

How to create an RS256 key set in Hydra: You can use the CLI or the admin API.

CLI example:

```bash
hydra create jwks <set-id> --alg RS256 --use sig
```

- `<set-id>` is typically `hydra.openid.id-token` for ID tokens or `hydra.jwt.access-token` for JWT access tokens.

Admin API example: Send a POST request to `/admin/keys/{set}` with the following body:

```json
{
  "alg": "RS256",
  "use": "sig",
  "kid": "<your-key-id>"
}
```

This will create a new RS256 key in the specified set. Hydra will use the latest key for signing JWTs. For more, see the [Hydra JWKS documentation](https://www.ory.sh/docs/hydra/jwks#how-to-rotate-cryptographic-keys) and [API reference](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json).

---

Summary:

- In Kratos, provide a JWKS with an RS256 key in your JWT tokenizer template.
- In Hydra, create a JWKS set with an RS256 key using the CLI or admin API.

If you need more specific configuration examples or have a particular use case, please clarify which service and JWT type you are targeting.

famous-jackal-2829
07/07/2025, 12:00 PM

brief-egg-61061
07/07/2025, 12:00 PM
07/07/2025, 12:01 PM

`serve`, `urls`, `secrets`, and `strategies` sections configure CORS, endpoints, secrets, and token strategies, but do not specify the signing algorithm for JWTs.

To use RS256 for JWT signing in Ory Hydra, you must create or rotate a JSON Web Key Set (JWKS) with the RS256 algorithm. This is done using the CLI or the admin API, not in the YAML configuration file. For example, you would run:

```bash
hydra create jwks <set-id> --alg RS256 --use sig
```

or, using the Ory CLI:

```bash
ory create jwks --alg RS256 hydra.openid.id-token
```

This ensures that Hydra uses RS256 for signing JWTs. Hydra will always use the latest key in the set for signing tokens. The YAML config does not have a field to set the JWT signing algorithm directly; it is managed through key management commands and APIs: [Cryptographic key management and JSON Web Key Sets (JWKS)](https://www.ory.sh/docs/hydra/jwks#how-to-rotate-cryptographic-keys), [hydra create jwks](https://www.ory.sh/docs/hydra/cli/hydra-create-jwks#hydra-create-jwks).

Summary:

- The YAML config you posted does not set the JWT signing algorithm.
- To use RS256, generate a JWKS with RS256 using the CLI or API as shown above.
- Hydra will use the latest RS256 key for signing JWTs.

If you need to configure this for Ory Kratos session-to-JWT, you must provide a JWKS with an RS256 key in your JWT tokenizer template, as described in previous answers.