# ory-copilot
@chilly-king-10285 how to change jwt format in ory?
A message from kapa.ai
To change the format of JWTs in Ory, you have several options depending on which part of the Ory stack you are using and what you mean by "format":

### 1. Customizing JWT Claims (Session to JWT)

If you want to customize the claims (the payload) of JWTs generated from Ory Sessions, you can use the "Session to JWT" feature. This involves defining a JWT template with a custom claims mapper using JsonNet. You can specify which claims to include and how they are structured. Example configuration:

```yaml
session:
  whoami:
    tokenizer:
      templates:
        my_jwt_template:
          jwks_url: base64://... # Your JWKS
          claims_mapper_url: base64://... # Your JsonNet template
          ttl: 10m
```
The JsonNet template allows you to modify or add claims, but the `sub` claim is always set to the session's `IdentityID` and cannot be changed. You can use variables like `claims` (default claims) and `session` (session data) in your template. For more details and examples, see the documentation on [Session to JWT](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates) and [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors).

### 2. Customizing OpenID Connect Claims and Scopes

For Ory OAuth2 and OpenID Connect, you can customize which claims are included in ID tokens and access tokens by using OAuth2 webhooks. This allows you to add or modify claims before the token is issued. You can also customize how scopes are represented in the JWT (as an array, string, or both) using the `/strategies/jwt/scope_claim` setting. Example to change the scope claim format:

```bash
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="string"'
```
For more on customizing claims and scopes, see [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom) and [Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh).

### 3. Changing JWT Signing Algorithm or Keys

You can control which cryptographic algorithm is used to sign JWTs by providing the appropriate JSON Web Key Set (JWKS) in your configuration. Ory recommends using ES256 or ES512 for signing. The key set is referenced in your JWT template configuration. Example key generation:

```bash
ory create jwk some-example-set \
  --alg ES256 --project $PROJECT_ID --format json-pretty
```
See [JSON Web Token templates](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates) for more details.

---

If you are looking to change the actual structure of the JWT (e.g., header, payload, signature format), this is not supported, as JWTs follow a standard format (header.payload.signature) and Ory adheres to this standard. You can only customize the content (claims) and signing method, not the overall structure. If you need more specific changes, please clarify what aspect of the JWT format you want to change.
@chilly-king-10285 for example, here:

```yaml
version: v1.3.1
dsn: postgres://kratos:secret@kratos-postgres:5432/kratos?sslmode=disable
serve:
  public:
    base_url: https://login.alpha.qaap.io
    cors:
      enabled: true
      allow_credentials: true
      allowed_origins:
        - https://*.alpha.qaap.io
  admin:
    base_url: https://login.alpha.qaap.io/admin
    request_log:
      disable_for_health: true
selfservice:
  default_browser_return_url: https://login.alpha.qaap.io/auth/login
  allowed_return_urls:
    - https://login.alpha.qaap.io/auth
    - https://core.alpha.qaap.io/auth/login
    - https://core.alpha.qaap.io/logout
    - https://core.alpha.qaap.io
    - https://remote.alpha.qaap.io
    - https://erp.alpha.qaap.io
    - https://core.alpha.qaap.io/check-session
  methods:
    password:
      enabled: true
      config:
        min_password_length: 6
        identifier_similarity_check_enabled: true
        haveibeenpwned_enabled: false
    totp:
      enabled: true
      config:
        issuer: Qaap
    link:
      enabled: true
    code:
      enabled: true
  flows:
    error:
      ui_url: https://login.alpha.qaap.io/auth/error
    settings:
      ui_url: https://login.alpha.qaap.io/auth/settings
      privileged_session_max_age: 15m
      required_aal: highest_available
    recovery:
      enabled: true
      ui_url: https://login.alpha.qaap.io/auth/recovery
      use: link
    logout:
      after:
        default_browser_return_url: https://core.alpha.qaap.io/auth/login
    login:
      ui_url: https://login.alpha.qaap.io/auth/login
      lifespan: 10m
      after:
        default_browser_return_url: https://core.alpha.qaap.io/check-session
    registration:
      lifespan: 10m
      ui_url: https://login.alpha.qaap.io/auth/registration
      after:
        default_browser_return_url: https://core.alpha.qaap.io/check-session
        password:
          hooks:
            - hook: session
log:
  format: json
  level: debug
  leak_sensitive_values: true
session:
  lifespan: 24h
  cookie:
    same_site: Lax
    domain: alpha.qaap.io
secrets:
  cookie:
    - 05fb1c63adf3776fd4917405c1ddc614
  cipher:
    - f744e858bd8748467c97ff3330bf9959
ciphers:
  algorithm: xchacha20-poly1305
hashers:
  algorithm: bcrypt
  bcrypt:
    cost: 8
identity:
  default_schema_id: default
  schemas:
    - id: default
      url: file:///etc/config/kratos/identity.schema.json
oauth2_provider:
  url: http://hydra:4445
courier:
  smtp:
    connection_uri: "smtps://login.alpha.qaap.io%40gmail.com:nppcccvgfrhspcax@smtp.gmail.com:465/?skip_ssl_verify=false&legacy_ssl=false"
    from_address: "login@qaap.io"
    from_name: "Qaap"
  # channels:
  #   - id: sms
  #     type: http
  #     request_config:
  #       url: https://api.twilio.com/2010-04-01/Accounts/AXXXXXXXXXXXXXX/Messages.json
  #       method: POST
  #       body: base64://ZnVuY3Rpb24oY3R4KSB7ClRvOiBjdHguUmVjaXBpZW50LApCb2R5OiBjdHguQm9keSwKfQ==
  #       headers:
  #         Content-Type: application/x-www-form-urlencoded
  #       auth:
  #         type: basic_auth
  #         config:
  #           user: AXXXXXXX
  #           password: XXXX
feature_flags:
  use_continue_with_transitions: true
```
A message from kapa.ai
Based on your provided Ory Kratos configuration, there is no direct setting in this YAML file to change the format or structure of JWTs issued by Ory Kratos. By default, Ory Kratos issues sessions as cookies or session tokens, not as JWTs. If you want to issue JWTs or customize their claims, you need to use the "Session to JWT" feature, which is configured separately from the main Kratos YAML file.

How to change the JWT format in Ory Kratos:

1. Enable Session to JWT Conversion: You need to define a JWT tokenizer template in your identity configuration, specifying the signing key (JWKS) and a JsonNet claims mapper. This is not present in your current config.

2. Example of JWT Template Configuration: Add a section like this to your identity config (not shown in your current YAML):

   ```yaml
   session:
     whoami:
       tokenizer:
         templates:
           my_jwt_template:
             jwks_url: base64://... # Your JWKS
             claims_mapper_url: base64://... # Your JsonNet template
             ttl: 10m
   ```
   The `claims_mapper_url` points to a JsonNet file where you can define the structure and content of your JWT claims. The `jwks_url` is where your signing keys are stored (base64-encoded or via URL).

3. Customizing Claims: In your JsonNet template, you can control which claims are included in the JWT. For example:

   ```jsonnet
   local claims = std.extVar('claims');
   local session = std.extVar('session');

   {
     claims: {
       iss: claims.iss + "/custom",
       schema_id: session.identity.schema_id,
       session: session,
     }
   }
   ```
   The `sub` claim (subject) will always be set to the session's `IdentityID` and cannot be changed.

4. How to Use: When calling the `/sessions/whoami` endpoint, specify the `tokenize_as` parameter to get a JWT using your template.

   ```bash
   curl -X GET \
     -H "Cookie: ory_session...=..." \
     "https://$PROJECT_SLUG.projects.oryapis.com/sessions/whoami?tokenize_as=my_jwt_template"
   ```
Summary: Your current configuration does not include JWT customization. To change the JWT format, you must define a JWT tokenizer template and a claims mapper as described above. For full details and step-by-step instructions, see the official documentation on [Convert Ory Sessions to JSON Web Tokens](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates).

If you need to customize JWTs for OAuth2/OIDC flows (e.g., with Ory Hydra), the process is different and involves webhooks or consent hooks, which are not shown in your current config. If you need more specific guidance, please clarify which JWTs you want to change (session JWTs, access tokens, ID tokens, etc.).
@chilly-king-10285 how to use rs256 for jwt token in kratos.yml or hydra.yml
A message from kapa.ai
To use the RS256 algorithm for signing JWT tokens in Ory, the approach depends on whether you are configuring Ory Kratos or Ory Hydra.

---

## Ory Kratos

Ory Kratos does not issue JWTs by default, but you can configure it to issue JWTs for sessions using the "Session to JWT" feature. To use RS256 for signing these JWTs, you need to provide a JSON Web Key Set (JWKS) that contains an RS256 key in your JWT tokenizer template. Example configuration for RS256 in Kratos:

```yaml
session:
  whoami:
    tokenizer:
      templates:
        my_jwt_template:
          jwks_url: base64://<your-base64-encoded-jwks>
          claims_mapper_url: base64://<your-base64-encoded-claims-mapper>
          ttl: 10m
```
- The JWKS you provide must contain a key with `"alg": "RS256"`.
- You can generate an RS256 key using the Ory CLI or another tool, and encode the JWKS as base64 for the `jwks_url`.

For more details, see the [Session to JWT documentation](https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-templates).

---

## Ory Hydra

Ory Hydra uses JWKS for signing JWTs (ID tokens, access tokens). To use RS256, you need to create a key set with the RS256 algorithm.

How to create an RS256 key set in Hydra: You can use the CLI or the admin API.

CLI example:

```bash
hydra create jwks <set-id> --alg RS256 --use sig
```
- `<set-id>` is typically `hydra.openid.id-token` for ID tokens or `hydra.jwt.access-token` for JWT access tokens.

Admin API example: Send a POST request to `/admin/keys/{set}` with the following body:

```json
{
  "alg": "RS256",
  "use": "sig",
  "kid": "<your-key-id>"
}
```
This will create a new RS256 key in the specified set. Hydra will use the latest key for signing JWTs. For more, see the [Hydra JWKS documentation](https://www.ory.sh/docs/hydra/jwks#how-to-rotate-cryptographic-keys) and [API reference](https://raw.githubusercontent.com/ory/hydra/master/spec/api.json).

---

Summary:
- In Kratos, provide a JWKS with an RS256 key in your JWT tokenizer template.
- In Hydra, create a JWKS set with an RS256 key using the CLI or admin API.

If you need more specific configuration examples or have a particular use case, please clarify which service and JWT type you are targeting.
@chilly-king-10285 how about this?

```yaml
serve:
  cookies:
    same_site_mode: Lax
  public:
    cors:
      enabled: true
      allowed_origins:
        - http://127.0.0.1
        - http://localhost
        - https://*.alpha.qaap.io
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
      exposed_headers:
        - Content-Type
  # Enable CORS for the admin endpoint only during local testing
  admin:
    cors:
      enabled: true
      allowed_origins:
        - http://127.0.0.1
        - http://localhost
        - https://*.alpha.qaap.io
      allowed_methods:
        - GET
        - POST
        - OPTIONS
      allowed_headers:
        - Content-Type
      exposed_headers:
        - Content-Type
# 4444: Hydra public URL
# 4455: Kratos UI: Kratos sign up, sign in, logout
# 4434: Kratos admin URL
urls:
  self:
    issuer: https://auth.alpha.qaap.io
  consent: https://login.alpha.qaap.io/auth/consent
  login: https://login.alpha.qaap.io/auth/login
  logout: https://login.alpha.qaap.io/auth/logout
  identity_provider:
    url: https://login.alpha.qaap.io/admin
secrets:
  system:
    - CHANGE_ME_TO_REAL_SECRET
strategies:
  scope: exact
  access_token: jwt
oidc:
  subject_identifiers:
    supported_types:
      - pairwise
      - public
    pairwise:
      salt: CHANGE_ME_TO_REAL_SECRET
# ttl:
#   login_consent_request: 1m
#   access_token: 1m
#   refresh_token: 1m
#   id_token: 1m
#   auth_code: 1m
log:
  leak_sensitive_values: true
  level: info
```
A message from kapa.ai
The configuration snippet you provided does not directly control the JWT signing algorithm (such as RS256) for Ory Hydra or Ory Kratos. The `serve`, `urls`, `secrets`, and `strategies` sections configure CORS, endpoints, secrets, and token strategies, but do not specify the signing algorithm for JWTs. To use RS256 for JWT signing in Ory Hydra, you must create or rotate a JSON Web Key Set (JWKS) with the RS256 algorithm. This is done using the CLI or the admin API, not in the YAML configuration file. For example, you would run:

```bash
hydra create jwks <set-id> --alg RS256 --use sig
```
or, using the Ory CLI:

```bash
ory create jwks --alg RS256 hydra.openid.id-token
```
This ensures that Hydra uses RS256 for signing JWTs. Hydra will always use the latest key in the set for signing tokens. The YAML config does not have a field to set the JWT signing algorithm directly; it is managed through key management commands and APIs. See [Cryptographic key management and JSON Web Key Sets (JWKS)](https://www.ory.sh/docs/hydra/jwks#how-to-rotate-cryptographic-keys) and [hydra create jwks](https://www.ory.sh/docs/hydra/cli/hydra-create-jwks#hydra-create-jwks).

Summary:
- The YAML config you posted does not set the JWT signing algorithm.
- To use RS256, generate a JWKS with RS256 using the CLI or API as shown above.
- Hydra will use the latest RS256 key for signing JWTs.

If you need to configure this for Ory Kratos session-to-JWT, you must provide a JWKS with an RS256 key in your JWT tokenizer template, as described in previous answers.