<@U04UQ68083H> Can I return a JWT Access token wit...
# ory-copilot
@chilly-king-10285 Can I return a JWT Access token with a "scope" claim instead of the default "scp" claim?
A message from kapa.ai
Yes, you can configure Ory to return a JWT access token with a "scope" claim instead of the default "scp" claim. By default, Ory uses the "scp" claim, but you can customize this behavior using the /strategies/jwt/scope_claim configuration option. The available options are:

- list (default): The scope claim is an array of strings named "scope".
- string: The scope claim is a space-delimited string named "scp".
- both: Both "scope" (array) and "scp" (space-delimited string) claims are included.

To set the "scope" claim as an array of strings, use:

```shell
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="list"'
```
If you want both "scope" and "scp" claims, use:
```shell
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="both"'
```
This allows you to control the format and key of the scope claim in your JWT access tokens, ensuring compatibility with your requirements or client libraries [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom). Note: There have been recent updates to this feature, and it is now available in Ory Network production environments as of late May 2024 [Github Issue: Configuration scope_claim is not persisted in Ory Network](https://github.com/ory/network/issues/384).
@chilly-king-10285 is this documentation outdated? When I run the example command I get "Error: value for /services/oauth2/config/strategies/jwt/scope_claim must be valid JSON but got: both"
A message from kapa.ai
Based on the knowledge sources, the documentation is not necessarily outdated, but the command syntax requires the value to be valid JSON. In the example provided in the documentation, the value for scope_claim is given as a plain string (e.g., both), but the CLI expects a JSON string, which means it should be quoted. So, instead of:
```shell
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim=both'
```
You should use:
```shell
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="both"'
```
The same applies for other values like "list" or "string"—they must be wrapped in double quotes to be valid JSON strings. This is consistent with the examples in the documentation, which show the correct usage with quotes:
```shell
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="string"'
```
[Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom)

If you are still seeing errors after quoting the value, it may be due to a version mismatch or a recent change not yet reflected in the documentation. However, according to the knowledge sources, quoting the value is the correct approach.
@chilly-king-10285

```
s> ory patch oauth2-config --project {project.id} `
> --replace '/strategies/jwt/scope_claim="both"'
Error: value for /services/oauth2/config/strategies/jwt/scope_claim must be valid JSON but got: both
```
A message from kapa.ai
Thank you for your detailed feedback and for sharing the exact error message. Based on the knowledge sources, the documentation for customizing the scope claim in JWT access tokens does show the use of the --replace flag with a quoted string value, for example:
```shell
ory patch oauth2-config {project.id} \
  --replace '/strategies/jwt/scope_claim="string"'
```
However, your error message indicates that the CLI expects the path to be /services/oauth2/config/strategies/jwt/scope_claim, not just /strategies/jwt/scope_claim. This suggests that the correct path in the patch command should be:
```
/services/oauth2/config/strategies/jwt/scope_claim
```
So, your command should look like:
```shell
ory patch project --project {project.id} \
  --replace '/services/oauth2/config/strategies/jwt/scope_claim="both"'
```

or, if you are using the oauth2-config-specific command, ensure the path matches what the CLI expects for that command. The knowledge sources do not provide a direct example for the full path with the oauth2-config command, and there may be a discrepancy between the documentation and the current CLI implementation.

If the error persists even with the correct path and quoting, it may indicate a recent change or a bug not yet reflected in the documentation. In that case, I recommend checking the latest CLI help output or reaching out to Ory support for clarification.

In summary:

- Ensure you are using the correct JSON path as expected by the CLI.
- The value must be a valid JSON string (quoted).
- If using ory patch project, use the full path as shown above.
- If using ory patch oauth2-config, the path may be shorter, but the knowledge sources do not provide a definitive example for this case.

The knowledge sources do not contain enough information to fully resolve the discrepancy between the documentation and the error you are seeing.