<@U04UQ68083H> How can I add the user's name in th...
# ory-copilot
t
@chilly-king-10285 How can I add the user's name in the introspection call
b
A message from kapa.ai
To include the user's name in the response from the OAuth2 token introspection endpoint in Ory, you need to ensure that the name is added as a custom claim to the access token during the consent flow. This is done by setting the appropriate value in the session object when accepting the consent request. Here’s how you can do it:

1. Add the user's name as a custom claim in the access token

When you accept the OAuth2 consent request, include the user's name in the `session.access_token` object. For example:

```js
import { Configuration, OAuth2Api } from "@ory/client"

// Admin API client, authenticated with the project's API key
const ory = new OAuth2Api(
  new Configuration({
    basePath: `https://${process.env.ORY_PROJECT_SLUG}.projects.oryapis.com`,
    accessToken: process.env.ORY_API_KEY,
  }),
)

export async function acceptConsent(consentChallenge, userName) {
  return await ory.acceptOAuth2ConsentRequest({
    consentChallenge,
    acceptOAuth2ConsentRequest: {
      session: {
        // Values set here become custom claims on the access token
        access_token: {
          name: userName,
        },
      },
    },
  })
}
```

2. Result in the introspection response

After this, when you introspect the access token, the custom claim (e.g., `name`) will be available in the `ext` field of the introspection response:

```json
{
  "active": true,
  // ... other claims ...
  "ext": {
    "name": "John Doe"
  }
}
```

This approach leverages the ability to customize claims in the access token and ensures that the user's name is available in the introspection response under the `ext` field. For more details, see the documentation on customizing claims and token introspection: [Customizing claims with OAuth2 webhooks](https://www.ory.sh/docs/hydra/guides/claims-at-refresh), [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom), and [OAuth2 resource owner password credentials grant](https://www.ory.sh/docs/oauth2-oidc/resource-owner-password-grant).
t
@chilly-king-10285 I have this as my query items during request. Is this correct:

```swift
urlComponents.setQueryItems(with: [
    "client_id": clientId,
    "response_type": "code",
    "scope": "openid offline_access profile name traits.name.first traits.name.last traits.email",
    "state": String.randomString(length: 16),
    "redirect_uri": "\(redirectUri)://",
    "code_challenge": codeChallenge,
    "code_challenge_method": "S256"
])
```
b
A message from kapa.ai
Your query items are mostly correct for initiating an OAuth2 Authorization Code flow with Ory, especially if you want to use OpenID Connect and request refresh tokens (via offline_access). Here are some important points based on the knowledge sources:

- The standard scopes for Ory are openid, offline_access, email, and profile. These are well-supported and map to standard claims ([Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom)).
  - profile is a standard OIDC scope and will map to traits like name, given_name, and family_name if your identity schema supports them.
  - openid is required for OIDC.
  - offline_access is required if you want a refresh token.
  - email is the standard scope for requesting the user's email.
- name, traits.name.first, traits.name.last, and traits.email are not standard OIDC scopes. Ory supports mapping traits to claims, but requesting these as scopes may not have any effect unless you have custom logic to handle them. The standard way to get first and last name is through the profile scope, provided your identity schema is set up accordingly ([Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom)).

Recommended scopes:

```swift
"scope": "openid offline_access profile email"
```

If your identity schema includes first and last name, and you have mapped them to the appropriate OIDC claims (given_name, family_name), the profile scope will include them.

Summary:

- Remove name, traits.name.first, traits.name.last, and traits.email from the scope unless you have a custom implementation that expects them.
- Use openid, offline_access, profile, and email for standard Ory/OIDC integrations.

References:

- [Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom)
- [OAuth2 authorization code flow](https://www.ory.sh/docs/oauth2-oidc/authorization-code-flow)
- [OAuth2 scopes represent user consent](https://www.ory.sh/docs/oauth2-oidc/overview/oauth2-concepts#oauth2-scopes-represent-user-consent)

If you need custom claims, you should handle them via data mapping or custom consent logic, not by adding them as scopes.
t
@chilly-king-10285 I cannot get this to work. I am using Ory network for this and I don't see a config somewhere in the UI as well
b
A message from kapa.ai
Based on the knowledge sources, Ory Network supports the standard OpenID Connect scopes (such as openid, profile, email, offline_access) and maps them to identity traits according to your identity schema. The mapping of traits like first and last name to OIDC claims (e.g., given_name, family_name) is handled automatically if your identity schema is set up accordingly.

There is no mention in the documentation of a UI configuration in Ory Network that allows you to customize or add non-standard scopes (like traits.name.first) directly through the Ory Console or UI. If you want to customize which claims are included in the ID token or introspection response, you typically need to:

- Ensure your identity schema includes the relevant traits (e.g., name as an object with first and last).
- Use the standard scopes (profile, email) in your OAuth2/OIDC requests.
- For more advanced or custom claim mapping, you would need to implement a custom consent UI or use webhooks, but this is not configurable through the Ory Console UI at this time.

The default Ory Account Experience only supports the standard mapping for core OIDC scopes ([Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom); see also [Github Issue #261](https://github.com/ory/network/issues/261)).

If you need to add custom claims or map additional traits, the current workaround is to implement a custom consent UI or use webhooks for token customization, but these options require development effort and are not available as a simple UI configuration in Ory Network ([Github Issue #323](https://github.com/ory/network/issues/323)).

In summary: There is no UI configuration in Ory Network to add or map custom scopes/claims beyond what is supported by the standard OIDC scopes and your identity schema. For more advanced mapping, you need to use custom consent logic or webhooks, which are not managed through the Ory Console UI.