Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi, I was trying to get the grant_type "urn:ietf:params:oauth:grant-type:jwt-bearer" working with hydra 2.3.0 locally. I followed this doc: <https://www.ory.sh/docs/hydra/guides/jwt#using-jwts-as-authorization-grants>
From the doc and also from the RFC (<https://datatracker.ietf.org/doc/html/rfc7523#section-2.1>) I assumed that a client_id and a client_secret is not necessary. But after trying a lot of config variants and looking into the code I found that they are necessary. So I assume that either the Ory docs are incomplete or the implementation is wrong.

It depends on your OAuth2 client config. If you set your client to require "client_secret_post" then it is required in the body. If you set it to "client_secret_basic" then the client credentials are required in the header.