https://www.ory.sh/ logo
Join Slack
Powered by
<@U04UQ68083H> Can I just push values to the grant...
# ory-copilot
w
@chilly-king-10285 Can I just push values to the grantScope to get more things in the id token? Like this
Copy code
"use client";

import { hydra, kratos } from "@/lib/ory";
import { useSearchParams } from "next/navigation";
import { useEffect } from "react";

export default function ConsentPage() {
	const searchParams = useSearchParams();
	const consent_challenge = searchParams.get("consent_challenge");

	useEffect(() => {
		const fetchConsent = async () => {
			if (consent_challenge) {
				try {
					const challenge = await hydra
						.getOAuth2ConsentRequest({
							consentChallenge: consent_challenge,
						})
						.then(async ({ data: body }) => {
							if (body.skip || body.client?.skip_consent) {
								let grantScopes: string[] =
									body.requested_scope || [];
								if (!Array.isArray(grantScopes)) {
									grantScopes = [grantScopes];
								}

								grantScopes.push("email");
								grantScopes.push("profile");
								grantScopes.push("name");

								return hydra
									.acceptOAuth2ConsentRequest({
										consentChallenge: consent_challenge,
										acceptOAuth2ConsentRequest: {
											grant_scope: grantScopes,
											grant_access_token_audience:
												body.requested_access_token_audience,
											remember: true,
											remember_for: 3600,
										},
									})
									.then(({ data }) => {
										// All done, redirect the user back to Hydra!
										window.location.href = data.redirect_to;
									});
							}
						});
				} catch (error) {
					console.error("Error fetching consent request:", error);
				}
			}
		};

		fetchConsent();
	}, [consent_challenge]);

	return <div>Consent Page</div>;
}
c
A message from kapa.ai
No, simply pushing more values to the 
grant_scope
array (like 
"name"
) does not automatically add more information to the ID token. The 
grant_scope
determines which scopes are granted to the client, but the actual claims included in the ID token depend on how your consent app maps those scopes to claims and what data you include in the 
session.id_token
when accepting the consent request. By default, Ory only maps certain scopes (
email
, 
profile
) to specific claims in the ID token, based on the user's identity traits. For example, the 
email
scope will include the user's email, and the 
profile
scope will include fields like 
username
, 
website
, and 
name
if they exist in the identity traits. Adding a custom scope like 
"name"
to 
grant_scope
will not have any effect unless your consent app is explicitly mapping that scope to claims in the ID token when you call `acceptOAuth2ConsentRequest`[Customize OpenID Connect scope and claims](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom). If you want to include additional claims in the ID token, you need to add them to the 
session.id_token
object in your consent acceptance logic. For example:
Copy code
js acceptOAuth2ConsentRequest({   consentChallenge: consent_challenge,   acceptOAuth2ConsentRequest: {     grant_scope: grantScopes,     grant_access_token_audience: body.requested_access_token_audience,     remember: true,     remember_for: 3600,     session: {       id_token: {         custom_claim: "custom_value",         // add more claims as needed       }     }   } })
This is also reflected in Ory's example consent endpoint code, where claims are added to the ID token based on the granted scopes and the user's identity traits. You must implement this logic yourself if you want to support additional or custom claims beyond the defaults[Consent endpoint code example](https://www.ory.sh/docs/oauth2-oidc/custom-login-consent/flow#consent-endpoint-code-example). In summary: - Adding scopes to 
grant_scope
only grants those scopes to the client. - To get more claims in the ID token, you must explicitly add them to 
session.id_token
in your consent acceptance logic. - The default Ory setup only maps certain scopes to claims; custom mapping requires custom code in your consent app.
w
@chilly-king-10285 Okay for this
Copy code
"use client";

import { hydra, kratos } from "@/lib/ory";
import { useSearchParams } from "next/navigation";
import { useEffect } from "react";

export default function ConsentPage() {
	const searchParams = useSearchParams();
	const consent_challenge = searchParams.get("consent_challenge");

	useEffect(() => {
		const fetchConsent = async () => {
			if (consent_challenge) {
				try {
					const challenge = await hydra
						.getOAuth2ConsentRequest({
							consentChallenge: consent_challenge,
						})
						.then(async ({ data: body }) => {
							if (body.skip || body.client?.skip_consent) {
								let grantScopes: string[] =
									body.requested_scope || [];
								if (!Array.isArray(grantScopes)) {
									grantScopes = [grantScopes];
								}

								grantScopes.push("email");
								grantScopes.push("profile");

								return hydra
									.acceptOAuth2ConsentRequest({
										consentChallenge: consent_challenge,
										acceptOAuth2ConsentRequest: {
											grant_scope: grantScopes,
											grant_access_token_audience:
												body.requested_access_token_audience,
											remember: true,
											remember_for: 3600,
										},
									})
									.then(({ data }) => {
										// All done, redirect the user back to Hydra!
										window.location.href = data.redirect_to;
									});
							}
						});
				} catch (error) {
					console.error("Error fetching consent request:", error);
				}
			}
		};

		fetchConsent();
	}, [consent_challenge]);

	return <div>Consent Page</div>;
}
I'm not getting the email and profile, do they have to be configured in hydra to allow those scopes?
c
A message from kapa.ai
Yes, the 
email
and 
profile
scopes must be allowed for the OAuth2 client in your Ory Hydra (or Ory Network) configuration. If the client is not configured to allow these scopes, even if you push them to 
grant_scope
in your consent app, they will not have any effect and the corresponding claims will not appear in the ID token. From the documentation: > The OAuth 2.0 Client making the request isn't allowed to request the scope 
openid
. > ... > Your consent app didn't send 
granted_scope: ["openid"]
or when accepting the consent request. > ... > For the 
email
scope, the system uses the verifiable addresses of a user. The first verifiable email is used to include the email in the ID token claims. This means that both 
email_verified
and 
email
claims get set. > For the 
profile
scope, the system uses traits associated with a user. > ... > This setup supports the 
email
and 
profile
scopes as defined by OpenID Connect. [(Customize OpenID Connect scope and claims)](https://www.ory.sh/docs/oauth2-oidc/openid-connect-claims-scope-custom) [(Solutions for common OAuth2-related problems)](https://www.ory.sh/docs/hydra/debug) So, you need to ensure: - The OAuth2 client is configured to allow the 
email
and 
profile
scopes. - The identity schema includes the relevant traits (e.g., email, name, etc.). - You grant these scopes in your consent app as you are doing. If you have done all of the above and still do not see the claims, double-check the client configuration in the Ory Console or your Hydra client settings to ensure those scopes are listed as allowed. If the client is not allowed to request those scopes, they will not be included in the token, regardless of what you send in 
grant_scope
.
w
@chilly-king-10285 This code is pretty complex for a end user app, can I instead use a existing library or does it have to be like this?
Copy code
"use client";

import { createFileRoute } from "@tanstack/react-router";
import { exchangeCodeForToken } from "../../../lib/ory";
import { useEffect } from "react";

export const Route = createFileRoute("/auth/callback")({
	component: RouteComponent,
});

function decodeIdToken(idToken: string): any {
	const parts = idToken.split(".");
	if (parts.length !== 3) {
		throw new Error("Invalid JWT format");
	}
	const payload = parts[1];
	// Add padding if necessary
	const base64 =
		payload.replace(/-/g, "+").replace(/_/g, "/") +
		"=".repeat((4 - (payload.length % 4)) % 4);
	const decoded = atob(base64);
	return JSON.parse(decoded);
}

function RouteComponent() {
	// get the url params
	useEffect(() => {
		const checkTokens = async () => {
			const params = new URLSearchParams(window.location.search);
			const code = params.get("code");
			const state = params.get("state");

			// get the state from session storage
			const storedState = sessionStorage.getItem("oauth2_state");

			if (!code || !state || state !== storedState) {
				// Invalid request, redirect to home
				window.location.href = "/";
				return null;
			}

			try {
				const tokens = await exchangeCodeForToken({
					tokenUrl: "<http://127.0.0.1:4444/oauth2/token>",
					code: code,
					redirectUri: "<http://127.0.0.1:3001/auth/callback>",
				});

				// decode the id token to get user info
				const idToken = tokens.id_token;
				if (idToken) {
					const info = decodeIdToken(idToken);
					console.log("ID Token Info:", info);
				}
			} catch (error) {
				console.error("Error exchanging code for token:", error);
			}
		};

		checkTokens();
	}, []);

	return <div>You're authenticed!</div>;
}
c
A message from kapa.ai
You do not have to implement the OAuth2 Authorization Code flow and token exchange logic manually as shown in your example. In fact, the Ory documentation recommends using well-established, open-source OAuth2 and OpenID Connect client libraries for this purpose, rather than writing your own code to interact with endpoints like 
/oauth2/token
or handling JWT decoding yourself. Ory specifically states: > The Ory Hydra SDK doesn't provide a comprehensive API for handling OAuth 2.0 flows such as the authorization code flow and refresh flow. Use one of the many [well-established libraries](https://oauth.net/code/) for this purpose, don't write your own code to interact with OAuth 2.0. > > Read the [OAuth2 client libraries](https://www.ory.sh/docs/hydra/guides/using-oauth2) document for more information. [SDK overview](https://www.ory.sh/docs/hydra/sdk/overview) They also provide a list of recommended libraries for various languages, such as: - [node-openid-client](https://github.com/panva/node-openid-client) for Node.js - [AppAuth](https://appauth.io/) for mobile and SPA clients - [simple-oauth2](https://github.com/lelylan/simple-oauth2) for Node.js - And many more for other languages and frameworks [Popular OAuth2 client libraries](https://www.ory.sh/docs/hydra/guides/using-oauth2) Summary: You should use a standard OAuth2/OpenID Connect client library for your language or framework. These libraries handle the redirect, state, code exchange, and token validation securely and with less code, reducing the risk of errors and security issues. Writing your own implementation is discouraged unless you have a very specific use case that cannot be covered by existing libraries.
w
@chilly-king-10285 Give me an example of using node-openid-client or simple-oauth2 with nextjs and ory kratos/hydra
c
A message from kapa.ai
I'm sorry, but the knowledge sources provided do not contain a full, step-by-step example of using 
node-openid-client
or 
simple-oauth2
with Next.js and Ory Kratos/Hydra. However, the documentation does recommend using these libraries for OAuth2/OpenID Connect flows with Ory Hydra and provides links to their repositories for further reference. It also explains that you should not implement the OAuth2 flow manually, but instead use these well-established libraries for secure and reliable integration [Popular OAuth2 client libraries](https://www.ory.sh/docs/hydra/guides/using-oauth2). If you need a concrete code example, you will need to refer to the official documentation of [node-openid-client](https://github.com/panva/node-openid-client) or [simple-oauth2](https://github.com/lelylan/simple-oauth2), and adapt it to your Next.js application and Ory setup. The Ory documentation does not provide a ready-to-use code sample for this specific stack. If you need guidance on how to configure OAuth2 clients in Ory for use with these libraries, the documentation does provide CLI commands and configuration steps for setting up OAuth2 clients, scopes, and redirect URIs [Add OAuth2 and OpenID Connect to your ExpressJS app](https://www.ory.sh/docs/getting-started/oauth2-openid/add-oauth2-openid-connect-nodejs-expressjs). If you have a more specific question about the configuration or a particular step, please let me know!
Open in Slack
PreviousNext
Powered by