Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey Ory,

We’ve set up Ory JWT following these docs: <https://www.ory.sh/docs/identities/session-to-jwt-cors>
Some time after we did an update to `claims.jsonnet` and now need to update `identity-config`
In the *dev environment*, the update worked successfully using:
```ory --project $PROJECT_ID patch identity-config --workspace $WORKSPACE_ID \
  --add '/session/whoami/tokenizer/templates/jwt_default={"jwks_url":"base64://'$JWK_B64_ENCODED'","claims_mapper_url":"base64://'$JSONNET_B64_ENCODED'","ttl":"'$JWT_TTL'"}' \
  --format yaml```
However, when running the same command against the *prod environment*, it fails with the following error:
```Blocked
Request has been marked as malicious.```


Seems that it marks it malicious only when I provide correct `jwt-default.jwk.prod.private.json` within `jwks_url` property.
It worked with empty base64 `"jwks_url":"base64://"` .

thank you for the report, we have several like those and the sre team is looking into it!

Hi Mark, once we apply the changes, we will let you know so you can verify that the issue is resolved.