Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I've encountered an issue with hydra and jwt. We must use JWT as one of the token consumers is Kubernetes. Inside this token we have embedded all required principalse (user subject and groups). We've created a key in the jwt called `principals` which is a list of group-ids. For some reason (backward compability) the `principals`  key gets duplicated and also made available inside the `ext` dictionary in the JWT. Our edge case is that some of our users have a lot of groups and the size of the JWT grows fast, so fast that we've exceeded some browser request-header size limitations (4k). Having the opportunity to disable this `ext` backward compability won't solve our issue, but it would at least delay it for a long time. Is there an easy way of toggling this backward compability? Or do we have to maintain our own fork of hydra to be able to do it?  (I really don't want to do that).