Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I am implementing a consent endpoint to integrate Hydra. – When getting the consent request via the Hydra backend API, is the requested_scope already checked by hydra or is it possible that it consists scopes that should not be allowed for the OAuth client?

I am asking, because I want to add some fields to the OpenID Connect ID token if the client has requested and is allowed to access a certain scope.

Hm good question, just by going in the flow graphic in <https://www.ory.sh/hydra/docs/next/concepts/consent/>
i would say the end user first gets redirected and then consent info (including requested_scopes) gets fetched from hydra.

you may need to make sure that the client is allowed to request the scopes in the consent endpoint, but I am not 100% certain, will let you know if I have more certainty.