quiet-window-70232
12/07/2022, 1:58 PM
urn:ietf:params:oauth:grant-type:jwt-bearer and build "enriched" tokens. E.g. after authenticating, users may exchange their long-lived authentication tokens for shorter-lived "account / role scoped" access tokens.
I was able to get the RFC7523 grant type working. Created a trust relationship between Ory Hydra <> my Token Exchange Service. Can also issue tokens signed by Ory Network utilizing the trust relationships. However, having some problems:
1. The RFC says you MUST have aud in the assertion token claims, which equals the Token URL of the Authorization server. However, I get this aud also mirrored to my output access token. I have not seen this behaviour documented in the RFC; is there a specific reason Ory is doing this? I think the culprit is this line in fosite.
2. I cannot add extra claims to the issued access token. The RFC says of the assertion: "The JWT MAY contain other claims." I am not sure if this means fosite should put these extra claims into the output access token or not, but this is something I need.
3. Unrelated to the code; does the above use case I described justify the usage of RFC7523? Is there another way of implementing shorter-lived access tokens with extra information inside?
quiet-window-70232
12/07/2022, 2:04 PM
quiet-window-70232
12/09/2022, 8:49 AM
high-optician-2097