# talk-hydra
s
Hey Y'all, I have a question, maybe I misunderstood something: As I can read in the hydra documentation (https://github.com/ory/docs/blob/master/docs/hydra/concepts/openid-connect-oidc.mdx#userinfo) my email for example is not included in the `/userinfo` response, unless I grant that scope. Right? Since the "real" return value for the `sub` field is my user's UUID from the database, and not the email address. I granted the `email` scope to the client (used by Grafana in my case), but it cannot see/retrieve the email address of my logged-in user. Am I missing some configuration here? Are the granted scopes not mapped to user traits automatically and if not, what am I supposed to implement and make that work? And where - is it necessary to adapt the hydra-consent client here? (I'm using the example - or something very close to it).
I'm using Kratos as idp.
Until someone corrects me, I opened a PR tackling the source of my confusion to make it easier for others in the future.
c
Hello mate. As I understand your issue, you have two options to work with: 1. Either use the UUID to make another query to Kratos and find the user's details. 2. Modify the content of the token when accepting the token request. You can change the sub value or add any other key-value pair you want. Take a look at userinfo docs and this hydra client function (I chose python but it is also available in other languages)
I don't know whether your app is public or private, but from a security perspective, I think embedding sensitive user information (e.g. email address) in the access token is not a good idea. I'm just giving you my opinion/advice which may make you reconsider your data flow/exchange. 🙂
s
Hey! Thank you for your reply! 1. I cannot make another query, since Grafana uses a specific flow to find the email address of the user. So I would expect that Hydra integrates with this in some way. More information about Grafana Generic OAuth2 2. So if I understood you correctly, adding the email to the id_token is the recommended way? Here (ory/hydra#2163) it states that the id_token should not contain the email - but this warning is only because the email was not explicitly requested then? And it is okay to include the email here, if the scope was granted?
So if I put the logic here (hydra-consent-node) to include the email address if the email scope was granted, this would be fine and not violate the specifications? 🙂 Thank you in advance!
c
I do not think there is any specification regarding what information you can embed in accessToken or idToken. The PR you linked was referring to hydra returning unrequested data. In your case, you can handle the email scope to include the email address wherever you want. It all comes down to your specific use case and how much you care about information getting potentially leaked. :)
s
I have it working, thank you very much! 🙂
t
@steep-teacher-8664 I’m working on the same issue, and I’m wondering how you went about getting the user’s email inside the consent app in order to include it in the ID token (e.g. is it already present somewhere or did you have to use the kratos sdk and make an additional request)
s
Hey, I will push it to the repo (my fork) tomorrow, if I think of it. I made an additional request to Kratos. I don’t think it’s already included somewhere, I inspected some stuff, don’t remember what exactly, but couldn’t find it. Another reason in my opinion to include the consent flow in Kratos selfservice example directly…
t
Gotcha, I ended up doing the same, thanks for the details!
s
https://github.com/DrBu7cher/ory-selfservice-ui-node/tree/add_hydra_consent_page If anyone is interested. It also adds trusted clients capability and prepares permission checking, which could add groups to the id_token for e.g. Grafana to make the user Admin or blind.
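The approach the thread converges on (consent app receives Hydra's consent request, looks the subject up in Kratos, puts the email into the id_token session only when the `email` scope was actually granted, keeps PII out of the access token), as an added example that is neither from the thread nor from hydra-consent-node or the linked fork. The Kratos admin request itself is left out: the identity and consent request below are constructed sample values, and `claimsForScopes` / `buildAcceptConsentBody` are hypothetical names. Hydra serves the `session.id_token` claims both in the ID token and from `/userinfo`, which is where Grafana reads the email.

```javascript
// Constructed sample: the relevant fields of a Kratos identity as returned by the
// Kratos admin API for the subject in the consent request (sample data, not real).
const SAMPLE_IDENTITY = {
  id: "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  traits: { email: "alice@example.com", name: { first: "Alice", last: "Doe" } },
  verifiable_addresses: [{ value: "alice@example.com", via: "email", verified: true }],
};

// Constructed sample of the consent request Hydra hands to the consent app.
const SAMPLE_CONSENT_REQUEST = {
  challenge: "consent-challenge-placeholder",
  subject: SAMPLE_IDENTITY.id,
  requested_scope: ["openid", "email", "offline_access"],
};

// Map granted scopes to standard OIDC claims. Only traits covered by a granted
// scope leave the consent app; the rest of the Kratos identity is never copied.
function claimsForScopes(grantedScopes, identity) {
  const claims = {};
  const granted = new Set(grantedScopes);
  const traits = identity.traits || {};
  if (granted.has("email") && traits.email) {
    claims.email = traits.email;
    // email_verified comes from Kratos' verification state, not from the trait alone.
    claims.email_verified = (identity.verifiable_addresses || []).some(
      (a) => a.via === "email" && a.value === traits.email && a.verified === true,
    );
  }
  if (granted.has("profile") && traits.name) {
    claims.given_name = traits.name.first;
    claims.family_name = traits.name.last;
    claims.name = [traits.name.first, traits.name.last].filter(Boolean).join(" ");
  }
  return claims;
}

// Build the body for Hydra's accept-consent call. A scope is granted only if
// Hydra requested it AND the user approved it; the id_token session carries
// just the claims those scopes cover, and the access token carries no PII.
function buildAcceptConsentBody(consentRequest, userApprovedScopes, identity) {
  const grantScope = consentRequest.requested_scope.filter((s) =>
    userApprovedScopes.includes(s),
  );
  return {
    grant_scope: grantScope,
    remember: false,
    session: { id_token: claimsForScopes(grantScope, identity), access_token: {} },
  };
}
```

The returned object is what the consent app would send to Hydra's accept-consent endpoint; a scope the client never requested (here `profile`) is dropped even if the user ticked it, so no claim is emitted for it.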