docs: document omit_assertion_audience for the JWT bearer grant#2628
docs: document omit_assertion_audience for the JWT bearer grant#2628alnr wants to merge 3 commits into
Conversation
Describe the new oauth2.grant.jwt.copy_assertion_audience toggle in the JWT profile guide. The option controls whether the assertion JWT's audience is copied into the resulting access token and defaults to true. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Documents the new oauth2.grant.jwt.copy_assertion_audience toggle for the urn:ietf:params:oauth:grant-type:jwt-bearer flow in the Hydra JWT guide, explaining the default audience-copy behavior and how to disable it.
Changes:
- Add a new section describing how assertion
audvalues are copied into the resulting access token by default. - Document how to disable this behavior via
copy_assertion_audience: falseinhydra.yml. - Note the default value and availability (self-hosted OSS + Enterprise License deployments).
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| By default, Ory copies the `aud` (audience) values from the assertion JWT into the access token it issues. The audience of the | ||
| resulting access token then includes every value from the assertion's `aud` claim, including the OAuth2 token URL. |
There was a problem hiding this comment.
Fixed — the validation requirement now says "OAuth2 token endpoint URL".
| To stop the assertion's audience from being granted to the access token, set `copy_assertion_audience` to `false`. Ory then issues | ||
| the access token without the audience values from the assertion: |
There was a problem hiding this comment.
Fixed — the guide now uses the fully qualified key oauth2.grant.jwt.omit_assertion_audience.
…ault Update the JWT profile guide for the renamed oauth2.grant.jwt.omit_assertion_audience setting. Per RFC 7523, the assertion audience is no longer copied into the access token by default. Document the new default and the Ory Network migration behavior for existing vs new projects. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
alnr
changed the title
| --replace "/oauth2/grant/jwt/max_ttl=1h" | ||
| ``` | ||
|
|
||
| ### Assertion audience in the access token |
There was a problem hiding this comment.
| ### Assertion audience in the access token | |
| ### Do not use the assertion's 'aud' value as the access token's 'aud' value. |
There was a problem hiding this comment.
Applied — reframed the heading to contrast the assertion's aud (the authorization server) with the access token's aud. Used code formatting for aud to match the rest of the guide.
| ### Assertion audience in the access token | ||
|
|
||
| Per [RFC 7523](https://www.rfc-editor.org/rfc/rfc7523), the assertion's `aud` (audience) claim identifies the authorization server | ||
| as the intended recipient of the JWT. It does not define the audience of the issued access token. By default, Ory therefore does |
There was a problem hiding this comment.
| as the intended recipient of the JWT. It does not define the audience of the issued access token. By default, Ory therefore does | |
| as the intended recipient of the JWT. The issued access token's `aud` value should be the resource server(s) or the APIs that the token is meant for. By default, Ory therefore does |
There was a problem hiding this comment.
Applied your suggestion verbatim.
|
|
||
| :::note | ||
|
|
||
| The default is `true` (omit) for self-hosted Ory Hydra (open source), Ory Enterprise License deployments, and Ory Network projects |
There was a problem hiding this comment.
| The default is `true` (omit) for self-hosted Ory Hydra (open source), Ory Enterprise License deployments, and Ory Network projects | |
| The default value is `true` (omit) for Ory Hydra (Ory OSS, Ory OEL, and Ory Network deployments). |
| :::note | ||
|
|
||
| The default is `true` (omit) for self-hosted Ory Hydra (open source), Ory Enterprise License deployments, and Ory Network projects | ||
| created after this change. Ory Network projects created earlier keep the previous behavior of copying the assertion audience; set |
There was a problem hiding this comment.
Wording like 'after' or 'before' this change is confusing to readers. How would they know when the change occurred? This type of info (breaking changes) are best communicated via release notes or other comms where a date can be referenced. The Documentation should cover what is currently true and accurate.
There was a problem hiding this comment.
Agreed — removed the 'before/after this change' wording. The note now states only the current default; the migration behavior for existing Ory Network projects is covered in the release notes / changelog.
| as the intended recipient of the JWT. It does not define the audience of the issued access token. By default, Ory therefore does | ||
| **not** copy the assertion's `aud` values into the access token. | ||
|
|
||
| The `omit_assertion_audience` setting controls this behavior: |
There was a problem hiding this comment.
| The `omit_assertion_audience` setting controls this behavior: | |
| The `omit_assertion_audience` setting controls whether or not the assertion's 'aud' value is copied to the access token: |
There was a problem hiding this comment.
Applied, and used the fully qualified key oauth2.grant.jwt.omit_assertion_audience (also addresses Copilot's note).
| Per [RFC 7523](https://www.rfc-editor.org/rfc/rfc7523), the assertion's `aud` (audience) claim identifies the authorization server | ||
| as the intended recipient of the JWT. It does not define the audience of the issued access token. By default, Ory therefore does | ||
| **not** copy the assertion's `aud` values into the access token. | ||
|
|
There was a problem hiding this comment.
I suggest the https://www.ory.com/docs/hydra/guides/jwt#exchanging-jwt-assertion-for-access-token topic is updated to clearly show the distinction between the assertion 'aud' and the access token's 'aud' values
Under 'Exchanging JWT assertion for access token,' in the Sample call/JWT used/Scopes in JWT tabs: Change 'Example claims of JSON Web Token' to 'Example claims of the issued access token'
Update the example to include the access token's 'aud' value that clearly shows it is the resource server(s) / the APIs the token is meant for and not the authorization server.
There was a problem hiding this comment.
Renamed the example to 'Example claims of the issued access token' and added a comment there clarifying the assertion's aud is not copied by default. I did not add a resource-server aud to the example because, with the default (omit), Ory does not currently populate the access token's aud from the request — wiring the standard audience/resource request parameter into this grant is tracked separately in ory-corp/cloud#12362. Once that lands I'll update the example to show a resource-server aud. Let me know if you'd prefer an aspirational example in the meantime.
Apply technical-writing review feedback on the JWT profile guide: - Reframe the heading and intro to contrast the assertion's "aud" (the authorization server) with the access token's "aud" (the resource servers / APIs the token is for). - Use the fully qualified setting key oauth2.grant.jwt.omit_assertion_audience. - State the default is true (omit) for Ory OSS, OEL, and Ory Network, dropping the temporal "before/after this change" wording (migration details live in the release notes). - Clarify the assertion "aud" is the OAuth2 token endpoint URL, and note in the issued-token example that the assertion "aud" is not copied by default. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Summary
Documents the
oauth2.grant.jwt.omit_assertion_audiencesetting in the JWT profile guide (docs/hydra/guides/jwt.mdx).Per RFC 7523, the assertion's
audclaim identifies the authorization server, not the audience of the issued access token. Ory therefore omits the assertion audience from the access token by default.true(omit) for self-hosted Ory Hydra (OSS), Ory Enterprise License, and new Ory Network projects.omit_assertion_audience: falseto restore the legacy behavior of copying the assertion audience.This is a breaking change. Documents the behavior introduced in ory/hydra#4076 (mirrored in ory-corp/cloud#11236).
🤖 Generated with Claude Code