
docs: document omit_assertion_audience for the JWT bearer grant#2628

Open
alnr wants to merge 3 commits into master from docs/hydra-jwt-bearer-copy-assertion-audience

Conversation

@alnr alnr commented Jun 15, 2026

Summary

Documents the oauth2.grant.jwt.omit_assertion_audience setting in the JWT profile guide (docs/hydra/guides/jwt.mdx).

Per RFC 7523, the assertion's aud claim identifies the authorization server, not the audience of the issued access token. Ory therefore omits the assertion audience from the access token by default.

  • Default true (omit) for self-hosted Ory Hydra (OSS), Ory Enterprise License, and new Ory Network projects.
  • Existing Ory Network projects keep the previous copy behavior unless they set the option explicitly.
  • Set omit_assertion_audience: false to restore the legacy behavior of copying the assertion audience.

This is a breaking change. Documents the behavior introduced in ory/hydra#4076 (mirrored in ory-corp/cloud#11236).

🤖 Generated with Claude Code
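To make the distinction in the summary above concrete, here is an added Go example (not Hydra's code and not part of this PR) that models the two audiences involved in the JWT bearer grant: it first checks the assertion's aud against the token endpoint URL, as RFC 7523 section 3 requires, and then builds the access token's aud under both settings of oauth2.grant.jwt.omit_assertion_audience. The Assertion and Settings types, the requested-audience input, and the example.com URLs are assumptions made for illustration only.

```go
package main

import (
	"errors"
	"fmt"
)

// Assertion holds the claims of an RFC 7523 JWT bearer assertion that matter
// here (assumed shape; signature verification is out of scope).
type Assertion struct {
	Iss string
	Sub string
	Aud []string
}

// Settings stands in for the one hydra.yml key discussed in the PR,
// oauth2.grant.jwt.omit_assertion_audience. It is not Hydra's config type.
type Settings struct {
	OmitAssertionAudience bool
}

// CheckAssertionAudience applies the RFC 7523 rule that the assertion's aud
// must identify the authorization server. Following the guide, the accepted
// identifier is the OAuth2 token endpoint URL; anything else is rejected.
func CheckAssertionAudience(a Assertion, tokenEndpoint string) error {
	for _, aud := range a.Aud {
		if aud == tokenEndpoint {
			return nil
		}
	}
	return errors.New("assertion aud does not identify this authorization server")
}

// AccessTokenAudience computes the aud of the issued access token.
// requested is the audience the client asked for in the token request
// (an assumed input). With OmitAssertionAudience=true, the default, only the
// requested values appear; with false, the legacy behaviour also copies the
// assertion's aud (the token endpoint URL) into the access token.
func AccessTokenAudience(a Assertion, requested []string, s Settings) []string {
	seen := map[string]bool{}
	out := []string{}
	add := func(v string) {
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	for _, v := range requested {
		add(v)
	}
	if !s.OmitAssertionAudience {
		for _, v := range a.Aud {
			add(v)
		}
	}
	return out
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	tokenEndpoint := "https://auth.example.com/oauth2/token"
	a := Assertion{Iss: "client-1", Sub: "client-1", Aud: []string{tokenEndpoint}}
	requested := []string{"https://api.example.com"}

	if err := CheckAssertionAudience(a, tokenEndpoint); err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Println("omit=true :", AccessTokenAudience(a, requested, Settings{OmitAssertionAudience: true}))
	fmt.Println("omit=false:", AccessTokenAudience(a, requested, Settings{OmitAssertionAudience: false}))
}
```

The second line of output is the legacy shape the PR describes: the token endpoint URL, which only ever meant "this assertion is for this authorization server", ends up as an audience on an access token sent to resource servers. Restoring it means setting the dotted key from the summary, oauth2.grant.jwt.omit_assertion_audience, to false in hydra.yml.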

Describe the new oauth2.grant.jwt.copy_assertion_audience toggle in the
JWT profile guide. The option controls whether the assertion JWT's audience
is copied into the resulting access token and defaults to true.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 15, 2026 21:13

Copilot AI left a comment


Pull request overview

Documents the new oauth2.grant.jwt.copy_assertion_audience toggle for the urn:ietf:params:oauth:grant-type:jwt-bearer flow in the Hydra JWT guide, explaining the default audience-copy behavior and how to disable it.

Changes:

  • Add a new section describing how assertion aud values are copied into the resulting access token by default.
  • Document how to disable this behavior via copy_assertion_audience: false in hydra.yml.
  • Note the default value and availability (self-hosted OSS + Enterprise License deployments).


…ault

Update the JWT profile guide for the renamed oauth2.grant.jwt.omit_assertion_audience
setting. Per RFC 7523, the assertion audience is no longer copied into the access
token by default. Document the new default and the Ory Network migration behavior
for existing vs new projects.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@alnr alnr changed the title docs: document copy_assertion_audience for the JWT bearer grant docs: document omit_assertion_audience for the JWT bearer grant Jun 15, 2026

Copilot AI left a comment


Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Apply technical-writing review feedback on the JWT profile guide:

- Reframe the heading and intro to contrast the assertion's "aud" (the
  authorization server) with the access token's "aud" (the resource servers /
  APIs the token is for).
- Use the fully qualified setting key oauth2.grant.jwt.omit_assertion_audience.
- State the default is true (omit) for Ory OSS, OEL, and Ory Network, dropping
  the temporal "before/after this change" wording (migration details live in
  the release notes).
- Clarify the assertion "aud" is the OAuth2 token endpoint URL, and note in the
  issued-token example that the assertion "aud" is not copied by default.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@unatasha8 unatasha8 left a comment


LGTM
