v26.3.1
v26.3.1
JWT bearer grant no longer copies the assertion audience by default
The urn:ietf:params:oauth:grant-type:jwt-bearer grant no longer copies the aud (audience) claim of the assertion JWT into the
resulting access token by default. Per RFC 7523, the assertion's aud identifies the authorization server as the intended
recipient; it is not meant to define the audience of the issued access token.
A new setting, oauth2.grant.jwt.omit_assertion_audience, controls this behavior. It defaults to true (omit). Set it to false
to restore the previous behavior of copying the assertion audience into the access token.
Breaking changes
- Self-hosted Ory Hydra (OSS) and Ory Enterprise License (OEL): after upgrading, the assertion audience is omitted from access
tokens by default. Set
oauth2.grant.jwt.omit_assertion_audience: falseif you rely on the old behavior. - New Ory Network projects: created with the assertion audience omitted.
- Existing Ory Network projects: unchanged — they keep copying the assertion audience. To adopt the new behavior, set the option explicitly.