Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
Token & refresh hooks may rely on non-standard request parameters to the token endpoint, but TokenHook() sanitizes the request parameters down to assertion + default allowed parameters.
It can be important for integrations with legacy systems. Some things can be solved via whitelisting special scopes in the client configuration. However, other parameters depend on the subject (user) rather than the client. In our case, it's not possible to bind such parameters to the session at the very beginning of the Authorization Code flow.
Describe your ideal solution
Ideally, HookConfig would allow specifying additional request parameters to forward into the webhook payload. It should be possible to configure additional payload parameters via a /oauth2/token_hook/additional_payload string list or similar.
Workarounds or alternatives
The alternative is to abandon the webhook mechanism completely and deploy a service to acquire the necessary values out-of-band instead of receiving them in token claims.
Version
2.3.0
Additional Context
No response
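An added sketch, not part of the issue and not Hydra's own code, of what a configurable forward list has to guarantee: operator-supplied names extend the allow-list, but credential-bearing token-endpoint parameters are refused so they can never reach the webhook. `SanitizeForHook`, `defaultAllowed`, `neverForward` and the `legacy_tenant` parameter are hypothetical names, and the contents of `defaultAllowed` are an assumption.

```go
package main

import (
	"fmt"
	"net/url"
)

// Assumed stand-in for the default allowed parameters; the issue does not list them.
var defaultAllowed = []string{"grant_type", "assertion"}

// Token-endpoint parameters that carry credentials and must not be forwarded.
var neverForward = map[string]bool{
	"client_secret": true, "client_assertion": true, "code": true,
	"code_verifier": true, "refresh_token": true, "password": true,
}

// SanitizeForHook copies only allow-listed parameters out of form.
// extra is the operator-configured list of additional names (hypothetical setting).
func SanitizeForHook(form url.Values, extra []string) (url.Values, error) {
	allowed := map[string]bool{}
	for _, n := range defaultAllowed {
		allowed[n] = true
	}
	for _, n := range extra {
		if neverForward[n] {
			return nil, fmt.Errorf("parameter %q must not be forwarded to the token hook", n)
		}
		allowed[n] = true
	}
	out := url.Values{}
	for k, v := range form {
		if allowed[k] {
			out[k] = append([]string(nil), v...) // copy, do not alias the request
		}
	}
	return out, nil
}

func main() {
	// Constructed refresh request carrying one non-standard, subject-specific parameter.
	form := url.Values{
		"grant_type":    {"refresh_token"},
		"refresh_token": {"constructed-refresh-token"},
		"client_secret": {"constructed-secret"},
		"legacy_tenant": {"acme"},
	}
	out, err := SanitizeForHook(form, []string{"legacy_tenant"})
	fmt.Println(out.Encode(), err)
}
```

Rejecting a bad name when the configuration is loaded, rather than silently dropping it per request, surfaces the misconfiguration before any token request is served.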