hackerman
> Yes I did, even before opening this question. I'd appreciate if you give benefit of a doubt to community members offering help both in providing feedback and writing code....
> I think it is important to clarify that I view Authorization server as an internal component of a bigger company infrastructure, where there are multiple first-party services using its...
Sorry for the late reply!
> I suggest use existing admin registration code as is, but reject certain fields from client definition when invoked via public DCR. Initially only token...
> On another thought, to register a client with DCR one already has to have client credentials. Maybe make it a property of the client instead? Something like can_register_token_claims. Admin...
While I understand that a date of delivery is helpful when planning, we stopped giving out due dates for features or milestones. It puts maintainers in an unfair spot as...
For anyone looking, a good place to start for the client credentials flow is here: https://github.com/ory/hydra/blob/0a73d8be3639372fe9830a65df1334842888814b/oauth2/handler.go#L590-L627 As you can see we are setting some values in this block: https://github.com/ory/hydra/blob/0a73d8be3639372fe9830a65df1334842888814b/oauth2/handler.go#L604-L605 And...
> Where should someone specify the jsonnet 'program'? I think the best approach would be to define this as a deployment specific configuration. Or is there any need to define...
> At the event, where the tokens were actually issued by Hydra but the response was not sent to the users because of some network issues, the users are generally...
> @aeneasr does it help to mitigate the replay attack if we set a low default before the old token is completely unusable. Lowering TTL of things is typically a...
https://github.com/ory/hydra/issues/1928#issuecomment-678119025