Custom fields in response in addition to OAuth 2 access token, refresh token and ID token

Is there an option to add custom fields to the response when generating an access token from Hydra, in addition to the OAuth 2/OpenID Connect tokens?
I am referring to this need for a SMART App on FHIR healthcare app, which is a specification on top of OAuth 2.0 + OpenID Connect.
This requires some additional fields to be returned by the authorization server based on some additional inputs (launch parameter).

Please advise if there is any such support/plugin/extension available, or whether one can be developed.

No, that is not possible. Also, it was partially already answered in one of your threads: Userinfo endpoint

Thanks for replying. Is there any support for plugins/extensions that we could write for custom scenarios that enable us to intercept certain request parameters on the OAuth server requests (and add additional fields to the token endpoint response)?

For info: SMART App on FHIR is the conformance on top of OAuth 2.0 and OpenID Connect, but there are not many open source providers available for this solution, so we are trying to evaluate if we can build it with Hydra.

It is not possible to write extensions or plugins for ORY Hydra. I do not know the SMART or FHIR standards, so I don’t really know what’s needed and what isn’t, which means I can’t really answer your question regarding this.

Thank you for responding. I know it's not defined anywhere in OAuth 2 or OpenID Connect and has come up as a standard for health care applications.

(Just for info, in a nutshell) SMART on FHIR capabilities: it requires the OAuth server to accept an additional “launch” parameter, in addition to all those supported for the authorization code flow, and to return the response with certain additional fields, depending on the value of the launch parameter passed to it earlier when requesting the authorization code.
We could build something here provided there’s a way in Hydra to support some interceptors/plugins/extensions.

Could you point me to the relevant specification and specific section where this is explained? Thank you!


This page lists the auth flow at a high level for both scenarios, EHR launch and standalone launch of a healthcare 3rd party app, which is part of the SMART app launch criteria

This page defines the scopes that the client should have. Most of them are standard except the “launch” and “launch/*” related ones, which seem to add a different behavior on the auth server - (Section 3 defines how the context data is shared from the EHR application to the 3rd party app using the launch parameter and then passed on to the OAuth server, which then returns the context information back to the 3rd party app/client.)

This page lists the conformance criteria with links to the other pages above -

Thank you for showing an interest.
Hope this helps.
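
The launch flow described in this thread, as an added example that is not part of any post and is not ORY Hydra or SMART reference code: a toy authorization server that binds the launch context to the authorization code and returns it as extra token response fields. The class and method names, the `patient` field and all sample values are assumptions constructed for illustration.

```python
import secrets

class LaunchAwareAuthServer:
    """Toy authorization server: binds an EHR launch context to the code it issues."""

    def __init__(self):
        self._launches = {}  # launch id -> context registered by the EHR
        self._codes = {}     # authorization code -> grant details

    def register_launch(self, context):
        # The EHR keeps the context server-side; the app only sees an opaque id.
        launch_id = secrets.token_urlsafe(16)
        self._launches[launch_id] = dict(context)
        return launch_id

    def authorize(self, client_id, scopes, launch=None):
        context = {}
        if "launch" in scopes:
            # Unknown or already-used launch ids are rejected; pop() makes them one-time.
            if launch not in self._launches:
                raise ValueError("invalid_request: unknown launch")
            context = self._launches.pop(launch)
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "scopes": list(scopes),
                             "context": context}
        return code

    def token(self, client_id, code):
        grant = self._codes.pop(code, None)  # authorization codes are single-use
        if grant is None or grant["client_id"] != client_id:
            raise ValueError("invalid_grant")
        # Extra fields come only from the context bound at authorization time,
        # never from token-endpoint input; the standard fields are written last
        # so a context key can never overwrite them.
        return {
            **grant["context"],
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "scope": " ".join(grant["scopes"]),
        }


def demo():
    server = LaunchAwareAuthServer()
    launch_id = server.register_launch({"patient": "constructed-patient-123"})
    code = server.authorize("app-1", ["openid", "launch"], launch=launch_id)
    return server.token("app-1", code)
```
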