OAUTH2_ACCESS_TOKEN_STRATEGY=jwt does not work #3056

Closed
3 of 6 tasks
GuiTeK opened this issue Apr 4, 2022 · 2 comments
Labels
bug Something is not working.

Comments

GuiTeK commented Apr 4, 2022

Preflight checklist

Describe the bug

I want Ory Hydra to issue JWTs instead of Opaque tokens.

I saw this issue & associated PR:

Which suggest that setting the environment variable OAUTH2_ACCESS_TOKEN_STRATEGY=jwt will make Hydra issue JWTs instead of Opaque tokens.

However, it does not work. A quick grep in the source code of Hydra shows that OAUTH2_ACCESS_TOKEN_STRATEGY is only present in a test file and does not appear in the actual source code of Hydra.

Is that expected? Was it intentionally removed?

FYI setting strategies.access_token: jwt in the Hydra configuration file works as expected and JWTs are issued.

Reproducing the bug

  1. Run the commands below (very similar to this guide)
  2. Note that the token returned by hydra token client is an opaque token and not a JWT.
```shell
docker network create hydraguide

docker run --network hydraguide \
  --name ory-hydra-example--postgres \
  -e POSTGRES_USER=hydra \
  -e POSTGRES_PASSWORD=secret \
  -e POSTGRES_DB=hydra \
  -d postgres:9.6

export SECRETS_SYSTEM=$(export LC_CTYPE=C; cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

export DSN=postgres://hydra:secret@ory-hydra-example--postgres:5432/hydra?sslmode=disable

docker run -it --rm \
  --network hydraguide \
  oryd/hydra:v1.11.2 \
  migrate sql --yes $DSN

docker run -d \
  --name ory-hydra-example--hydra \
  --network hydraguide \
  -p 9000:4444 \
  -p 9001:4445 \
  -e SECRETS_SYSTEM=$SECRETS_SYSTEM \
  -e DSN=$DSN \
  -e URLS_SELF_ISSUER=http://127.0.0.1:9000/ \
  -e URLS_CONSENT=http://127.0.0.1:9020/consent \
  -e URLS_LOGIN=http://127.0.0.1:9020/login \
  -e OAUTH2_ACCESS_TOKEN_STRATEGY=jwt \
  oryd/hydra:v1.11.2 serve all --dangerous-force-http


docker run --rm -it --network hydraguide -e OAUTH2_ACCESS_TOKEN_STRATEGY=jwt \
    oryd/hydra:v1.11.2 \
    clients \
    create \
    --endpoint http://ory-hydra-example--hydra:4445 \
    --grant-types client_credentials \
    --response-types token \
    --audience 'AUD4' \
    --id 'CLIENT4' \
    --secret 'SECRET4'

docker run --rm -it --network hydraguide -e OAUTH2_ACCESS_TOKEN_STRATEGY=jwt \
    oryd/hydra:v1.11.2 \
    token \
    client \
    --client-id 'CLIENT4' \
    --client-secret 'SECRET4' \
    --endpoint http://ory-hydra-example--hydra:4444
```

Relevant log output

None

Relevant configuration

None

Version

v1.11.2

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Docker

Additional Context

No response

@GuiTeK GuiTeK added the bug Something is not working. label Apr 4, 2022
Member

aeneasr commented Apr 5, 2022

The referenced issues are from 2016, almost 6 years ago (feels old man). Please use the official documentation to configure this:
https://www.ory.sh/docs/hydra/advanced#json-web-tokens

@aeneasr aeneasr closed this as completed Apr 5, 2022
@rawnsley

For future searchers: it looks like this environment variable is now called STRATEGIES_ACCESS_TOKEN
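
A silently ignored strategy setting is easy to miss, so the issued token itself is worth checking after any configuration change. The following is an added example, not part of the original thread or of Hydra's code: it classifies an access token as a JWT or an opaque token by structure alone. The function name `classify_access_token` and both sample tokens are constructed for illustration; the sample claims reuse the client and audience values from the reproduction steps.

```python
import base64
import binascii
import json
import sys


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment, rejecting foreign characters."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.b64decode(padded, altchars=b"-_", validate=True)


def _b64url_encode(obj) -> str:
    """Encode a JSON object as an unpadded base64url segment (sample data only)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def classify_access_token(token: str) -> dict:
    """Return {"kind": "jwt", "header", "claims"} or {"kind": "opaque"}.

    Structure check only: the signature is NOT verified, so the decoded
    claims must never be used to authorize a request.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {"kind": "opaque"}
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"kind": "opaque"}
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return {"kind": "opaque"}
    return {"kind": "jwt", "header": header, "claims": claims}


# Constructed samples: a JWT-shaped token with a placeholder signature, and a
# two-segment string standing in for an opaque token.
SAMPLE_JWT = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({"iss": "http://127.0.0.1:9000/", "sub": "CLIENT4", "aud": ["AUD4"]}),
    "c2lnbmF0dXJl",
])
SAMPLE_OPAQUE = "b3BhcXVlLWtleQ.b3BhcXVlLXNpZw"

if __name__ == "__main__":
    # Reads one token from stdin and prints its kind.
    print(classify_access_token(sys.stdin.read())["kind"])
```
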
