Support per-client configuration of token type (opaque/jwt) #3392
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- This issue affects my Ory Network project.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Describe your problem
We have a login solution based on Hydra that serves both internal clients (meaning oauth2 clients) and external clients.
For internal clients, we have an existing codebase that is built around JWT tokens and is hard to migrate to opaque tokens. These clients also use internal identifiers as subjects in access tokens.
For external clients, we would like to use the pairwise subjects feature and opaque tokens that come with it.
We also want to have Single Sign On support between internal/external clients.
Currently, Hydra only supports a global configuration of token types, which prevents us from enabling the pairwise subjects feature for external clients, while keeping internal clients unchanged.
Describe your ideal solution
It would be great to be able to configure token type per client, similar to how it is done with token TTL values. With that, our internal clients would stay on JWT tokens and internal identifiers as subjects, and we could also enable external clients with pairwise subjects and opaque tokens.
Workarounds or alternatives
- Switch all clients to opaque tokens and implement an opaque -> JWT translation layer for internal clients. This solution forces us to use a separate token issuer for JWT tokens.
- Migrate all clients to opaque tokens. This is a massive migration for us, with around 500 services involved and infrastructure not really built around introspection calls.
Version
2.x
Additional Context
No response
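The opaque -> JWT translation layer from the first workaround, as an added example that is not Ory's or Hydra's code: it takes the JSON that Hydra's admin introspection endpoint returns for an opaque access token (here a constructed dict; the HTTP call itself is left out) and mints an HS256 JWT from a separate internal issuer, keeping the subject as reported and never extending the expiry. The issuer URL and signing key are placeholders, and the verifier shows what an internal service would check.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed values for the demo, not Hydra's: the separate internal issuer
# and its HS256 key. In practice the key comes from a secret store.
INTERNAL_ISSUER = "https://internal-issuer.example"
SIGNING_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_internal_jwt(introspection: dict, now: int) -> Optional[str]:
    """Turn Hydra's introspection result for an opaque token into an internal JWT.
    Returns None for inactive, expired or subject-less tokens so callers fail closed."""
    if not introspection.get("active"):
        return None
    sub, exp = introspection.get("sub"), introspection.get("exp")
    if not sub or not isinstance(exp, int) or exp <= now:
        return None
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": INTERNAL_ISSUER,
        "sub": sub,  # the subject exactly as Hydra reported it
        "client_id": introspection.get("client_id"),
        "scope": introspection.get("scope", ""),
        "iat": now,
        "exp": exp,  # the JWT never outlives the opaque token it was derived from
    }
    dump = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = dump(header) + "." + dump(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_internal_jwt(token: str, now: int) -> Optional[dict]:
    """Check signature, issuer and expiry of a JWT minted above; None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signing_input = (parts[0] + "." + parts[1]).encode()
    expected = hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") != INTERNAL_ISSUER or claims.get("exp", 0) <= now:
        return None
    return claims
```

Because the translated JWT copies `exp` from the introspection result, revoking the opaque token in Hydra still bounds how long the derived JWT stays valid.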