# talk-keto
v
Also, is it possible to couple the Oathkeeper decision API with Keto? If so, how does it work? How can complex checks be made? Or should it be my application that always calls Keto?
a
You can use the `remote_json` authorizer in Oathkeeper to call the check API in Keto. The configuration can be dynamic from the URL match group (regex), but you still have a single "check" call. If you need more complex queries, two solutions: 1. Maybe your Keto relation tuples did not really match your authorization query; I think it's always better to be able to check auth in a single, or at least a minimum number of, checks. 2. You need a slim microservice to handle the check logic if complex queries are needed.
v
Hi, thanks for answering! I agree with the solutions you have given. I’m not sure I’ll be able to cover all of my needs with solution 1 but I’d like to not use solution 2 for as long as I can. The idea of having part of my security checks made by Oathkeeper -> Keto and part by my backend calling Keto directly seems a bit unmaintainable and error prone to me. I like the idea of complete delegation of security checks to Keto through Oathkeeper. I also like the single-check philosophy you proposed. I believe implementing one complex check might be more sustainable and efficient than a battery of simpler checks made calling Keto from the backend. This also makes unit testing of the security easier and more reliable as it is only scoped around Keto and not Keto + backend. Thanks again!