# ory-selfhosting
b
How can I add additional key values to the Ory Kratos cookie? The use case I'm exploring is embedding `userId` etc., like you'd probably do with a JWT. Suggestions as to how it could be solved with Oathkeeper would be interesting as well 🙏
m
Sorry, I cannot help you, but I'm curious if you figured it out? For Kratos it can be done by adding it to a user's identity or metadata (through the admin endpoints), but how Kratos maps to Oathkeeper I don't know.
b
I didn't 😕 Adding it to the metadata means DB lookups for every request though, right? Or are the decoded cookie's contents the same as the metadata?
m
I figured that there are a number of options: 1. Do the lookup. If you run in AWS there should be <=10ms latency if you run your Kratos next to your other service; you can cache the lookup for as long as the expiry in Redis or whatever (but then you'd have to do that call as well). 2. You can exchange your session cookie or token for your own JWT from your API/service that needs an authenticated user. You exchange the session cookie/token for a JWT by using the Kratos admin endpoints.
b
Thanks, but does that mean that the Ory Oathkeeper JWT functionality just gives you another format for the cookie, without any of the other (usual) advantages that you get with JWTs? E.g. the possibility to validate 100 requests coming in within 10 secs by just decoding and checking the validity of the JWT expiry? Maybe you can confirm please @magnificent-energy-493? 🙏
m
You can say that Oathkeeper exchanges your session token / cookie (which are representations of your session ID) for a JWT with similar expiry times. I'm just assuming this. Please confirm this with someone more knowledgeable on this topic.
b
Thanks, hoping @magnificent-energy-493 can confirm. Our whole team has tried to figure this out to no avail, and we don't want to deploy Oathkeeper just to figure it out (ideally).
m
Hello @blue-caravan-99316, I don't really know, to be honest, if that would work for your case, but AFAIK you get a "usual" JWT with Oathkeeper. How many requests are you dealing with? What is the reason to use a JWT instead of doing a whoami call to Kratos? It would be great if we could contribute an example of JWT with Oathkeeper here: https://github.com/ory/examples/tree/master/oathkeeper I would be happy to support you in creating one!
b
Millions, but I can't share specifics (here) about traffic, unfortunately. The reason why we would like to use JWTs is that we can embed metadata directly in the JWT, avoiding expensive lookups. We could of course expose Kratos to all our infrastructure and hammer Kratos for every single request, but it would be way better to share the crypto keys for decrypting the JWT in all services, exposing frequently accessed metadata for the user at literally no expense (vs. 1 DB lookup for every single request). Oathkeeper is awesome in that regard, but I just don't know what the JWT holds when it's decrypted and if it's even possible to change the contents. I know the pros and cons of both approaches, for example invalidation in the case of JWTs. But with a customisable JWT refresh interval we would be able to at least avoid 100 API requests within 1 minute triggering 100 DB calls (or millions if we have a couple of thousand users simultaneously).