Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I’ve been sifting through mountains of documentation and tutorials to no avail. Can someone confirm that there is NOT in fact possible to get a JWT from Ory that my API Management Gateway can then validate through one of it’s built in policies?

There is if you throw an oathkeeper into the mix :sunglasses:

At least I thought it supported token exchange (or rather proxying) from an ory cookie, but I can't find the docs to back it up. Maybe I've dreamt?

Maybe you'll find the answer to your dreams here? <https://www.ory.sh/docs/oathkeeper/pipeline/mutator>

Hi <@U04FPUH2G6L> and <@U058W51D9TN>

Also see this link <https://www.ory.sh/docs/security-model#what-about-json-web-tokens>
it references an issue discussing this topic

Thanks delved into doco details last night thanks to <@U04FPUH2G6L>. The fact that i need to add another layer to attach to my API calls is problematic to me. It’s removing the ‘turnkey’ out of the ‘turnkey solution’

<@U058W51D9TN> Yeah, I'm inclined to agree