Hi, I want to make a transition from Keycloak to Ory. But I don't know if Ory is suitable. I have multiple microservices that are accessible via REST api. Next to this there is a frontend, that makes calls to those rest apis. In the future there should be a mobile app too. One important part is that the microservices might call each other at specific times, so these routes should only be accessible internally by this microservice and not by the users. When coming to permissions I have introduced different roles that restrict the api and are getting parsed at the frontend to conditionally render pages, if you have the rights for it. This is currently only done by issuing a jwt from keycloak that includes the roles in the payload which get checked per middleware in each service. As I want to make a transition to Ory, I was wondering if this is all possible when using Kratos, Keto and Oathkeeper for user management and authentication/permission controll. I have seen, that Oathkeeper works like a reverse proxy before the services so I wouldn't have to parse or validate inside the servuces itself. Would Ory work for my planned ideas?

Yep, Ory would work for this - what you've described is very similar to what we're doing with Ory at the moment.

Should I use oathkeeper to check permissions with it, or should I implement this in a custom middleware inside the flask or nextjs app, maybe via jwt? What is the best approach for this?

You could use Mutators within oathkeeper to take the incoming request, and transform the request to define whether permission should be granted or not, that's probably the easiest approach, If your roles are quite complex (thinking RBAC type access), then you're probably better with Keto and using that for the permission lookup instead