# ory-network
Hey folks, we are trying to do the following:
• Allow a user to log in via webapp client (in this case weweb).
• After logging in, user makes requests to our backend (a Python backend).
• Our backend must be able to validate the identity of the user. So, they should be passing some sort of token which the backend can confirm with Ory.

Can anyone suggest how we should be doing this? OAuth for the initial webapp login, then store some sort of token to be sent to the backend? How would we get the token to be sent to the backend (JS code or curl example would be nice)? How does the backend validate that token with Ory?
Hi @famous-nightfall-97614
Include the cookies from your webapp in the request to your backend. Then validate the cookie with Ory from your backend. Some options:
1. Convert the cookie to a JWT (after it has been validated against Ory) for upstream validation with other backend services
2. Add a reverse proxy in front of the entire backend which does the cookie validation with Ory per request.

Both options here can be done through Ory Oathkeeper, but it will mean hosting and managing another service. https://www.ory.sh/docs/oathkeeper/

Ory has a caching endpoint for the session check and is served on the edge, which means you should get sub-50ms per check.
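
The backend-side cookie check described in the reply above, sketched in Python as an added example that is not part of the original thread or Ory's own code. It assumes the check goes to Ory's `/sessions/whoami` endpoint with the browser's `Cookie` header forwarded; the cookie name `ory_session_example`, the identity id and the local stub server are constructed so the block runs offline.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def validate_session(cookie_header, ory_url, timeout=3.0):
    """Return the Ory identity id for the forwarded cookies, or None (fail closed)."""
    if not cookie_header:
        return None
    req = urllib.request.Request(
        ory_url.rstrip("/") + "/sessions/whoami",
        headers={"Cookie": cookie_header, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            session = json.load(resp)
    except (OSError, ValueError):
        # 401 (missing or expired session), network failure, bad JSON: reject.
        return None
    if not isinstance(session, dict) or not session.get("active"):
        return None
    return (session.get("identity") or {}).get("id")

class _StubWhoami(BaseHTTPRequestHandler):
    """Constructed stand-in for the Ory session check, for offline runs only."""
    def do_GET(self):
        cookies = self.headers.get("Cookie", "")
        ok = self.path == "/sessions/whoami" and "ory_session_example=valid" in cookies
        payload = ({"active": True, "identity": {"id": "user-123"}}
                   if ok else {"error": {"code": 401}})
        body = json.dumps(payload).encode()
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_stub():
    """Start the stub on a free local port and return its base URL."""
    server = HTTPServer(("127.0.0.1", 0), _StubWhoami)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}"

if __name__ == "__main__":
    url = start_stub()  # in production: your Ory project URL (placeholder here)
    print(validate_session("ory_session_example=valid", url))
    print(validate_session("ory_session_example=forged", url))
```

In a real backend, pass the incoming request's `Cookie` header and your Ory project URL; the webapp has to send requests with credentials included so the browser attaches the cookie.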