# talk-oathkeeper
a
Curious if there is an advantage to the JWT being signed when forwarding oathkeeper requests using the id token mutator? If the target service is internal (and only available behind oathkeeper), validating the signature isn't so important, right? I guess it's important if the service is also available via other paths that don't go through oathkeeper?
n
If you're certain your networking only allows traffic from oathkeeper, you're right, it's probably redundant. However, in keeping in line with the zero-trust approach, it's probably still a good backup to have just in case, and it should be negligible to performance.