Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hello, I was reading the documentation about Permission check and Permission model, and I wonder can an Ory OAuth2 Client be an User in this example?
<https://www.ory.sh/docs/keto/modeling/create-permission-model>

Let's say I have a 3rd party using my API and they authenticate through Ory OAuth2 Client. As long as they (or any other 3rd party) authenticate through that client, they will have specific permissions, or maybe I can check the permissions using REST API using the client_id?

Yeah, the "user" (ie the subject) in keto is simply a string, so any string that is unique for each client, and also persistent throughout all sessions can be used as the subject for permission checks. The client_id sounds ideal to my ears :slightly_smiling_face: