Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hey everyone,

I’m using Oathkeeper + Kratos to protect services and populate upstream requests with customer details using the hydrator and header mutator, which works great!

Now, I need to extend this setup to enable API access for customers via Hydra using the client_credentials flow. My plan is to validate tokens with Hydra’s _/admin/oauth2/introspect_ and retrieve client metadata from _/admin/clients/{id}_ to populate requests.

Does this approach make sense? I’m unsure if it can be done directly with Oathkeeper and Hydra since the hydrator uses POST requests, while Hydra’s client details endpoint requires GET. The formats don’t seem to align perfectly, and I wonder if I’ve missed something in the documentation.

could you use the <https://www.ory.sh/docs/hydra/guides/claims-at-refresh|token hook> to set your data? that way oathkeeper remains ignorant :shrug: