# talk-hydra
b
Hi people, I am a beginner with Hydra, but I hope I understood the main concept of OAuth and OIDC. Still, I have some key points that I am thinking about. Let's say I'm building an API where I want to hide specific endpoints from non-authorized users. These endpoints are accessible for a client with an access token under a specific scope, right? Questions: Where are the scopes defined, and where do I check if access should be granted based on the scope? Do I have to check that in my API, or could it be done via oathkeeper? I hope that the question is understandable. Thanks!
r
We don't use hydra yet, but kratos (user management) and oathkeeper. The way it works is, oathkeeper is configured to respond to various routes, and for "this requires a user" it then uses the Authorization header (in a request) or a cookie (session) to authenticate the user (using its authorizer and a mutator). So my backend just knows "there is a user". If for some reason the authorizer "fails", my backend doesn't even get the request. Now hydra would come in if you "authenticate" on behalf of the user, but IMO that's outside of what you describe. I think you need a user management piece (can be kratos) and then integrate that with hydra to create tokens for the user with the scope, etc. Your backend is another concern.
if you need a more granular set of checks than "this is a valid user" then you have to either implement that in your backend, or off-load to a service like keto.
it's a bit much 😄
b
Thank you for your answer. I'm already using Kratos as my Identity Provider and also tried oathkeeper. But with only kratos, the oathkeeper just checks on specific configured API routes whether a user session exists or not. And here I was wondering how hydra comes into play and how to check the scopes of access tokens, since a scope gives permission to certain 'areas' of your API, as I understand.