I use Kratos+Oathkeeper+Keto. In my...
# ory-copilot
@chilly-king-10285 I use Kratos+Oathkeeper+Keto. In my front-end, I need to know which permissions the logged-in user has. Can I have this information in the user session?
A message from kapa.ai
To answer your question about getting user permissions in the session when using Kratos, Oathkeeper, and Keto, let's break it down into parts:

1. User Session: Kratos handles sessions, but it doesn't directly include permissions information.
2. Permissions: Keto is responsible for managing and checking permissions.
3. API Gateway: Oathkeeper acts as an Identity and Access Proxy.

While the user session from Kratos doesn't inherently contain permission information, you can combine these components to achieve what you need. Here's a possible approach:

1. Use Kratos to authenticate the user and create a session.
2. Use Oathkeeper as an API gateway to protect your endpoints and convert the Kratos session to a JWT.
3. In your backend, use Keto to check permissions for the authenticated user.
4. Include relevant permission information in the JWT or in the response to the frontend.

For step 2, you can use Oathkeeper's ID Token Mutator to convert the session information into a JWT. This JWT can then include claims about the user's permissions. As described in the [Zero Trust with Access Proxy guide](https://www.ory.sh/docs/kratos/guides/zero-trust-iap-proxy-identity-access-proxy#configuration):
```yaml
mutators:
  id_token:
    enabled: true
    config:
      issuer_url: http://127.0.0.1:4455/
      jwks_url: file:///etc/config/oathkeeper/id_token.jwks.json
      claims: |
        {
          "session": {{ .Extra | toJson }}
        }
```
You can modify this configuration to include permission information in the claims.

For step 3, you can use Keto's Check API to verify permissions for the authenticated user. The [Simple Access Check Guide](https://www.ory.sh/docs/keto/guides/simple-access-check-guide) mentions: "Once you authenticated the subject, you can perform permission checks by calling the check method of the OryPermissions client. The check method takes the subject, permission, and object as parameters and returns a boolean value indicating whether the permission is granted or not."

To get a list of permissions, you could use Keto's List API as described in the [API overview](https://www.ory.sh/docs/keto/concepts/api-overview): "This API allows you to query relationships by providing a partial relationship. It can be used to:

- list objects a user has access to
- list users who have a specific role"

You would need to implement this logic in your backend to fetch and include the relevant permissions in your responses to the frontend.

Remember, the exact implementation will depend on your specific permission model and application architecture. The Ory documentation doesn't provide a direct, out-of-the-box solution for including permissions in the user session, but it offers the components and APIs necessary to build this functionality.
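The backend step the answer leaves to the reader (list the subject's relation tuples in Keto, aggregate them, and hand them to the frontend in the response) as an added Go example. This is not code from the page, from Ory, or from kapa.ai. It assumes Keto's read API is reachable at `GET /relation-tuples` with `namespace`, `subject_id` and `page_token` query parameters and answers `{"relation_tuples":[...],"next_page_token":""}`; that Oathkeeper, not the ID token mutator shown above but its header mutator, forwards the Kratos identity ID in an `X-User` header; and the names `TupleLister`, `KetoReadClient`, `CollectPermissions` and `PermissionsHandler` are this example's own.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"sort"
)

// RelationTuple is a Keto tuple with a plain subject ID (subject_set tuples are ignored here).
type RelationTuple struct {
	Namespace string `json:"namespace"`
	Object    string `json:"object"`
	Relation  string `json:"relation"`
	SubjectID string `json:"subject_id"`
}

// TupleLister is the single Keto call this code depends on; a fake can satisfy it in tests.
type TupleLister interface {
	ListTuples(ctx context.Context, namespace, subjectID, pageToken string) ([]RelationTuple, string, error)
}

// KetoReadClient queries Keto's read API. Path, query names and response shape (GET /relation-tuples
// -> {"relation_tuples":[...],"next_page_token":""}) are assumptions; verify against your Keto version.
type KetoReadClient struct {
	BaseURL string // Keto read endpoint, e.g. http://127.0.0.1:4466
	HTTP    *http.Client
}

func (c *KetoReadClient) ListTuples(ctx context.Context, namespace, subjectID, pageToken string) ([]RelationTuple, string, error) {
	q := url.Values{"namespace": {namespace}, "subject_id": {subjectID}}
	if pageToken != "" {
		q.Set("page_token", pageToken)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, c.BaseURL+"/relation-tuples?"+q.Encode(), nil)
	if err != nil {
		return nil, "", err
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return nil, "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, "", fmt.Errorf("keto read api: status %d", resp.StatusCode)
	}
	var body struct {
		RelationTuples []RelationTuple `json:"relation_tuples"`
		NextPageToken  string          `json:"next_page_token"`
	}
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.RelationTuples, body.NextPageToken, err
}

// CollectPermissions follows pagination and groups the relations the subject holds per object,
// e.g. {"doc:1": ["edit", "view"]}, sorted so the frontend always sees a stable shape.
func CollectPermissions(ctx context.Context, l TupleLister, namespace, subjectID string) (map[string][]string, error) {
	out := map[string][]string{}
	for token := ""; ; {
		tuples, next, err := l.ListTuples(ctx, namespace, subjectID, token)
		if err != nil {
			return nil, err
		}
		for _, t := range tuples {
			// Defensive: keep only this subject's tuples in this namespace, whatever the server returned.
			if t.Namespace != namespace || t.SubjectID != subjectID {
				continue
			}
			out[t.Object] = append(out[t.Object], t.Relation)
		}
		if next == "" {
			break
		}
		token = next
	}
	for _, rels := range out {
		sort.Strings(rels)
	}
	return out, nil
}

// PermissionsHandler is the endpoint the frontend calls. X-User is trusted only because Oathkeeper
// (header mutator, assumed config) is the sole route to this service and sets it from the Kratos session.
func PermissionsHandler(l TupleLister, namespace string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		subject := r.Header.Get("X-User")
		if subject == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		perms, err := CollectPermissions(r.Context(), l, namespace, subject)
		if err != nil {
			http.Error(w, "permission lookup failed", http.StatusBadGateway)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]any{"subject": subject, "permissions": perms})
	})
}
```

Wire it with `http.Handle("/me/permissions", PermissionsHandler(&KetoReadClient{BaseURL: "http://127.0.0.1:4466", HTTP: http.DefaultClient}, "documents"))` behind an Oathkeeper access rule, and never expose the port directly, since the handler trusts the forwarded header. The list the frontend receives is for showing and hiding UI only; every action still has to be authorized server-side with a Keto check, because the copy in the browser goes stale as soon as a tuple changes.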