# ory-copilot
Can I use Ory Hydra as an identity broker? I have a B2B application where each customer brings their own identity provider, and we enable SSO via OIDC. However, I don't want to manage their identity tokens throughout my application. Instead, can I immediately exchange their identity token for one of my own using Ory Hydra, and then perform all following requests and auth using that Hydra token? @chilly-king-10285
A message from kapa.ai
Yes, you can use Ory Hydra as an identity broker in your B2B application scenario. Ory Hydra supports the use case you've described, where you can exchange external identity tokens for your own tokens. This approach is known as token exchange or token transformation.

Here's how you can implement this with Ory Hydra:

1. Set up Ory Hydra as your OAuth2 and OpenID Connect provider.
2. Configure Ory Hydra to trust the external identity providers of your customers. This can be done using the JWT Bearer grant type, which allows you to exchange JWT tokens from trusted issuers for Hydra access tokens.
3. When a user authenticates with their company's identity provider, you receive their identity token.
4. You can then exchange this external token for a Hydra access token using the JWT Bearer grant type.
5. Use the Hydra access token for all subsequent requests within your application.

This approach allows you to standardize authentication within your application while still supporting multiple external identity providers.

To implement this, you'll need to:

1. [Set up Ory Hydra](https://www.ory.sh/docs/hydra/5min-tutorial) as your OAuth2 server.
2. [Configure trusted issuers](https://www.ory.sh/docs/hydra/guides/jwt) for the JWT Bearer grant in Hydra.
3. Implement the token exchange flow in your application.

It's important to note that while this approach is possible, it does add complexity to your system. You'll need to manage the trust relationships with multiple identity providers and handle token exchange securely.

For more detailed information on using JWTs with Hydra, you can refer to the [Ory Hydra JWT guide](https://www.ory.sh/docs/hydra/guides/jwt).

Remember that this setup requires careful configuration and security considerations. Always follow best practices for OAuth2 and OpenID Connect when implementing such a system.
Is this a recommended approach? Or is there any way I can manage this scenario, with SSO to many identity providers, using only Ory Kratos? @chilly-king-10285
A message from kapa.ai
Based on the knowledge sources provided, I can offer some insights on managing your B2B SSO scenario using Ory Kratos instead of Ory Hydra. Ory Kratos is indeed capable of handling social sign-in and SSO with multiple identity providers, which could be a good fit for your B2B application where each customer brings their own identity provider.

Here's why this approach might be recommended:

1. Simplified Architecture: Ory Kratos provides built-in support for social sign-in and OIDC providers. This means you can manage multiple identity providers without the need for an additional identity broker like Hydra, potentially simplifying your architecture [Docs > Kratos > Social-signin > Get started with social sign-in](https://www.ory.sh/docs/kratos/social-signin/overview).
2. Automatic Account Linking: Kratos supports automatic account linking for OIDC providers, which can be useful in a B2B context where users might have multiple accounts [GitHub discussion on account linking](https://github.com/ory/kratos/discussions/3673).
3. Multiple Accounts per Provider: Kratos allows users to link multiple accounts from the same OAuth2 server (e.g., multiple Google accounts) to a single Kratos identity, which could be beneficial in a B2B setting [GitHub discussion on multiple Google accounts](https://github.com/ory/kratos/discussions/3780).
4. Token Management: Kratos can manage the tokens issued by social sign-in providers, allowing you to retrieve these tokens when needed [Docs > Kratos > Social-signin > Get social sign-in provider tokens](https://www.ory.sh/docs/kratos/social-signin/get-tokens).

To implement this approach:

1. Configure each customer's identity provider as a social sign-in provider in Kratos.
2. Use Kratos' OIDC strategy to handle authentication with these providers.
3. Leverage Kratos' automatic account linking feature to associate external identities with your application's user accounts.
4. Use Kratos' APIs to manage and retrieve tokens when needed for interacting with the external providers.

This approach allows you to centralize identity management within Kratos, potentially reducing complexity compared to using both Kratos and Hydra.

However, it's important to note that the best approach depends on your specific requirements. If you need more advanced OAuth2 features or want to become an OAuth2 provider yourself, you might still consider using Hydra alongside Kratos [Why you probably do not need OAuth2 / OpenID Connect](https://www.ory.sh/oauth2-openid-connect-do-you-need-use-cases-examples/).

For a B2B use case focused primarily on SSO with multiple identity providers, using Kratos alone could be a recommended and simpler approach.