To replicate the “anonymous” user feature of Firebase Auth with Ory, you can use the Ory Oathkeeper's anonymous authenticator. This authenticator allows requests without credentials and assigns them a configurable subject (such as "anonymous", "guest", or "anon"). Here’s how it works: - If a request does not include an Authorization header, the anonymous authenticator sets the subject to your chosen anonymous username. - You can configure this both globally and per access rule. Example configuration in Oathkeeper:

yaml authenticators:   anonymous:     enabled: true     config:       subject: guest

Example access rule:

json {   "id": "some-id",   "upstream": {     "url": "<http://my-backend-service>"   },   "match": {     "url": "<http://my-app/some-route>",     "methods": ["GET"]   },   "authenticators": [{     "handler": "anonymous"   }],   "authorizer": { "handler": "allow" },   "mutators": [{ "handler": "noop" }] }

With this setup, any request without credentials will be treated as coming from an "anonymous" user. If credentials are provided but only the anonymous authenticator is enabled for the URL, the request will be rejected as unauthorized. You can customize the subject name as needed (e.g., "guest", "anon") in the configuration. This approach closely mirrors Firebase Auth's anonymous user feature, allowing you to handle unauthenticated users in your application logic as needed [Oathkeeper anonymous authenticator](https://www.ory.sh/docs/oathkeeper/pipeline/authn#anonymous). If you need to assign a temporary identity or session to anonymous users (as Firebase does), you would need to implement additional logic in your application, as Ory Oathkeeper's anonymous authenticator only sets a static subject and does not create persistent user records or sessions for anonymous users.