# talk-oathkeeper
a
I am experimenting with configuring Oathkeeper to do introspection in collaboration with Hydra. I was aiming for a configuration that would forward the introspected token from Hydra downstream to the backend. However, I do not see an option to forward the raw access token from Hydra. Is this by design? Or am I missing some option to do this?
n
if you don’t mutate the request, oathkeeper simply forwards the request as it received it, in this case with the hydra token still in the Authorization header - https://www.ory.sh/docs/oathkeeper/pipeline/mutator#noop
a
That makes sense. In my experiment, the incoming request contains an opaque token, so I was hoping that the introspection would exchange that into a non-opaque token, which could then be forwarded downstream. I assume that requires a mutation of some kind. And I do not see a way of doing this. If this is not supported and not a conscious design choice, I am willing to make a contribution to Oathkeeper to build in support for it.
n
a
If I understand the id_token mutator correctly, it will issue a new ID token based on the data in context. That does not entirely match what I am aiming for. What I would like to do is pass the exchanged access token from Hydra downstream without tampering with it. The result of the exchange with Hydra is not saved anywhere in the introspection handler, so I assume that it is not possible to do this.
n
introspection doesn’t exchange the token for another token, it just receives a JSON response with data about the token, so there’s no new token to pass downstream
a
Ah, that explains it then. Thank you for clarifying that.