Hey guys, can i configure a localhost webhook as a...
# ory-network
i
Hey guys, can I configure a localhost webhook as an OAuth2 token that can be triggered with Ory Tunnel?
e
Not currently to my knowledge, but you can use another service like ngrok to expose your localhost web service.
i
I also have not been able to understand how I can convert my session to a Hydra client JWT access token. I have seen configuration like this for self-hosted setups but not Ory Network. I understand that Ory Network integrates Kratos and Hydra together, but how can I configure it to return an access token that uses a webhook to add custom claims?
e
Does it need to be an access token or just a JWT? Typically the latter fits most use cases as they are nearly identical. If that is the case check here: https://www.ory.sh/docs/identities/session-to-jwt-cors#json-web-token-claim-mapper
i
It could be just a JWT, but in this case how could I add custom business data (scope groups and internal user ID), considering that the Kratos identity should be kept lean?
e
You don’t have to use traits if you want to keep the system lean, but metadata might be a place you can store this business logic.
i
I know this might be far-fetched and an extreme edge case, but in the case where we are running our app in an iframe (Teams app) we might want to start a session for a user that we have authenticated from an external token. Is there a way to use this token somehow and then create a session as an admin for that user?
e
You will have issues with iframes and any Ory out-of-the-box UI, as we don’t allow iframing. But if your app just needs to check if the user has a session, the session/whoami endpoint will validate that there is a session.
i
I understand, we are building out our custom UI, but what I want to confirm is that an admin can create a session for a user in this sense. For full context, this is why I asked about the JWT token: Teams apps don't support cookies. I would like to take their Teams token, validate it and then possibly issue an Ory session for them so our internal services can be sure that this user is authenticated.
e
Ah, ok. You would have to use the native login flow APIs for this rather than browser flows. You might want to think about using OIDC here and having their Teams instance (your app in their Teams) be a client of your Ory project. That might be a better flow.
i
I'm not sure I understand, do you have documentation on this?
e
Not directly, no. Basically your Teams app would be an OIDC/OAuth 2.0 client of your Ory project. You would need to research how to build OIDC into your Teams app. Alternatively, you can just use the native login flow API to submit the credentials for the user on the backend (server to server) and get a session token in response.
i
Thanks Jeff. If I go with the native flow, how would the authentication work for the user? I would need to have the user ID and password or some other prompt; in this case I only have the user's tokens from Microsoft, but I would like to unify our authentication process with Ory and not have some authentication with their token and some with Ory when the app is running on the web.
e
Well, you would just have to build your own login UI for it, is all. Ory only denies iframes on our UI, so if you build your own, you are all set.
i
The step I do not follow is how I can link a Kratos identity and a Teams token so they can receive a session JWT. I'm sorry if there is something obvious I am missing here.
e
I think you want to use Sign In With Microsoft so they can use their own MSFT credentials to sign into your app via OIDC, which would then technically be their Teams token.
i
I would prefer an approach where I can auto sign users in to the Teams app and not prompt them again. Would it make sense here to have the Teams app as a client and then perform a client credentials authentication to give this user an OAuth2 token? Or is this a bad approach?
I also stumbled across this repo: https://github.com/ApelegHQ/ts-hydra-rfc8693 not sure if you think this could be another approach.
e
You can use the standard access token flow. Have the user sign in to your app via the OIDC flow with Microsoft. This would give you an access token for the user.