# ory-selfhosting
Question for you guys: I use Hydra to basically authenticate users to my app using OAuth. However, if I view the logged-in user's sessions in Kratos after a while, the session has already ended, but the Hydra access token gets refreshed, for example, while the Kratos session is still not in an active state. Is this by design?
Hey @thankful-secretary-66849 Yes, this is by design. In Ory's architecture, Ory Hydra (OAuth2 provider) and Ory Kratos (identity/session management) operate independently. Hydra's refresh token flow does not, by default, check the state of the user's Kratos session when issuing new access tokens. As long as the Hydra refresh token is valid, it can be used to obtain new access tokens—even if the original Kratos session has expired or is no longer active. This separation is intentional and common in OAuth2 systems: refresh token validity is managed by Hydra, and session validity is managed by Kratos.