Is there a pattern with Kratos/Hydra/Oathkeeper to...
# generalc
curved-ram-6189
09/15/2025, 2:29 PMIs there a pattern with Kratos/Hydra/Oathkeeper to convert a Kratos session token into an OAuth2 access token that identifies a user (not a machine)? I've not seen one and I'm not sure how you would go about that? Thinking in the context of using the Kratos direct login APIs, then also needing to make calls to another API which is protected by an OAuth2 access token (provided by hydra).
b
bland-eye-99092
09/15/2025, 2:52 PMKratos supports converting the session to a JWT: https://www.ory.sh/docs/identities/session-to-jwt-cors
maybe that solves your issue?
c
curved-ram-6189
09/15/2025, 2:53 PMI'm not sure that it does, becuase that JWT would not contain scopes for the target API (or any of the other access token required fields like audience and so on). Unless I'm missing something?
s
steep-lamp-91158
09/16/2025, 8:31 AM
otherwise you need to do a full oauth2 flow
c
curved-ram-6189
09/16/2025, 12:05 PMThat's what I thought, and unless you do an authorization_code flow, the access_token you receive will not have a user-specific Id in it? That would include any user-specific claims or info?
I don't think even OAuth2 Token Exchange (if it was supported by Hydra) would help in this instance, since I think the JWT submitted in that case must be a valid access or id token?
curved-ram-6189
09/16/2025, 12:06 PMWhat I'm trying to determine is if you go "non-OAuth" if it's all or nothing, or if there's a way to weasel back.
s
steep-lamp-91158
09/16/2025, 2:35 PM
no you can't just use "a part of oauth2"
steep-lamp-91158
09/16/2025, 2:36 PM
but you could use oathkeeper/someting to abstract the authentication away from the service
so that oathkeeper resolves and checks sessions/oauth2 tokens, and issues internal jwts for the downstream service that are always the same structure
👍 1
3 Views