Hello,
we are moving to Hydra to support token-based authentication for external and internal clients. These clients are often using the authorization code flow but sometimes also the client credentials flow. At the same time we have some internal, legacy applications that are using our old login/authentication service (which is self-implemented). The legacy system is using the concept of JWTs.
Now we have the case where a legacy application needs to access a new API that only accepts tokens issued by Hydra. Is there any way to exchange our own tokens for a token from Hydra? In this case we need a token that identifies a user, but we don't want the user to re-authenticate.
One option could be to specify our old login system (or a proxy) as the login_url in hydra. This proxy could then just accept the login request from Hydra if there is already a token from our old login service present. But this would require a new "login cascade" and would disrupt the user experience because the application would need to reload (the application is a single page application).
I'm looking for something like the OAuth 2.0 Token Exchange Grant (https://connect2id.com/products/nimbus-oauth-openid-connect-sdk/examples/oauth/token-exchange#:~:text=Token%20exchange%20(RFC%208693)%20is,to%20be%20swapped%20for%20another.&text=The%20exchange%20occurs%20at%20the,exchange%20)%20established%20for%20the%20purpose.).
Is it possible to configure Hydra to trust a token that was not issued by Hydra itself for a token exchange? Is https://www.ory.sh/docs/hydra/reference/api#operation/trustJwtGrantIssuer the right way for the Token Exchange Grant with another Token Issuer?
numerous-umbrella-61726
05/24/2022, 5:14 PM
are you trying to use hydra to implement authentication? i.e. are you trying to know who the user is?
late-france-48187
05/24/2022, 5:39 PM
No, authentication itself is done in a separate service.
We are using Hydra to authorize applications to access resources on behalf of a user.
The "legacy-app" now needs to access resources from a resource server that only accepts tokens issued by Ory. But our legacy-app currently only has a JWT issued by our own, self-made "token issuer" (it is not OAuth/OIDC compliant). We need an easy way to exchange the "legacy-token" with the "hydra-token".
But of course both tokens need to contain the same value in the "sub" claim. Because if I call the resource server with "/my-protected-resource" the resource server somehow needs to know who the user is.
numerous-umbrella-61726
05/25/2022, 9:45 AM
it sounds like oathkeeper may be a better solution here, that’s exactly what we’re doing to use both legacy tokens and hydra tokens to access our graphql backend, so your backends only need to process oathkeeper-generated id_tokens, and oathkeeper can handle the authentication step against whatever client-level tokens you may use (e.g. legacy tokens, hydra tokens, cookies, etc)
late-france-48187
05/25/2022, 4:54 PM
Nice! This is exactly what I'm looking for. Thank you. :)