Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

<https://ory-community.slack.com/archives/C01340V8KSM/p1653424416795899>
could someone help with this please.

It feels like Ory have given up on their Slack community, so you shouldn't expect an official answer in any of the Slack Channels.

I don't think what you're asking is possible. To me it seems Oathkeeper is completely declarative. The closest you'd get to doing something dynamically is using mutators to add headers etc.. I think you'll need a static rule with the `jwt` authenticator and a jwk url on your service; then, after that you could have a simple router/proxy service which extracts the correct backend from the jwt and routes it to the correct backend.

Oh, and you shouldn't need to "revoke" jwt tokens in general. The whole point of them is that they're stateless (and carry meaningful data ofc). You _can_ validate a jwt against some session storage or a revocation list, but it should never be necessary. You should rely on the `exp` claim instead and only issue short lived tokens (like you already do). If you really really need to revoke tokens, you can rotate the JWK or use some kind of session storage.