Hi everyone, what is the reason for using stateful session/cookie and supporting stateless access tokens (JWT)?
Is there a way I can make the solution works with stateless solution?
10/01/2021, 8:45 AM
do you mean in kratos?
10/01/2021, 2:11 PM
I don't understand your question.
Given Hydra, Kratos & Authkeeper (AK) are installed. I would like to auth the user using AK (proxy or forward auth).
When OAuth is used, AK validate the request using the JWKS endpoint of Hydta.
On the other hand, when Kratos is used, the user is given a session/cookie, in that case, AK need to communicate with Kratos to authenticate the request.
I would like that my clients (browser) will use JWT instead of session/cookie which will allow AK to authenticate the request in a similar manner to Hydra/OAuth flow.
10/01/2021, 3:01 PM
With JWTs you have effectively no way of revoking them, as you can only wait for them to expire. This was not a secure option for us to implement logout.
10/02/2021, 12:07 PM
Good point, but you can blacklist JWT if needed
1. internal/server-to-server communication, can I use ORY for authenticating such request?
I would I assume that there is a way to register a trusted OAuth client.
Trusted client should not go through the consent flow & are limited by scopes only.
2. outgoing/server-to-server communication. Can my ecosystem communicate with external/3rd-party services using ORY?
I would like to communicate with 3rd-party services with JWT.
The 3rd part in turn, can validate the JWT using Hydra's JWKS endpoint