Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

I want to summarize my above post and generalize my question:

Is there a possibility to enrich the token that is returned by Hydra after a successful OpenID Connect flow with additional data from another API?

The use case is, for me, the following: I want to implement authn&amp;authz for a Kubernetes cluster (<https://faun.pub/kubernetes-auth-e2f342a5f269>). This works in a way that the user follows the normal OAuth2/OpenID Connect flow and gets a token. This token, however, has an additional key+value pair that specifies the groups the user is in. This additional piece of information is then used by Kubernetes to manage authorization.

The approach that <@U02U9MSKL9X> suggested was to use the Hydrator mutator of Oathkeeper. However, I am not really able to figure out how this flow would look like, if it is possible at all.

Did anybody encounter a similar challenge and tried to solve it with the Ory stack? As described in the blog article, it is no problem to implement this with other identity providers, like Keycloak. Therefore, I hope that it is not too difficult to do it with Ory either :wink: