in our case we have multiple authentication sources (a legacy oauth-based login that we will migrate to kratos in the future, custom access tokens, and hydra oauth tokens) that we use oathkeeper to mutate into a single internal id_token so our internal services only have to know how to parse and validate the id_token, i wouldn’t use oathkeeper if just using kratos and keto were enough for our use cases, but this keeps our unfortunately complicated authn much more independent of our application logic