# general
How do I configure hydra to reject the auth flow if the current user is not allowed to access the client app that initiated the flow?
You can use oathkeeper and configure the cookie_session authenticator. In that case, oathkeeper passes only authenticated requests to hydra. The example configuration of oathkeeper.yml and access-rules
The app can access user info stored in kratos through the `sessions/whoami` endpoint, but this is possible only if the app runs on the same domain as kratos because of the cookie domain configuration. Apps on a different domain can't access the kratos session.
You can use oathkeeper's mutators (id_token, for example) and pass the information to Hydra. On accept login, you can add JSON information about the user (without personal data, e.g. user_id) and use the adminGetIdentity API method.
I think that using oathkeeper can save you time by passing only authenticated requests to your backends. You can handle the rest by implementing middlewares (e.g. get the identity_id from the session and fetch the data about this identity).
Thanks for the reply ... I'll have a look at oathkeeper and see how to go about this.