Hello. I'm wondering if it's possible to do identi...
# talk-hydra
c
Hello. I'm wondering if it's possible to do identity brokering with Ory Hydra (and/or Kratos)? Something similar to how Keycloak does it? Basically just looking to have the server-side portion of the OIDC authorization-code flow handled for us. Preferably without requiring an interstitial consent screen (required by OAuth2 token exchange).
m
Hello @curved-ram-6189. Yes, identity brokering is one of the use cases that Ory Hydra is ideal for. You can skip the consent screen (basically instantly accepting it, without end-user interaction).
c
Awesome. Is there some documentation or a guide somewhere? I also have a question about Cookies. In an identity brokering scenario are Hydra or Kratos-native Cookies required to make the flow work? That is to say, I understand the brokered IdP needs to have cookies enabled, but does Hydra or Kratos issue any cookies that are critical to the authentication flow? I need a flow that would work without 3rd party cookies (iframes on iOS).
m
Yes, you need the /api endpoint for native apps: https://www.ory.sh/docs/identities/native-browser#native-apps With any browser-based device you use the /browser endpoint.
c
Sure, but iOS doesn't imply a native app. The issue we have with Keycloak is that it requires session cookies in the browser. Since iOS blocks cookies from iframes in other domains in the browser, this doesn't work. From my reading of the documentation it seems the same for Kratos?