docs: guide for integrating with ORY Hydra (ory#497)

Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
blep-ai · Aug 31, 2020 · 64c8bb8 · 64c8bb8
1 parent da87d8e
commit 64c8bb8
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 0 deletions.
diff --git a/docs/docs/scope-strategies-hydra.mdx b/docs/docs/scope-strategies-hydra.mdx
@@ -0,0 +1,22 @@
+---
+id: oauth2-token-introspection-hydra
+title: Connect to ORY Hydra OAuth2 Token Introspection
+---
+
+This document is a work in progress.
+
+## Synchronize Access Token / OAuth2 Scope Strategy
+
+When using ORY Oathkeeper together with ORY Hydra the scope strategy needs to be kept in sync.
+
+ORY Oathkeeper sends the scope as part of the introspection request. [(More about token introspection)](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/)
+
+[Hydra](https://www.ory.sh/hydra/docs/guides/oauth2-token-introspection/) processes this scope parameter (which is actually not defined in the OAuth2 Introspection RFC) according to the scope strategy defined in Hydra.
+
+The scope strategy defined in ORY Oathkeeper serves as a fallback for when OAuth2 servers do not implement this feature.
+
+Therefore, these two settings must be kept in sync. 
+
+[Here](https://www.ory.sh/hydra/docs/reference/api#parameters-27) you can find the Hydra setting and [here](https://www.ory.sh/oathkeeper/docs/v0.37/pipeline/authn/#configuration-5) the respective one for Oathkeeper.
+
+The same problem would arise if you configure your client to be allowed to request scope foo and your OAuth2 request requests foo.bar.
diff --git a/docs/sidebar.json b/docs/sidebar.json
@@ -19,6 +19,7 @@
   ],
   "Guides": [
     "configure-deploy"
+    "oauth2-token-introspection-hydra"
   ],
   "Reference": [
     "reference/configuration",