forked from ory/oathkeeper
docs: guide for integrating with ORY Hydra (ory#497)
Co-authored-by: hackerman <3372410+aeneasr@users.noreply.github.com>
Showing 2 changed files with 23 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
--- | ||
id: oauth2-token-introspection-hydra | ||
title: Connect to ORY Hydra OAuth2 Token Introspection | ||
--- | ||
|
||
This document is a work in progress. | ||
|
||
## Synchronize Access Token / OAuth2 Scope Strategy | ||
|
||
When using ORY Oathkeeper together with ORY Hydra the scope strategy needs to be kept in sync. | ||
|
||
ORY Oathkeeper sends the scope as part of the introspection request. [(More about token introspection)](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/) | ||
|
||
[Hydra](https://www.ory.sh/hydra/docs/guides/oauth2-token-introspection/) processes this scope parameter (which is actually not defined in the OAuth2 Introspection RFC) according to the scope strategy defined in Hydra. | ||
|
||
The scope strategy defined in ORY Oathkeeper serves as a fallback for when OAuth2 servers do not implement this feature. | ||
|
||
Therefore, these two settings must be kept in sync. | ||
|
||
[Here](https://www.ory.sh/hydra/docs/reference/api#parameters-27) you can find the Hydra setting and [here](https://www.ory.sh/oathkeeper/docs/v0.37/pipeline/authn/#configuration-5) the respective one for Oathkeeper. | ||
|
||
The same problem would arise if you configure your client to be allowed to request scope foo and your OAuth2 request requests foo.bar. |
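Review bot: the guide says the two scope strategies "must be kept in sync" but never states what goes wrong when they are not, and the closing sentence "The same problem would arise if..." refers back to a problem the text has not yet described. Suggest adding one explicit sentence before "Therefore, these two settings must be kept in sync." that names the failure mode, e.g. that with mismatched strategies a token can be accepted by one component and rejected by the other for the same requested scope (`foo` versus `foo.bar`), so access decisions become inconsistent rather than simply failing closed. Two smaller points: the parenthetical "not defined in the OAuth2 Introspection RFC" would be clearer as a reference to RFC 7662 by number, and the `#parameters-27` anchor in the Hydra API reference link is a generated fragment that is likely to break on the next docs rebuild; naming the setting in prose alongside the link would keep the guide usable when that happens.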