docs: Sync Scope Strategies in Oathkeeper&Hydra

docs/docs/scope-strategies-hydra.mdx

@@ -0,0 +1,22 @@
+---
+id: oauth2-token-introspection-hydra
+title: Connect to ORY Hydra OAuth2 Token Introspection
+---
+
+This document is a work in progress.
+
+## Synchronize Access Token / OAuth2 Scope Strategy
+
+When using ORY Oathkeeper together with ORY Hydra the scope strategy needs to be kept in sync.
+
+ORY Oathkeeper sends the scope as part of the introspection request. [(More about token introspection)](https://www.oauth.com/oauth2-servers/token-introspection-endpoint/)
+
+[Hydra](https://www.ory.sh/hydra/docs/guides/oauth2-token-introspection/) processes this scope parameter (which is actually not defined in the OAuth2 Introspection RFC) according to the scope strategy defined in Hydra.
+
+The scope strategy defined in ORY Oathkeeper serves as a fallback for when OAuth2 servers do not implement this feature.
+
+Therefore, these two settings must be kept in sync. 
+
+[Here](https://www.ory.sh/hydra/docs/reference/api#parameters-27) you can find the Hydra setting and [here](https://www.ory.sh/oathkeeper/docs/v0.37/pipeline/authn/#configuration-5) the respective one for Oathkeeper.
+
+The same problem would arise if you configure your client to be allowed to request scope foo and your OAuth2 request requests foo.bar.

docs/sidebar.json

@@ -19,6 +19,7 @@
   ],
   "Guides": [
     "configure-deploy"
+    "oauth2-token-introspection-hydra"
   ],
   "Reference": [
     "reference/configuration",