This document is a work in progress.
Synchronize Access Token / OAuth2 scope strategy
When using Ory Oathkeeper together with Ory Hydra the scope strategy needs to be kept in sync.
Ory Oathkeeper sends the scope as part of the introspection request. (More about token introspection)
Hydra evaluates this scope parameter (which is not defined in the OAuth2 Token Introspection RFC) using the scope strategy configured in Hydra, and the introspection response reflects that evaluation.
The scope strategy configured in Ory Oathkeeper is only used as a fallback for OAuth2 servers that do not implement this non-standard parameter.
Therefore, these two settings must be kept in sync.
The same mismatch shows up on the authorization side: if a client is configured to be allowed to request scope foo and the OAuth2 request asks for foo.bar, whether that request is accepted depends on the configured scope strategy in exactly the same way.
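The following is an added example, not code from Ory Oathkeeper or Ory Hydra, that shows why the two settings drift apart when they are not kept in sync. It implements the two strategy names both projects accept, "exact" and "hierarchic", as simplified matchers of this example's own (the projects' real matchers live in their own code and may differ in detail), and then evaluates the page's scenario, a token granted foo and an access rule requiring foo.bar, from each side. When Hydra runs "exact" and Oathkeeper runs "hierarchic", Hydra's introspection answer and what Oathkeeper would decide on its own disagree.

```go
package main

import (
	"fmt"
	"strings"
)

// ScopeStrategy decides whether a token carrying the scopes in granted
// satisfies the single scope named by required.
type ScopeStrategy func(granted []string, required string) bool

// Exact: the required scope must appear verbatim among the granted scopes.
func Exact(granted []string, required string) bool {
	for _, g := range granted {
		if g == required {
			return true
		}
	}
	return false
}

// Hierarchic (simplified, this example's own): a granted scope also covers
// every dot-separated child of it, so "foo" covers "foo.bar" and "foo.bar.baz",
// while "foo.bar" does not cover "foo" and "foo" does not cover "foobar".
func Hierarchic(granted []string, required string) bool {
	reqParts := strings.Split(required, ".")
	for _, g := range granted {
		gParts := strings.Split(g, ".")
		if len(gParts) > len(reqParts) {
			continue // granted scope is more specific than what is required
		}
		match := true
		for i, p := range gParts {
			if p != reqParts[i] {
				match = false
				break
			}
		}
		if match {
			return true
		}
	}
	return false
}

// Strategies maps a configured strategy name to a matcher. The names are the
// ones both Oathkeeper and Hydra accept; the matcher bodies are this example's.
var Strategies = map[string]ScopeStrategy{
	"exact":      Exact,
	"hierarchic": Hierarchic,
}

// Decision records what each component concludes for one request.
type Decision struct {
	Hydra      bool // what Hydra's introspection response would say
	Oathkeeper bool // what Oathkeeper's fallback strategy would conclude
}

// InSync reports whether both sides reach the same verdict.
func (d Decision) InSync() bool { return d.Hydra == d.Oathkeeper }

// Evaluate applies each side's configured strategy to the same request.
func Evaluate(hydraStrategy, oathkeeperStrategy string, granted []string, required string) Decision {
	return Decision{
		Hydra:      Strategies[hydraStrategy](granted, required),
		Oathkeeper: Strategies[oathkeeperStrategy](granted, required),
	}
}

func main() {
	granted := []string{"foo"} // constructed: scope the token was issued with
	required := "foo.bar"      // constructed: scope the access rule demands
	for _, pair := range [][2]string{
		{"exact", "exact"},
		{"hierarchic", "hierarchic"},
		{"exact", "hierarchic"}, // misconfigured: the two settings drifted apart
	} {
		d := Evaluate(pair[0], pair[1], granted, required)
		fmt.Printf("hydra=%-10s oathkeeper=%-10s hydra=%-5v oathkeeper=%-5v in sync=%v\n",
			pair[0], pair[1], d.Hydra, d.Oathkeeper, d.InSync())
	}
}
```

The last row of the output is the failure mode the text warns about: Hydra rejects the token for foo.bar under "exact", but an Oathkeeper deployment configured with "hierarchic" would have accepted it had the fallback path been taken, so the effective policy depends on which component happened to evaluate the scope.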