Skip to main content

Connect to Ory Hydra OAuth2 Token Introspection

This document is a work in progress.

Synchronize Access Token / OAuth2 Scope Strategy

When using Ory Oathkeeper together with Ory Hydra the scope strategy needs to be kept in sync.

Ory Oathkeeper sends the scope as part of the introspection request. (More about token introspection)

Hydra processes this scope parameter (which is actually not defined in the OAuth2 Introspection RFC) according to the scope strategy defined in Hydra.

The scope strategy defined in Ory Oathkeeper serves as a fallback for when OAuth2 servers don't implement this feature.

Therefore, these two settings must be kept in sync.

Here you can find the Hydra setting and here the respective one for Oathkeeper.

The same problem would arise if you configure your client to be allowed to request scope foo and your OAuth2 request requests foo.bar.