Our application has a front-end for regular customers, who authenticate by providing an email address and password. We have successfully integrated Hydra and Oathkeeper into our stack to handle this (using authorization code flow), and have been very happy with the results.
We also have an Admin Portal, whereby Support Agents (who are authenticated via Active Directory) are able to look up customer profiles, and then ‘become’ them (effectively signing into the main site as that customer).
My question is: how would one implement that a Hydra Access + ID Token would be issued for these Support Agents masquerading as customers, when there is only 1 configurable Login + Consent endpoint in Hydra?
Should we implement different behaviour when encountering the request coming from the Admin Portal Client ID, or is it possible to run 2 separate Hydra instances (each configured with a different Login + Consent handler) but share the database + secrets to ensure that tokens issued by one Hydra are interchangeable with tokens from another?
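One way to keep a single Login + Consent app and still distinguish the two flows is to branch on the `client_id` that Hydra reports in the login request, and to carry the acting Support Agent through to the tokens so the impersonation is visible to the resource servers and in audit logs. The sketch below is an added example, not code from the original post or from the Ory project; it assumes the JSON shapes Hydra returns from `GET /oauth2/auth/requests/login` and `GET /oauth2/auth/requests/consent`, an admin-portal client id of `admin-portal`, an Active Directory session object with `agent_id` and `groups`, and the `act` (actor) claim borrowed from RFC 8693. The HTTP calls to Hydra's admin API are left out so the decision logic runs offline.

```python
"""Single Ory Hydra login + consent handler that branches on the requesting client.

Added example, not from the original post or the Ory project. Assumed:
Hydra's login/consent request shapes, the admin-portal client id below,
an AD session dict {"agent_id": ..., "groups": [...]}, and the RFC 8693
"act" claim for recording who is acting on behalf of the customer.
"""

ADMIN_PORTAL_CLIENT_ID = "admin-portal"            # assumed client id
SUPPORT_AGENT_GROUP = "support-agents"             # assumed AD group
# Scopes an impersonated session may receive; deliberately narrower than a
# real customer login so a support agent cannot, e.g., change billing data.
ALLOWED_IMPERSONATION_SCOPES = {"openid", "profile", "orders:read"}


class LoginDenied(Exception):
    """Raised when the login handler should reject the login challenge."""


def build_login_accept(login_request, *, customer_subject=None,
                       ad_session=None, target_customer=None):
    """Return the body for PUT /oauth2/auth/requests/login/accept.

    login_request is the JSON Hydra returns for the login challenge.
    customer_subject: subject verified by the email/password check (customer flow).
    ad_session / target_customer: AD-authenticated agent and the customer
    to become (admin-portal flow only).
    """
    client_id = login_request["client"]["client_id"]

    if client_id == ADMIN_PORTAL_CLIENT_ID:
        if ad_session is None or SUPPORT_AGENT_GROUP not in ad_session.get("groups", ()):
            raise LoginDenied("impersonation requires an AD-authenticated support agent")
        if not target_customer:
            raise LoginDenied("no target customer selected")
        return {
            "subject": target_customer,          # tokens are issued for the customer
            "remember": False,                   # never persist an impersonated session
            "acr": "impersonation",              # lets downstream policy spot it
            # Hydra passes "context" through to the consent request unchanged.
            "context": {"act": {"sub": ad_session["agent_id"], "client_id": client_id}},
        }

    # Any other client: only the customer's own credentials are honoured.
    if ad_session is not None or target_customer is not None:
        raise LoginDenied("impersonation is only honoured for the admin portal client")
    if not customer_subject:
        raise LoginDenied("email/password verification failed")
    return {"subject": customer_subject, "remember": True,
            "remember_for": 3600, "context": {}}


def build_consent_accept(consent_request):
    """Return the body for PUT /oauth2/auth/requests/consent/accept.

    For impersonated sessions the granted scope is clamped and the acting
    agent is copied into both the ID token and the access token as "act".
    """
    requested = set(consent_request.get("requested_scope", []))
    actor = (consent_request.get("context") or {}).get("act")
    if actor:
        granted = sorted(requested & ALLOWED_IMPERSONATION_SCOPES)
        session = {"id_token": {"act": actor}, "access_token": {"act": actor}}
        remember = False
    else:
        granted = sorted(requested)
        session = {}
        remember = True
    return {
        "grant_scope": granted,
        "grant_access_token_audience": consent_request.get("requested_access_token_audience", []),
        "remember": remember,
        "session": session,
    }


def acting_agent(token_claims):
    """Resource-server helper: the agent behind an impersonated token, else None."""
    act = token_claims.get("act")
    return act.get("sub") if isinstance(act, dict) else None


# Constructed sample requests in the shape Hydra returns (not real captures).
SAMPLE_CUSTOMER_LOGIN = {"challenge": "c1", "client": {"client_id": "storefront"}}
SAMPLE_ADMIN_LOGIN = {"challenge": "c2", "client": {"client_id": ADMIN_PORTAL_CLIENT_ID}}
SAMPLE_AD_SESSION = {"agent_id": "agent-42", "groups": ["support-agents"]}


if __name__ == "__main__":
    accept = build_login_accept(SAMPLE_ADMIN_LOGIN, ad_session=SAMPLE_AD_SESSION,
                                target_customer="customer-7")
    consent = build_consent_accept({"requested_scope": ["openid", "billing:write"],
                                    "context": accept["context"]})
    print(accept["subject"], consent["grant_scope"], consent["session"]["id_token"])
```

The point of `remember: False` and the clamped scope is that an impersonated session should be short-lived and less privileged than the real customer's, while the `act` claim gives Oathkeeper rules and your application logs a single field to key on when deciding what an impersonating agent may do.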