So taking a quick look at what you are doing there it seems you might be misunderstanding what OAuth is actually about.
I recommend reading this: https://www.ory.sh/hydra/docs/concepts/before-oauth2
Looking at step 4 in your “How to Start” it seems you are attempting to login to hydra like it is a user management system. It is not.
OAuth is all about authorizing one application to act on behalf of a user in a certain context. Your browser in this case is not an application. What you need to write in order for this to make any sense is an application that runs in your browser that actually performs the OAuth flow and acquires a token.
What you get as a response in your flow is an authorization code that is never exchanged for a token. Oathkeeper (to the best of my knowledge) is not able to do anything with an authorization code because it's designed to work with tokens. You are NOT authorizing Oathkeeper. Oathkeeper only checks that you've BEEN authorized already.
That of course also means that oathkeeper basically sees your request, doesn’t see a token attached to it and thus rejects it.
The correct flow would be:
That application would redirect the user through the OAuth flow and at the end retrieve the token via a POST request to Hydra. This token can then be presented to Oathkeeper, which will check it against Hydra and afterwards apply your Keto policies for authorization.
TL;DR: You need an application that actually gets authorized, be it a server-side or client-side application. Don't use the implicit flow as it has serious security issues if used improperly.