Is it match with Ory?


I would like to know if I can use the Ory suite to do what I want ?

This is the model that I would like to implement

From my API gateway I can send the identity, the scope (group) and the operation.

Instead of the operation, I guess I can send the needed permission.

In Ory Keto, I can have a policy with the user, an action (permission?) and a ressource (scope?)

Si it seems to match, but in my model I would like to bind the identity to a role and not directly to the permissions.

How to achieve this with Ory ?


  • There is 2 roles « manager » and « reader « and these roles have a common permission « data:read ».
  • The operation « Get data’s » needs the « data:read » permission.
  • UserA had the role « manager » on the scope « tenant1 ».

The userA calls Get data’s in the tenant1 scope.

I would like to know if this user had the right to do that.

And as a bonus, if Ory can generate a new access token with custom claims based on the result, it will be perfect !

Thank you

I think you’re confusing what OAuth2 is (and therefore Hydra), check out our excellent docs on that:

Once that is clear, everything will probably be clearer to you.

Thank you for your answer.

I know that OAuth2 is a delegation of a user authorization.
And in our case we don’t have user but service to service communication.
I have to use an existing identity provider for the access token and I would like to know if I could use Keto juste for the authorization part as Policy Decision Point ?

Edit : I read more deeper all the documentation and the XACML concepts.
I think I could use Oathkeeper as PEP to do authentication and generate a internal token via the mutator feature (like a STS).
Then, I could use Keo as PDP. But I don’t understand if I can call a PIP from Keo to have addtional context to evaluate the policy.

Is it something possible?

Thank you

Adding context to calls from Oathkeeper to Keto is currently not very well supported but it is high on our list of things to do as we will soon touch this internally for our cloud system as well. I’m sorry that I don’t have more info here on this as of now. Feel free to open an issue regarding this on the Oathkeeper GitHub so we keep track of this :slight_smile:


I created an issue :

Perfect, thank you