I recently started diving into the Ory ecosystem and am very impressed with the work and love the active development going on!
I saw a few topics like this, so maybe it is being addressed and I might be thinking ahead, but I was looking at integrating ORY Hydra and Kratos (and later Oauthkeeper in front). I was adapting the example Kratos UI and Hydra example UIs to essentially use Kratos as the IPD for Hydra Oauth2 flor.
There were 2 issues I was seeing
Hydra and Kratos both do session management. I saw somewhere it mentioned that it was imperative that we do not have session management in both our Oath2.0 service and IDP service. I have not thought through exactly why but I can agree it might not make sense to be storing this in both places. It seems ideal to keep this in Hydra (since it will also be remembering user consent and is initiated first in the Oauth2 flow) but I am unsure how we can turn this off in Kratos. Hydra has the “remember” params which we could not use I guess. I am also a bit unclear, so hydra just using a session cookie to remember that this user (subject) has already given consent to this app, whereas Kratos would be verifying this user has logged in already in Kratos. These do seem fundamentally different and potentially okay to keep both (i.e. a user wants to delegate something to an app, and then sign into another app using that same IDP) but not sure how to deal with the sessions cookies getting in a state where it has User A in Hydra but User B in Kratos session.
Hydra is supposed to redirect to a login UI when initializing the ouath2 flow. The Kratos login approach seems to require then redirecting to Kratos (http://127.0.0.1:4455/.ory/kratos/public/self-service/browser/flows/requests/(login|registration)) to set CSRF cookies and initialize the login request there before getting redirected back with request id. The issue I was running into was that this redirect would remove the login_challenge query param from Hydra, so I would need to store it in a cookie to make it work. This doesn’t seem like the best way to do this and I was wondering if there is a recommended way to use these two flows like this.