Shouldn't Hydra, OathKeeper and Keto work together automatically?

Hi, I am new to the ORY stack and just had a look at the Fullstack example on GitHub.

When seeing these configurations in the docker-compose file for Oathkeeper:

- AUTHORIZER_KETO_URL=http://keto:4466
- AUTHENTICATOR_OAUTH2_INTROSPECTION_URL=http://hydra:4445/oauth2/introspect
- AUTHENTICATOR_OAUTH2_CLIENT_CREDENTIALS_TOKEN_URL=http://hydra:4444/oauth2/token

I expect this is the way it should be:

  1. A request (with an access token attached) arrives at Oathkeeper, which acts as an API gateway.
  2. Oathkeeper asks Hydra if the attached token is valid, whether or not it is blacklisted (not expired, but the user has logged out), etc.
  3. Then Oathkeeper asks Keto if the user with this token is allowed to perform the action.
  4. Finally, the request hits the Resource service. The Resource service doesn't need to make lookup calls to either Hydra or Keto.

What I actually see in the resource server source code:

My question is: Do Hydra, OathKeeper and Keto work together automatically (with some configuration, of course) without requiring the Resource service to implement manual calls like that? (Except in edge cases; I mean the normal case, like the one in the fullstack example.) And if yes, how can I achieve that?

Yes, they work together. The files mentioned do have a bit of code attached to them, but if you look at the oathkeeper.js file for example, you will see that it only validates the incoming (Oathkeeper-generated) token to make sure that no one else can call this endpoint.

The others are just examples of how to interact with each project (hydra, keto) individually / stand alone.

All of our projects are designed to be standalone but implement open standards which allow them to interact without having an explicit "HYDRA_WHATEVER" configuration setting.
