We’re trying to figure out a proper deployment model for Hydra in a multi-tenant scenario.
We’ve reached the conclusion that in order to have true multi-tenancy support on the oauth/oidc side (with Hydra), we need to deploy a single Hydra instance per tenant and distribute the oauth client registrations between these Hydra instances (possibly using https://github.com/ory/hydra-maester).
We’re now looking into how oathkeeper fits into this and it seems like all the urls you configure in oathkeeper, for example the token and introspection urls for the oauth2_introspection authenticator, must be absolute, which would mean (afaics) that we’d have to run an oathkeeper per tenant as well. Am I understanding that correctly?
If so, would you consider a PR that would allow relative urls for such config and logic to prepend the domain of the current requestUrl to it?
And what about a PR to force the iss claim in a JWT token to match the current requestUrl, as adding the urls of each tenant in the trusted_issuers config is not really scalable/manageable?
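To make the two proposals concrete, here is an added sketch of the logic they describe; it is illustrative code, not oathkeeper's own, and the function names (`requestOrigin`, `resolveTenantURL`, `issuerMatchesRequest`) and the tenant hostnames are assumptions. It resolves a relative introspection URL against the origin of the current request and checks that the `iss` claim of an already signature-verified JWT equals that same origin, so a token minted by one tenant's Hydra is rejected on another tenant's host.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Illustration of the two proposed checks, not oathkeeper's own code. requestOrigin
// returns scheme://host of the incoming request; that origin identifies the tenant.
func requestOrigin(requestURL string) (*url.URL, error) {
	req, err := url.Parse(requestURL)
	if err != nil || req.Scheme == "" || req.Host == "" {
		return nil, errors.New("request URL must be absolute")
	}
	return &url.URL{Scheme: req.Scheme, Host: req.Host}, nil
}

// resolveTenantURL resolves a relative config URL such as "/oauth2/introspect"
// against the request origin; an absolute config URL is returned unchanged.
func resolveTenantURL(requestURL, configURL string) (string, error) {
	cfg, err := url.Parse(configURL)
	if err != nil {
		return "", err
	}
	if cfg.IsAbs() {
		return configURL, nil
	}
	origin, err := requestOrigin(requestURL)
	if err != nil {
		return "", err
	}
	return origin.ResolveReference(cfg).String(), nil
}

// issuerMatchesRequest reports whether the iss claim taken from an already
// signature-verified JWT equals the request origin (a trailing "/" is tolerated).
func issuerMatchesRequest(requestURL, iss string) (bool, error) {
	origin, err := requestOrigin(requestURL)
	if err != nil {
		return false, err
	}
	return strings.TrimSuffix(iss, "/") == origin.String(), nil
}

func main() {
	fmt.Println(resolveTenantURL("https://tenant-a.example.com/api/orders", "/oauth2/introspect"))
	fmt.Println(issuerMatchesRequest("https://tenant-a.example.com/api/orders", "https://tenant-b.example.com/"))
}
```

Both checks derive the tenant from the request's host, so the deployment has to make sure that host is set by the ingress rather than taken from an arbitrary client-supplied Host header.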