# ory-network
a
Do we have any Oathkeeper example for Ory Network in which both the authenticator (cookie_session) and the authorizer (remote_json) are shown? I am using cloud; the authenticator (cookie_session) works fine, but when I use remote_json in the authorizer, I consistently get
"expected status code 200 but got 401"
but if I use allow for the authorizer, the URL works fine and gives a response.
oathkeeper.yml
```yaml
log:
  level: debug
  format: json

serve:
  proxy:
    cors:
      enabled: true
      allowed_origins:
        - "*"
      allowed_methods:
        - POST
        - GET
        - PUT
        - PATCH
        - DELETE
      allowed_headers:
        - Authorization
        - Content-Type
      exposed_headers:
        - Content-Type
      allow_credentials: true
      debug: true

errors:
  fallback:
    - json

  handlers:
    redirect:
      enabled: true
      config:
        to: https://auth.mydomain.com/ui/login
        when:
          - error:
              - unauthorized
              - forbidden
            request:
              header:
                accept:
                  - text/html
    json:
      enabled: true
      config:
        verbose: true

access_rules:
  matching_strategy: glob
  repositories:
    - file:///etc/config/oathkeeper/access-rules.yml

authenticators:
  anonymous:
    enabled: true
    config:
      subject: guest

  cookie_session:
    enabled: true
    config:
      check_session_url: https://auth.mydomain.com/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      additional_headers:
        accept: application/json
        accept-encoding: identity

  noop:
    enabled: true

authorizers:
  allow:
    enabled: true

  remote_json:
    enabled: true
    config:
      remote: https://auth.mydomain.com/relation-tuples/check
      payload: |
        { }
      forward_response_headers_to_upstream:
        - X-Foo
      retry:
        max_delay: 1s
        give_up_after: 6s

mutators:
  noop:
    enabled: true
  header:
    # Set enabled to true if the authenticator should be enabled and false to disable the authenticator. Defaults to false.
    enabled: true
    config:
      headers:
        X-User: "{{ print .Subject }}"
```
`Access-rules.yml`
```yaml
- id: "api:protected"
  upstream:
    url: "https://jsonplaceholder.typicode.com/posts/"
    strip_path: "/a"
  match:
    url: "https://api.mydomain.com/a"
    methods:
      - GET
      - POST
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: remote_json
    config:
      remote: https://auth.mydomain.com/relation-tuples/check
      payload: |
        {
          "subject_id": "{{ print .Subject }}",
          "relation": "access",
          "namespace": "bv_organizations",
          "object": "hello-world-service"
        }
```
Also, in Ory console,
```
in custom domain have set:
Cookie Domain: mydomain.com

CORS ALLOWED ORIGINS
https://auth.mydomain.com
https://app.mydomain.com
https://api.mydomain.com
```
n
I had a similar issue but was able to resolve it by deploying a sidecar proxy that had the Ory API token. Look at my message in the oathkeeper channel.
a
@narrow-greece-70477 Are you referring to this? https://ory-community.slack.com/archives/C01340V8KSM/p1693109464512839 Also, possible to check whether you used `glob` or `regex` matching?
n
@agreeable-microphone-83376 Yes. I have made an update to my deployment. I am no longer hosting it as a sidecar. I have now deployed it as a separate pod so that my other apps can also use it.