<@U04UQ68083H> can you help me with this oathkeppe...
# ory-copilot
g
@chilly-king-10285 can you help me with these Oathkeeper rules, given
```yaml
- id: sso-private
  match:
    url: "<https://sso.nimbus.test/settings>"
    methods:
      - GET
  authenticators:
    - handler: bearer_token
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
      config:
        issuer_url: <http://localhost:4455/>
        jwks_url: file://./resources/sso/config/jwks.json
    - handler: header
      config:
        headers:
          X-User-Id: "{{ print .Subject }}"
          X-User-Email: "{{ print .Extra.identity.traits.email }}"
  errors:
    - handler: redirect
      config:
        to: <https://sso.nimbus.test/login>
        return_to_query_param: return_to
        code: 302

- id: sso-public
  match:
    url: "<https://sso.nimbus.test/><.*>"
    methods:
      - GET
      - POST
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop
```
error
```json
{
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "Expected exactly one rule but found multiple rules"
  }
}
```
b
A message from kapa.ai
The error message you're seeing indicates that Ory Oathkeeper is expecting exactly one rule but found multiple rules. This could be due to the way your rules are structured. In your configuration, you have two rules: `sso-private` and `sso-public`. Each rule has its own set of `match`, `authenticators`, `authorizer`, `mutators`, and `errors` configurations.

According to the Ory Oathkeeper documentation, there is a 1:1 mandatory relationship between an authorizer and an access rule. It isn't possible to configure more than one authorizer per Access Rule. This means that each rule should have exactly one authorizer. In your configuration, both rules have only one authorizer, which is correct.

However, the issue might be with the `mutators` configuration. In the `sso-private` rule, you have two mutators: `id_token` and `header`. According to the Ory Oathkeeper documentation, mutations are performed iteratively from index 0 to n and should all succeed in order for the HTTP request to be forwarded.

If the issue persists, it might be due to some other configuration problem. It would be helpful to check the Ory Oathkeeper logs for more detailed error messages.

Here are the relevant knowledge sources:
- [Ory Oathkeeper API - api > Methods > listRules > Responses Part 3](https://www.ory.sh/docs/oathkeeper/reference/api)
- [Ory Oathkeeper API - api > Methods > getRule > Responses Part 3](https://www.ory.sh/docs/oathkeeper/reference/api)
- [Ory Oathkeeper API - api > Methods > listRules > Responses Part 5](https://www.ory.sh/docs/oathkeeper/reference/api)
- [Ory Oathkeeper > Pipeline > Authorizers](https://www.ory.sh/docs/oathkeeper/pipeline/authz)
- [Ory Oathkeeper > API access rules > Access rule format Part 2](https://www.ory.sh/docs/oathkeeper/api-access-rules#access-rule-format)
- [Ory Oathkeeper > Introduction > Decision engine](https://www.ory.sh/docs/oathkeeper#decision-engine)
g
@chilly-king-10285 can you create a proper url regex for both? `sso-private` should handle `/settings` and `sso-public` should handle everything else except `/settings`
b
A message from kapa.ai
Sure, you can use regular expressions to match the URLs for your rules. Here's how you can modify your rules:
```yaml
- id: sso-private
  match:
    url: "^<https://sso.nimbus.test/settings$>"
    methods:
      - GET
  authenticators:
    - handler: bearer_token
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
      config:
        issuer_url: <http://localhost:4455/>
        jwks_url: file://./resources/sso/config/jwks.json
    - handler: header
      config:
        headers:
          X-User-Id: "{{ print .Subject }}"
          X-User-Email: "{{ print .Extra.identity.traits.email }}"
  errors:
    - handler: redirect
      config:
        to: <https://sso.nimbus.test/login>
        return_to_query_param: return_to
        code: 302

- id: sso-public
  match:
    url: "^<https://sso.nimbus.test/(?!settings).*$>"
    methods:
      - GET
      - POST
  authenticators:
    - handler: noop
  authorizer:
    handler: allow
  mutators:
    - handler: noop
```
In the `sso-private` rule, the URL is set to match exactly <https://sso.nimbus.test/settings>. In the `sso-public` rule, the URL is set to match any path under <https://sso.nimbus.test/> except for `settings`. The `(?!settings)` part is a negative lookahead in the regular expression that excludes `settings` from the match.

Please note that the regular expression should be enclosed in quotes and the special characters should be escaped properly. For more information on how to configure access rules in Ory Oathkeeper, you can refer to the [Ory Oathkeeper Access Rules documentation](https://www.ory.sh/docs/oathkeeper/api-access-rules).