square-napkin-92357
04/12/2025, 9:18 AM
```json
[
  {
    "id": "helloworld:protected1",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/<**>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "DELETE",
        "PATCH"
      ]
    },
    "authenticators": [
      {
        "handler": "noop"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "noop"
      }
    ]
  },
  {
    "id": "helloworld:protected2",
    "upstream": {
      "preserve_host": true,
      "url": "http://host.docker.internal:8080"
    },
    "match": {
      "url": "http://127.0.0.1:4455/hello",
      "methods": [
        "GET"
      ]
    },
    "authenticators": [
      {
        "handler": "bearer_token"
      }
    ],
    "authorizer": {
      "handler": "remote_json"
    },
    "mutators": [
      {
        "handler": "id_token"
      }
    ]
  }
]
```
1. All requests to Oathkeeper match with my app.
2. I want the endpoint http://127.0.0.1:4455/hello to require authentication and authorization, but I got this message when I call this endpoint: "message": "Expected exactly one rule but found multiple rules"

Could anyone suggest a way to solve this? Thank you!
@chilly-king-10285

brief-egg-61061
04/12/2025, 9:23 AM
`/hello` endpoint.

## The Problem

Looking at your access rules, I can identify the issue:

1. Your first rule `helloworld:protected1` has a URL pattern `http://127.0.0.1:4455/<**>` which matches ALL paths at that host, including `/hello`.
2. Your second rule `helloworld:protected2` specifically targets `http://127.0.0.1:4455/hello`.

When you make a request to `/hello`, both rules match, causing Oathkeeper to be confused about which rule to apply.

## Solution

You need to make your rules mutually exclusive. Here are a few approaches:

### Option 1: Make the first rule exclude `/hello`

Modify the first rule's URL pattern to exclude the `/hello` path. This depends on whether you're using regexp or glob matching strategy:

```json
"match": {
  "url": "http://127.0.0.1:4455/<(?!hello).*>", // For regexp matching
  "methods": [ "GET", "POST", "PUT", "DELETE", "PATCH" ]
}
```

### Option 2: Make the rules more specific

Make the first rule match only specific paths instead of using a catch-all pattern:

```json
"match": {
  "url": "http://127.0.0.1:4455/<(api|users|other-paths)>",
  "methods": [ "GET", "POST", "PUT", "DELETE", "PATCH" ]
}
```

### Option 3: Order your rules properly

If you're using a file repository for your rules, ensure that more specific rules come before general rules. Oathkeeper will use the first matching rule it finds.

## Additional Information

According to the Oathkeeper documentation, the matching strategy (glob or regexp) is defined in the global configuration file as `access_rules.matching_strategy` [API access rules](https://www.ory.sh/docs/oathkeeper/api-access-rules#access-rule-format). Make sure you're using the correct pattern syntax for your chosen strategy.

For more information on configuring access rules, you can refer to the [Oathkeeper API access rules documentation](https://www.ory.sh/docs/oathkeeper/api-access-rules).
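
An added example (not part of the thread and not Oathkeeper's own code): a simplified Python model of the regexp matching strategy that reports, for a set of probe requests, which rule ids match each one. The function names, the probe URLs and the `$`-anchored variant are assumptions made for illustration, and the glob `<**>` from the question is written here as the regex `<.*>`.

```python
import re

def compile_rule_url(pattern: str) -> re.Pattern:
    """Compile an Oathkeeper-style match URL: text inside <...> is a regex,
    everything outside is literal. Simplified model of the regexp strategy."""
    out, pos = [], 0
    for m in re.finditer(r"<([^<>]*)>", pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        out.append("(" + m.group(1) + ")")
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(out) + "$")

def matching_rules(rules, method, url):
    return [r["id"] for r in rules
            if method in r["methods"] and compile_rule_url(r["url"]).match(url)]

def audit(rules, requests):
    """Map each (method, url) to the rule ids that match; anything other than
    exactly one id is a conflict (several) or a coverage gap (none)."""
    return {req: matching_rules(rules, *req) for req in requests}

BASE = "http://127.0.0.1:4455"
METHODS = ["GET", "POST", "PUT", "DELETE", "PATCH"]

# Constructed rule sets, reduced to the fields that drive matching.
ORIGINAL = [  # rules from the question; the glob <**> is written as <.*>
    {"id": "helloworld:protected1", "url": BASE + "/<.*>", "methods": METHODS},
    {"id": "helloworld:protected2", "url": BASE + "/hello", "methods": ["GET"]},
]
OPTION_1 = [  # catch-all with the negative lookahead from Option 1
    {"id": "helloworld:protected1", "url": BASE + "/<(?!hello).*>", "methods": METHODS},
    ORIGINAL[1],
]
ANCHORED = [  # assumption: lookahead anchored so only the exact path is carved out
    {"id": "helloworld:protected1", "url": BASE + "/<(?!hello$).*>", "methods": METHODS},
    ORIGINAL[1],
]
PROBES = [("GET", BASE + "/hello"), ("POST", BASE + "/hello"),
          ("GET", BASE + "/hello/world"), ("GET", BASE + "/other")]

if __name__ == "__main__":
    for name, rules in [("original", ORIGINAL), ("option 1", OPTION_1), ("anchored", ANCHORED)]:
        for req, ids in audit(rules, PROBES).items():
            status = "ok" if len(ids) == 1 else "CONFLICT" if ids else "NO RULE"
            print(f"{name:9} {req[0]:4} {req[1]:32} {status:8} {ids}")
```

In the original rule set, `POST /hello` matches only the catch-all rule with the `noop`/`allow` handlers, so the method list on the protected rule matters as much as its path. With the unanchored lookahead, `/hello/world` matches no rule at all, which is worth checking before relying on an exclusion pattern.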