Based on the available knowledge sources, Ory Oathkeeper does not support triggering the authorization step if authentication is invalid. The documented decision engine and pipeline make it clear that the steps are sequential: first, access rule matching; second, authentication; third, authorization; and finally, mutation. If authentication fails (i.e., credentials are invalid), the request is denied and the authorization step is not executed. This is explicitly described in the documentation: > Invalid credentials result in denial of the request. The "internal" session state (such as the user ID) of valid (authenticated) credentials becomes input for the next steps. > ... > Access Rules can check permissions. To secure, for example, an API that requires admin privileges, configure the authorizer to check if the user ID from step 2 has the "admin" permission or role. > ... > Failed authorization (for example user doesn't have role "admin") results denial of the request. [Introduction to Ory Oathkeeper Zero Trust Proxy](https://www.ory.sh/docs/oathkeeper#decision-engine) Additionally, the pipeline documentation confirms that if a handler encounters invalid credentials, other handlers (including authorizers) will be ignored: > If a handler encounters invalid credentials, then other handlers will be ignored too. [Oathkeeper Authenticators](https://www.ory.sh/docs/oathkeeper/pipeline/authn) Therefore, Oathkeeper does not provide a way to proceed to authorization if authentication fails.