# talk-oathkeeper
I have one use case, something like: • for URLs matching /abc/clients --> use an OAuth2 client to authenticate • for URLs matching /abc/** --> use a cookie to authenticate. Can I use access rules like this? In this case the order of the rules matters (it needs to check rule company:protected1 first); is Oathkeeper's rule checking order-sensitive?
```yaml
- id: "company:protected1"
  match:
    url: "<https://company/><{abc/clients/**}>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
  authenticators:
    - handler: oauth2_client_credentials
  authorizer:
    handler: allow

- id: "company:protected2"
  match:
    url: "<https://company/><{abc/**}>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
```
you can't have conflicting rules in oathkeeper
it will complain that more than one rule matches
Is there any best practice for excluding one pattern from a URL match, @steep-lamp-91158? For rule `company:protected1` I can rewrite it to:

```yaml
url: "<https://company/><{abc/clients/*}>"
```

For `company:protected2` I don't know exactly what I can rewrite; the reason I use `**` here is that it has to match a URL like `abc/xyz` as well as `abc/def/ccc`.
you will have to use different, i.e. non-conflicting routes
What about this one, @steep-lamp-91158?

```yaml
- id: "company:protected1"
  match:
    url: "<https://company/abc/clients/><{**}>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
  authenticators:
    - handler: oauth2_client_credentials
  authorizer:
    handler: allow

- id: "company:protected2"
  match:
    url: "<https://company/abc/[!clients]><{**}>"
    methods:
      - GET
      - POST
      - PUT
      - DELETE
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: header
```

What is the meaning of `<>`? I checked the glob pattern docs but they don't mention anything about it.
have a look here: https://www.ory.sh/oathkeeper/docs/api-access-rules ; it has many examples
thanks @steep-lamp-91158, it works 🙂