lacoonte opened a new issue, #12785: URL: https://github.com/apache/apisix/issues/12785
### Current Behavior

APISIX authz-keycloak uses `ctx.var.request_uri` (path + query string) when performing lazy resource discovery, sending it directly as `uri=` to Keycloak’s UMA `resource_set?matchingUri=true`. Keycloak cannot match resources when query parameters are included, resulting in `invalid_resource` errors.

### Expected Behavior

APISIX should follow the same behavior as the official Keycloak Policy Enforcer (see https://github.com/keycloak/keycloak-client/tree/main/policy-enforcer/src/main/java/org/keycloak/adapters/authorization ).

In `PolicyEnforcer.getPathConfig()`, Keycloak's official enforcer resolves the resource using: `return pathMatcher.matches(request.getRelativePath());` and not `request.getURI()`. `request.getRelativePath()` contains only the application path (no query string). This path is what gets passed to: `authzClient.protection().resource().findByMatchingUri(targetUri);`

Therefore, lazy discovery must use the path without query parameters, mirroring Keycloak’s PEP behavior.

### Error Logs

_No response_

### Steps to Reproduce

1. Configure APISIX route with authz-keycloak and `lazy_load_paths=true`.
2. In Keycloak, create an Authorization Resource with URI `/api/items`.
3. Call APISIX: `GET /api/items?country=es`

### Environment

- APISIX version 3.1.4
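The lookup described in the issue, as an added example that is not part of the original report and not APISIX's code: it builds the `resource_set?matchingUri=true` discovery query from a raw request URI, once with the query string left in and once with the path only. The endpoint URL, the function names and the sample requests are constructed for illustration.

```lua
-- Added example, not APISIX source. Pure Lua, no ngx.* dependencies.

-- Hypothetical endpoint; host and realm are constructed placeholders.
local RESOURCE_SET = "https://keycloak.example/realms/demo/authz/protection/resource_set"

-- Return only the path of a raw request URI (the form nginx exposes as
-- $request_uri), dropping everything from the first "?" or "#" onward.
local function path_only(request_uri)
    local path = request_uri:match("^([^?#]*)")
    if path == "" then
        return "/"
    end
    return path
end

-- Percent-encode a value for a query string, keeping RFC 3986 unreserved chars.
local function encode_component(s)
    return (s:gsub("[^%w%-%._~]", function(c)
        return string.format("%%%02X", c:byte())
    end))
end

-- Build the lazy-discovery lookup URL for a given lookup target.
local function discovery_url(target)
    return RESOURCE_SET .. "?matchingUri=true&uri=" .. encode_component(target)
end

-- Constructed sample requests against a resource registered as /api/items.
local registered = "/api/items"
local samples = {
    "/api/items",
    "/api/items?country=es",
    "/api/items?country=es&page=2",
    "/api/items?",
}

for _, request_uri in ipairs(samples) do
    local target = path_only(request_uri)
    print("request_uri : " .. request_uri)
    print("  reported  : " .. discovery_url(request_uri))
    print("  path only : " .. discovery_url(target))
    -- Every variant must resolve to the same lookup target, otherwise the
    -- authorization decision would depend on which query string was sent.
    assert(target == registered, "lookup target differs: " .. target)
end
```

The script runs under a standalone Lua 5.1+ or LuaJIT interpreter and prints both lookup URLs for each sample request.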
