SkyeYoung opened a new pull request, #12914: URL: https://github.com/apache/apisix/pull/12914
### Description <!-- Please include a summary of the change and which issue is fixed. --> <!-- Please also include relevant motivation and context. --> ## Summary - Fix authz-keycloak plugin to use `ctx.var.uri` instead of `ctx.var.request_uri` when resolving resources with `lazy_load_paths=true`, ensuring query parameters are stripped before sending to Keycloak's resource registration endpoint ## What's the problem? When `lazy_load_paths=true` is enabled, the plugin incorrectly includes query parameters when calling Keycloak's UMA resource registration endpoint (`resource_set?matchingUri=true`). This causes Keycloak to fail resource matching with "invalid_resource" errors. For example, a request to `/api/items?country=es` would send the full URI including query string to Keycloak, which cannot match it against a resource configured with URI `/api/items`. ## What's the solution? Replace `ctx.var.request_uri` (path + query string) with `ctx.var.uri` (path only) when resolving resources. This aligns with Keycloak's official Policy Enforcer behavior which uses `request.getRelativePath()`. #### Which issue(s) this PR fixes: <!-- *Automatically closes linked issue when PR is merged. Usage: `Fixes #<issue number>`, or `Fixes (paste link of issue)`. --> Fixes #12785 ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [x] I have added tests corresponding to this change - [ ] I have updated the documentation to reflect this change - [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first) <!-- Note 1. Mark the PR as draft until it's ready to be reviewed. 2. Always add/update tests for any changes unless you have a good reason. 3. Always update the documentation to reflect the changes made in the PR. 4. Make a new commit to resolve conversations instead of `push -f`. 5. To resolve merge conflicts, merge master instead of rebasing. 6. Use "request review" to notify the reviewer after making changes. 7. Only a reviewer can mark a conversation as resolved. --> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
