jenskeiner edited a comment on issue #3274: URL: https://github.com/apache/apisix/issues/3274#issuecomment-759546929
Thanks for the feedback @sshniro. > > The resource is determined by using Keycloak's resource registration endpoint which can return the resources that match a given URI. > > I may be mistaken, does Keycloak matches the URI and returns results, or do we have to obtain all the paths and resolve it in APISIX? The resource registration endpoint can be used to offload the path matching to Keycloak. You need to invoke it with parameters `uri` set to the request URI and `matchingUri` set to `true`. Got that from the official adapter's code. I tested it that way and it works. The result just contains a JSON-style array with the IDs of matching resources. It seems to prefer stricter matches, not sure if anything can be further configured within Keycloak regarding the matching algo. Also, the endpoint has more options and I didn't test every possible combination. Importantly, one can then use the returned IDs when querying the token endpoint for the permission decision. All that works in a little POC of mine. I think, as a first step, it's best to make that extra call to Keycloak and swallow the added cost, but avoid the paths management inside the plugin. In a following change, I would suggest look at the matching on the plugin side as an optimization. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
