Open dwalker-sabiogroup opened 6 months ago
I have tested using a custom plugin that replaces ctx.var.request_uri with ctx.var.uri in authz-keycloak.lua, and it works perfectly with Keycloak resource authorization (where the query string value is not needed for authorization purposes).
Description
Keycloak does not support authorization with dynamic patterns where the URL contains a query string (https://github.com/keycloak/keycloak/issues/28772), and this causes 403 issues using the authz-keycloak plugin, as the full request URL including any querystring is passed to Keycloak when using lazy_load_paths.
ctx.var.request_uri is used in the plugin to check for permissions which
An option to solve would be to add a configuration item include_query_string = {type = "boolean", default = true}, which toggles between ctx.var.request_uri and ctx.var.uri (which is the normalised URI and does not include the querystring).