
bug: authz-keycloak should omit querystring, so that keycloak authorization works #12785

@lacoonte

Description


Current Behavior

APISIX authz-keycloak uses ctx.var.request_uri (path + query string) when performing lazy resource discovery, sending it directly as uri= to Keycloak’s UMA resource_set?matchingUri=true. Keycloak cannot match resources when query parameters are included, resulting in invalid_resource errors.

Expected Behavior

APISIX should follow the same behavior as the official Keycloak Policy Enforcer (see https://github.com/keycloak/keycloak-client/tree/main/policy-enforcer/src/main/java/org/keycloak/adapters/authorization).

In PolicyEnforcer.getPathConfig(), Keycloak's official enforcer resolves the resource using:

return pathMatcher.matches(request.getRelativePath());

and not request.getURI().
request.getRelativePath() contains only the application path (no query string).

This path is what gets passed to:

authzClient.protection().resource().findByMatchingUri(targetUri);

Therefore, lazy discovery must use the path without query parameters, mirroring Keycloak’s PEP behavior.

Error Logs

No response

Steps to Reproduce

  1. Configure APISIX route with authz-keycloak and lazy_load_paths=true.
  2. In Keycloak, create an Authorization Resource with URI /api/items.
  3. Call APISIX: GET /api/items?country=es
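The following Lua snippet is an added illustration, not code from the APISIX authz-keycloak plugin, of the difference described above: the `uri=` value the lazy-discovery lookup would send when `request_uri` (path plus query string) is used versus when the query string is stripped first, the way PolicyEnforcer uses `request.getRelativePath()`. The `ctx` table, `path_only` and `matching_uri_query` are assumed names for the example; the sample request is the one from the reproduction steps.

```lua
-- Added example (not the plugin's own code). Helper names are assumptions.

-- Strip the query string (and any fragment) so only the path is sent to
-- Keycloak's resource_set?matchingUri=true endpoint, mirroring the Java
-- enforcer, which matches on request.getRelativePath() rather than the URI.
local function path_only(request_uri)
    local cut = request_uri:find("[?#]")
    if cut then
        return request_uri:sub(1, cut - 1)
    end
    return request_uri
end

-- Build the query table an HTTP client would send to the UMA
-- resource_set endpoint. `ctx` stands in for APISIX's per-request context:
-- ctx.var.request_uri is the raw path plus query string (nginx $request_uri),
-- ctx.var.uri is the normalized, percent-decoded path alone (nginx $uri).
local function matching_uri_query(ctx, strip_query)
    local uri = ctx.var.request_uri
    if strip_query then
        uri = path_only(uri)
    end
    return { uri = uri, matchingUri = "true" }
end

-- Constructed request matching the reproduction steps:
-- GET /api/items?country=es against a resource registered with URI /api/items
local ctx = {
    var = {
        request_uri = "/api/items?country=es",
        uri = "/api/items",
    },
}

local current  = matching_uri_query(ctx, false)  -- what the report describes today
local expected = matching_uri_query(ctx, true)   -- path only, as the Keycloak PEP does

print("current lookup sends  uri=" .. current.uri)
print("expected lookup sends uri=" .. expected.uri)

-- The registered resource URI is /api/items, so only the stripped form can match.
assert(current.uri ~= "/api/items")
assert(expected.uri == "/api/items")
assert(expected.uri == ctx.var.uri)
```

Stripping from `request_uri` rather than reading `ctx.var.uri` keeps the raw, still-encoded path, which is the closer analogue of the relative path the Java enforcer matches on; `$uri` is already query-free but is also percent-decoded and normalized by nginx, so the two can differ for requests containing encoded characters.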

Environment

  • APISIX version 3.14.1
  • Keycloak 26.4.6

Metadata

Labels: bug (Something isn't working)

Status: 🏗 In progress