Skip to content

fix(authz-keycloak): copy permissions before appending http_method_as_scope#13410

Open
shreemaan-abhishek wants to merge 1 commit into
apache:masterfrom
shreemaan-abhishek:fix/authz-keycloak-method-scope-copy
Open

fix(authz-keycloak): copy permissions before appending http_method_as_scope#13410
shreemaan-abhishek wants to merge 1 commit into
apache:masterfrom
shreemaan-abhishek:fix/authz-keycloak-method-scope-copy

Conversation

@shreemaan-abhishek
Copy link
Copy Markdown
Contributor

@shreemaan-abhishek shreemaan-abhishek commented May 21, 2026

Description

When the authz-keycloak plugin is configured with http_method_as_scope enabled together with a static permissions list, the request method was appended onto conf.permissions in place.

Because the plugin configuration object is reused across requests, the appended method scope accumulated on each subsequent request (e.g. course_resource#GET became course_resource#GET, GET, then course_resource#GET, GET, GET, and so on).

This change copies the permissions list with core.table.clone before deriving the per-request method scope, so the shared plugin config is left untouched. The else branch (permission = conf.permissions) is unchanged. A regression test (t/plugin/authz-keycloak5.t) is added that sends two requests through the same configured route and asserts the derived scope does not accumulate.

Which issue(s) this PR fixes:

Fixes #

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)

@shreemaan-abhishek
fix(authz-keycloak): copy permissions before appending http_method_as…
4fcfa13 
…_scope

When http_method_as_scope is enabled together with a static permissions
list, the request method was appended onto conf.permissions in place.
Because the plugin configuration is reused across requests, the appended
method scope accumulated on each subsequent request. This copies the
permissions list before deriving the per-request method scope, so the
shared config is left untouched. A regression test is added.
@shreemaan-abhishek shreemaan-abhishek mentioned this pull request May 21, 2026
Closed
5 tasks
@shreemaan-abhishek shreemaan-abhishek marked this pull request as ready for review May 21, 2026 06:51
@dosubot dosubot Bot added size:L This PR changes 100-499 lines, ignoring generated files. bug Something isn't working labels May 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@membphis membphis membphis approved these changes

@nic-6443 nic-6443 nic-6443 approved these changes

@AlinsRan AlinsRan AlinsRan approved these changes

Assignees

No one assigned

Labels

bug Something isn't working size:L This PR changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@shreemaan-abhishek @membphis @nic-6443 @AlinsRan