diff --git a/authz-client/src/main/java/org/keycloak/authorization/client/ResourceNotFoundException.java b/authz-client/src/main/java/org/keycloak/authorization/client/ResourceNotFoundException.java
new file mode 100644
index 0000000..c418ba9
--- /dev/null
+++ b/authz-client/src/main/java/org/keycloak/authorization/client/ResourceNotFoundException.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright 2016 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package org.keycloak.authorization.client;
+
+/**
+ * @author Pedro Igor
+ */
+public class ResourceNotFoundException extends RuntimeException {
+
+ public ResourceNotFoundException(Throwable cause) {
+ super(cause);
+ }
+
+ public ResourceNotFoundException(String message, Throwable cause) {
+ super(message, cause);
+ }
+}
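Review bot: The new class carries only an `@author` tag, so callers catching `ResourceNotFoundException` have no statement of when the client raises it; the only hint is the mapping elsewhere in this commit from an HTTP 400 whose body contains `invalid_resource_id`. I would replace the class Javadoc with a summary such as `Thrown when the authorization server reports that a resource referenced by the client no longer exists (e.g. a 400 response with an {@code invalid_resource_id} error), typically meaning a cached resource id is stale and should be re-resolved.` and give each constructor a one-line `@param` description. There is also no `(String message)` constructor, which is unusual for a `RuntimeException` subtype; if that is deliberate, a short note saying the cause is always expected would help.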
diff --git a/authz-client/src/main/java/org/keycloak/authorization/client/util/Throwables.java b/authz-client/src/main/java/org/keycloak/authorization/client/util/Throwables.java
index 016daf2..00121f4 100644
--- a/authz-client/src/main/java/org/keycloak/authorization/client/util/Throwables.java
+++ b/authz-client/src/main/java/org/keycloak/authorization/client/util/Throwables.java
@@ -19,6 +19,7 @@
import java.util.concurrent.Callable;
import org.keycloak.authorization.client.AuthorizationDeniedException;
+import org.keycloak.authorization.client.ResourceNotFoundException;
import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
/**
@@ -85,6 +86,8 @@ public static V retryAndWrapExceptionIfNecessary(Callable callable, Token
}
throw handleWrapException(message, cause);
+ } else if (httpe.getStatusCode() == 400 && new String(httpe.getBytes()).contains("invalid_resource_id")) {
+ throw new ResourceNotFoundException(message, cause);
}
}
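Review bot: `new String(httpe.getBytes())` in the new `else if` decodes the response body with the platform default charset, so the `invalid_resource_id` check can silently fail on a JVM whose default is not UTF-8; use `new String(httpe.getBytes(), StandardCharsets.UTF_8)` (adding the `java.nio.charset.StandardCharsets` import). If `getBytes()` can return `null` for a 400 without a body, the `String` constructor throws a `NullPointerException` that replaces the original error, so a null guard before the `contains` call would be prudent. Matching a substring of the raw body also classifies any 400 that merely mentions `invalid_resource_id` as a missing resource; if the body is the usual JSON error payload, comparing the parsed `error` field would be more precise. The enclosing `retryAndWrapExceptionIfNecessary` starts before and continues after this hunk.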
diff --git a/policy-enforcer/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java b/policy-enforcer/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
index 6c5bc73..0523168 100644
--- a/policy-enforcer/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
+++ b/policy-enforcer/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@@ -41,6 +41,7 @@
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.ClientAuthorizationContext;
import org.keycloak.authorization.client.Configuration;
+import org.keycloak.authorization.client.ResourceNotFoundException;
import org.keycloak.authorization.client.resource.PermissionResource;
import org.keycloak.authorization.client.resource.ProtectionResource;
import org.keycloak.common.util.Base64;
@@ -260,7 +261,16 @@ private AuthorizationContext authorize(HttpRequest request, HttpResponse respons
LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
}
- if (!challenge(pathConfig, methodConfig, request, response)) {
+ boolean challenged;
+ try {
+ challenged = challenge(pathConfig, methodConfig, request, response);
+ } catch (ResourceNotFoundException exception) {
+ LOGGER.debugf("Resource id no existing anymore on server, removing path [%s] from cache and challeging again", pathConfig);
+ pathMatcher.getPathCache().remove(pathConfig.getPath());
+
+ challenged = challenge(getPathConfig(request), methodConfig, request, response);
+ }
+ if (!challenged) {
if (LOGGER.isDebugEnabled()) {
LOGGER.debugf("Challenge not sent, sending default forbidden response. Path [%s]", pathConfig);
}
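Review bot: The retry `challenged = challenge(getPathConfig(request), methodConfig, request, response);` pairs a freshly resolved path configuration with the `methodConfig` that was computed above the hunk, presumably from the stale `pathConfig`; if so, the second challenge evaluates the new path against the old method's settings, and the debug line that follows (`Challenge not sent ... Path [%s]`) still reports the stale `pathConfig`. I would capture the re-resolved config in a local (`PathConfig current = getPathConfig(request);`), re-derive the method configuration from it the same way the first pass does, and use `current` in the later log statements. The debug message also has two typos and reads awkwardly; suggest `"Resource id for path [%s] no longer exists on the server, removing the path from cache and challenging again"`. Note that a `ResourceNotFoundException` thrown by the second `challenge` call propagates out of `authorize`, which may be intended but deserves a comment. The enclosing `authorize` method starts before and ends after this hunk.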