keycloak · ebondu · Jan 16, 2025
diff --git a/authz-client/src/main/java/org/keycloak/authorization/client/ResourceNotFoundException.java b/authz-client/src/main/java/org/keycloak/authorization/client/ResourceNotFoundException.java
@@ -0,0 +1,32 @@
+/*
+ *  Copyright 2016 Red Hat, Inc. and/or its affiliates
+ *  and other contributors as indicated by the @author tags.
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ */
+package org.keycloak.authorization.client;
+
+/**
+ * @author <a href="mailto:[email protected]">Pedro Igor</a>
+ */
+public class ResourceNotFoundException extends RuntimeException {
+
+    public ResourceNotFoundException(Throwable cause) {
+        super(cause);
+    }
+
+    public ResourceNotFoundException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}
diff --git a/authz-client/src/main/java/org/keycloak/authorization/client/util/Throwables.java b/authz-client/src/main/java/org/keycloak/authorization/client/util/Throwables.java
@@ -19,6 +19,7 @@
 import java.util.concurrent.Callable;
 
 import org.keycloak.authorization.client.AuthorizationDeniedException;
+import org.keycloak.authorization.client.ResourceNotFoundException;
 import org.keycloak.authorization.client.representation.TokenIntrospectionResponse;
 
 /**
@@ -85,6 +86,8 @@ public static <V> V retryAndWrapExceptionIfNecessary(Callable<V> callable, Token
                 }
 
                 throw handleWrapException(message, cause);
+            } else if (httpe.getStatusCode() == 400 && new String(httpe.getBytes()).contains("invalid_resource_id")) {
+                throw new ResourceNotFoundException(message, cause);
             }
         }
 

diff --git a/policy-enforcer/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java b/policy-enforcer/src/main/java/org/keycloak/adapters/authorization/PolicyEnforcer.java
@@ -41,6 +41,7 @@
 import org.keycloak.authorization.client.AuthzClient;
 import org.keycloak.authorization.client.ClientAuthorizationContext;
 import org.keycloak.authorization.client.Configuration;
+import org.keycloak.authorization.client.ResourceNotFoundException;
 import org.keycloak.authorization.client.resource.PermissionResource;
 import org.keycloak.authorization.client.resource.ProtectionResource;
 import org.keycloak.common.util.Base64;
@@ -260,7 +261,16 @@ private AuthorizationContext authorize(HttpRequest request, HttpResponse respons
                 LOGGER.debugf("Sending challenge to the client. Path [%s]", pathConfig);
             }
 
-            if (!challenge(pathConfig, methodConfig, request, response)) {
+            boolean challenged;
+            try {
+                challenged = challenge(pathConfig, methodConfig, request, response);
+            } catch (ResourceNotFoundException exception) {
+                LOGGER.debugf("Resource id no existing anymore on server, removing path [%s] from cache and challeging again", pathConfig);
+                pathMatcher.getPathCache().remove(pathConfig.getPath());
+
+                challenged = challenge(getPathConfig(request), methodConfig, request, response);
+            }
+            if (!challenged) {
                 if (LOGGER.isDebugEnabled()) {
                     LOGGER.debugf("Challenge not sent, sending default forbidden response. Path [%s]", pathConfig);
                 }