Hi,
I think there is a problem with the authorization header for Keyrock and the cache. The authorization header is not stored in the cache (only action and resource are) and is in turn not checked on further requests. This leads to the situation, that on a successful request with the legit authorization header, the authorization headers are ignored on further requests and access is granted regardless of the header. Vice versa if the first request was denied, it will be denied again, even if the header is correct on the next request.
Hi,
I think there is a problem with the authorization header for Keyrock and the cache. The authorization header is not stored in the cache (only action and resource are) and is in turn not checked on further requests. This leads to the situation, that on a successful request with the legit authorization header, the authorization headers are ignored on further requests and access is granted regardless of the header. Vice versa if the first request was denied, it will be denied again, even if the header is correct on the next request.