Describe the bug
Here is the app's policy enforcer configuration:

```yaml
quarkus:
  keycloak:
    policy-enforcer:
      paths:
        tenant-resource:
          path: /{ver}/tenants/{id}
          methods:
            get:
              method: GET
              scopes:
                - scope:omg:view
```

and

```yaml
quarkus:
  keycloak:
    policy-enforcer:
      enable: true
      lazy-load-paths: true
      http-method-as-scope: false
```
The client makes the request `GET /v1/tenants/{id}` and gets 403 Forbidden.
But while debugging I found a permission in the client's authorization token:
```json
{
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "scope:omg:admin",
          "scope:omg:manage",
          "scope:omg:view"
        ],
        "rsid": "4309b76b-d627-4cc3-a9fb-4afc04f60e35",
        "rsname": "resource:omg:tenant:1"
      }
    ]
  }
}
```
Essential corresponding Keycloak resource parameters:
name: resource:omg:tenant:1
URIs: /{ver}/tenants/1/*
I checked the library code and it seems it skips loading the resource from the server in this line, since my configuration doesn't have "*" in the path (and the path config is still valid).
So the enforcer continues its execution and is unable to match grantedPermission with actualPathConfig (which doesn't have an id) in line
Is this a bug or expected behaviour, and should I configure Keycloak/the app some other way?
Version
keycloak-policy-enforcer-26.0.6.jar
Expected behavior
Policy enforcer should refresh pathconfig and match granted permissions with it.
Actual behavior
403 Forbidden
How to Reproduce?
No response
Anything else?
An interesting point is that after some time (likely the cache invalidation interval), the path configuration is updated from the server and the application is then able to handle the request with a 200 response
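The mismatch described in this report can be seen in a small model of how an enforcer matches a request path to a path config and then matches that path config to the token's granted permissions. This is an added example written for illustration, not Keycloak's or Quarkus's code, and it simplifies: path templates are matched segment by segment, the `refresh_path_config` flag stands in for whatever condition the real enforcer uses to decide whether to fetch the resource from the server, and the resource, token and path values are constructed to mirror the ones in the report.

```python
"""Simplified model of policy-enforcer path matching (constructed example, not Keycloak code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    """A protected resource as registered on the authorization server (constructed sample)."""
    id: str
    name: str
    uris: List[str]


@dataclass
class PathConfig:
    """One entry of the enforcer's paths: a template plus the scopes required per HTTP method."""
    path: str
    scopes_by_method: Dict[str, Set[str]]
    resource_id: Optional[str] = None  # unknown until resolved against the server


@dataclass
class Permission:
    """One entry of token["authorization"]["permissions"]."""
    rsid: str
    rsname: str
    scopes: Set[str]


def path_matches(template: str, request_path: str) -> bool:
    """Segment-wise match: {placeholder} matches one segment, a trailing * matches the rest."""
    t_segs = template.strip("/").split("/")
    r_segs = request_path.strip("/").split("/")
    for i, seg in enumerate(t_segs):
        if seg == "*":
            return True
        if i >= len(r_segs):
            return False
        if seg.startswith("{") and seg.endswith("}"):
            continue
        if seg != r_segs[i]:
            return False
    return len(t_segs) == len(r_segs)


def resolve_resource(resources: List[Resource], request_path: str) -> Optional[Resource]:
    """Server-side lookup: the registered resource whose URI covers the request path, if any."""
    for res in resources:
        if any(path_matches(uri, request_path) for uri in res.uris):
            return res
    return None


def enforce(config: PathConfig, method: str, request_path: str,
            permissions: List[Permission], resources: List[Resource],
            refresh_path_config: bool) -> int:
    """Return the HTTP status this model produces for the request.

    refresh_path_config=False reproduces the reported behaviour: the path config never
    gets a resource id, so a granted permission (keyed by rsid) can never match it.
    refresh_path_config=True is the expected behaviour: resolve the resource first.
    """
    if not path_matches(config.path, request_path):
        return 404
    if config.resource_id is None and refresh_path_config:
        res = resolve_resource(resources, request_path)
        if res is not None:
            config.resource_id = res.id
    required = config.scopes_by_method.get(method, set())
    for perm in permissions:
        if perm.rsid == config.resource_id and required <= perm.scopes:
            return 200
    return 403


# Constructed sample data mirroring the report
TENANT1_ID = "4309b76b-d627-4cc3-a9fb-4afc04f60e35"
SERVER_RESOURCES = [Resource(TENANT1_ID, "resource:omg:tenant:1", ["/{ver}/tenants/1/*"])]
TOKEN_PERMISSIONS = [Permission(TENANT1_ID, "resource:omg:tenant:1",
                                {"scope:omg:admin", "scope:omg:manage", "scope:omg:view"})]


def make_config() -> PathConfig:
    return PathConfig("/{ver}/tenants/{id}", {"GET": {"scope:omg:view"}})


def reported_behaviour() -> int:
    # path config is never refreshed, so its resource id stays None and nothing matches
    return enforce(make_config(), "GET", "/v1/tenants/1", TOKEN_PERMISSIONS,
                   SERVER_RESOURCES, refresh_path_config=False)


def expected_behaviour() -> int:
    # resource is resolved from the server first, then the granted permission matches
    return enforce(make_config(), "GET", "/v1/tenants/1", TOKEN_PERMISSIONS,
                   SERVER_RESOURCES, refresh_path_config=True)


def other_tenant() -> int:
    # the token grants tenant 1 only; tenant 2 must stay forbidden even after a refresh
    return enforce(make_config(), "GET", "/v1/tenants/2", TOKEN_PERMISSIONS,
                   SERVER_RESOURCES, refresh_path_config=True)


if __name__ == "__main__":
    print(reported_behaviour(), expected_behaviour(), other_tenant())
```

The useful check when debugging a 403 of this kind is the middle step: a path config that matches the request but carries no resource id cannot be satisfied by any permission, however many scopes the token holds, because the comparison is made on `rsid`, not on the path. The `other_tenant` case also shows that resolving the resource on demand does not widen access: a request for a resource the token does not cover still resolves to no id and is refused.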