From de8057d10ca4cc83536ec7ee7e094da66a6c547c Mon Sep 17 00:00:00 2001
From: Chris Larson
Date: Wed, 22 Apr 2026 13:32:27 -0600
Subject: [PATCH] Fix JWT request-resource-path to include query string
The extractResourcePath method was stripping query parameters from the request target before signing the JWT. This causes UNAUTHORIZED_USER 401 errors on endpoints that require query params (e.g. GET /uw/v1/applications?status=New) because the signed path no longer matches the actual request URL. Return the full request_target as-is so the signed path exactly matches the URL the server receives.
---
 lib/AuthenticationSDK/authentication/jwt/JwtToken.rb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/AuthenticationSDK/authentication/jwt/JwtToken.rb b/lib/AuthenticationSDK/authentication/jwt/JwtToken.rb
index 422c0939..03bdb315 100644
--- a/lib/AuthenticationSDK/authentication/jwt/JwtToken.rb
+++ b/lib/AuthenticationSDK/authentication/jwt/JwtToken.rb
@@ -105,10 +105,10 @@ def getHeaderClaimSet(jwt_cert_obj)
 def extractResourcePath(request_target)
 return '' if request_target.nil? || request_target.empty?
-
- # Split the string to remove the query params
- parts = request_target.split('?', 2)
- return parts[0]
+
+ # Visa UAPI requires the full path including query string in request-resource-path.
+ # The signed path must exactly match the actual request URL or the server rejects with UNAUTHORIZED_USER.
+ request_target
 end
 implements TokenInterface
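Review bot: `extractResourcePath` now returns `request_target` untouched, so the signed request-resource-path claim is only correct when the caller passes the target byte-for-byte as it goes on the wire, and nothing in the hunk states or checks that. If the HTTP layer percent-encodes, reorders or appends query parameters after the token is built (the callers are outside this hunk, so this is unconfirmed), the claim and the real URL will diverge and the server will reject the request just as it did before this patch. The new comment should spell out that contract, e.g. `# request_target must be the final, already-encoded path and query exactly as sent; build the URL first, then sign.` JWT claims are only base64url-encoded, so query-string values now become readable to anything that logs or stores the token; it is worth confirming that no endpoint carries secrets or personal data in query parameters. The change is unconditional for every caller of this method, not only the endpoints named in the commit message, so targets that previously relied on a path-only claim should be re-tested.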