We are currently configuring authorization to deny/allow access to certain resources. However, we can always access the resources that are limited to certain users only.
I’m having this issue as well. I’ve been able to set up an authorization flow using Permission -> Policy -> Resource, and can evaluate users to be Permitted or Denied to the resource, but when they try to access the resource they are always able to access it.
Were you able to solve this?
My instance was discussed here, resulting in the following answer:
You may also take a look at the Client Authorization Extension. See https://www.keycloak.org/extensions.html. Note that this is not supported by us but an extension provided by our community.
The Authorization Services capabilities are mainly about enforcing access to protected resources in your application after the user is authenticated. That is why you need to enable the policy enforcer.
I will look into the Client Authorization Extension; maybe it is right for you as well if this is still an issue.
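The quoted answer says that a Permit/Deny evaluation only takes effect once the application enforces it. The sketch below is an added example, not code from this thread or from the Keycloak project: it asks Keycloak's token endpoint for a decision (UMA grant type with `response_mode=decision`) before running a handler, and denies on anything other than an explicit permit. The host, realm, client and resource names are placeholders, and the URL path without an `/auth` prefix is an assumption about the deployment.

```python
import json
from urllib import parse, request, error

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def decision_request(base_url, realm, client_id, resource, scope=None):
    """Build the token-endpoint URL and form body for a permit/deny decision."""
    url = f"{base_url.rstrip('/')}/realms/{parse.quote(realm)}/protocol/openid-connect/token"
    permission = resource if scope is None else f"{resource}#{scope}"
    form = {
        "grant_type": UMA_GRANT,
        "audience": client_id,        # resource-server client that owns the policies
        "permission": permission,     # "resource" or "resource#scope"
        "response_mode": "decision",  # ask for {"result": true} instead of an RPT
    }
    return url, form

def http_post(url, form, access_token):
    """Default transport; returns (status, body_text). Swappable for tests."""
    req = request.Request(url, data=parse.urlencode(form).encode(),
                          headers={"Authorization": f"Bearer {access_token}"})
    try:
        with request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as e:
        return e.code, e.read().decode()

def is_permitted(status, body):
    """Fail closed: only HTTP 200 with {"result": true} counts as a permit."""
    if status != 200:
        return False
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False

def enforce(access_token, resource, scope, handler, post=http_post,
            base_url="https://keycloak.example", realm="demo", client_id="my-api"):
    """Run `handler` only if Keycloak permits; returns (http_status, payload)."""
    url, form = decision_request(base_url, realm, client_id, resource, scope)
    try:
        status, body = post(url, form, access_token)
    except OSError:  # unreachable server or timeout is treated as a denial
        return 503, "authorization server unreachable"
    if not is_permitted(status, body):
        return 403, "forbidden"
    return 200, handler()
```

Without a check like this (or a policy enforcer doing the equivalent) in the request path, the policies are evaluated in the admin console but never consulted when the resource is served.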