Keycloak policy-enforcer, strange behaviour scope based policy

Hi guys,
We’re experiencing a strange behaviour during our tests of our authorization policies.
I’ve defined a resource in the policy adapter as follows:

{
  "name": "test",
  "path": "/test/{id}/test",
  "methods": [
    {
      "method": "GET",
      "scopes": [
        "list_test_scope"
      ]
    }
  ],
  "claim-information-point": {
    "claims": {
      "organization": "{request.relativePath}"
    }
  }
}

Then, in Keycloak, I’ve defined:

  • the scope list_test_scope
  • a role-based policy
  • a resource named “test” with the URI /test/{id}/test
  • a permission associating the resource, the scope and the policy

Everything works fine when I make a GET request to the endpoint: if the user has the role, he can access the endpoint, otherwise he receives a 403. But if I make another request to the same endpoint with a different HTTP method, like a POST, nothing blocks me: I can reach the endpoint and I receive a 405 - Method Not Allowed (this is due to the fact that I’ve not defined the operation on the endpoint). Why am I not receiving a 403 error in this case? Shouldn’t the user be blocked by the fact that this method is not mapped / the user does not have the scope?

I’ve already read the following post: https://lists.jboss.org/pipermail/keycloak-user/2019-February/017174.html
But removing the resource from the permission doesn’t work. I’m still experiencing the same behaviour (I don’t know if something related to the cache is not working well).

Can you help us please?
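As an added example (not part of the original post, and not Keycloak's own code), here is a small audit script that reads a policy-enforcer configuration and reports, for every path that maps scopes per HTTP method, which methods have no scoped entry. It encodes what the post describes: a method that is not listed under "methods" carries no scope requirement, so it deserves a second look. The sample config is the one from the post, made valid JSON and wrapped in the "policy-enforcer" / "paths" structure of a keycloak.json; the list of expected methods and the hardened variant with every method scoped are constructed assumptions for the demonstration.

```python
import json

# Constructed sample: the adapter config from the question, made valid JSON
# and wrapped in the policy-enforcer section it would live in (assumed shape).
SAMPLE_CONFIG = """
{
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "test",
        "path": "/test/{id}/test",
        "methods": [
          {"method": "GET", "scopes": ["list_test_scope"]}
        ],
        "claim-information-point": {
          "claims": {"organization": "{request.relativePath}"}
        }
      }
    ]
  }
}
"""

# Constructed hardened variant: every method the endpoint could receive gets
# an explicit scope (scope names are assumptions), so nothing is left unmapped.
HARDENED_CONFIG = """
{
  "policy-enforcer": {
    "enforcement-mode": "ENFORCING",
    "paths": [
      {
        "name": "test",
        "path": "/test/{id}/test",
        "methods": [
          {"method": "GET",    "scopes": ["list_test_scope"]},
          {"method": "POST",   "scopes": ["create_test_scope"]},
          {"method": "PUT",    "scopes": ["update_test_scope"]},
          {"method": "PATCH",  "scopes": ["update_test_scope"]},
          {"method": "DELETE", "scopes": ["delete_test_scope"]}
        ]
      }
    ]
  }
}
"""

# Methods we expect an adapter config to account for explicitly (assumption).
EXPECTED_METHODS = ("GET", "POST", "PUT", "PATCH", "DELETE")


def find_method_gaps(config, expected_methods=EXPECTED_METHODS):
    """Return {path: [methods]} for each path that scopes some methods but
    leaves others either unlisted or listed with an empty scope list."""
    enforcer = config.get("policy-enforcer", {})
    gaps = {}
    for path_cfg in enforcer.get("paths", []):
        methods = path_cfg.get("methods") or []
        if not methods:
            continue  # no per-method mapping: path-level rules apply to all verbs
        mapped = {m.get("method", "").upper(): m.get("scopes") or [] for m in methods}
        missing = [verb for verb in expected_methods
                   if verb not in mapped or not mapped[verb]]
        if missing:
            gaps[path_cfg.get("path", path_cfg.get("name", "?"))] = missing
    return gaps


def enforcement_mode(config):
    """Effective enforcement mode; Keycloak documents ENFORCING as the default."""
    return config.get("policy-enforcer", {}).get("enforcement-mode", "ENFORCING").upper()


def audit(config_text):
    """Parse a keycloak.json-style config and summarise the findings."""
    config = json.loads(config_text)
    return {"enforcement-mode": enforcement_mode(config),
            "method-gaps": find_method_gaps(config)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CONFIG), indent=2))
    print(json.dumps(audit(HARDENED_CONFIG), indent=2))
```

Run against the post's config, the audit reports POST, PUT, PATCH and DELETE as unscoped on /test/{id}/test; against the hardened variant it reports no gaps. The script does not talk to Keycloak and makes no claim about the adapter's internals; it is a configuration lint to run before deploying, so that each method an endpoint exposes has a deliberate scope rather than an accidental omission.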

@reste85
Did you get a resolution for this issue? I am facing the same: if I have a scope permission for a specific HTTP method and try to access the other HTTP methods, Keycloak is not complaining and uses the non-HTTP-method scope to bypass authz.

No, unfortunately. I’m sorry.

I am quite new to Keycloak as well, but a possible explanation for this behavior could be that your “Policy Enforcing Mode” is set to “Permissive”. Is this the case?