Keyclock return 403 instead of 401 for unauthenticated requests when enabling policy enforcer config. When removing policy enforcer config it returns 401

Securing applications
1

Keyclock return 403 instead of 401 for unauthenticated requests when enabling policy enforcer config. When removing policy enforcer config it returns 401.

with this config am getting a 403 empty response.

keycloak:
  realm: ${KEYCLOAK_REALM}
  auth-server-url: ${KEYCLOAK_AUTH_SERVER_URL}
  ssl-required: external
  resource: ${KEYCLOAK_CLIENT_ID}
  credentials.secret: ${KEYCLOAK_CLIENT_SECRET}
  use-resource-role-mappings: true
  cors: true
  public-client: false
  bearer-only: true
  policy-enforcer-config:
    lazy-load-paths: true
    http-method-as-scope: true
    path-cache-config:
      max-entries: 1000
      lifespan: 1000
    paths:
      - name: Insecure Resource
        path: /
        enforcement-mode: DISABLED
      - name: Swagger UI
        path: /swagger-ui/*
        enforcement-mode: DISABLED
      - name: Swagger Resources
        path: /swagger-resources/*
        enforcement-mode: DISABLED
      - name: Swagger api Resources
        path: /api-docs
        enforcement-mode: DISABLED
  securityConstraints:
    - authRoles:
       - '*'
      securityCollections:
        - name: protected
          patterns:
            - '/v1/*'
            - '/intranet/*'

if I remove policy enforcer like this

keycloak:
  realm: ${KEYCLOAK_REALM}
  auth-server-url: ${KEYCLOAK_AUTH_SERVER_URL}
  ssl-required: external
  resource: ${KEYCLOAK_CLIENT_ID}
  credentials.secret: ${KEYCLOAK_CLIENT_SECRET}
  use-resource-role-mappings: true
  cors: true
  public-client: false
  bearer-only: true
#  policy-enforcer-config:
#    lazy-load-paths: true
#    http-method-as-scope: true
#    path-cache-config:
#      max-entries: 1000
#      lifespan: 1000
#    paths:
#      - name: Insecure Resource
#        path: /
#        enforcement-mode: DISABLED
#      - name: Swagger UI
#        path: /swagger-ui/*
#        enforcement-mode: DISABLED
#      - name: Swagger Resources
#        path: /swagger-resources/*
#        enforcement-mode: DISABLED
#      - name: Swagger api Resources
#        path: /api-docs
#        enforcement-mode: DISABLED
  securityConstraints:
    - authRoles:
       - '*'
      securityCollections:
        - name: protected
          patterns:
            - '/v1/*'
            - '/intranet/*'

returns 401

{
    "timestamp": "2021-10-05T11:25:33.116+0000",
    "status": 401,
    "error": "Unauthorized",
    "message": "No message available",
    "path": "/v1/approve-documents"
}

The policy enforcement is happening for all request even its not authenticated or not. How return 401 if token is invalid or missing.

complete code GitHub - prajintst/keyclock-permissions