I want to implement fine-grained access to my app.
In the app client in KC I’ve created resource, added several scopes to it (Create, Delete etc) and created several permissions based on groups user participates.
Am I right that the correct way to use resources is when my app http://localhost/myApp has a page like localhost/myApp/Orders and these orders can be created or viewed - I need to create a Orders resource with url of baseappUrl/myApp/orders/* and when I go to something like localhost/myApp/orders/create - a Create permission will fire which will check (based on the appropriate policy) that user belongs to OrdersCreators group and permits access to /localhost/myApp/orders/create?
How does it work? Why will my app go to the KC to ask if a user has a permission to go to the orders-create page?
Thanks in advance