[keycloak-user] Why does scope permission denial affect the whole resource availability?

Artem Voskoboynick tema.voskoboynick at gmail.com
Sun Jul 3 15:16:38 EDT 2016


I have a resource and a few scopes associated with the resource.
Both the resource and the scope have permissions associated with them.

It seems logical that if one of the resource permissions resolves to DENY,
the whole resource is denied for the user.
But why does the same happen with scope permissions?

As I understood from the documentation, scopes are verbs that can act upon
a resource. So if a user isn't authorized to perform one of the verbs (one
of the scopes), the user should still have access to the resource itself,
if the resource permissions allow, but it doesn't seem to work this way.
I expected to automatically block users that are not authorized for the
resource. For the rest of the users I expected to check each scope
programmatically for availability of the corresponding actions (resource:view,
resource:edit, etc.).

I used the "hello-world-authz-service" example (Keycloak server
configuration and the application code) with a few changes (added scopes)
to check it. Didn't work - access denied if one of the scope permissions
fails.