Hi Keycloak users!
I have a question about using scope and resource permissions to protect my resources.
To me it seems that Keycloak is granting broader authorization entitlements than I
specified with the policies & permissions - a security issue from my point of
view.
For example, Keycloak - according to the entitlement token of a user - grants access to a
resource and ALL its scopes, even if I only specified a permission to access ONE
scope on that resource for that user (with a policy).
Is it wrong to assume that the user should only have access to the one scope?
Another issue is that Keycloak grants access to a resource and ALL its scopes, even if I
only specified a permission to access that resource for that user (with a policy),
without a scope.
Is the assumption wrong that the user should only know about the resource but not the
scopes?
Or is my understanding of how to handle the authorization entitlements for resources and
their scopes with keycloak wrong?
What would be the best practice to secure the resources and their scopes?
Here I describe the scenario & point to a live example:
_ The scenario _
Created Entities:
User: Marta
Policy: Policy-IsUser-Marta
Scopes: read, write, execute
Resource: resource-a (with all three scopes)
Resource: resource-c (with all three scopes)
Resource-Permission: resource-c -> Policy-IsUser-Marta
Scope-Permission: resource-a + scope read -> Policy-IsUser-Marta
Retrieve entitlements:
Get your (Marta's) entitlement token and check the granted permissions - they are:
- resource-a -> read + write + execute
- resource-c -> read + write + execute
What I would expect:
- resource-a -> read
- resource-c -> (no scopes)
_ Sample Project _
I created a sample to see it live in action:
https://github.com/kklimpfi/keycloak-scenarios
It contains a keycloak-migration.json with some sample data (in the master realm) + a Java
application that retrieves the permissions.
You can clone it and try it (configure the setup script for importing and pass the system
property for the Java application to its configuration).
(Using Keycloak-2.5.4.Final standalone on Windows 7, should also work on Linux)
kind regards,
Koloman
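As an added check for the scenario above (this is not code from the post or from the keycloak-scenarios repository): the script below decodes the RPT that the entitlement endpoint returns, collects the scopes granted per resource, and diffs them against the permissions the policy author intended, so "what I would expect" becomes an assertion rather than something to eyeball. The token is a constructed, unsigned sample with the claims the post describes; the claim names `authorization.permissions[].resource_set_name` / `scopes` are those of Keycloak 2.x RPTs, and the parser also accepts the abbreviated `rsname`/`rsid` keys that later releases use (an assumption about naming, not verified against 2.5.4 here).

```python
import base64
import json

# Constructed sample, NOT a real token: the claims an RPT would carry in the
# scenario from the post (Marta granted read+write+execute on resource-a and
# resource-c). Claim names follow Keycloak 2.x ("resource_set_name"); newer
# releases abbreviate them to "rsname"/"rsid", which the parser also accepts
# (assumed naming). Resource ids are made up.
SAMPLE_CLAIMS = {
    "preferred_username": "marta",
    "authorization": {
        "permissions": [
            {"resource_set_id": "11111111-aaaa", "resource_set_name": "resource-a",
             "scopes": ["read", "write", "execute"]},
            {"resource_set_id": "33333333-cccc", "resource_set_name": "resource-c",
             "scopes": ["read", "write", "execute"]},
        ]
    },
}

# What the permissions configured in the post should yield: one scope on
# resource-a, and resource-c with no scopes (resource-level permission only).
EXPECTED = {"resource-a": {"read"}, "resource-c": set()}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_unsigned_rpt(claims: dict) -> str:
    """Build a compact JWT with alg=none so the audit can run offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        "",
    ])


SAMPLE_RPT = build_unsigned_rpt(SAMPLE_CLAIMS)


def decode_claims(rpt: str) -> dict:
    """Return the payload of a compact JWT. This does NOT verify the signature:
    in production, verify the RPT against the realm's public key first."""
    parts = rpt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> dict:
    """Map each resource in authorization.permissions to the set of scopes
    the RPT grants on it (a resource-only grant yields an empty set)."""
    granted = {}
    for perm in claims.get("authorization", {}).get("permissions", []):
        name = (perm.get("resource_set_name") or perm.get("rsname")
                or perm.get("resource_set_id") or perm.get("rsid"))
        granted.setdefault(name, set()).update(perm.get("scopes") or [])
    return granted


def over_grants(granted: dict, expected: dict) -> dict:
    """Scopes present in the RPT beyond what the policy author intended.
    A resource missing from `expected` entirely is reported with every scope
    it carries plus the marker "*" for the resource grant itself."""
    excess = {}
    for resource, scopes in granted.items():
        if resource not in expected:
            excess[resource] = scopes | {"*"}
            continue
        extra = scopes - expected[resource]
        if extra:
            excess[resource] = extra
    return excess


def audit(rpt: str, expected: dict) -> dict:
    """Decode an RPT and return the per-resource over-grants."""
    return over_grants(granted_scopes(decode_claims(rpt)), expected)


if __name__ == "__main__":
    for resource, scopes in sorted(audit(SAMPLE_RPT, EXPECTED).items()):
        print(f"{resource}: over-granted scopes {sorted(scopes)}")
```

Run against the sample, the audit reports write and execute as over-granted on resource-a and all three scopes on resource-c, which is exactly the gap between the two lists in the post. To use it with a real token, pass the RPT string from the entitlement response instead of SAMPLE_RPT, and verify the token's signature before acting on any of its claims; the decoder here deliberately trusts the payload so it can run without a realm key.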