[keycloak-user] Keycloak policy enforcer for bearer-only client

Hi. I am developing a Node.js web app that uses Keycloak as authentication service. I already have two clients: public client for the web app (app-web) and bearer-only for the API (app-api). On the app-api I use resources, scopes, policies, and permissions to control the access. To check the permissions, I am using the keycloak.enforcer(...) from the keycloak-connectmodule (npm keycloak-connect <https://www.npmjs.com/package/keycloak-connect>). When I try to check permission, the server always returns 403 Access denied response. But if I change app-api from bearer-only to confidential (keeping the same keycloak.json configuration file), the client works fine and is capable to check permissions. This problem seems to be because a bearer-only client cannot obtain tokens from the server (keycloak similar question <http://keycloak-user.88327.x6.nabble.com/keycloak-user-can-we-use-authori... ). My question is: Is this a normal behavior of Keycloak? Why allow the Authorization tab in bearer-only clients if you cannot use the keycloak.enforcer? Am I missing some configuration? Thanks for your help. Stackoverflow question: https://stackoverflow.com/questions/56906984/keycloak-policy-enforcer-bea...