[keycloak-user] Incorrect UMA Policy Evaluation

Hi, I’m using the protection API to manage UMA policies for my Keycloak resources. However, I get false-positive results when requesting permissions for a resource via the token endpoint. Example: I have a resource with ID “dataset-42” and two scopes “view” and “delete”. I create a UMA policy granting my user “view” access to this resource. If I now call the token endpoint (as suggested in [1]) to obtain permissions for the “delete” scope by setting: response_mode=permissions permission=dataset-42#delete , I get the following (confusing) result: [{ "scopes": ["view"], "rsid": "dataset-42", "rsname": "urn:atlas-api:resources:dataset:42" }] When setting “response_mode=decision”, I get: { "result": true } There is no policy that gives my user access to the “delete” scope anywhere, so shouldn’t I get a negative result here? Links: [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_s... Thanks, Marco