Hi,
I’m relatively new to KC but I’ve read a lot of documentation in the past few days and I
managed to get an (almost) working POC.
An overview can be found here [1]
The setup is fairly easy, we just want to authenticate some web services (HTML).
The components used are all docker containers:
- OpenResty Cluster 1.13.6.2-1 (Keepalived + GlusterFS) with lua-resty-openidc
- Keycloak Cluster 6.0.1
- PostgreSQL Cluster 9.6.12
- Nginx for the web services
In KC, I created a client “metropolis” [2] and a user “ckent”. Whenever I call the
protected URL I get redirected to KC, can authenticate and I’m landing on the web service
page. So far so good.
Now, I just wanted to see what happens if I negate the default policy:
// by default, grants any permission associated with this policy
$evaluation.grant();
<negate>
A quick evaluation shows following:
Default Resource
Result
DENY
Scopes
No scopes available.
Policies
• Default Permission decision was DENY by UNANIMOUS decision.
• Default Policy voted to DENY.
According to the results, I should not be able to access the resource anymore, right? But
this doesn’t happen, I’m still able to login (after killing the session in KC). What am I
missing?
Here [3] is the openresty config.
Any hints are much appreciated.
Thanks
[1]
https://i.imgur.com/z3E6Fn2.jpg
[2]
https://i.imgur.com/J15kXFG.png
[3]
https://pastebin.com/7zfHePYK
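Added example, not code from the post or its linked openresty config: lua-resty-openidc's authenticate() only performs OIDC login, so a DENY from the Default Policy is never consulted by the proxy unless it also asks Keycloak's token endpoint for a permission decision. The realm name, Keycloak URL, and the KC_CLIENT_SECRET environment variable below are assumptions; the client "metropolis" and resource "Default Resource" are from the post.

```lua
-- access_by_lua_block body for the protected location (added example, assumptions marked).
local openidc = require("resty.openidc")
local http    = require("resty.http")      -- lua-resty-http, assumed installed
local cjson   = require("cjson.safe")

local kc_base   = "https://keycloak.example.test/auth/realms/myrealm"  -- assumed realm/URL
local client_id = "metropolis"
local secret    = os.getenv("KC_CLIENT_SECRET")  -- assumed; needs `env KC_CLIENT_SECRET;` in nginx.conf

-- 1. Authentication only: redirects to Keycloak and returns the tokens, but never
--    evaluates the policies/permissions configured under the client's Authorization tab.
local res, err = openidc.authenticate({
  redirect_uri  = "/redirect_uri",
  discovery     = kc_base .. "/.well-known/openid-configuration",
  client_id     = client_id,
  client_secret = secret,
})
if err then
  ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
  ngx.say(err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

-- 2. Authorization: request a decision for "Default Resource" via the UMA grant.
--    This is the step where a DENY from the policy evaluation tool takes effect.
local httpc = http.new()
local tok, terr = httpc:request_uri(kc_base .. "/protocol/openid-connect/token", {
  method     = "POST",
  ssl_verify = true,
  headers    = {
    ["Content-Type"]  = "application/x-www-form-urlencoded",
    ["Authorization"] = "Bearer " .. res.access_token,
  },
  body = ngx.encode_args({
    grant_type    = "urn:ietf:params:oauth:grant-type:uma-ticket",
    audience      = client_id,
    permission    = "Default Resource",
    response_mode = "decision",
  }),
})

-- Keycloak answers 200 {"result":true} when granted and 403 when the policy denies;
-- any transport error or unexpected body is treated as deny (fail closed).
local decision = tok and cjson.decode(tok.body)
if terr or tok.status ~= 200 or not (decision and decision.result == true) then
  ngx.log(ngx.WARN, "permission denied for Default Resource: ", terr or tok.status)
  return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- fall through: the request continues to the proxied web service
```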