Hi guys, We're experiencing a strange behaviour during our tests on our authorization policies. I've defined a resource in the policy adapter as the following: { "name": "test", "path": "/test/{id}/test", "methods": [ { "method": "GET", "scopes": [ "list_test_scope" ] } ], "claim-information-point": { "claims": { "organization": "{request.relativePath}" } } Then, in Keycloak, i've defined: - the scope list_test_scope - a role based policy - a resource named "test" with the uri /test/{id}/test - a permission associating the resource, the scope and the policy Everything works fine when i make a GET request to the endpoint: if the user has the role, he can access the endpoint, otherwise he receives a 403. But, if i make another request to the same endpoint with a different HTTP method, like a POST, nothing blocks me: i can reach the endpoint and i receive a 405 - Method not allowed (this due to the fact that i've not defined the operation on the endpoint). Why i'm not receiving a 403 error in this case? Shouldn't the user be blocked by the fact that this method is not mapped / the user has not the scope? I've already read the following post: https://lists.jboss.org/pipermail/keycloak-user/2019-February/017174.html But removing the resource from the permission doesn't work. Still i'm experiencing the same behaviour (i don't know if something related to the cache is not working well). Can you help us please? -- Like <https://www.facebook.com/cuebiq/> I Follow <https://twitter.com/Cuebiq>I Connect <https://www.linkedin.com/company/cuebiq> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.