Hi.
I try to get warm with keycloak. So I created a test project that uses KeycloakOIDCFilter
to secure a servlet request (a vaadin UI).
Basically it's working. Now I want to add some portions of the UI only visible to
users granted permission to a certain scope.
So I set up:
* client (named test-context) is configured for authorization
* A resource (admin-ui) with associated scopes urn:test-project:article:view and
urn:test-project:article:create.
* two realm roles: admin and user
* two users (test, admin), one of them (test) having role user, the other (admin) having
both admin and user roles
* auth settings: policy enforcement mode: enforcing (also added
"policy-enforcer": {} in keycloak.json)
* Two policies:
- Admin policy: type role, roles: admin (required)
- User policy: type role, roles: user
* Two scope permissions bound to the resource admin-ui.
- Article Create Permission: resource: admin-ui, scopes:
urn:test-project:article:create, policy: Admin policy, unanimous
- Admin UI View Permission: resource: admin-ui, scopes: urn:test-project:article:view,
policy User policy, unanimous
* A resource permission granting access to the resource itself using Default Permission
(js, grant all)
Admin user is working fine and testing for scope membership using authzClient is working
fine as well.
However, when I try to access the page with user 'test', the user is denied access
due to AbstractPolicyEnforcer. In method authorize() it always passes the requiredScopes
variable to isAuthorized(...). This variable is ALWAYS filled with all scopes associated
with the resource. These are taken from the pathConfig, which always yields both associated
scopes.
Of course, user 'test' has only been granted permission to scope
urn:test-project:article:view following the authorization setup, thus failing the grant
although the evaluator is returning PERMIT with scopes (urn:testproject:article:view) as
expected:
{
  "jti": "8d805d7e-f2bf-485c-ad9e-9ca397903f6c",
  "exp": 1507127243,
  "nbf": 0,
  "iat": 1507126943,
  "aud": "test-context",
  "sub": "dccb9a67-5a45-4c15-bcee-3c1db26c16f0",
  "typ": "Bearer",
  "azp": "test-context",
  "auth_time": 0,
  "session_state": "6623b31b-9c5c-4e87-a882-21ab8d72c2a8",
  "acr": "1",
  "allowed-origins": [
    "http://"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {},
  "authorization": {
    "permissions": [
      {
        "scopes": [
          "urn:testproject:article:view"
        ],
        "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
        "resource_set_name": "Admin UI"
      }
    ]
  },
  "name": "Test Tester",
  "preferred_username": "test",
  "given_name": "Test",
  "family_name": "Tester",
  "email": "test(a)bla.de"
}
I'm using keycloak 3.2.1.FINAL on karaf 4.1.2.
Please help!
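The following is an added example, not code from the post or from Keycloak: it models the decision the message describes so the two interpretations can be compared side by side. It takes the RPT payload quoted above as sample input and contrasts a check that demands every scope associated with the resource (the behaviour the poster reports from AbstractPolicyEnforcer) with a check that only demands the scope a given request needs. The PATH_CONFIG mapping and the function names are assumptions made for the illustration; the scope spelling follows the RPT in the post.

```python
"""Added example (not Keycloak's code): models the scope check the post describes.

A policy enforcer decides per request whether the scopes granted in the caller's
RPT cover the scopes tied to the requested path. This script contrasts the
behaviour the poster reports (every scope associated with the resource is
required) with a per-scope check, using the RPT from the post as sample input.
"""
from typing import Dict, Set

# Sample input: the relevant fields of the decoded RPT quoted in the post
# (constructed from it; the scope spelling follows the RPT, not the config text).
RPT: Dict = {
    "aud": "test-context",
    "preferred_username": "test",
    "realm_access": {"roles": ["uma_authorization", "user"]},
    "authorization": {
        "permissions": [
            {
                "scopes": ["urn:testproject:article:view"],
                "resource_set_id": "a9d034f3-0ea4-4c96-b314-6ce544bf01b8",
                "resource_set_name": "Admin UI",
            }
        ]
    },
}

# Hypothetical path configuration, modelled after the pathConfig the post mentions:
# one protected path mapped to the resource and both of its associated scopes.
PATH_CONFIG: Dict[str, Dict] = {
    "/admin-ui": {
        "resource": "Admin UI",
        "scopes": ["urn:testproject:article:view", "urn:testproject:article:create"],
    }
}


def granted_scopes(rpt: Dict, resource_name: str) -> Set[str]:
    """Collect the scopes the RPT grants on the named resource (empty if none)."""
    scopes: Set[str] = set()
    for perm in rpt.get("authorization", {}).get("permissions", []):
        if perm.get("resource_set_name") == resource_name:
            scopes.update(perm.get("scopes", []))
    return scopes


def authorized_all_required(rpt: Dict, path: str) -> bool:
    """Behaviour the poster reports: every scope associated with the path's
    resource must be granted, so a user holding only 'view' is denied."""
    cfg = PATH_CONFIG.get(path)
    if cfg is None:
        return False  # deny by default for paths with no configuration
    return set(cfg["scopes"]) <= granted_scopes(rpt, cfg["resource"])


def authorized_for_scope(rpt: Dict, path: str, requested_scope: str) -> bool:
    """Per-scope check: only the scope the request actually needs must be
    granted, and it must be one of the scopes the path is configured with."""
    cfg = PATH_CONFIG.get(path)
    if cfg is None or requested_scope not in cfg["scopes"]:
        return False
    return requested_scope in granted_scopes(rpt, cfg["resource"])


if __name__ == "__main__":
    for scope in PATH_CONFIG["/admin-ui"]["scopes"]:
        print(scope, "->", authorized_for_scope(RPT, "/admin-ui", scope))
    print("all scopes required ->", authorized_all_required(RPT, "/admin-ui"))
```

Run as written, the per-scope check grants the view scope and denies the create scope for user test, while the all-scopes-required check denies the page outright, which is the outcome the post describes. Either way an unmapped path or an unknown scope is denied, so loosening the check to per-scope does not widen access beyond what the RPT actually grants.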