[keycloak-user] Keycloak, Openresty and fine grain authorization not working
The Mechanix
mechanix at live.de
Tue Apr 30 18:08:23 EDT 2019
Hi,
I’m relatively new to KC, but I’ve read a lot of documentation in the past few days and I managed to get an (almost) working POC.
An overview can be found here [1]
The setup is fairly easy: we just want to authenticate some web services (HTML).
The components used are all docker containers:
- OpenResty Cluster 1.13.6.2-1 (Keepalived + GlusterFS) with lua-resty-openidc
- Keycloak Cluster 6.0.1
- PostgreSQL Cluster 9.6.12
- Nginx for the web services
In KC, I created a client “metropolis” [2] and a user “ckent”. Whenever I call the protected URL I get redirected to KC, can authenticate and land on the web service page. So far so good.
Now, I just wanted to see what happens if I negate the default policy:
// by default, grants any permission associated with this policy
$evaluation.grant();
<negate>
A quick evaluation shows the following:
Default Resource
Result
DENY
Scopes
No scopes available.
Policies
• Default Permission decision was DENY by UNANIMOUS decision.
• Default Policy voted to DENY.
According to the results, I should not be able to access the resource anymore, right? But this doesn’t happen; I’m still able to log in (after killing the session in KC). What am I missing?
Here [3] is the openresty config.
Any hints are much appreciated.
Thanks
[1] https://i.imgur.com/z3E6Fn2.jpg
[2] https://i.imgur.com/J15kXFG.png
[3] https://pastebin.com/7zfHePYK
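An added example, not taken from the original post or its pastebin config: an OpenResty location that logs the user in with lua-resty-openidc and then asks Keycloak's Authorization Services for a decision before proxying. lua-resty-openidc's authenticate() only completes the OIDC login; a policy that votes DENY is enforced only when something sends a UMA authorization request (grant_type urn:ietf:params:oauth:grant-type:uma-ticket) to the token endpoint and acts on the answer. The realm name "demo", the host kc.example.com, the client secret and the upstream name are assumptions; "Default Resource" is the resource Keycloak creates when Authorization is enabled on a client, and the /auth prefix matches Keycloak 6.

```nginx
# Added example (not from the original post or pastebin). Assumed: Keycloak 6 at
# https://kc.example.com, realm "demo", confidential client "metropolis",
# upstream "webservice". Adjust discovery URL, secret and upstream to your setup.
location /app/ {
    access_by_lua_block {
        local openidc = require("resty.openidc")
        local http    = require("resty.http")
        local cjson   = require("cjson.safe")

        -- Step 1: OIDC login. authenticate() establishes a session and returns
        -- the tokens; it never consults the client's resource-server policies,
        -- so a negated Default Policy changes nothing at this point.
        local opts = {
            redirect_uri  = "/app/redirect_uri",
            discovery     = "https://kc.example.com/auth/realms/demo/.well-known/openid-configuration",
            client_id     = "metropolis",
            client_secret = "CHANGE_ME",   -- assumption: confidential client
            ssl_verify    = "yes",
        }
        local session, err = openidc.authenticate(opts)
        if err then
            ngx.status = ngx.HTTP_INTERNAL_SERVER_ERROR
            ngx.say(err)
            return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end

        -- Step 2: enforcement. Present the user's access token to the token
        -- endpoint with the UMA grant. response_mode=decision makes Keycloak
        -- reply {"result":true} when the permission is granted and HTTP 403
        -- otherwise, instead of issuing a full RPT.
        local httpc = http.new()
        local res, rerr = httpc:request_uri(
            "https://kc.example.com/auth/realms/demo/protocol/openid-connect/token", {
            method     = "POST",
            ssl_verify = true,
            headers    = {
                ["Authorization"] = "Bearer " .. session.access_token,
                ["Content-Type"]  = "application/x-www-form-urlencoded",
            },
            body = ngx.encode_args({
                grant_type    = "urn:ietf:params:oauth:grant-type:uma-ticket",
                audience      = "metropolis",        -- the resource server (client) id
                permission    = "Default Resource",  -- resource name as shown in KC
                response_mode = "decision",
            }),
        })
        if not res then
            -- Fail closed when Keycloak is unreachable.
            ngx.log(ngx.ERR, "authz request failed: ", rerr)
            return ngx.exit(ngx.HTTP_BAD_GATEWAY)
        end

        local body = cjson.decode(res.body) or {}
        -- Anything other than an explicit 200 {"result":true} is a DENY.
        if res.status ~= 200 or body.result ~= true then
            ngx.log(ngx.WARN, "Keycloak denied ", ngx.var.uri,
                    ": ", res.status, " ", res.body or "")
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
    }

    proxy_pass http://webservice;
}
```

With the Default Policy negated as in the post, step 1 still succeeds (the user can log in), but step 2 receives a 403 from Keycloak and the gateway returns 403 to the browser, which is the behaviour the evaluation screen predicts. A production deployment would cache the decision per session rather than calling the token endpoint on every request, and would pass the requested scope as `permission = "Default Resource#<scope>"` once scopes are defined on the resource.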