Authorization Server Access Policy Rule: "AND Scopes requested" matches any scopes in the following list

I was trying to understand how authorization server access policy rules work and here’s what I found:

Given that I’ve configured three rules, where rule #1 catches the following scopes requested: “, openid, offline_access”, rule #2 is “user:profile.write, openid, offline_access”, and the catch-all is “Any scopes”.

I noticed that if I request just “openid offline_access”, rule #1 catches it. Essentially, the first rule that contains all of the scopes requested will match, even if there are more scopes in the rule. This is confusing because the way I understood the “AND the following scopes requested” input box was that it was an AND condition requiring all of the scopes listed, but really it is “OR any combination of the following scopes”. This means the catch-all rule I created only catches scope combinations that weren’t already listed in the rules above. Also, it seems I need to add more rules to catch n! combinations, where n is the max number of scopes I included in one of my other rules, because I may not want subsets of scopes getting the same access. Is this the intended behavior?

This would be the intended behavior. As long as the scopes included in the request are present in the rule, even if not all of them are included, the rule would pass and it would use that policy and rule.

To avoid the fallback to the catch-all rule, you would need to either disable that policy or limit the applications or scopes allowed to use that policy or rule.
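The matching behavior described in the answer, written out as an added Python model (not Okta's code and not part of the original thread): rules are evaluated in priority order and a rule matches when the requested scopes are a subset of the rule's list, so a request that omits some of a rule's scopes still lands on it. The model also goes beyond the thread in two ways: it includes the "limit the applications" remediation from the answer as a per-rule client allow-list, and it adds an audit that enumerates every non-empty proper subset of each rule's scopes and reports which rule actually handles it, which is the practical check for "subsets of scopes getting the same access". The scope `user:profile.read`, the client IDs `client-a` and `client-b`, and the rule names are hypothetical stand-ins (the first scope of rule #1 is missing from the post).

```python
from __future__ import annotations

from dataclasses import dataclass
from itertools import combinations

# Added model of the access-policy rule evaluation described in the thread:
# rules are checked in priority order, and a rule matches a token request when
# every requested scope appears in the rule's scope list (subset semantics).
# This is an illustration of the described behavior, not Okta's implementation.


@dataclass(frozen=True)
class Rule:
    name: str
    # None models the "Any scopes" setting; otherwise the rule's explicit list.
    scopes: frozenset[str] | None
    # None models "Any client"; otherwise the client IDs the rule is limited to
    # (the "limit the applications" remediation from the answer).
    clients: frozenset[str] | None = None


def rule_matches(rule: Rule, requested: frozenset[str], client: str) -> bool:
    """Subset semantics: the request may ask for fewer scopes than the rule lists."""
    if rule.clients is not None and client not in rule.clients:
        return False
    if rule.scopes is None:
        return True
    return requested <= rule.scopes


def evaluate(rules: list[Rule], requested: set[str] | frozenset[str],
             client: str = "client-a") -> str | None:
    """Return the name of the first matching rule, or None if no rule matched."""
    wanted = frozenset(requested)
    for rule in rules:
        if rule_matches(rule, wanted, client):
            return rule.name
    return None


def partial_request_audit(rules: list[Rule], client: str = "client-a"
                          ) -> dict[str, dict[frozenset[str], str | None]]:
    """For each explicit-scope rule, show which rule handles every non-empty
    proper subset of its scopes. An entry whose value is not the rule's own
    name is a scope combination that receives some other rule's settings."""
    report: dict[str, dict[frozenset[str], str | None]] = {}
    for rule in rules:
        if rule.scopes is None:
            continue
        ordered = sorted(rule.scopes)
        subsets: dict[frozenset[str], str | None] = {}
        for size in range(1, len(ordered)):
            for combo in combinations(ordered, size):
                subset = frozenset(combo)
                subsets[subset] = evaluate(rules, subset, client)
        report[rule.name] = subsets
    return report


# Constructed policy mirroring the question. "user:profile.read" is a
# hypothetical stand-in for the scope missing from rule #1 in the post.
RULES = [
    Rule("rule-1", frozenset({"user:profile.read", "openid", "offline_access"})),
    Rule("rule-2", frozenset({"user:profile.write", "openid", "offline_access"})),
    Rule("catch-all", None),
]

# Same policy with rule #1 limited to a single hypothetical client, so other
# clients requesting only "openid offline_access" no longer land on it.
RESTRICTED_RULES = [
    Rule("rule-1", RULES[0].scopes, clients=frozenset({"client-a"})),
    RULES[1],
    RULES[2],
]

if __name__ == "__main__":
    print(evaluate(RULES, {"openid", "offline_access"}))                 # rule-1
    print(evaluate(RULES, {"user:profile.write", "openid"}))             # rule-2
    print(evaluate(RULES, {"user:profile.read", "user:profile.write"}))  # catch-all
    print(evaluate(RESTRICTED_RULES, {"openid", "offline_access"}, client="client-b"))  # rule-2
    for rule_name, subsets in partial_request_audit(RULES).items():
        for subset, handled_by in sorted(subsets.items(), key=lambda kv: sorted(kv[0])):
            flag = "" if handled_by == rule_name else "  <- handled by another rule"
            print(f"{rule_name}: {' '.join(sorted(subset))} -> {handled_by}{flag}")
```

Running the audit against the constructed policy shows the point the question raises: of the six proper subsets of rule #2's scopes, the three that contain no `user:profile.write` are handled by rule #1, and none of them ever reaches the catch-all. A rule with n explicit scopes has 2^n - 2 non-empty proper subsets, so the audit, rather than hand-written extra rules, is the practical way to see which partial requests inherit which rule's settings; restricting a rule's clients, as the answer suggests, changes the result for the clients it excludes.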