I was trying to understand how authorization server access policy rules work and here’s what I found:
Given I’ve configured three rules: rule #1 catches the following requested scopes, “user:profile.read, openid, offline_access”; rule #2 is “user:profile.write, openid, offline_access”; and the catch-all is “Any scopes”.
I noticed that if I request just “openid offline_access”, rule #1 catches it. Essentially, the first rule that contains all of the scopes requested will match, even if there are more scopes in the rule. This is confusing because the way I understood the “AND the following scopes requested” input box is that it was an AND condition that requires all of the scopes listed, but really it is “OR any combination of the following scopes”. This means the catch-all rule I created only catches scope combinations that weren’t already listed in the rules above. Also, it seems I need to add more rules to catch n! combinations, where n is the max number of scopes I included in one of my other rules, because I may not want subsets of scopes getting the same access. Is this the intended behavior?
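To make the matching behaviour described above concrete, here is a small added model (not code from the authorization server vendor or from the original post) that evaluates the three constructed rules in order with the observed subset semantics, contrasts that with the exact-match reading the post expected, and enumerates which scope subsets of a rule silently land on it. Rule names and the `None` sentinel for “Any scopes” are assumptions of this example.

```python
from itertools import combinations

# Constructed policy mirroring the three rules in the post; ordering matters.
# scopes=None models the "Any scopes" catch-all rule (assumed sentinel).
RULES = [
    ("rule-1", frozenset({"user:profile.read", "openid", "offline_access"})),
    ("rule-2", frozenset({"user:profile.write", "openid", "offline_access"})),
    ("catch-all", None),
]


def first_matching_rule(rules, requested):
    """Observed behaviour: rules are checked in order, and a rule matches when
    every requested scope appears in the rule's list (requested is a subset of
    the rule's scopes). Extra scopes in the rule do not block the match, so a
    narrower request lands on the first rule broad enough to contain it."""
    req = frozenset(requested)
    for name, scopes in rules:
        if scopes is None or req <= scopes:
            return name
    return None


def exact_match_rule(rules, requested):
    """The reading the post expected: the request must contain exactly the
    scopes listed on the rule. Included only to contrast with the observed
    behaviour; it is not how the policy engine was seen to evaluate."""
    req = frozenset(requested)
    for name, scopes in rules:
        if scopes is None or req == scopes:
            return name
    return None


def subsets_caught_by(rules, name):
    """Proper, non-empty subsets of the named rule's scopes that a client could
    request and still be granted under that rule. Each is a request that would
    need its own earlier rule if it should be treated differently."""
    scopes = dict(rules)[name]
    if scopes is None:
        return []
    caught = []
    for k in range(1, len(scopes)):
        for combo in combinations(sorted(scopes), k):
            if first_matching_rule(rules, combo) == name:
                caught.append(frozenset(combo))
    return caught


if __name__ == "__main__":
    print(first_matching_rule(RULES, ["openid", "offline_access"]))  # rule-1
    print(exact_match_rule(RULES, ["openid", "offline_access"]))     # catch-all
    for subset in subsets_caught_by(RULES, "rule-1"):
        print("rule-1 also grants:", sorted(subset))
```

Reviewing the output of `subsets_caught_by` for each rule is a quick way to audit, before deploying a policy, which narrower requests will inherit a rule's access.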