Service to Service access policies

I have two services, A and B, and I want to create an access policy that allows service A to access service B only if it is inside an allowed group.

I created a policy like this for all clients:

IF Grant type is client credentials
and User is Assigned the app and a member of one of the following Services Allowed to B Group
and scopes service_b

But even though service A isn't inside the Services Allowed to B Group, it can generate a token. :frowning:

Can someone help me? Thanks!

Is there another policy on your authorization server? I think what is happening is that the policy doesn’t match, so it is going to the next one (and that one matches).

I need a little more information about your config. Also, another quick check is to make sure that the authorization server is the one where your policy is specified.

There is only one policy at the moment and the policy is in the right authorization server.

I will share some screenshots with you.

I have a similar issue:
All the requested scopes end up in the token irrespective of the groups the user is a member of.

Looks like the Rule dialog box is broken; I saw in the demo videos that it has the image where the
AND Scopes requested is replaced by THEN Grant these scopes.

Any help is appreciated.