nest-keycloak-connect
ResourceGuard always results in 403 Forbidden Error?
I am trying to use Keycloak Authorization Services. I want to secure the endpoints of my REST API with resources, scopes and permissions.
The problem is, I get a 403 Forbidden Resource Error on every request. I'll try to explain my whole configuration with a lot of images. Am I missing something or have I misunderstood something?
Keycloak Configuration
Configuration of the client:
My test resource:
My policy:
My permission:
Evaluation
To test my configuration I use the internal evaluation tool.
I have the user "testcustomer", who is a member of the group Testproject. Therefore he should have access to the resource. The evaluation shows that it's working correctly:
REST API:
In my NestJs REST API I'm using the nest-keycloak-connect package.
This is the configuration of the KeycloakModule:
My Test-Controller
My understanding of the package: When a user (in this case the testcustomer) sends a request to the API at the following URI, "http://localhost:3002/api/test/test", the resource from Keycloak is associated with it, and the testcustomer is authorized to call this endpoint. Other users who are not in the Testproject group will get a 403 Forbidden response.
The problem is that I always get a 403 error, no matter whether my user is in the group, and it doesn't even matter whether the resource exists in Keycloak at all.
Note: General authentication or even authorization via roles works.
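When a resource guard denies a request the user should be allowed to make, a first check is what the token actually carries. The following is an added example, not code from the question or from nest-keycloak-connect: it decodes a Keycloak token (without verifying it) and checks its `authorization.permissions` claim for a resource and scope. The claim layout (`rsid`, `rsname`, `scopes`) is Keycloak's RPT format; the sample token, client id "test-client" and resource names are constructed placeholders.

```typescript
// Added diagnostic, not code from the question or from nest-keycloak-connect.
// Decodes a Keycloak token WITHOUT verifying its signature and reports whether
// the "authorization.permissions" claim grants a resource/scope pair. Use it to
// inspect a token you already hold while debugging a 403; never for access decisions.

interface KeycloakPermission {
  rsid?: string;     // resource id (UUID) assigned by Keycloak
  rsname?: string;   // resource name as shown in the admin console
  scopes?: string[]; // granted scopes; omitted when the grant has no scope restriction
}

interface KeycloakClaims {
  azp?: string; // client the token was issued to; permissions belong to that resource server
  authorization?: { permissions?: KeycloakPermission[] };
}

// Decode the payload segment of a compact JWS (header.payload.signature).
function decodeClaims(token: string): KeycloakClaims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8")) as KeycloakClaims;
}

// True when some permission entry names `resource` and either lists `scope`
// or carries no scope list at all (an unrestricted grant on that resource).
function grantsPermission(token: string, resource: string, scope: string): boolean {
  const perms = decodeClaims(token).authorization?.permissions ?? [];
  return perms.some(p =>
    p.rsname === resource && (!p.scopes || p.scopes.length === 0 || p.scopes.includes(scope))
  );
}

// Builds an unsigned token from constructed claims so the checks above can be
// exercised offline. Real tokens are signed by the realm key.
function sampleToken(claims: KeycloakClaims): string {
  const enc = (o: object) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
}

// Constructed example: "test-client" is a placeholder client id, "test" a placeholder resource.
const demo = sampleToken({
  azp: "test-client",
  authorization: { permissions: [{ rsid: "00000000-0000-0000-0000-000000000000", rsname: "test", scopes: ["view"] }] },
});
console.log(decodeClaims(demo).azp, grantsPermission(demo, "test", "view"), grantsPermission(demo, "test", "delete"));
```

If the permission is absent from the token, the adapter has to obtain it from Keycloak for the client named in `azp`, so that client's authorization settings and credentials are the next thing to compare against the evaluation shown above.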