[KEYCLOAK-13656] - Deny request if requested scope is not associated to resource or any typed resources

services/src/main/java/org/keycloak/authorization/authorization/AuthorizationTokenService.java

@@ -506,6 +506,11 @@ public class AuthorizationTokenService {
 
                     if (perm == null) {
                         perm = Permissions.createResourcePermissions(resource, requestedScopesModel, authorization, request);
+                        //if scopes were requested, check if the permission to evaluate resolves to any of the requested scopes.
+                        // if it is not the case, then the requested scope is invalid and we don't need to evaluate
+                        if (!requestedScopesModel.isEmpty() && perm.getScopes().isEmpty()) {
+                            continue;
+                        }
                         permissionsToEvaluate.put(resource.getId(), perm);
                         if (limit != null) {
                             limit.decrementAndGet();

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/PolicyEnforcerTest.java

@@ -404,6 +404,13 @@ public class PolicyEnforcerTest extends AbstractKeycloakTest {
         context = policyEnforcer.enforce(httpFacade);
         assertTrue(context.isGranted());
 
+        // create a PATCH scope without associated it with the resource so that a PATCH request is denied accordingly even though
+        // the scope exists on the server
+        clientResource.authorization().scopes().create(new ScopeRepresentation("PATCH"));
+        httpFacade = createHttpFacade("/api/resource-with-scope", token, "PATCH");
+        context = policyEnforcer.enforce(httpFacade);
+        assertFalse(context.isGranted());
+
         ScopePermissionRepresentation postPermission = new ScopePermissionRepresentation();
 
         postPermission.setName("GET permission");