keycloak授权服务器中的客户端策略对允许的客户端返回拒绝

我使用两个客户端配置 keycloak (quay.io/keycloak/keycloak:24.0.2)：

1. 商店700
2. 我的资源服务器

我还将我的 my-resource-server 设置为资源服务器并这样设置：

1. 创建了范围，命名为上传
2. 创建了资源，命名为交易（范围：上传）
3. 创建了名为“store-clients”的策略：客户端策略的类型（并允许客户端IDstore-700）
4. 创建了名为“permission-700”的permission，允许访问transaction:upload

这是我的整体配置：

{
"allowRemoteResourceManagement": true,
"policyEnforcementMode": "ENFORCING",
"resources": [
    {
        "name": "transaction",
        "ownerManagedAccess": false,
        "displayName": "",
        "attributes": {},
        "_id": "e61bc461-85d4-4390-af7b-d594c5f4c6d7",
        "uris": [],
        "scopes": [
            {
                "name": "upload"
            }
        ],
        "icon_uri": ""
    }
],
"policies": [
    {
        "id": "c2fec000-591d-41e2-94e7-6062bca6ca5b",
        "name": "store-clients",
        "description": "",
        "type": "client",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
            "clients": "[\"store-700\"]"
        }
    },
    {
        "id": "82cdb7dd-a70b-4272-abbd-f9d941fbdd27",
        "name": "permission-700",
        "description": "",
        "type": "scope",
        "logic": "POSITIVE",
        "decisionStrategy": "UNANIMOUS",
        "config": {
            "resources": "[\"transaction\"]",
            "scopes": "[\"upload\"]",
            "applyPolicies": "[\"store-clients\"]"
        }
    }
],
"scopes": [
    {
        "id": "9b14076d-17a9-42a8-a8ac-a0c98dc253ca",
        "name": "upload",
        "iconUri": ""
    }
],
"decisionStrategy": "UNANIMOUS"}

当我尝试在“评估”选项卡中对此进行评估时，我得到“拒绝”：

我不明白的是为什么我会被拒绝？如果策略允许该客户端，为什么策略会投票拒绝授权请求？