We have a scenario where I want to protect a service X with Wilma PEP Proxy. The service X is registered in Keyrock. The Wilma PEP Proxy contains the PEP credentials generated in Keyrock for service X. An application Y gets access to service X with the proper OAuth2 credentials generated for this specific service (client_id and client_secret from Service X). It is ok. But there is a problem: an application Z also gets access to the service X with different OAuth2 credentials (not the service X credentials)!!
If this is possible, why do we have applications with specific OAuth2 credentials generated in Keyrock if they do not control anything?! It does not make sense!
It is a big security issue, because one intruder can register some application in Keyrock and with tokens generated for this specific application (with its own OAuth2 credentials) this intruder can access all the applications registered in this Keyrock instance!
As you can see in PEP Proxy documentation, Level 1 only checks authentication. So every user with a valid token (i.e. authenticated in Keyrock) will be redirected to the server app. If you want to also check authorization you have to configure an AuthZForce server with basic or advanced security authorization levels.
On the other hand, in the token validation response, you will obtain a field application_id that indicates you the scope in which the token was created.