It's not a bug, it's a feature. Keycloak is not designed for authorization, only for authentication. If you log in to one service via SSO and switch to the service you permitted the access to (with your way), you will always be able to log in (except if you disable auto-creation of new users).
But there is a workaround implemented by Univention: 4. Configuration — Univention Keycloak app manual 24.0.5