I have this issue when trying to access the endpoints GET /openid-connect/rest/provider-ids and GET /openid-connect/rest/authorization-endpoint/{provider_id} by calling them with a REST request using Postman or Insomnia.
(What's not working)
Not able to get the expected response value using Postman.
Steps to reproduce:
1. In the Drupal permissions section, I grant access to the admin and authenticated user roles.
2. From Postman, I send the following request:
GET: http://192.168.254.107:8080/openid-connect/rest/authorization-endpoint/generic
HEADERS:
Key: Authorization; Value: Basic *****
Key: Content-type; Value: application/json
Note: the key and value are generated when I enter the admin username and password under the Authorization tab > TYPE: Basic Auth.
3. Hit Send and I get 403 Forbidden.
Page response:
You are not authorized to access this page.
Header response:
Cache-Control →must-revalidate, no-cache, private
Connection →Keep-Alive
Content-Type →text/html; charset=UTF-8
Content-language →en
Date →Mon, 25 Feb 2019 06:23:12 GMT
Expires →Sun, 19 Nov 1978 05:00:00 GMT
Keep-Alive →timeout=5, max=100
Link →<http://192.168.254.107:8080/>; rel="shortlink", <http://192.168.254.107:8080/>; rel="canonical"
Link →<http://192.168.254.107:8080/>; rel="shortlink", <http://192.168.254.107:8080/>; rel="canonical"
Server →Apache/2.4.27 (Red Hat)
Transfer-Encoding →chunked
Vary →
X-Content-Type-Options →nosniff
X-Content-Type-Options →nosniff
X-Drupal-Cache-Contexts →cookies:big_pipe_nojs group_membership.roles.permissions languages:language_interface route session theme url.path url.query_args:_wrapper_format user
X-Drupal-Cache-Tags →4xx-response block_view config:block.block.bootstrap_patterns_anhomepageheroblock config:block.block.bootstrap_patterns_content config:block.block.bootstrap_patterns_footer config:block.block.bootstrap_patterns_local_tasks config:block.block.bootstrap_patterns_sitebranding config:block.block.bootstrap_patterns_views_block__activity_stream_block_stream_homepage config:block.block.groupaddeventblock config:block.block.openidconnectlogin_2 config:block.block.searchheroblock config:block.block.signup config:block.block.useraccountmenu config:block.block.views_block__activity_stream_group_block_stream_group_2 config:block.block.views_block__activity_stream_profile_block_1_2 config:block.block.views_block__disclaimer_block_1 config:block.block.views_block__group_business_information_block_1 config:block.block.views_block__group_members_block_newest_members_2 config:block_list config:color.theme.bootstrap_patterns config:system.menu.admin config:system.menu.footer config:system.site extensions http_response rendered user:1
X-Frame-Options →SAMEORIGIN
X-Generator →Drupal 8 (https://www.drupal.org)
X-UA-Compatible →IE=edge
Drupal logs:
Type access denied
Date Wednesday, February 20, 2019 - 09:16
User admin
Location http://192.168.254.107:8080/openid-connect/rest/provider-ids
Referrer
Message /openid-connect/rest/provider-ids
Severity Warning
Hostname 192.168.254.107
Operations
Type access denied
Date Wednesday, February 20, 2019 - 09:13
User admin
Location http://192.168.254.107:8080/openid-connect/rest/authorization-endpoint/generic
Referrer
Message /openid-connect/rest/authorization-endpoint/generic
Severity Warning
Hostname localhost
Operations
(What's working)
However, when I use a browser as a logged-in user and access the URL directly, I get the expected result.
Browser request (accessed as URL): http://192.168.254.107:8080/openid-connect/rest/provider-ids
Browser response: {"generic":"Log in with Generic"}
Browser request (accessed as URL): http://192.168.254.107:8080/openid-connect/rest/authorization-endpoint/generic
Browser response:
{"target_url":"http:\/\/192.168.254.107:8083\/auth\/realms\/master\/protocol\/openid-connect\/auth?client_id=opensocial\u0026response_type=code\u0026scope=openid%20email%20profile\u0026redirect_uri=https%3A\/\/192.168.254.107\/openid-connect\/rest\/generic\u0026state=w6kIBo-LC8P6wa3NnCXCCYN4ls6kxjWnfub0DwhCfgQ","components":{"base_url":"http:\/\/192.168.254.107:8083\/auth\/realms\/master\/protocol\/openid-connect\/auth","parameters":{"client_id":"opensocial","response_type":"code","scope":"openid email profile","redirect_uri":"https:\/\/192.168.254.107\/openid-connect\/rest\/generic","state":"w6kIBo-LC8P6wa3NnCXCCYN4ls6kxjWnfub0DwhCfgQ"}}}
HTTP headers from browser:
General
Request URL:http://192.168.254.107:8080/openid-connect/rest/authorization-endpoint/generic
Request Method:GET
Status Code:200 OK
Remote Address:192.168.254.107:8080
Referrer Policy:no-referrer-when-downgrade
Response Headers
Cache-Control:must-revalidate, no-cache, private
Connection:Keep-Alive
Content-language:en
Content-Length:647
Content-Type:application/json
Date:Mon, 25 Feb 2019 06:15:46 GMT
Expires:Sun, 19 Nov 1978 05:00:00 GMT
Keep-Alive:timeout=5, max=100
Server:Apache/2.4.27 (Red Hat)
Vary:
X-Content-Type-Options:nosniff
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Generator:Drupal 8 (https://www.drupal.org)
X-UA-Compatible:IE=edge
Request Headers
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.9,fil;q=0.8
Connection:keep-alive
Cookie:SESSf333817de57c6f65f28d7295bfdca9e0=v7cVZ53xZ5hq6igUuUKxAH7U9mQLqBhH2Me89vO75Qc
Host:192.168.254.107:8080
Upgrade-Insecure-Requests:1
User-Agent:Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/63.0.3239.84 Chrome/63.0.3239.84 Safari/537.36
(Also working)
I tried changing the permission to also check Anonymous users, and I get the expected response using Postman for the same request above. But of course, we only want to grant access to authenticated users and NOT anonymous users.
I would appreciate it if you could help me with this issue and explain how we can handle it. Thanks in advance.