At this time you can use rules to implement custom authorization policies where a specific logic check will influence the scopes issued in the access token. For an example of this see this section of the reference documentation.
In your particular case, the check would be based on the role contained in user profile metadata. An important thing to note is that you should store this information as part of app_metadata; DO NOT store it as part of user_metadata. The reason is that user_metadata can be modified directly by end-users, so a malicious user could control their own role information and elevate their permissions.
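The distinction above, as an added example that is not part of the original answer: a rule-style check that derives access-token scopes only from app_metadata, so a role a user writes into their own user_metadata has no effect. The rule signature function(user, context, callback) and the context.accessToken.scope field are assumed from the public rules documentation; the role-to-scope table and the sample users are constructed for illustration.

```javascript
// Added example, not the original answer's code. Role-to-scope table is constructed.
const ROLE_SCOPES = {
  admin: ["read:reports", "write:reports", "manage:users"],
  analyst: ["read:reports"],
};

// Decide which scopes a user may receive. Only app_metadata is consulted:
// user_metadata is end-user editable and must never drive authorization.
function scopesForUser(user) {
  const appMeta = (user && user.app_metadata) || {};
  const role = typeof appMeta.role === "string" ? appMeta.role : null;
  // Fail closed: unknown or missing role gets no scopes.
  return role && ROLE_SCOPES[role] ? [...ROLE_SCOPES[role]] : [];
}

// Rule-shaped wrapper (signature assumed from the rules docs): writes the
// computed scopes into the access token and hands control back via callback.
function roleScopeRule(user, context, callback) {
  context.accessToken = context.accessToken || {};
  context.accessToken.scope = scopesForUser(user);
  return callback(null, user, context);
}

// Constructed sample users showing why the storage location matters.
const legitimateAdmin = { app_metadata: { role: "admin" }, user_metadata: {} };
const selfAssignedRole = { app_metadata: {}, user_metadata: { role: "admin" } };

roleScopeRule(legitimateAdmin, {}, (err, user, ctx) =>
  console.log("app_metadata admin  ->", ctx.accessToken.scope));
roleScopeRule(selfAssignedRole, {}, (err, user, ctx) =>
  console.log("user_metadata admin ->", ctx.accessToken.scope));
```

The second call yields an empty scope list even though the user wrote role: "admin" into their own profile, which is the property the answer is relying on.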