Access token is missing permissions when using MFA


Hello,

I have 2 apps set up, both using optional MFA and both with access to the same APIs.
RBAC is enabled.
App #1 is for the UI; this uses the Auth Code + PKCE flow.
App #2 is for automated tests; this uses the password grant type.

MFA is enforced by adding a role called “MFA” and a custom rule in the auth pipeline that includes Google Authenticator MFA when the user has that role.

App 1 all works, no worries.
App 2 has an issue when using MFA, where the access token is created but is missing the “permissions” block.

To get the access token we do a POST to /oauth/token with the usual password grant type fields:

curl --location --request POST 'https://my-tenancy.au.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username={username}' \
--data-urlencode 'password={password}' \
--data-urlencode 'scope=profile openid email' \
--data-urlencode 'audience=https://my-audience'

This responds with a 403 including the MFA token.
I then do the MFA request:

curl --location --request POST 'https://my-tenancy.au.auth0.com/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'mfa_token=Fe26.2*bff76d* ... snip ... -2kyYfc' \
--data-urlencode 'otp=241586' \
--data-urlencode 'grant_type=http://auth0.com/oauth/grant-type/mfa-otp' \
--data-urlencode 'client_id={client_id}' \
--data-urlencode 'client_secret={client_secret}'

This responds with the access token; however, it’s missing the permissions:

{
  "https://custom::email": "mfa_user@example.org",
  "https://custom::client_ip": "x.x.x.x",
  "https://custom::session_id": "223acdbe-7972-4dd6-8725-d7cdf171d097",
  "https://custom::roles": [
    "Client",
    "MFA Enabled"
  ],
  "https://custom::from_client": "TestApp",
  "https://custom::allow_payments": false,
  "iss": "https://my-tenancy.au.auth0.com/",
  "sub": "auth0|....",
  "aud": [
    "https://my_audience",
    "https://my-tenancy.au.auth0.com/userinfo"
  ],
  "iat": 1597792793,
  "exp": 1597796393,
  "azp": "0GY3WjM1evGWm9ehWd0RW4mtdEFNpP3K",
  "scope": "profile openid email",
  "gty": "password"
}

Here’s a token from the same password grant type for a user without MFA:

{
  "https://custom::email": "non_mfa_user@example.org",
  "https://custom::client_ip": "x.x.x.x",
  "https://custom::session_id": "439a0f58-728d-43f5-b825-43d696ff0795",
  "https://custom::roles": [
    "Client"
  ],
  "https://custom::from_client": "TestApp",
  "https://custom::allow_payments": false,
  "iss": "https://my-tenancy.au.auth0.com/",
  "sub": "auth0| .... ",
  "aud": [
    "https://my_audience",
    "https://my-tenancy.au.auth0.com/userinfo"
  ],
  "iat": 1597800589,
  "exp": 1597804189,
  "azp": "0GY3WjM1evGWm9ehWd0RW4mtdEFNpP3K",
  "scope": "profile openid email",
  "gty": "password",
  "permissions": [
    "bank:accounts.basic:read",
    "bank:accounts.detail:read",
    "bank:accounts.detail:update",
    "bank:accounts.payments:read",
    "bank:accounts.payments:write",
    "bank:payees:read",
    "bank:products.basic:read",
    "bank:products.detail:read",
    "bank:transactions:read"
  ]
}

Does anyone know how / why this would happen?
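The two-step exchange described in the post (password grant, 403 `mfa_required` with an `mfa_token`, then the `http://auth0.com/oauth/grant-type/mfa-otp` grant), followed by a check of the `permissions` claim on the returned access token, as an added example. This is editor-supplied code, not the poster's test harness and not Auth0 SDK code. It assumes the `mfa_required` / `mfa_token` response shape shown in the post, and it includes a constructed stand-in for the `/oauth/token` endpoint (`FakeTokenEndpoint`, a hypothetical name) that reproduces the observed symptom so the flow runs offline; the client ID, user names, OTP value and permission list are made-up sample data. `decode_claims` only base64-decodes the payload for inspection and does not verify the signature; an API must validate the signature before trusting any claim.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

MFA_OTP_GRANT = "http://auth0.com/oauth/grant-type/mfa-otp"
AUDIENCE = "https://my_audience"
# Constructed subset of the permissions the post expects in the token.
REQUIRED = ["bank:accounts.basic:read", "bank:transactions:read"]


def http_post_form(url):
    """Return a poster for a real /oauth/token endpoint: (status, json body).

    Auth0 sends the mfa_required error with HTTP 403, so error bodies are parsed too."""
    def post(form):
        data = urllib.parse.urlencode(form).encode()
        req = urllib.request.Request(
            url, data=data, headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, json.load(err)
    return post


def get_access_token(post, client_id, client_secret, username, password, audience, otp_provider):
    """Password grant, then the mfa-otp grant if the tenant answers 403 mfa_required."""
    status, body = post({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password,
        "scope": "profile openid email", "audience": audience,
    })
    if status == 403 and body.get("error") == "mfa_required":
        status, body = post({
            "grant_type": MFA_OTP_GRANT, "mfa_token": body["mfa_token"],
            "otp": otp_provider(), "client_id": client_id, "client_secret": client_secret,
        })
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {body.get('error')}")
    return body["access_token"]


def decode_claims(token):
    """Decode the JWT payload WITHOUT signature verification (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token, required):
    """Permissions from `required` that the token's `permissions` claim lacks."""
    have = set(decode_claims(token).get("permissions", []))
    return sorted(set(required) - have)


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


class FakeTokenEndpoint:
    """Constructed stand-in for Auth0's token endpoint reproducing the post's symptom:
    tokens minted via the mfa-otp grant carry no `permissions` claim. Hypothetical."""

    def __init__(self, mfa_users, otp):
        self.mfa_users, self.otp, self._pending = set(mfa_users), otp, {}

    def _token(self, user, with_permissions):
        claims = {"iss": "https://my-tenancy.au.auth0.com/", "sub": f"auth0|{user}",
                  "aud": [AUDIENCE, "https://my-tenancy.au.auth0.com/userinfo"],
                  "scope": "profile openid email", "gty": "password"}
        if with_permissions:
            claims["permissions"] = list(REQUIRED)
        # Unsigned three-part JWT; a real tenant token is RS256-signed.
        return f"{_b64url({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url(claims)}.dummy-signature"

    def post(self, form):
        if form["grant_type"] == "password":
            user = form["username"]
            if user in self.mfa_users:
                mfa_token = f"mfa-{len(self._pending)}"
                self._pending[mfa_token] = user          # bind the mfa_token to the user
                return 403, {"error": "mfa_required", "mfa_token": mfa_token}
            return 200, {"access_token": self._token(user, True), "token_type": "Bearer"}
        if form["grant_type"] == MFA_OTP_GRANT:
            user = self._pending.pop(form.get("mfa_token"), None)
            if user is None or form.get("otp") != self.otp:
                return 403, {"error": "invalid_grant"}
            return 200, {"access_token": self._token(user, False), "token_type": "Bearer"}
        return 400, {"error": "unsupported_grant_type"}


if __name__ == "__main__":
    ep = FakeTokenEndpoint(mfa_users={"mfa_user@example.org"}, otp="241586")
    for user in ("non_mfa_user@example.org", "mfa_user@example.org"):
        tok = get_access_token(ep.post, "cid", "secret", user, "pw", AUDIENCE, lambda: "241586")
        print(user, "missing:", missing_permissions(tok, REQUIRED))
```

Against a real tenant, pass `http_post_form("https://my-tenancy.au.auth0.com/oauth/token")` as `post` and a function that reads the current code from the authenticator as `otp_provider`; the `missing_permissions` check is the assertion an automated test can make to detect the stripped claim before it hits an authorised API call.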