Is it considered bad practice in terms of OAuth2 specification to add roles/permissions in ID token?

Hi @ahmed.mekliov , Welcome to the Auth0 Community! Yes, because the ID token holds information related to the user’s identity, as opposed to an access token, which contains information about a user’s access to protected resources. This often includes roles and permissions that define the extent o…

Adding permissions in ID token

Get Help

rueben.tiow March 21, 2024, 4:13pm 5

Hi @ahmed.mekliov,

Thanks for the reply.

You should be able to use the access token on your front-end application.

See OAuth 2.0 Authorization Framework.

Topic		Replies	Views
Adding user permission to the id-token Get Help management-api , roles , user-management	2	6110	March 23, 2023
Using only ID Token, with own roles/permissions database Get Help	2	1550	May 23, 2022
How to add user permissions to id token? Get Help jwt	6	12216	April 20, 2020
Including organization member' permission in the IdToken Get Help auth0	3	2922	February 25, 2022
Unclear about OAuth2.0 Roles / Permissions / Identity Providers Get Help user-profile , user-management	2	1171	September 28, 2023

Adding permissions in ID token

Related topics