Hi @ahmed.mekliov,
This is true if you are accessing a protected resource. The FE is issued an access token from the BE after validating login credentials. The access token will contain permissions defined by scopes and are used to determine if the user is allowed to access the resource.
Let me mention that you are not prohibited from adding permissions to the ID token, but as we discussed, it’s not ideal if you intend to use them to show/hide different types of data.
Thanks,
Rueben