Adding Scopes/Permissions to ID Token

Hi @subtlestag,

Thanks for reaching out to the Auth0 Community!

Unfortunately, there is no officially written documentation on appending user permissions to ID Tokens. Instead, the related community post that you found is the best source for solutions that are not available out of the box.

When using Rules, they are always triggered post-authentication in the auth pipeline. Therefore, the user’s permissions are retrieved on login and then appended to the ID Token in the example.

Scopes are not part of the required ID token claims as defined in the OpenID ID Token specification but can be included optionally as custom claims.

Generally, scopes are appended to the Access Tokens when you specify the scope parameter in the /authorize request. For example: scope=openid profile email read:reports. Therefore, you will need to append the scopes as custom claims to the ID Token if you wish to include them there.

Hope this answers your questions.

Please let me know if you have any further concerns or questions.

Thanks.
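
An added example, not part of the original reply and not Auth0's own code: a Rule-shaped function that appends the user's permissions, and the requested scopes the user actually holds, to the ID Token as namespaced custom claims. The namespace, the claim names and the getPermissions helper are assumptions for illustration; how permissions are retrieved on login is left to that helper.

```javascript
// Added example in the shape of an Auth0 Rule: function (user, context, callback).
// NAMESPACE, the claim names and getPermissions are hypothetical, not Auth0 identifiers.
const NAMESPACE = 'https://example.com/'; // placeholder namespace for custom claims
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'address', 'phone', 'offline_access']);

// getPermissions(user, cb) stands in for however permissions are looked up on login.
function makePermissionsRule(getPermissions) {
  return function (user, context, callback) {
    getPermissions(user, function (err, permissions) {
      // Abort the pipeline instead of issuing a token with missing claims.
      if (err) return callback(err);

      const granted = new Set(permissions);
      const query = (context.request && context.request.query) || {};
      const requested = (query.scope || '').split(' ').filter(Boolean);

      // Keep only requested API scopes that the user really holds;
      // standard OIDC scopes are not permissions and are skipped.
      const scopes = requested.filter((s) => !OIDC_SCOPES.has(s) && granted.has(s));

      context.idToken = context.idToken || {};
      context.idToken[NAMESPACE + 'permissions'] = [...granted].sort();
      context.idToken[NAMESPACE + 'scopes'] = scopes;
      callback(null, user, context);
    });
  };
}

// Runs the rule over constructed input and returns the resulting ID Token claims.
function runSample(scope, permissions) {
  const rule = makePermissionsRule((user, cb) => cb(null, permissions));
  const context = { request: { query: { scope } }, idToken: {} };
  let result;
  rule({ user_id: 'auth0|constructed-user' }, context, (err, u, ctx) => {
    result = err ? { err } : ctx.idToken;
  });
  return result;
}

console.log(runSample('openid profile email read:reports delete:reports',
                      ['write:reports', 'read:reports']));
```

The client should treat these claims as display hints only; the API still has to authorize requests from the Access Token.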