I’ve got a React application and a backend project which exposes some APIs.
I’ve assigned some roles to the users and some permissions to those roles. I have access to the permissions in my access token, so the backend project can authorize the user based on the permissions. But I need those permissions in the SPA too. For example, the user should not be able to see the “edit post” button if he doesn’t have the post:edit permission.
Of course, I can parse the access token payload in the SPA and get the permissions from that, but this is not a good practice. Now I have two questions:
1. Is there a way to add permissions to the ID token (e.g. via actions or any other way)?
2. Is there a special reason that this is not the default behaviour of the system? I think it is not a rare use case.