API permissions depending on user

Hi @buntspecht,

Welcome to the Community! Thanks for sharing your topic.

When you assign a role to a user via Auth0, it’s assumed that you are following Role-Based Access Control to manage permissions. This means that each role is assigned certain permissions instead of individual users. When a user is assigned a role, they are granted all of the permissions that were granted to the role.

If you’d like to follow the RBAC pattern, you can follow the steps described here: Configure Core Authorization Features for Role-Based Access Control

Note: it is possible to assign permissions directly to users as documented here, but it is generally not recommended as it takes away from the benefits of the RBAC pattern.

Technically, you can add the user’s permission to the ID token if you’d prefer not to use RBAC. You can do this by adding the permission to the user’s app_metadata and then adding that as a custom claim just as you would for a role. But you may want to opt for sticking with roles for the ID Token/Access Token.

In OIDC, the consumer of the ID token is the web app and the consumer of the Access Token is the API. The ID token allows the web app to know that the user is logged in and provides some profile info about the user.

The API on the other hand is only concerned with the Access Token. You will not need to send the ID Token to the API at all. This is because OAuth2 uses bearer tokens for authorization. The API as the resource server can analyze the Access Token and know whether the user has permission to get the data they are requesting.

In this case, the API would be able to see the scopes issued in the Access Token and determine what can be returned to the web app.

Here is some more info about tokens: Tokens

Let me know if you have further questions!