I’ve read through a chunk of the docs and am not fully following one concept.
We currently have a “regular web application” client, and users log in with the Resource Owner flow (hitting /oauth/ro). We get an ID token back, and an opaque access token.
Question 1: How would I take this setup and gain access to an Auth0 API, allowing the API to have a JWT that tells the Auth0 USER’s identity (not just the Auth0 client info)?
Question 2: Can I assign scopes to a USER (not the Auth0 client)? I have 3 user types in the same Auth0 Client. I’d like to say User A can have a read scope on an API, User B can have a read/write scope, and User C can have a read/write/delete scope. From what I’ve seen, scopes are defined on the Auth0 CLIENT (not the user).