Hey again @DispatchCode 
It sounds like you might be using the PHP SDK for authentication rather than authorization, in which case this might not work the way you’re expecting as you’re working with ID rather than Access Tokens. This is a super common misunderstanding, and I don’t blame anyone for getting confused with this stuff! There’s a good post on our blog about the differences here: ID Token and Access Token: What Is the Difference?
For what you’re looking to do, you might want to consider injecting the permissions into your ID Tokens. I believe someone contributed a rule for this a while back that might help you, although admittedly, I have not tried it myself and your mileage may vary: Accessing the permissions array in the access token - #10 by ryantomaselli