@rueben.tiow thanks for the reply. Seeing as that Product Feedback request is from 2022, I’m not optimistic (but did go and upvote it, per your suggestion).
Seems like we’re stuck in purgatory here where Auth Core is the desirable and preferred solution, but the Auth Extension is the only thing that properly supports groups.
Auth0’s documentation on the Migrate To Authorization Extension V2 page (I’d post a link but the platform disallows it) is very misleading. Your documentation reads this:
Auth0 provides two ways to implement role-based access control (RBAC), which you can use in place of or in combination with your API’s own internal access control system:
Authorization Core
Authorization Extension
The Authorization Core feature set matches the functionality of the Authorization Extension, improves performance and scalability, and provides a more flexible RBAC system than the Authorization Extension.
Currently, both implement the key features of RBAC and allow you to restrict the custom scopes defined for an API to those that have been assigned to the user as permissions.
Specifically, saying “The Authorization core feature set matches the functionality of the Authorization Extension” is flat out false - it very much does not match. Reading that leads to a lot of wasted time trying to find the “missing” documentation and thinking the features must match when they don’t.
Please update your docs to provide full transparency on the fact that Auth0 shipped “Auth Core” without the critical elements of Groups.