Hi again Paul. Thanks for the feedback, I’ll work on the PRs to try to make things easier for the next person who works on this.
I honestly missed the text within “token Contents” section in the authorization extension. This comes from previous versions of the authentication pipeline, where everything in the user profile ended up in the ID token by default (without the need to use custom claims). This definitely needs work: it should clarify that the toggles mean “add the information to the user object” (so that the information is available on rules), and link to https://auth0.com/docs/extensions/authorization-extension/v2/rules#add-custom-claims-to-the-issued-token for instructions on how to put that information in custom claims.