Blazor WASM permission based Authorization

Wish to authorise a user based on their permission assigned by their roles (using RBAC) on Blazor. in other words display portion of UI based on user permissions. the rbac and “permission to be added” are enabled.
We were able to get it worked on the backend (.net core 6) however we having issue for its the frontend (WASM).

After a user login to the app a cockie is saved with informations of ID-token and Access token
ID-token has user assigned role but lack of assigned permissions
Access token have both User roles and permission
following has been done to setup the blazor client:
1- added following code to the program.cs
builder.Services.AddOidcAuthentication(options => {
builder.Configuration.Bind(“Auth0”, options.ProviderOptions);
options.ProviderOptions.ResponseType = “code”;
options.ProviderOptions.AdditionalProviderParameters.Add(“audience”, builder.Configuration[“Auth0:Audience”]);

builder.Services.AddAuthorizationCore(options =>
options.AddPolicy(“admin”, policy => policy.RequireClaim(“permissions”, “read:user”)));

2- added following attr to the view page
@attribute [Authorize(Policy = “admin”)]

after running the app the following information is written to the chrome console and the page is show that is not athorized.
shown in the console:
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
ClaimsAuthorizationRequirement:Claim.Type=permissions and Claim.Value is one of the following values: (read:user)

after investigation found that since Authorize(Policy = “admin”) look for permissions in the ID token rather than access token, it fails.

Please advice how to overcome this issue.

Same issue. It appears the user claims aren’t populated. var scopes = context.User.FindFirst(c => c.Type == “scope” && c.Issuer == requirement.Issuer) from HasScopeHandler can’t find a claim.

Has anyone been able to help with this, I have the same issue, not seeing permissions in .NET 7 client app but they are available in my .NET 7 API

This seems to be by design. Id tokens dont contain permissions. Anyone at Auth0 having thoughts on this? How do I block a route, part of page or whole page based on permissions?