Hi Dan,
Thank you for pointing me to the actual problem: yes when I instanciated auth0Lock I did not indicate the audience , so indeed, where was auth0 going to get the permissions from?!
This said and FYI, when I looked at the lock configuration doc it indicates that the audience parameter belongs to the auth object, however, while I did this it did not work. I had to find this forum post and set the audience field under the params property of the auth object to get my RBAC. This is not documented. Is the documentation wrong? Is my use case rare?
In any case, thank you very much, this was a life saver!
Martin