I’m a little confused about how the terms “Scope” and “Permissions” are used between the documentation, the official examples and the settings themselves here at Auth0. I’ve read all the questions here around the same topic, but I am confused once more after reading them.
As one can see on the page https://auth0.com/docs/quickstart/backend/golang/01-authorization#validate-scopes, the function checkScopes is used to ask for a permission “read:messages” within the scope of the claims of the JWT token. However, although I added some permissions to the user that I was using here, they are not present in the scope. The scope consists of just “openid profile email”.
Permissions are not present at all in the returned token.
Is this a bug or a feature, or what did I get wrong here?
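To make the difference between the two claims concrete, here is an added Go example (not the quickstart's checkScopes and not code from the original post) that checks a required permission against both the space-separated `scope` claim and a `permissions` array claim. The claim names `scope` and `permissions`, the two constructed sample payloads, and the assumption that the token's signature has already been verified before these claims are trusted are all assumptions of this example, not facts taken from the question.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Claims models only the parts of an access token used for authorization.
// "scope" is a single space-separated string; "permissions", when present,
// is a JSON array. Both field names are assumptions of this example.
type Claims struct {
	Scope       string   `json:"scope"`
	Permissions []string `json:"permissions"`
}

// Constructed sample payloads (not real tokens): the first mirrors the
// question (default OIDC scopes only), the second mirrors a token that
// also carries the API-specific scope.
var (
	DefaultScopesOnly = []byte(`{"scope":"openid profile email"}`)
	WithReadMessages  = []byte(`{"scope":"openid profile email read:messages"}`)
)

// ParseClaims decodes a JSON claims document. It does NOT verify a JWT
// signature; call it only on a payload whose signature has already been
// checked by your JWT middleware.
func ParseClaims(payload []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, fmt.Errorf("decode claims: %w", err)
	}
	return c, nil
}

// HasScope reports whether required appears as a whole token in the
// space-separated scope claim. Splitting on whitespace and comparing for
// equality avoids a substring check accepting e.g. "read:messages-archive"
// when "read:messages" is required.
func HasScope(c Claims, required string) bool {
	for _, s := range strings.Fields(c.Scope) {
		if s == required {
			return true
		}
	}
	return false
}

// HasPermission reports whether required is listed in the permissions array.
func HasPermission(c Claims, required string) bool {
	for _, p := range c.Permissions {
		if p == required {
			return true
		}
	}
	return false
}

// Authorize grants access when either claim carries the required value,
// so a deployment that issues scopes and one that issues permissions are
// both handled. Deny is the default when neither claim contains it.
func Authorize(payload []byte, required string) (bool, error) {
	c, err := ParseClaims(payload)
	if err != nil {
		return false, err
	}
	return HasScope(c, required) || HasPermission(c, required), nil
}

func main() {
	for _, p := range [][]byte{DefaultScopesOnly, WithReadMessages} {
		ok, err := Authorize(p, "read:messages")
		fmt.Printf("%s -> allowed=%v err=%v\n", p, ok, err)
	}
}
```

The first sample is denied and the second is allowed; a token that carries `"permissions":["read:messages"]` but no matching scope is also allowed, which is the case the question describes when the value ends up in the permissions claim instead of the scope.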
The scopes in the Access Token are returned as: "scope": "openid profile email read:messages"
(openid profile email are the default OIDC scopes and read:messages is specific to my API)
Would you mind sharing the code for where your client app is setting up the Auth0 client or sending the token request? (Please remove any sensitive data such as domain and Client ID)