I have set up a ReactJS SPA with a Python Flask backend. Both are registered via the Auth0 dashboard, and I was successfully able to have a user log in and authenticate with Auth0, then request an access token from Auth0 in order to access a private endpoint on my Flask API. Now, however, I am trying to implement custom scopes on the same API in addition to authentication.
An example is that I have a dashboard on the SPA which only users with the permission ‘admin:dashboard’ should be allowed to access. I added this custom permission both to the Flask app via the Auth0 dashboard and to the user which I am using to test this. I then carry out the same process as before by using getAccessTokenSilently, but this time passing ‘admin:dashboard’ into the scope parameter in addition to the audience. I then receive an access token back, BUT when I decode the JWT token, the ‘admin:dashboard’ permission is not there. Only ‘openid profile email offline_access’ is there, just like before.
Can anyone help me understand where I am going wrong, please? I basically need the access token to contain the custom permission IF the user who is requesting it has that permission assigned to them on Auth0.
Thanks