I have been following the steps described in this tutorial: API and SPA Configuration (SPAs + API)
At some point, I have configured an API, created roles, attached permissions and created a test user.
My access token now contains something like this:
{
  "iss": "my-tenant",
  "sub": "...",
  "aud": [
    "my-audience"
  ],
  "iat": 1568059650,
  "exp": 1568146050,
  "scope": "openid email profile",
  "gty": "password",
  "permissions": [
    "read:something",
    "write:something"
  ]
}
I was able to validate the signature of the token in my API. After that, I was expecting Authz lib to validate the scopes. However, I get the following error: “Insufficient scope”.
I understand that my token has the property permissions instead of scopes.
Questions:
a) What’s the difference between permissions and scopes in Auth0?
b) How can I include my custom scopes, for example, “read:something”, inside the access token?
Thanks in advance!
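An added example, not part of the original post or of Auth0's own library: it shows why a check that reads only the space-delimited scope claim reports "Insufficient scope" for the token above, and how a guard that also honours the permissions array passes. The payload is constructed to mirror the one in the post; the Express-style guard and the req.auth property are assumptions.

```javascript
// Constructed payload mirroring the decoded access token in the post.
const samplePayload = {
  iss: "my-tenant",
  sub: "...",
  aud: ["my-audience"],
  iat: 1568059650,
  exp: 1568146050,
  scope: "openid email profile",
  gty: "password",
  permissions: ["read:something", "write:something"],
};

// Collect granted values. With includePermissions=false this is what a
// scope-only check sees: just the three values in the "scope" string.
function grantedScopes(payload, { includePermissions = true } = {}) {
  const granted = new Set();
  if (typeof payload.scope === "string") {
    for (const s of payload.scope.split(" ")) if (s) granted.add(s);
  }
  if (includePermissions && Array.isArray(payload.permissions)) {
    for (const p of payload.permissions) if (typeof p === "string") granted.add(p);
  }
  return granted;
}

// True only when every required value is present. The caller must
// already have verified the signature, "exp" and "aud" of the token.
function hasRequired(payload, required, options) {
  const granted = grantedScopes(payload, options);
  return required.every((r) => granted.has(r));
}

// Hypothetical Express-style guard: assumes the verified payload was
// attached as req.auth; answers 403 "Insufficient scope" on failure.
function requireScopes(required, options) {
  return (req, res, next) => {
    if (hasRequired(req.auth || {}, required, options)) return next();
    res.status(403).json({ error: "Insufficient scope" });
  };
}
```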