The following link shows an example for how to ensure that access tokens will only contain the scopes which are valid according to a user’s permissions:
https://auth0.com/docs/architecture-scenarios/spa-api/part-2#create-a-rule-to-validate-token-scopes
However, it seems like the code adds the permissions to the requested scopes rather than filtering the requested scopes by the permissions:
Array.prototype.push.apply(filteredScopes, permissions);
What am I missing?
Yossi
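For comparison, here is an added example (not the rule from the linked Auth0 doc, and not the poster's code) of what "filter the requested scopes by the user's permissions" looks like when written as an intersection rather than an append. The rule-style wrapper mirrors the `function (user, context, callback)` shape of Auth0 rules, but the field names it reads (`context.request.query.scope`, `user.app_metadata.permissions`, `context.accessToken.scope`), the default scope list and the sample permission values are assumptions chosen for illustration.

```javascript
// Added example: keep only the requested scopes a user is entitled to.
// A scope the user does not hold is dropped; a permission the user holds
// but did not request is not silently added either.

// Scopes every authenticated user may receive regardless of permissions.
// The contents of this list are an assumption for the example.
const DEFAULT_SCOPES = ['openid', 'profile', 'email'];

// Intersect the requested scopes with (default scopes + user permissions).
function filterScopes(requestedScopes, permissions, defaultScopes = DEFAULT_SCOPES) {
  const allowed = new Set([...defaultScopes, ...permissions]);
  return requestedScopes.filter((scope) => allowed.has(scope));
}

// Rule-shaped wrapper. Field names are assumed for illustration and should be
// checked against the Auth0 rule documentation before use.
function validateTokenScopes(user, context, callback) {
  const permissions =
    (user.app_metadata && user.app_metadata.permissions) || [];
  const requested = (context.request.query.scope || '')
    .split(' ')
    .filter(Boolean);
  context.accessToken.scope = filterScopes(requested, permissions).join(' ');
  callback(null, user, context);
}

// Constructed sample: the user holds read:timesheets only, while the client
// requests create:timesheets as well. Returns the resulting token scope string.
function runSample() {
  const sampleUser = { app_metadata: { permissions: ['read:timesheets'] } };
  const sampleContext = {
    request: {
      query: { scope: 'openid profile read:timesheets create:timesheets' },
    },
    accessToken: {},
  };
  let result = '';
  validateTokenScopes(sampleUser, sampleContext, (err, u, ctx) => {
    result = ctx.accessToken.scope;
  });
  return result;
}

console.log(runSample()); // openid profile read:timesheets
```

The difference from a push-based approach is visible in the sample: `create:timesheets` never reaches the token because it is not in the user's permissions, and a permission that was not requested is not appended.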