Thanks for elaborating.
I understand the issue here. I can’t find a way to retrieve all of the user’s permissions, including ones from seperate organizations and roles in a single API call.
Adding them to the token as a custom claim in a rule could potentially be more costly (in terms of management API rate limit) than making calls from your backend, as rule will run on every successful authentication (silent auths, refresh token requests, etc) vs. only requesting this data when needed.
Unfortunately, I don’t see a better solution than the one in your initial post. You can create a Feature Request for this if you would like.