Hello. I am using the React SDK. I’ve found one thing, could you explain what it is?
Some time ago I did everything as in the YouTube course (React and Auth0 Crash Course and Workshop - YouTube): I added permissions to the access token and then used it. One day I decided to refactor my code and I found a typo. In the settings .env file the audience variable had one name, and in Auth0ProviderWithHistory it had another name (for passing to the Auth0Provider parameters). So all the time undefined was inserted as the audience value. And I got all of the user’s permissions (all permissions of all APIs). When I found that typo, I fixed it; now audience is defined and it is correct, but in the user’s permissions I have only those permissions which match the configured audience. In other words, permissions are scoped by the API which is set as audience. Is it normal behaviour? Where can I read about that?
P.S. As far as I know, SSO is turned on by default. I have two sites which I can visit if I am logged in on either of those two. And if I want to allow a user some actions on both sites, I can delete the audience parameter for Auth0Provider and the user will get an access token with all permissions for all APIs, so that I can implement universal login for all of my sites. Am I right?
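
A fail-fast check for the typo described in the post, plus a way to see which API a token was issued for, as an added example that is not part of the original post or of the Auth0 SDK. The `REACT_APP_*` names, the helper names and all sample values are assumptions; the token check assumes a JWT access token carrying `aud` and `permissions` claims, and it decodes without verifying the signature, so it is for inspection only.

```javascript
// Assumed env variable names; adjust to the names used in your own .env file.
const REQUIRED = {
  domain: "REACT_APP_AUTH0_DOMAIN",
  clientId: "REACT_APP_AUTH0_CLIENT_ID",
  audience: "REACT_APP_AUTH0_AUDIENCE",
};

// Build the Auth0Provider props from an env object and refuse to continue when a
// value is missing, so a misspelled variable name cannot become `undefined`.
function buildAuth0Config(env) {
  const config = {};
  const problems = [];
  for (const [prop, name] of Object.entries(REQUIRED)) {
    const value = env[name];
    if (typeof value === "string" && value.trim() !== "") {
      config[prop] = value.trim();
      continue;
    }
    // Point at likely typos: defined keys that mention the same setting.
    const hint = Object.keys(env).filter(
      (k) => k !== name && k.toUpperCase().replace(/_/g, "").includes(prop.toUpperCase())
    );
    problems.push(hint.length ? `${name} (found: ${hint.join(", ")})` : name);
  }
  if (problems.length) throw new Error("Missing Auth0 settings: " + problems.join("; "));
  return config;
}

// Decode (not verify) a JWT access token to inspect its `aud` and `permissions`.
function inspectAccessToken(token, expectedAudience) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT (opaque token?)");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const claims = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  const audiences = [].concat(claims.aud || []); // `aud` may be a string or an array
  return {
    audienceMatches: audiences.includes(expectedAudience),
    audiences,
    permissions: claims.permissions || [],
  };
}

// Constructed sample token (placeholder signature) for trying the check offline.
function makeSampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}
```

In a React app, pass `process.env` to `buildAuth0Config` before rendering the provider; `Buffer` is a Node global, so run the token inspection in Node or swap in `atob` for the browser.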