Hi @soon.hongooi,
Thank you for your response.
After reviewing your Action script, I noticed you are adding user permissions to the ID Token.
Firstly, calling the Management API for every login transaction can become unscalable and hit the rate limits.
As an alternative, I recommend using Role-Based Access Control (RBAC). This way, you can enable the Add permissions to Access Token setting on your API settings and assign Roles to your users. Let me add that Roles have permissions assigned to them, so when users are assigned a Role, they inherit those permissions.
Then when decoding the access token, there will be a Permissions array claim with the user’s permissions.
Here are some helpful resources:
- How can I add the permissions claim in my Access Token with Rules?
- How do I assign Permissions to users?
Please let me know how this goes or if you have any questions about the implementation.
Thanks,
Rueben