Any other thoughts?
The other way is to change the JWT Authorizer class on the resource server side and let it check the permissions claim instead of the scope claim. Not sure about AWS and what they offer, but I assume they allow custom authorizers.
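As an added illustration of the idea in the reply above (this is example code, not from the poster or from any AWS or Auth0 authorizer), the block below is a minimal resource-side JWT authorizer that verifies the token, then decides access from a `permissions` array claim and falls back to the space-delimited `scope` string only when no `permissions` claim is present. The claim shapes, the HS256 shared key and the sample tokens are assumptions constructed for the demo; a production authorizer would verify an asymmetric signature against the issuer's published keys and check `iss` and `aud` as well.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Set

# Constructed demo key. A real authorizer would verify RS256/ES256 against the
# issuer's JWKS rather than share a symmetric secret with the token issuer.
DEMO_SECRET = b"constructed-demo-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_SECRET) -> str:
    """Issue an HS256 JWT for the demo only; the authorizer itself never mints tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, key: bytes = DEMO_SECRET,
                      now: Optional[float] = None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def granted_permissions(claims: dict) -> Set[str]:
    """Prefer the `permissions` array claim (assumed RBAC shape);
    fall back to the space-delimited `scope` string only if it is absent."""
    perms = claims.get("permissions")
    if isinstance(perms, list):
        return {p for p in perms if isinstance(p, str)}
    scope = claims.get("scope")
    if isinstance(scope, str):
        return set(scope.split())
    return set()


def authorize(token: str, required: str, key: bytes = DEMO_SECRET,
              now: Optional[float] = None) -> bool:
    """Authorizer decision: valid token AND the required permission is granted."""
    try:
        claims = verify_and_decode(token, key, now)
    except ValueError:
        return False
    return required in granted_permissions(claims)


if __name__ == "__main__":
    # Constructed sample: an admin token carrying a permissions array.
    tok = mint_demo_token({"sub": "user-1", "permissions": ["read:reports", "admin:users"]})
    print("admin:users ->", authorize(tok, "admin:users"))      # True
    print("delete:users ->", authorize(tok, "delete:users"))    # False
```

The decision is made from the `permissions` claim first, so a token that carries only `scope` is still accepted for the scopes it names, while a tampered payload or an `alg` other than the pinned one is rejected before any claim is read.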
I could have separate HTTP APIs for admin and regular user functionality
How do these roles relate to the scope and permissions claims in your scenario? Asking because you didn’t mention them in the initial post. Do these user roles make the authorization request in a different way, or does RBAC only apply to one of them?