Any other thoughts?
The other way is to change the JWT Authorizer class on resource server side and let it check the permissions claims instead of scope claim. Not sure about AWS and what they offer, but I assume they allow custom authorizers.
I could have separate HTTP APIs for admin and regular user functionality
How do these roles relate to scope and permissions claim in your scenario? Asking because you didn’t mention them in the initial post. Do these user roles make the authorization request in a different way, or does RBAC only apply to one of them?
Related resources: