How do you make app_metadata accessible in the callback?

As said, I’m not too familiar with passport, but it seems that the custom claims are omitted, while they are actually returned in the raw data and in the _json object.

You can try with this strategy, which should return all claims in a flat format (not nested as before), including the permissionLevel.

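const express = require('express');
const passport = require('passport');
const Auth0Strategy = require('passport-auth0');
const {domain, clientID, clientSecret, callbackURL} = require('./config/auth0');

const app = express();

const passportStrategy = new Auth0Strategy(
  // state: false turns off the OAuth state parameter check in passport-auth0
  {domain, clientID, clientSecret, callbackURL, state: false},
  function (accessToken, refreshToken, extraParams, profile, done) {
    // profile._json holds the raw claims, custom ones included
    return done(null, profile._json);
  }
);

passport.use(passportStrategy);
app.use(passport.initialize());
// passport.session() expects a session middleware (e.g. express-session) registered before it
app.use(passport.session());
// Store the whole user object in the session and read it back unchanged
passport.serializeUser((user, done) => done(null, user));
passport.deserializeUser((user, done) => done(null, user));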
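
One way to consume the flat claims from `profile._json` once they reach the callback, as an added example that is not part of the original answer: keep only an allowlist of claims in the session user and gate routes on `permissionLevel`. The helper names (`pickSessionUser`, `requireClaim`, `runGuard`), the sample claim values and the shape of `sampleJson` are assumptions made for illustration.

```javascript
// Added example. Sample data below is constructed, not taken from a real tenant.

// Standard claims kept for the session user; anything else must be
// explicitly allowlisted as a custom claim.
const STANDARD_CLAIMS = ['sub', 'name', 'email', 'email_verified'];

// Build the session user from profile._json, keeping only the standard
// claims above plus the custom claims the app actually needs.
function pickSessionUser(json, customClaims) {
  const user = {};
  for (const key of [...STANDARD_CLAIMS, ...customClaims]) {
    if (Object.prototype.hasOwnProperty.call(json, key)) user[key] = json[key];
  }
  return user;
}

// Express-style middleware: 401 without a user, 403 when the claim is
// missing or its value is not in the allowed list.
function requireClaim(claim, allowed) {
  return function (req, res, next) {
    if (!req.user) return res.status(401).end();
    if (!allowed.includes(req.user[claim])) return res.status(403).end();
    return next();
  };
}

// Constructed sample of a flat profile._json; 'admin' is a made-up value.
const sampleJson = {
  sub: 'auth0|constructed-user-id',
  name: 'Example User',
  email: 'user@example.com',
  email_verified: true,
  permissionLevel: 'admin',
  updated_at: '2020-01-01T00:00:00.000Z',
};

// Run the guard offline against a minimal stand-in for an Express response.
function runGuard(user, allowed) {
  const res = { code: null, status(c) { this.code = c; return this; }, end() { return this; } };
  let passed = false;
  requireClaim('permissionLevel', allowed)({ user }, res, () => { passed = true; });
  return passed ? 200 : res.code;
}
```

In the strategy's verify callback this would be used as `done(null, pickSessionUser(profile._json, ['permissionLevel']))`, so the session carries only the claims the routes check.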