If you just want access to the permissions the user has within the organization, then there is a feasible workaround. The workaround is to put the permissions on the access token, then open up an endpoint on your server that returns the permissions that are on the access token, then make a request to the new endpoint from your SPA to get the permissions. It’s not ideal for multiple reasons. I’m hoping the team at Auth0 can provide a way to just simply put the permissions on the identity token so we can save a request and keep permissions out of the access token since the access token is sent on every request and we only need the permissions in the SPA.
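The server side of the workaround described above, as an added example that is not part of the original post and not Auth0's own code. It assumes the permissions arrive as a `permissions` array claim on an RS256-signed access token; the route name, issuer, audience and key pair are constructed placeholders.

```javascript
const crypto = require('node:crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Verify an RS256 access token and return its permissions claim.
// Throws if the token is malformed, badly signed, expired, or meant for another API.
function permissionsFromAccessToken(token, publicKey, { issuer, audience }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url'));
  // Pin the algorithm; never let the token header choose it ("none", HS256 confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey,
                           Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url'));
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp * 1000 <= Date.now()) throw new Error('expired');
  return Array.isArray(claims.permissions) ? claims.permissions : [];
}

// Handler for the extra endpoint the SPA calls (hypothetical route GET /me/permissions).
function handlePermissions(req, res, cfg) {
  const token = (req.headers.authorization || '').replace(/^Bearer /, '');
  try {
    const permissions = permissionsFromAccessToken(token, cfg.publicKey, cfg);
    res.writeHead(200, { 'Content-Type': 'application/json', 'Cache-Control': 'no-store' });
    res.end(JSON.stringify({ permissions }));
  } catch {
    res.writeHead(401); // no detail about why verification failed
    res.end();
  }
}

// Constructed sample: throwaway key pair and token standing in for the tenant's.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const cfg = { publicKey, issuer: 'https://tenant.example/', audience: 'https://api.example' };
function signSample(claims, alg = 'RS256') {
  const input = `${b64url({ alg, typ: 'JWT' })}.${b64url(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}
const sample = signSample({ iss: cfg.issuer, aud: cfg.audience,
  exp: Math.floor(Date.now() / 1000) + 300, permissions: ['read:reports', 'edit:members'] });
```

The endpoint returns only what the verified token already carries, so the SPA learns nothing it could not be granted, and the server remains the place where permissions are actually enforced.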