That’s correct, that rule adds roles to the Access Token and ID Token. If you wanted to add permissions to the Access Token, you’d enable RBAC for your API and enable “Add Permissions in the Access Token” or enable RBAC via the Management API and set the Token Dialect to access_token_authz as described above.
http://demozero.net is an example custom namespace. It’s required so that claims don’t collide with any reserved claims.
Rules execute for every application in your tenant. You can check the application name if you’d prefer to only run a rule for a particular application:
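```js
// Place at the top of the rule body, inside function (user, context, callback)
if (context.clientName !== 'NameOfTheAppYouWantToRunRuleFor') {
  // Not the target application: hand control back without changing the tokens
  return callback(null, user, context);
}
```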
The John Doe data is just example data that you can try with rules, but you may want to actually log into your application with a user who you have assigned permissions to. You can go to Getting started in the dashboard and click Try it out under “Try your Login box”.
It looks like you are using the Authorization Extension instead of the Authorization Core (FAQ: Can I Use Authorization Core and Authorization Extension together?). Unfortunately, you cannot use both, so this may be what is causing the null values for permissions: Authorization Core vs. Authorization Extension
Here are the docs for the Authorization Extension (although the Authorization Core as described in the earlier posts is recommended): Authorization Extension
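The following is an added example, not part of the original post and not Auth0's own code: a rule that combines the application check and the namespaced claim discussed above, plus a small local harness with constructed contexts. It assumes roles are assigned through Authorization Core and exposed on `context.authorization.roles`; the `/roles` claim suffix, `addRolesToTokens` and `runRule` are illustrative names.

```javascript
// Added example. Namespace and application name are the placeholders used in the post.
const NAMESPACE = 'http://demozero.net';
const TARGET_APP = 'NameOfTheAppYouWantToRunRuleFor';

// Rule in the shape Auth0 Rules use: function (user, context, callback).
function addRolesToTokens(user, context, callback) {
  // Rules execute for every application in the tenant; skip all but the target.
  if (context.clientName !== TARGET_APP) {
    return callback(null, user, context);
  }

  // Assumption: Authorization Core roles are available here. Fall back to an
  // empty array so the claim is never null when no roles are assigned.
  const roles = (context.authorization && context.authorization.roles) || [];

  // Custom claims are written under the namespace so they cannot collide
  // with reserved claims.
  const claim = `${NAMESPACE}/roles`; // "/roles" suffix is an assumption
  context.idToken = context.idToken || {};
  context.accessToken = context.accessToken || {};
  context.idToken[claim] = roles;
  context.accessToken[claim] = roles;

  return callback(null, user, context);
}

// Local harness: runs the rule against a constructed context and returns
// the context as the rule left it.
function runRule(context) {
  let out = null;
  addRolesToTokens({ name: 'John Doe' }, context, (err, user, ctx) => {
    if (err) throw err;
    out = ctx;
  });
  return out;
}

// Constructed sample contexts (not real tenant data).
const targetCtx = runRule({
  clientName: TARGET_APP,
  authorization: { roles: ['admin', 'editor'] },
});
const otherCtx = runRule({
  clientName: 'SomeOtherApp',
  authorization: { roles: ['admin'] },
});
console.log(targetCtx.accessToken, otherCtx.accessToken);
```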