Now how do I get user permissions in order conditionally render the UI?
RBAC only adds permissions to the access token, not ID token. However, you’d need it in the ID token, because only that one is meant to be parsed in the SPA client, the access token is not.