We are currently trying to prototype a client-side SPA connection to a resource API, and for some reason the groups/roles/permissions are not being included in the tokens even though we have enabled the settings in the Authorization Extension.
We assume this is something to do with implicit grants (https://auth0.com/docs/api-auth/tutorials/adoption/implicit) and using OIDC, but my question is: how is a resource server supposed to evaluate whether the user's access token has the correct permission to execute a route?
- User logs into client and client authenticates with Auth0 and retrieves a TokenID and an AccessToken (audience set to resource API)
- The client then sends a request to the resource server with the access token, and it is validated successfully
- PROBLEM: No groups/roles/permissions are contained in the access token, so the route is unable to verify whether it has permission to execute the route??
Any help would be great; we would expect the Authorization Extension to take care of this, but it looks to be a bug when enabling OIDC?