From what I’ve read if we are implementing a SPA and a Resource API then we have to enable OIDC as the access token returned from Auth0 won’t be in a JWT format. This then overrides the Authorization Extension configuration of having Groups/Roles/Permissions included in the Tokens.
Should the Authorization Extension not include these as custom claims instead of having to create another rule to do what the extension was doing before OIDC was enabled?
In regards to scope my understanding is that these are used to define the claims included in the token not for storing permissions?