ID Token and Access Token: What Is the Difference?

Hi @magadiflo,
Welcome to the Auth0 Community!

Glad that you appreciated my article, and I hope I can clear up your doubts.

In an SPA + API scenario, the user’s resources (the resources that you must protect) live on the API side. Your authorization decisions need to be made on that side. Therefore, your access token should contain the relevant info for your authorization decisions.

On the SPA side, you do not make real authorization decisions. You just manage the UI of your application to provide a good user experience. You can decide to show certain views to specific categories of users based on roles or other information. In this case, you can put this info in your ID token. In Auth0, you can add roles to your ID token through Actions, for example.
But keep in mind that anyone can bypass the checks you make on the client side. The client-side controls are there for UI management reasons. These checks also need to be mirrored on the server side, where the real access control happens.

In summary, any extra info you add to the ID token (such as roles) serves to improve the user experience, not to provide real access control over the user’s resources.
