Hi John,
Thanks for your reply.
So, that means that if my dozen APIs really have different permission sets, my mobile application would have to go through the authentication process a dozen times when a user logs in, to get a dozen JWT tokens (one per audience), and use the right one when calling each API service.
May I ask then what's the point of having RBAC? We can create roles and assign API permissions to roles, and that's great. But if there is no way to get all permissions of a single user at once, what's the point of it?
Yes, the token must be non-opaque, so why does Auth0 return opaque tokens by default and make it hard to get normal JWT tokens (without having to make a call for every single API an application has to interact with)?