More particularly, I don’t find any reference at all to the permissions array in any rule, but I have it in the final access token.
So far I have tried everything and I cannot find an answer. Can anyone help?
As it stands right now, the RBAC core does not provide access to the calculated permissions on the context object while rules execute, so you’ll have to do the merge in your app/API when processing the token.
While not exactly what you are after, if you set the API like this:
The scope will be the intersection of scopes requested and permissions allowed for the user. But the client application still needs to request all the scopes it wants and then get only the scopes allowed for the user.
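One way to do the merge on the API side when processing the token, as an added example that is not part of the original posts. It assumes the access token has already been signature-verified by the API's JWT middleware and that a rule adds extra permissions under a hypothetical namespaced claim, `https://example.com/extra_permissions`; the function names and the sample payload are constructed for illustration.

```javascript
// Added example. Payloads are assumed to come from an access token whose
// signature, issuer and audience were already verified by the API.
const EXTRA_CLAIM = 'https://example.com/extra_permissions'; // hypothetical claim set by a rule

// Normalise a claim that may be a space-delimited string, an array, or absent.
function toSet(claim) {
  if (typeof claim === 'string') return new Set(claim.split(' ').filter(Boolean));
  if (Array.isArray(claim)) {
    return new Set(claim.filter((p) => typeof p === 'string' && p.length > 0));
  }
  return new Set(); // missing or malformed claim grants nothing
}

// Merge the RBAC `permissions` array with the rule-added claim.
function effectivePermissions(payload) {
  return new Set([...toSet(payload.permissions), ...toSet(payload[EXTRA_CLAIM])]);
}

// The scope behaviour described in the reply: requested scopes intersected
// with the permissions allowed for the user.
function grantedScope(requested, allowed) {
  const allowedSet = toSet(allowed);
  return [...toSet(requested)].filter((s) => allowedSet.has(s)).join(' ');
}

// Authorization check for one endpoint.
function isAuthorized(payload, required) {
  return effectivePermissions(payload).has(required);
}

// Constructed sample payload (not from a real tenant).
const samplePayload = {
  sub: 'auth0|constructed-user',
  scope: 'read:reports',
  permissions: ['read:reports', 'write:reports'],
  [EXTRA_CLAIM]: ['export:reports'],
};
```
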