The problem comes down to you using the RBAC (Role Based Access Control) approach, which puts the permissions into the permissions claim, while the Spring library expects to check the scope claim in the JWT.
This question came up before; there’s a way to put the user’s permissions into the scope claim via Rule (rule code in the thread):
Note though that this always calls the Auth0 Management API (which is rate limited) on every login.
(The alternative is to make changes to the Spring classes, let it check for permissions instead of scope claim. Not too familiar with the latest Spring Security, but maybe there are ways to add custom verifiers that can check any given claim.)
Apart from that, I’d like to point you to this docs page, which is about representing multiple APIs, but it seems that you’re already following this; just wanted to make you aware that there’s documentation around that as well.
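
Added example, not part of the original post and not Auth0 or Spring sample code: one way to do the alternative mentioned above, by having the resource server derive authorities from the permissions claim in addition to scope, with no Rule and no Management API call. It assumes Spring Security's OAuth2 resource server module (`JwtAuthenticationConverter`, `JwtGrantedAuthoritiesConverter`); the class name `PermissionsClaimConfig` and the `PERM_` prefix are hypothetical choices.

```java
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;

@Configuration
public class PermissionsClaimConfig {   // hypothetical class name

    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        // Default converter: reads "scope"/"scp" and emits SCOPE_<value>.
        JwtGrantedAuthoritiesConverter scopes = new JwtGrantedAuthoritiesConverter();

        // Second converter: reads the RBAC "permissions" array instead.
        // A distinct prefix keeps user permissions apart from client scopes,
        // so a rule written for one can never be satisfied by the other.
        JwtGrantedAuthoritiesConverter permissions = new JwtGrantedAuthoritiesConverter();
        permissions.setAuthoritiesClaimName("permissions");
        permissions.setAuthorityPrefix("PERM_");   // assumed prefix

        // Merge both sets; a token missing either claim contributes nothing
        // from it, so access stays denied by default.
        Converter<Jwt, Collection<GrantedAuthority>> merged = jwt -> {
            Set<GrantedAuthority> out = new LinkedHashSet<>(scopes.convert(jwt));
            out.addAll(permissions.convert(jwt));
            return out;
        };

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(merged);
        return converter;
    }
}
```

Register it on the resource server's JWT configuration via `jwtAuthenticationConverter(...)`, then write access rules against the prefixed authority, for example `hasAuthority("PERM_read:messages")`, where `read:messages` is a constructed permission name.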