Missing permissions and correct scopes the first time a user logs in

Context

  1. We integrate with Microsoft Active Directory for roles.
  2. I am a front-end iOS developer and am not super familiar with how this works on our backend system.
  3. This problem only occurs the first time a user logs in, or if their role is removed in the Auth0 portal.

Problem
GIVEN a user logs in to our application for the first time
WHEN the /token endpoint responds
THEN the user is missing the correct permissions in the access token (they have empty permissions)
AND the scopes we request from the iOS front-end aren’t respected, and instead the default scopes are used: “openid profile email offline_access”

Workaround 1
GIVEN a user logs in
WHEN the /token endpoint responds with empty permissions in the access token
THEN request a refresh token with a maximum retry count of 2

The workaround above oddly works for resolving the issue of empty permissions in the access token. However, the scopes we pass for the refresh token request still aren’t respected. The scopes that are sent are the default scopes “openid profile email offline_access”.

Because the scopes aren’t respected, this causes other issues when accessing protected endpoints on our backend.

Workaround 2
GIVEN a user logs in
WHEN the /token endpoint responds with empty permissions in the access token
THEN display an alert telling the user to try logging in again
AND log them out when the alert is dismissed
THEN display the login screen

This fully resolves the issue. So after they log in for the second time, the correct permissions are sent back and the scopes we request are respected.

However, we would prefer to resolve this in the background for the user automatically via Workaround 1, but that isn’t working.

Question
Do you have any suggestions on how we could go about resolving this in our front-end iOS application using the Auth0 SDK? Have others reported similar issues to this before?
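The check the two workarounds describe (inspect the access token from /token, and decide between retrying via refresh token with a budget of 2 or falling back to a fresh login) as an added example that is not part of the original post or of the Auth0 SDK. It is SDK-agnostic Python so the decision logic can be tested on its own; the requested scope list, the `read:reports` scope and the token builder are constructed assumptions, and the decoder only inspects claims, it does not replace signature verification.

```python
import base64
import json

# Constructed assumption: the scopes the iOS client asks for. The real
# list is not given in the post; "read:reports" stands in for a custom scope.
REQUESTED_SCOPES = {"openid", "profile", "email", "offline_access", "read:reports"}
MAX_REFRESH_RETRIES = 2  # the retry budget Workaround 1 uses


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it.

    This is only for inspecting which claims were minted; the token must
    still be verified (signature, issuer, audience, expiry) by the SDK or
    the backend before anything trusts it.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token_response(token_response: dict, attempt: int) -> str:
    """Decide what the client should do with a /token response.

    Returns "ok", "retry_refresh" (Workaround 1) or "relogin" (Workaround 2).
    `attempt` is how many refresh retries have already been made.
    """
    claims = decode_jwt_claims(token_response["access_token"])
    granted_scopes = set(claims.get("scope", "").split())
    permissions = claims.get("permissions", [])
    missing_scopes = REQUESTED_SCOPES - granted_scopes
    if permissions and not missing_scopes:
        return "ok"
    # Empty permissions OR a scope mismatch both count as a bad token: the
    # post notes a refresh fixes permissions but still returns default scopes,
    # so the scope comparison is what finally forces the re-login fallback.
    if attempt < MAX_REFRESH_RETRIES:
        return "retry_refresh"
    return "relogin"


def make_token(claims: dict) -> str:
    """Build a JWT-shaped string from claims. Constructed test data only:
    the signature segment is a placeholder and is never checked here."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.constructed-signature"
```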