Hey @IAmTheVex,
Thanks for the additional info!
The step I thought you were doing was to assign the permission to the user before requesting the read:posts scope. Authenticating via Google without this permission being assigned to the user and RBAC being enabled wouldn’t return this scope as Google has no knowledge of it and it’s not applicable to Google.
You’re actually on the right lines with your last post! My suggestion would be to create a default role with the required permission(s) to your API, then use a rule to add the default role to the user on first login, by calling the management API:
There is an example rule here:
This will need to be done in a rule rather than the Post Registration Hook as the Post-User Registration extensibility point is only available for Database Connections and Passwordless Connections.
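The rule described in the post above, as an added example (not the poster's or Auth0's own code): it assigns a default role only on a user's first login and fails the login if the assignment does not succeed. `DEFAULT_ROLE_ID`, `makeDefaultRoleRule`, `buildAssignRolesRequest` and the injected `assignRoles` callback are hypothetical names; the request shape assumes the Management API v2 endpoint `POST /api/v2/users/{id}/roles`.

```javascript
// Placeholder role id: replace with the id of the default role created in the tenant.
const DEFAULT_ROLE_ID = 'rol_PLACEHOLDER';

// Describes the Management API call that assigns roles to a user.
// user_id values from social connections contain '|' (e.g. "google-oauth2|123"),
// so the id must be URL-encoded before it is placed in the path.
function buildAssignRolesRequest(domain, userId, roleIds) {
  return {
    method: 'POST',
    url: 'https://' + domain + '/api/v2/users/' + encodeURIComponent(userId) + '/roles',
    body: JSON.stringify({ roles: roleIds })
  };
}

// Returns a function with the Rules signature (user, context, callback).
// assignRoles(userId, roleIds, cb) is injected (assumption): in a tenant it would
// send the request built above with a Management API token that is allowed to
// update users and read roles.
function makeDefaultRoleRule(assignRoles) {
  return function defaultRoleRule(user, context, callback) {
    const logins = (context.stats && context.stats.loginsCount) || 0;

    // Returning users already have their roles; do not touch them again, so
    // roles an administrator removed later are not silently re-granted.
    if (logins > 1) {
      return callback(null, user, context);
    }

    assignRoles(user.user_id, [DEFAULT_ROLE_ID], function (err) {
      if (err) {
        // Design choice in this example: stop the login rather than issue a
        // token for a user whose role state is unknown.
        return callback(new Error('Default role assignment failed: ' + err.message));
      }
      callback(null, user, context);
    });
  };
}
```
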