I am sorry to say, but I cannot figure out how to correctly use claims and their corresponding scopes. I am working for a larger enterprise where we would like to test whether Auth0's functionality is sufficient to replace our current identity system and migrate those users.
According to the OIDC specification, a client and a user can request authentication with specific scopes (and/or custom scopes) which are inside the corresponding claims (which seems to be an API on the Auth0 side).
BUT: How do I set the value of those scopes in the user information? (see: https://nat.sakimura.org/2012/01/26/scopes-and-claims-in-openid-connect/)
AND: How is it set for the Auth0 Management API? Simply having read access to a scope makes any user FULL ADMIN? Is that really correct?
I would be glad if someone could help me out with my understanding…
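To illustrate the relationship the post is asking about, here is an added example (not from the original post, and not Auth0's code or API): it models the standard OpenID Connect Core 1.0 section 5.4 mapping from scopes to claims, plus one hypothetical custom scope (`read:department`) mapped to a namespaced custom claim. The user record, client configuration and identifiers are all constructed for the example. The point it makes is that claim values live in the user store; a scope only decides which of those values are released, and a client should only be granted the scopes it was configured for.

```python
"""Scopes select claims; claim values come from the user record (OIDC Core 1.0, section 5.4)."""

# Standard scope -> claims mapping as defined by OpenID Connect Core 1.0, section 5.4.
STANDARD_SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Hypothetical custom scope -> custom claim mapping an IdP operator might define.
# Custom claims are namespaced with a URI to avoid colliding with standard claims.
CUSTOM_SCOPE_CLAIMS = {
    "read:department": {"https://example.com/department"},
}

# Constructed user store. The claim *values* live here, not in the scope.
USER_STORE = {
    "auth0|123": {
        "sub": "auth0|123",
        "name": "Alice Example",
        "email": "alice@example.com",
        "email_verified": True,
        "https://example.com/department": "Treasury",
        "password_hash": "<constructed placeholder>",  # never mapped to any scope
    }
}


def parse_scope(scope_param):
    """The OAuth 2.0 `scope` parameter is a space-delimited string; return its tokens as a set."""
    return set(scope_param.split())


def grant_scopes(requested, allowed_for_client):
    """Least privilege: a client receives only the scopes it is configured to use.

    Returns (granted, denied) so the caller can log or surface what was refused.
    """
    requested = set(requested)
    granted = requested & set(allowed_for_client)
    return granted, requested - granted


def claims_for_scopes(granted):
    """Union of the claims unlocked by each granted scope (unknown scopes unlock nothing)."""
    claims = set()
    for scope in granted:
        claims |= STANDARD_SCOPE_CLAIMS.get(scope, set())
        claims |= CUSTOM_SCOPE_CLAIMS.get(scope, set())
    return claims


def userinfo_response(sub, granted):
    """Build a UserInfo payload containing only claims released by the granted scopes.

    Claims the user record does not hold are simply absent; nothing is invented.
    """
    if "openid" not in granted:
        raise PermissionError("the openid scope is required for an OIDC request")
    record = USER_STORE[sub]
    released = claims_for_scopes(granted)
    return {claim: value for claim, value in record.items() if claim in released}


if __name__ == "__main__":
    # Constructed client configuration: this client may never ask for read:department.
    client_allowed = ["openid", "profile", "email"]
    granted, denied = grant_scopes(parse_scope("openid email read:department"), client_allowed)
    print("granted:", sorted(granted), "denied:", sorted(denied))
    print(userinfo_response("auth0|123", granted))
```

Running it shows `read:department` being refused for that client and a UserInfo payload containing only `sub`, `email` and `email_verified`; widening the client's allowed scopes to include `read:department` is what makes the namespaced department claim appear, which is the "how do I set the value" step: the value is already on the user record, and the scope grant is what releases it.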