Let’s say I have two Users. UserA belongs to the Admin Role. UserB belongs to the Standard Role. Each Role defines a set of Scopes. Both UserA and UserB log in with Username-Password connection. There is no social sign-in. The SPA authenticates with Auth0, grabs the Access Token, and then calls my API. I would like to Authorize the EndPoints based on the Scopes in the Access Token.
My question is this - can I populate the Access Token with all the Scopes assigned to the Role that is in turn assigned to the User when they log in? i.e. UserA logs in, a Rule fires which sees he is in Admin Role, grabs those Scopes and populates the Access Token with them?
I know I can explicitly request Scopes when calling auth0.WebAuth, but this makes no sense to me. How can I distinguish between a Standard and Admin Role at the point of login?
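One way to implement what the question describes, as an added example that is not part of the original post: a Rule in Auth0's `function (user, context, callback)` shape that looks up the user's roles, maps them to scopes, and writes that set onto the access token, paired with the scope check the API then performs per endpoint. The role location (`user.app_metadata.roles`), the `ROLE_SCOPES` table, and the use of `context.accessToken.scope` as the writable scope array inside a Rule are assumptions for illustration; the API side reads the space-delimited `scope` claim of the issued token.

```javascript
// Added example, not code from the original post or from Auth0.
// Assumptions: roles live in user.app_metadata.roles (app_metadata rather than
// user_metadata, since the user must not be able to edit their own roles), and
// the Rule can read/write context.accessToken.scope as an array of scope strings.

// Hypothetical role -> scope table. In a real tenant this mirrors the scopes
// defined on the API in the Auth0 dashboard.
const ROLE_SCOPES = {
  Admin: ['read:reports', 'write:reports', 'delete:reports', 'manage:users'],
  Standard: ['read:reports'],
};

// OIDC scopes the SPA legitimately asks for; these pass through untouched.
const OIDC_SCOPES = ['openid', 'profile', 'email', 'offline_access'];

// Union of the scopes granted by the given roles, deduplicated and sorted.
// Unknown roles contribute nothing, so a typo in metadata fails closed.
function scopesForRoles(roles) {
  const out = new Set();
  for (const role of roles || []) {
    for (const scope of ROLE_SCOPES[role] || []) out.add(scope);
  }
  return [...out].sort();
}

// Rule body. Whatever the SPA requested, only scopes the user's roles grant
// (plus OIDC scopes) survive; a Standard user asking for manage:users gets nothing.
function addRoleScopes(user, context, callback) {
  const roles = (user.app_metadata && user.app_metadata.roles) || [];
  const requested = context.accessToken.scope || [];
  const oidc = requested.filter((s) => OIDC_SCOPES.includes(s));
  const granted = scopesForRoles(roles);
  context.accessToken.scope = [...new Set([...oidc, ...granted])].sort();
  return callback(null, user, context);
}

// API side: the JWT middleware has already verified signature, issuer and
// audience and placed the decoded payload on req.user. Auth0 emits the scope
// claim as a single space-delimited string, so split it before checking.
function hasScope(payload, required) {
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ') : [];
  return scopes.includes(required);
}

// Express-style middleware factory: 403 insufficient_scope when the scope is absent.
function requireScope(required) {
  return function (req, res, next) {
    if (req.user && hasScope(req.user, required)) return next();
    res.status(403).json({ error: 'insufficient_scope', required });
  };
}

// Constructed sample run: an Admin and a Standard user both request manage:users.
const adminCtx = { accessToken: { scope: ['openid', 'profile', 'manage:users'] } };
addRoleScopes({ app_metadata: { roles: ['Admin'] } }, adminCtx, () => {});
const standardCtx = { accessToken: { scope: ['openid', 'manage:users'] } };
addRoleScopes({ app_metadata: { roles: ['Standard'] } }, standardCtx, () => {});
```

Usage: `app.delete('/reports/:id', checkJwt, requireScope('delete:reports'), handler)` on the API, where `checkJwt` is whatever JWT-verifying middleware populates `req.user`. The design point is that the SPA never decides its own privileges: it may request anything, but the Rule reduces the grant to what the role allows, and the API trusts only the scope claim in the signed token.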