This is a question I’ve seen floating around but not definitively answered:
I have a next.js app that’s set up as a regular web application. However, the access token that’s given to a regular web application does not seem to have the capability of having permissions embedded in it. On the other hand, all the RBAC docs seem to point to using RBAC for an API, not a regular web app.
So if I have a next.js app that has some server actions I’m trying to gate with permissions, what do I have to do here? I’m already getting an access token from authenticating as a user, but this doesn’t have permissions – so do I have to make another call to this endpoint: https://projectname.us.auth0.com/oauth/token to get ANOTHER access token which does have permissions in it, and then use that second access token and its decoded permissions to authenticate my server action?
This is possible but seems wasteful to have to make another call to get a second access token, this time loaded with permissions, because the regular web app access token doesn’t have RBAC built into it.