RBAC permissions for SPA app and API


First some backgorund on our setup:
We have a SPA + API + machine to machine app. We want to assign roles to users and decide which API endpoints the frontend can call based on that.

So we have RBAC setup with a role with some permissions. This seems to add the scopes in a permissions property in the token used to call the API. We then use GitHub - auth0/express-jwt-authz: Validate the JWT scope to authorize access to an endpoint to check that the required permissions are there.

So far so good.

We then try to call the API using a machine-to-machine app token. We set the required scopes from the dashboard. The problem is that the permissions are now stored in the scope field in the token.

The library that we use to check the permissions express-jwt-authz can only check one single field for permissions and the permissions for a SPA and a machine to machine app are stored in different places.

This can be easily fixed by us writing our own middleware to check either the scopes field or permissions field but what concerns us is that there is an inconsistency and this really feels like a workaround.

Are we missing something?

This question seems to be related to this one, therefore linking: