RBAC Step up Authentication Custom Scopes

I am using an API with RBAC enabled and I am including the permissions in the access token. My problem now is that I need to use MFA when the user wants to withdraw funds from our platform.

Before I turned RBAC on, I could request the custom scope withdraw:funds and then the access token would include this scope, but since I turned RBAC on the access token includes the scopes: openid profile email.

Now my question is how can I include both the permissions from the user and the requested scope in the access token?

I need to use the permission, because the user needs to complete a KYC process before using our platform and I am setting a permission after the user has completed this process.
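The authorization check the question implies, as an added example (not from this thread or from Auth0): the API must see both the RBAC `permissions` array (a permission granted after KYC) and the step-up scope `withdraw:funds` in the access token, and should fail the two conditions distinctly so the client knows whether to trigger MFA. The KYC permission name `kyc:completed` is an assumed placeholder, and signature/expiry verification is assumed to happen in upstream middleware.

```javascript
// Added example, not code from the original thread or from Auth0.
// Assumes the JWT signature and expiry were already verified upstream;
// this only inspects the decoded payload claims. With Auth0 RBAC the
// permissions arrive in a `permissions` array and granted scopes in a
// space-separated `scope` string.

const WITHDRAW_SCOPE = 'withdraw:funds';   // scope named in the thread
const KYC_PERMISSION = 'kyc:completed';    // assumed placeholder permission name

// Decode the payload segment of a JWT (no signature check here).
function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Decide whether a withdrawal may proceed. The KYC permission is checked
// first; a missing step-up scope is reported separately so the caller can
// respond with a step-up (MFA) challenge instead of a plain denial.
function authorizeWithdrawal(payload) {
  const perms = Array.isArray(payload.permissions) ? payload.permissions : [];
  const scopes = typeof payload.scope === 'string' ? payload.scope.split(' ') : [];
  if (!perms.includes(KYC_PERMISSION)) {
    return { allowed: false, reason: 'kyc_not_completed' };
  }
  if (!scopes.includes(WITHDRAW_SCOPE)) {
    return { allowed: false, reason: 'step_up_required' };
  }
  return { allowed: true, reason: 'ok' };
}

// Build a constructed, unsigned sample token for illustration only.
function makeToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.sig`;
}

// Constructed sample: RBAC token as described in the thread (scope only
// carries openid profile email), so step-up is still required.
const sample = makeToken({ permissions: ['kyc:completed'], scope: 'openid profile email' });
console.log(authorizeWithdrawal(decodePayload(sample))); // step_up_required
```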

Hi @gregor1337,

Welcome to the Community!

Have you enabled Add Permission in the Access Token in your API setup?

Let me know and we can go from there!

Hi, yes I’ve enabled that setting. If I enable that I get the permissions in the access token, but once this feature is enabled newly requested scopes through MFA (e.g. withdraw:funds) are not returned within the access token, only the permission that is set in the user’s account.