I am using an API with RBAC enabled, and I am including the permissions in the access token. My problem now is that I need to use MFA when the user wants to withdraw funds from our platform.
Before I turned RBAC on, I could request the custom scope `withdraw:funds` and the access token would include this scope, but since I turned RBAC on, the access token includes the scopes `openid profile email`.
Now my question is: how can I include both the user's permissions and the requested scope in the access token?
I need to use the permission because the user needs to complete a KYC process before using our platform, and I set a permission after the user has completed this process.
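To make the problem concrete on the API side, here is an added example (not code from the original post or from any identity provider's SDK) of the authorization check a withdraw endpoint would run over the decoded access-token claims. It assumes the claims have already been returned by a JWT library after signature, issuer and audience verification, that the `scope` claim is a space-separated string and the RBAC `permissions` claim is a JSON array, and it uses the hypothetical permission name `kyc:completed` since the post does not name the permission it sets. The three sample payloads are constructed to mirror the situations in the post: before RBAC, after RBAC, and the combined token the poster is asking for.

```python
"""Authorization check for a withdraw endpoint that needs BOTH an RBAC
permission and a requested OAuth2 scope in the access token.

Assumption: `claims` is the payload a JWT library handed back after it
verified signature, issuer, audience and expiry. Nothing here parses or
verifies a token; it only decides on already-trusted claims.
"""
from dataclasses import dataclass

WITHDRAW_SCOPE = "withdraw:funds"   # custom scope named in the post
KYC_PERMISSION = "kyc:completed"    # hypothetical name; the post does not name its permission


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def scopes_of(claims: dict) -> set[str]:
    """OAuth2 `scope` is a single space-separated string; missing claim -> no scopes."""
    scope = claims.get("scope", "")
    if not isinstance(scope, str):
        return set()
    return set(scope.split())


def permissions_of(claims: dict) -> set[str]:
    """RBAC `permissions` is a JSON array of strings; anything else -> no permissions."""
    perms = claims.get("permissions", [])
    if not isinstance(perms, list):
        return set()
    return {p for p in perms if isinstance(p, str)}


def authorize_withdraw(claims: dict) -> Decision:
    """Deny unless the KYC permission AND the withdraw scope are both present.

    Checking only one of them reproduces the two failure modes from the post:
    a pre-RBAC token carries the scope but no permission (KYC not enforced),
    a post-RBAC token carries the permission but the scope is gone.
    """
    if KYC_PERMISSION not in permissions_of(claims):
        return Decision(False, "missing permission " + KYC_PERMISSION)
    if WITHDRAW_SCOPE not in scopes_of(claims):
        return Decision(False, "missing scope " + WITHDRAW_SCOPE)
    return Decision(True, "ok")


# Constructed sample payloads (not real tokens); only the relevant claims are shown.
BEFORE_RBAC = {"sub": "user-1", "scope": "openid profile email withdraw:funds"}
AFTER_RBAC = {"sub": "user-1", "scope": "openid profile email",
              "permissions": ["kyc:completed"]}
WANTED = {"sub": "user-1", "scope": "openid profile email withdraw:funds",
          "permissions": ["kyc:completed"]}
MALFORMED = {"sub": "user-1", "scope": ["withdraw:funds"], "permissions": "kyc:completed"}


def run_samples() -> dict:
    """Evaluate each constructed payload; returns {name: Decision}."""
    return {
        "before_rbac": authorize_withdraw(BEFORE_RBAC),
        "after_rbac": authorize_withdraw(AFTER_RBAC),
        "wanted": authorize_withdraw(WANTED),
        "malformed": authorize_withdraw(MALFORMED),
    }


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:12} allowed={decision.allowed} ({decision.reason})")
```

The point of the two-claim check is that the scope and the permission answer different questions: the scope records what this client asked for on this grant, while the RBAC permission records a fact about the user (KYC done) that the client cannot grant itself. The `MALFORMED` case shows why the claim readers refuse wrong JSON types instead of stringifying them; a list in `scope` or a bare string in `permissions` must not be allowed to satisfy either check by accident.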