Was searching for role related threads and found this. I’m currently trying to work out how we will implement roles in our own Auth0 environment.
To answer your question, you need to send the user’s roles over the wire with your token. Then it is up to your application to decide what to do with those roles.
For a more centralized approach, I had the idea of an RBAC API. This is similar to the Authorization Extension that Auth0 has. Once your user is authenticated, your app queries the API to see what roles they have, and perhaps all the scopes associated with those roles. Perhaps you list a user’s assigned groups in `app_metadata.groups`, and send that list with their token. Then the app asks the API what roles are associated with the user’s groups.