Roles vs permissions vs scope distinction

Hello @ibi,

Welcome to the Community!

Scopes are typically associated with API access. An API defines what scopes are available (what services it provides). For example a user account management API might define scopes like read:user, create:user, update:user. These are the capabilities the API provides, but not necessarily what any given user can do. In the “Role & Scope” model, Roles are defined, and users are given a Role. Individual Scopes are associated with a given Role, combining all these elements together. For example, you might have:

Role: Audit, API: user_manager, Scopes: read:user
Role: Access Control, API: user_manager, Scopes: create:user, update:user

And maybe Alice has the Audit role, while Bob has the Access Control role.

When you request a scope, the Authorization Server (Auth0) will decide whether you get that scope or not. You can request anything you like, but the Authorization Server sends back a token with only the scopes it has decided you are allowed to have.

You do not need to use the Authorization Extension, and in general I would recommend not using it. Instead, use the core authorization feature now built into Auth0.

3 Likes
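The role-to-scope mapping and the "request anything, receive only what you are allowed" decision described in the reply above, as an added example that is not part of the original post or Auth0's own code. The user_manager API, its scopes, the two roles and the Alice/Bob assignments are constructed to match the reply's example; the token shape is a simplified access-token payload, not Auth0's.

```python
# Added example (not from the Auth0 Community post): a toy authorization server
# that grants only the requested scopes a user's roles allow, and a toy API that
# enforces the granted scopes. All names, roles and scopes are constructed to
# match the reply's example; the token layout is a simplified assumption.

# What the API provides (its capabilities), independent of any user.
API_SCOPES = {"user_manager": {"read:user", "create:user", "update:user"}}

# Which scopes on which API each role carries.
ROLE_SCOPES = {
    "Audit": {"user_manager": {"read:user"}},
    "Access Control": {"user_manager": {"create:user", "update:user"}},
}

# Users are given roles, never scopes directly.
USER_ROLES = {"alice": {"Audit"}, "bob": {"Access Control"}}


def allowed_scopes(user, api):
    """Union of the scopes every role held by `user` grants on `api`."""
    scopes = set()
    for role in USER_ROLES.get(user, set()):
        scopes |= ROLE_SCOPES.get(role, {}).get(api, set())
    return scopes


def issue_token(user, api, requested):
    """Authorization-server decision: the caller may request anything, but the
    token only carries scopes the API defines AND the user's roles allow.
    Unknown users or APIs simply get an empty scope claim."""
    granted = set(requested) & API_SCOPES.get(api, set()) & allowed_scopes(user, api)
    # Space-separated "scope" claim, as in an OAuth 2.0 access token.
    return {"sub": user, "aud": api, "scope": " ".join(sorted(granted))}


def api_call(token, required_scope):
    """Resource-server check: refuse unless the token carries the scope."""
    if required_scope not in token["scope"].split():
        return (403, "insufficient_scope")
    return (200, "ok")


if __name__ == "__main__":
    # Alice asks for more than Audit allows (and a scope the API lacks).
    tok = issue_token("alice", "user_manager", ["read:user", "update:user", "delete:user"])
    print(tok["scope"])                      # read:user
    print(api_call(tok, "update:user"))      # (403, 'insufficient_scope')
```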