I have two Applications (an SPA and a Machine-to-Machine app), and a custom API registered in my Auth0 account. The API has RBAC enabled, and a few permissions configured for it.
When I perform the client_credentials OAuth grant using my M2M app, the token that comes back includes two claims (scope and permissions), and both always include all allowed permissions for that application, regardless of what scopes I request. Is this expected?
In contrast, authenticating with the SPA gives me a token with a permissions claim including all allowed permissions, and a scope claim including only requested scopes.
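A way to reproduce the comparison described in the question, as an added example that is not part of the original post: it builds the client_credentials token request with an explicit scope parameter, decodes the returned access token's payload without verification (for inspection only), and reports which scopes came back beyond what was requested and whether the scope claim matches the permissions claim. The tenant domain, API identifier and the sample token are constructed placeholders, and the token is signed with a dummy signature for the demo.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders; not real tenant data.
AUTH0_DOMAIN = "example-tenant.auth0.com"   # assumption: placeholder tenant
API_AUDIENCE = "https://api.example.com"    # assumption: placeholder API identifier


def build_client_credentials_request(client_id, client_secret, audience, scopes):
    """Return (url, form_body) for the client_credentials grant.

    The token endpoint accepts an optional space-separated `scope` parameter;
    the question is whether that parameter narrows the issued token.
    """
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }
    if scopes:
        body["scope"] = " ".join(scopes)
    return f"https://{AUTH0_DOMAIN}/oauth/token", urlencode(body)


def _b64url_decode(segment):
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_payload_unverified(token):
    """Decode the JWT payload WITHOUT verifying the signature.

    Only for inspecting claims on a token just received over TLS from the
    token endpoint; a token used for authorization decisions must be verified
    against the tenant's JWKS first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def compare_scopes(requested, payload):
    """Relate the requested scopes to the scope and permissions claims."""
    granted_scope = set(payload.get("scope", "").split())
    permissions = set(payload.get("permissions", []))
    requested = set(requested)
    return {
        "scope_beyond_request": sorted(granted_scope - requested),
        "requested_not_granted": sorted(requested - granted_scope),
        "scope_equals_permissions": granted_scope == permissions,
    }


def _make_demo_token(payload):
    """Build a constructed JWT with a dummy signature (demo only, never for auth)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.sig"


# Constructed token resembling the M2M result described above: both claims
# list every permission of the application, regardless of the request.
SAMPLE_M2M_PAYLOAD = {
    "iss": f"https://{AUTH0_DOMAIN}/",
    "aud": API_AUDIENCE,
    "gty": "client-credentials",
    "scope": "read:items write:items delete:items",
    "permissions": ["read:items", "write:items", "delete:items"],
}
SAMPLE_M2M_TOKEN = _make_demo_token(SAMPLE_M2M_PAYLOAD)


def demo(requested=("read:items",)):
    """Request one scope, then inspect what the constructed token carries."""
    _, body = build_client_credentials_request("client-id", "client-secret",
                                               API_AUDIENCE, list(requested))
    payload = decode_payload_unverified(SAMPLE_M2M_TOKEN)
    return body, compare_scopes(list(requested), payload)


if __name__ == "__main__":
    body, report = demo()
    print(body)
    print(json.dumps(report, indent=2))
```

Run against a real token endpoint by POSTing the form body returned by build_client_credentials_request with Content-Type application/x-www-form-urlencoded and feeding the access_token from the JSON response to decode_payload_unverified; a non-empty scope_beyond_request confirms the over-granting the question describes.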