Scopes and permissions with RBAC for Machine-to-machine authentication

Hi @tommyr,

I apologize for the delay.

Permissions and RBAC are user-centric. This is explained better here:

This would explain the difference in how they are treated in a SPA where a user is requesting an access token and a M2M app where there is no user.

Hope this helps in some way!