Scopes in ID TOKEN

Currently writing a spa svelte app, need to decide when to show certain buttons / areas for their respective permissions.
I need access to the user permissions in the client.
To set the base for those who may stumble upon this, let me clarify one thing according to standards and auth0.
It is said, don’t look into the access token (getTokenSilently()) in the client, instead, use the id token (getIdTokenClaims())
But it seems auth0 doesn’t even pass the permissions to the id token when you get it from getIdTokenClaims.
On the other hand, if you “break the rules” and you use jwt-decode to decode the access token, there… you have everything your heart desires.

What’s the best way to do this the right way, to get permissions/scopes included in the id token? It’s tempting to just decode the access token and use the scopes in there. I also rather not be hitting management api if I can.

All of this needs to be muuuuuuch more clearer in the docs for building a spa. Authorization is a basic auth need.

Thanks!

Thanks for the descriptive feedback. I agree, this is something that could be clearer in our docs.

There is an angular example of how to do this without the access token. It may be helpful:

Best,
Dan

1 Like

The linked example uses auth0-js, not the spa package

That is correct, and the methodology is still applicable.