Scope settings in Angular and Auth0 Dashboard UI

The sample project is here:

The UI is written in Angular and uses the Auth0 Angular SDK to simplify the work. In AuthModule, I have set the scopes there.

AuthModule.forRoot({
  domain: 'dev-ese8241b.us.auth0.com',
  clientId: 'xwulkQN219vK2LU9MKowCo0HQLRi0WQU',
  audience: 'https://hantsy.github.io/api',
  scope: 'openid profile email read:posts write:posts delete:posts',
  // The AuthHttpInterceptor configuration
  httpInterceptor: {
    allowedList: [
      '/api/*',
...

I have created two users in the Auth0.com management dashboard.

The users/permissions are configured as follows.

  • user - read:posts, write:posts
  • admin - read:posts, write:posts, delete:posts

When I log in to my UI application as user, I see in the backend logging info (Spring Boot) that SCOPE_delete:posts is assigned to user, but delete:posts is not assigned to it in the Auth0 Management Dashboard.

I also opened the Firefox developer tools, tried to create a post, extracted the token from the request info and pasted it into jwt.io to decode it: delete:posts exists in the token.

How do I make the scope settings sync with my settings in the Auth0 Management Dashboard?

What I cannot understand is that the requested scopes set in the @auth0/angular AuthModule (UI application) are applied to the returned token directly.

I understand Auth0 has an option to enable RBAC in the settings page; when it is enabled, it will add permissions to the access token.

But Spring Security supports securing the endpoints via the scopes in the JWT token.

How do I make these match? Convert permissions to scopes in Auth0 rules, or convert permissions to scopes on the backend (Spring) side?

Or give up permissions and use roles?

@stephanie.chamblee
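The backend-side option raised in the question (convert permissions to scopes in Spring) can be done without touching Auth0 rules, by telling Spring Security to build authorities from the `permissions` claim instead of the `scope` claim. The following is an added example written for this post, not code from the poster's project or from Auth0. It assumes the API's RBAC toggle and "Add Permissions in the Access Token" are enabled in the Auth0 dashboard, so the access token carries a `permissions` array (for user: `["read:posts", "write:posts"]`); it assumes Spring Boot 3 / Spring Security 6 with the JWT decoder configured through the `spring.security.oauth2.resourceserver.jwt.issuer-uri` property; and the `/api/posts/**` paths and the package name are hypothetical. The `SCOPE_` prefix is kept on purpose so that any existing `hasAuthority("SCOPE_delete:posts")` checks keep working, but they are now driven by the dashboard's user permissions rather than by whatever `scope` string the Angular client asked for.

```java
package com.example.demo.config; // hypothetical package name

import java.util.Collection;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableMethodSecurity // allows @PreAuthorize("hasAuthority('SCOPE_delete:posts')") on controller methods
public class ResourceServerConfig {

    /**
     * Build authorities from the Auth0 "permissions" claim (an array such as
     * ["read:posts", "write:posts"], present when RBAC + "Add Permissions in the
     * Access Token" are enabled, an assumption of this example) instead of the
     * default "scope"/"scp" claim, which only mirrors what the client requested.
     * The SCOPE_ prefix is kept so existing scope-based checks still match.
     */
    @Bean
    public JwtAuthenticationConverter jwtAuthenticationConverter() {
        JwtGrantedAuthoritiesConverter authorities = new JwtGrantedAuthoritiesConverter();
        authorities.setAuthoritiesClaimName("permissions");
        authorities.setAuthorityPrefix("SCOPE_");

        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(authorities);
        return converter;
    }

    /**
     * Wire the converter into the resource server and gate the hypothetical
     * /api/posts endpoints on the mapped authorities. A token whose "scope" claim
     * says delete:posts but whose "permissions" array does not will now be
     * rejected on DELETE with 403.
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   JwtAuthenticationConverter jwtAuthenticationConverter)
            throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.GET, "/api/posts/**").hasAuthority("SCOPE_read:posts")
                .requestMatchers(HttpMethod.POST, "/api/posts/**").hasAuthority("SCOPE_write:posts")
                .requestMatchers(HttpMethod.DELETE, "/api/posts/**").hasAuthority("SCOPE_delete:posts")
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtAuthenticationConverter)));
        return http.build();
    }
}
```

One check worth doing after wiring this in: decode a token for user on jwt.io and confirm the `permissions` array is present and does not contain `delete:posts`; if the claim is missing entirely, the converter yields no authorities and every guarded endpoint returns 403, which usually means the "Add Permissions in the Access Token" toggle is off for that API. The Angular client can keep requesting `delete:posts` in its `scope` string; with this mapping that request no longer grants anything on the backend.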