In the backend, I get all the user’s permissions in the access token (permissions claim). Are there any security issues with this approach? I understand that with the recommended way, i.e. adding the scopes on the client side so that you get the intersection of the client-side scopes and API permissions in the scope claim of the access token, you don’t give permissions that are not requested, but I don’t see anything critical about it. Am I missing something?
Put simply, permissions (privileges when assigned to a user) relate to the actions a user can take for a given resource, whereas scopes, generally speaking, are requested by the client (app) to act on behalf of the user. Adding permissions to the access token via RBAC is an acceptable approach that doesn’t introduce any security issue. The following blog post and accompanying video are very helpful in outlining the differences:
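To make the distinction concrete, here is an added example of how an API could consume such a token (it is not code from the thread or from any identity provider). It assumes a token with a `permissions` array claim and a space-separated `scope` string claim, as described in the question, and mints an HS256 token locally with a constructed secret so it runs offline; a real authorization server would sign with RS256 and the API would verify against its published keys. The `authorize` helper shows both policies: enforce the user’s permissions alone, or additionally require that the client requested the matching scope (the intersection).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values, not real credentials or endpoints.
DEMO_KEY = b"demo-secret-not-for-production"
DEMO_AUDIENCE = "https://api.example.test"
DEMO_CLAIMS = {
    "sub": "auth0|demo-user",
    "aud": DEMO_AUDIENCE,
    "exp": 2_000_000_000,
    # RBAC: everything this user is allowed to do on the API (hypothetical names).
    "permissions": ["read:reports", "delete:reports"],
    # What the client asked for on the user's behalf (intersection with RBAC).
    "scope": "openid read:reports",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT as a stand-in for the authorization server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, key: bytes, audience: str, now=None) -> dict:
    """Verify algorithm, signature, audience and expiry; return the claims.

    Claims are only trusted after the signature checks out, so a client
    cannot add permissions to its own token.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def authorize(claims: dict, required: str, require_scope: bool = False) -> bool:
    """Decide whether this token may perform `required` (e.g. "read:reports").

    permissions = what the user may do (RBAC, assigned server-side).
    scope       = what the client asked to do on the user's behalf.
    With require_scope=True the action must be in both sets.
    """
    permissions = set(claims.get("permissions", []))
    if required not in permissions:
        return False
    if require_scope:
        scopes = set(claims.get("scope", "").split())
        return required in scopes
    return True


if __name__ == "__main__":
    token = mint_token(DEMO_CLAIMS, DEMO_KEY)
    claims = verify_token(token, DEMO_KEY, DEMO_AUDIENCE)
    for action in ("read:reports", "delete:reports", "write:reports"):
        print(action,
              "rbac-only:", authorize(claims, action),
              "rbac+scope:", authorize(claims, action, require_scope=True))
```

With the demo claims, `delete:reports` is allowed under RBAC alone but refused once the client’s requested scope is also required, which is the only practical difference between the two policies: the permissions claim bounds what the user can ever do, and the scope check additionally bounds what this particular client was granted to do on the user’s behalf.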