Scopes vs Permissions confusion

:wave: I would like to share some updates for the core authorization.

We introduced TOKEN_DIALECT which helps to get the scopes in the Access Token based on the permissions assigned to the user either directly or through roles.

When the RBAC feature is enabled along with token dialect for an API, the permissions which are allowed for the user and requested by the application will be inserted in the scope attribute of the issued Access Token.

An app may request one or more permissions for a specific API. E.g., let's say I have an API with the API identifier https://myblogapi and the associated permissions read:posts, update:posts and delete:posts.

My blog application only needs read:posts and update:posts so it asks for them in the scope attribute.

https://myblog.us.auth0.com/authorize?scope=openid read:posts update:posts&audience=https://myblogapi&client_id=1234567&response_type=code&redirect_uri=https://myblog.com/callbacki&state=abc

Let’s say Alice has an admin role that allows her to have all of the above permissions. When Alice clicks on the login button, my blog redirects Alice’s browser to the Universal Login with the above URL.

When Alice logs in, as she has all of the requested permissions, the Access Token will have both read:posts and update:posts in the scope, but not delete:posts (it was never requested).

However, let's say Bob is a regular user who is only allowed to read posts, so he holds the read:posts permission alone. The same URL above will then issue an Access Token whose scope contains read:posts only for him, even though the app requested update:posts as well.
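To make the rule concrete, here is an added example (my own illustration, not Auth0's code) that models how the scope ends up as the intersection of what the app requested and what the user holds through roles, and the check an API should do on the resulting scope claim. The role-to-permission mapping and the users Alice and Bob are constructed for the example, and only `openid`/`profile`/`email`/`offline_access` are treated as OIDC scopes that pass through unfiltered.

```javascript
// Constructed role -> permission mapping for the API identifier https://myblogapi.
const ROLE_PERMISSIONS = {
  admin: ['read:posts', 'update:posts', 'delete:posts'],
  user: ['read:posts'],
};

// OIDC scopes are not API permissions, so RBAC filtering leaves them alone
// (simplification for this example).
const OIDC_SCOPES = new Set(['openid', 'profile', 'email', 'offline_access']);

// All permissions a user holds: through roles plus any assigned directly.
function effectivePermissions(user) {
  const fromRoles = (user.roles || []).flatMap((r) => ROLE_PERMISSIONS[r] || []);
  return new Set([...fromRoles, ...(user.directPermissions || [])]);
}

// The scope written into the issued Access Token: everything the app asked for
// in `scope`, kept only if it is an OIDC scope or a permission the user holds.
function issuedScope(requestedScope, user) {
  const allowed = effectivePermissions(user);
  return requestedScope
    .split(' ')
    .filter((s) => s && (OIDC_SCOPES.has(s) || allowed.has(s)))
    .join(' ');
}

// API side: decide from the scope claim of the (already signature-validated)
// token payload, never from what the application requested.
function hasPermission(tokenPayload, required) {
  const granted = new Set((tokenPayload.scope || '').split(' ').filter(Boolean));
  return granted.has(required);
}

// Walk through the scenario from the post.
const requested = 'openid read:posts update:posts';
const alice = { roles: ['admin'] };           // constructed user
const bob = { roles: ['user'] };              // constructed user
const aliceToken = { scope: issuedScope(requested, alice) };
const bobToken = { scope: issuedScope(requested, bob) };
console.log('Alice scope:', aliceToken.scope); // openid read:posts update:posts
console.log('Bob scope:', bobToken.scope);     // openid read:posts
console.log('Bob may update?', hasPermission(bobToken, 'update:posts')); // false
```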
