Welcome to the Auth0 Community!
Yes, that is correct. Auth0 Actions cannot modify scopes. Auth0 Rules is capable of doing this, but we recently just announced the deprecation for Rules and Hooks coming soon, so this is not a future-proof solution. See the context.accessToken object for more details.
I recommend going with this approach with using Auth0 Actions to set a custom claim if this option is possible for you. I have shared a helpful resource below worth checking out: How do I make an Axios API call and store it as a custom claim using Actions? FAQ.
Yes, this is possible as well. When you use Redirect Actions, you will need to pass the dynamic identifier back to the authentication transaction to set the identifier in the Access/ID token.
May I ask if it is possible for you to set this dynamic identifier to the user’s metadata preemptively and then setting it as a custom claim when they log in?
I look forward to your reply.
Thanks,
Rueben