Understanding best practices regarding connecting .NET Core Identity Framework with Auth0 roles

I hired a development team who created a Blazor WebAssembly app for us. As part of this project, the .NET Core Identity tables were installed in our database:

In Auth0, I have figured out where to turn on RBAC and Add Permissions in the Access Token. I created a couple test Permissions under my Auth0 API, I created an Auth0 Role that is connected to a couple permissions. I put my User into the Role, and I can see in the network trace where the token comes back with the permissions stuffed in the token. All is good so far!

I want to start by implementing a simple Administrator role that has global access to the application. I believe what gives me the most control and autonomy is to extend my application to support more data in the AspNetUserRoles table (right now we are not using it) so that the application has direct access to what the user should have access to.

I believe that it is efficient for the API to take advantage of the Permissions attribute that is stuffed in the token. Is the only way to get permissions in the token to use the built-in Auth0 Roles and Permissions feature? Or is there a mechanism to have the .NET application send down the role/permission data when it is retrieving the token? That is, I wasn’t sure if there was some type of “payload” value that can be sent down to be included in the token without having to do the full Role/Permissions implementation in Auth0.

If I have to use Auth0 Roles/Permissions to stuff the token with payload data, I want to understand the best practices of synchronizing roles from my application to Auth0. I believe modifying the roles on a user account would need to be done through an Auth0 API, which would need to be done from code that I’m hosting inside of my trusted server/API app (not anything that runs client side). If I’m correct, is this Auth0 user management API typically done just inside of the application user interface where user permissions are set? Or do people typically push down the current role(s) during login?

I’m thinking about the case where the database role gets modified outside of the user interface where user permissions are assigned.

Maybe I’m overthinking things - you can tell me if I’m way off base here. I’m just trying to understand how I should write up the next set of user stories for my developer team (who is new to Auth0).

Thanks… Mike
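One way the API side can consume the `permissions` claim that Auth0 adds to the access token when RBAC and "Add Permissions in the Access Token" are enabled, as an added example that is not code from the original post or its development team. It assumes JWT bearer authentication is already configured for the API audience; the policy names and permission strings are illustrative assumptions.

```csharp
// Added example: ASP.NET Core authorization policies driven by Auth0's "permissions" claim.
// Auth0 emits the permissions as a JSON array; the JWT bearer handler maps that into
// one claim of type "permissions" per value (e.g. "read:reports"), which is what we check.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public sealed class HasPermissionRequirement : IAuthorizationRequirement
{
    public string Permission { get; }
    public HasPermissionRequirement(string permission) => Permission = permission;
}

public sealed class HasPermissionHandler : AuthorizationHandler<HasPermissionRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   HasPermissionRequirement requirement)
    {
        // Only the token issued by Auth0 is trusted here; nothing client-side can add a permission.
        bool granted = context.User.FindAll("permissions")
                                   .Any(c => c.Value == requirement.Permission);
        if (granted)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}

public static class Auth0PermissionPolicies
{
    // Registers one named policy per permission string, e.g. "read:reports" (assumed names).
    public static IServiceCollection AddAuth0PermissionPolicies(this IServiceCollection services,
                                                                params string[] permissions)
    {
        services.AddSingleton<IAuthorizationHandler, HasPermissionHandler>();
        services.AddAuthorization(options =>
        {
            foreach (string permission in permissions)
            {
                options.AddPolicy(permission, policy => policy
                    .RequireAuthenticatedUser()
                    .AddRequirements(new HasPermissionRequirement(permission)));
            }
        });
        return services;
    }
}

// Program.cs (assumed):  builder.Services.AddAuth0PermissionPolicies("read:reports", "manage:users");
// Endpoint:              [Authorize(Policy = "read:reports")]  or  .RequireAuthorization("read:reports")
```

Because the check reads only the signed token, a role change made directly in the database takes effect for the API only after Auth0 has been updated (for example via the Management API from the trusted server) and the user obtains a fresh token.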