I use Role-Based Access Control in Auth0.
The user tokens always contain all permissions assigned to the user. Scopes, on the other hand, are only included if they are requested during the authentication process.
In the case of applications I can enable including permissions, but the scopes are still included and I end up with all the information duplicated.
I’m wondering if there is any reasoning behind this. Is it necessary for some reason to differentiate between scopes and permissions even though they are effectively the same?
I’m also a bit concerned about the token size. I’m afraid to hit a token size limit at some point if everything is included twice.
Thanks for helping me to understand the concepts here!
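One way to quantify the overlap the post describes before deciding which claim an API should authorize against, as an added example that is not Auth0's code or the poster's: it decodes the payload of a constructed, unsigned JWT (the claim values and the `example.auth0.com` issuer are made up) and reports which entries appear in both the space-delimited `scope` claim and the `permissions` array, plus how many payload bytes the duplicated `permissions` claim costs.

```python
import base64
import json

# Constructed sample payload (not a real Auth0 token): the "scope" claim is a
# space-delimited string, the RBAC "permissions" claim is an array.
SAMPLE_PAYLOAD = {
    "iss": "https://example.auth0.com/",
    "sub": "auth0|user123",
    "aud": "https://api.example.com",
    "scope": "openid profile read:messages write:messages",
    "permissions": ["read:messages", "write:messages", "delete:messages"],
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    # Header and payload only, empty signature: a demo artefact, not a real token.
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(compact(header)), b64url_encode(compact(payload)), ""])


def claims_of(token: str) -> dict:
    # Inspection only: a real token must be signature-verified before its claims are trusted.
    return json.loads(b64url_decode(token.split(".")[1]))


def compare_scope_and_permissions(token: str) -> dict:
    claims = claims_of(token)
    scopes = set(claims.get("scope", "").split())
    perms = set(claims.get("permissions", []))
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    without_perms = {k: v for k, v in claims.items() if k != "permissions"}
    return {
        "in_both": sorted(scopes & perms),
        "only_in_scope": sorted(scopes - perms),
        "only_in_permissions": sorted(perms - scopes),
        "payload_bytes": len(compact(claims)),
        # Bytes the "permissions" claim adds on top of what "scope" already carries.
        "permissions_claim_bytes": len(compact(claims)) - len(compact(without_perms)),
    }


if __name__ == "__main__":
    print(compare_scope_and_permissions(make_unsigned_jwt(SAMPLE_PAYLOAD)))
```

Running the same comparison over tokens issued for your own applications shows whether the `permissions` claim is ever narrower than `scope` (here `delete:messages` is) and how close the duplicated claims bring a token to any size limit you care about.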