In section 5.4 of the OIDC spec (https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) it says “The scopes associated with Access Tokens determine what resources will be available when they are used to access OAuth 2.0 protected endpoints.”
As I read this, it seems straightforward: if you have any permissions which an API should respect, then you put them within the “scopes” claim of an access token.
However, both Auth0 and Okta put a user's permissions within a custom claim. In Auth0's case, it puts a user's permissions within a “permissions” claim, and in Okta's case, they put them within a “groups” claim of the access token.
Because both of these identity providers put the permissions as a custom claim, it makes me think I am reading the spec wrong. Does anyone have thoughts or can clear up when to put permissions in a custom claim vs putting them in the scopes claim?
The difference here is the scopes for the token vs the permissions for the user. Some Auth0 users will add users' permissions in a custom claim to do things like gate content. The scopes in the token are explicitly describing what the token has access to.
This doc shows an example of the access token with scopes: https://auth0.com/docs/api-auth/why-use-access-tokens-to-secure-apis#compare-the-tokens
Here is an example of adding permissions to a token via a custom claim (id token in this instance): https://community.auth0.com/t/how-do-i-add-user-permissions-to-id-token/28611
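To make the distinction in the answer above concrete, here is an added example (not code from the thread, Auth0 or Okta) of how a resource server can enforce the two layers separately: the `scope` claim says what the client was delegated for this token, while an IdP custom claim (`permissions` in Auth0's case, `groups` in Okta's) says what the user is entitled to. The claim sets are constructed for illustration; the Okta-style token uses the list-valued `scp` claim that Okta issues, and the code assumes the JWT's signature, issuer, audience and expiry have already been verified by a JWT library before these checks run.

```python
"""Added example: treating OAuth scopes and IdP permission claims as two
separate authorization layers on an already-verified access token."""
from dataclasses import dataclass

# Constructed sample claim sets (not real tokens), modelled on the thread.
AUTH0_STYLE_CLAIMS = {
    "iss": "https://example-tenant.example/",          # placeholder issuer
    "sub": "auth0|user123",
    "aud": "https://api.example.com",
    "scope": "openid profile read:reports",             # space-delimited, RFC 6749 form
    "permissions": ["read:reports", "approve:reports"], # Auth0-style custom claim
}

OKTA_STYLE_CLAIMS = {
    "iss": "https://example.okta.example/oauth2/default",  # placeholder issuer
    "sub": "user456",
    "aud": "api://default",
    "scp": ["openid", "read:reports"],                  # Okta issues scopes as a list
    "groups": ["Everyone", "ReportReaders"],            # Okta-style custom claim
}


def token_scopes(claims: dict) -> set:
    """Scopes granted to the token itself.

    Accepts the space-delimited `scope` string or the list-valued `scp` claim;
    an absent or malformed claim yields no scopes (deny by default).
    """
    raw = claims.get("scope")
    if isinstance(raw, str):
        return set(raw.split())
    scp = claims.get("scp")
    if isinstance(scp, list):
        return {s for s in scp if isinstance(s, str)}
    return set()


def user_permissions(claims: dict) -> set:
    """User-level entitlements carried in IdP custom claims, if any."""
    perms = set()
    for name in ("permissions", "groups"):
        value = claims.get(name)
        if isinstance(value, list):
            perms.update(v for v in value if isinstance(v, str))
    return perms


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(claims: dict, required_scope: str, required_permission: str = None) -> Decision:
    """Two-layer check.

    The token must carry `required_scope` (what the client was delegated), and,
    when `required_permission` is given, the user must hold it (what the user is
    entitled to). A permission never substitutes for a missing scope, and a
    scope never substitutes for a missing permission.
    """
    if required_scope not in token_scopes(claims):
        return Decision(False, f"token lacks scope {required_scope!r}")
    if required_permission is not None and required_permission not in user_permissions(claims):
        return Decision(False, f"user lacks permission {required_permission!r}")
    return Decision(True, "ok")


if __name__ == "__main__":
    # The user holds approve:reports, but this token was only delegated
    # read:reports, so the approval endpoint must still refuse it.
    print(authorize(AUTH0_STYLE_CLAIMS, "approve:reports", "approve:reports"))
    print(authorize(OKTA_STYLE_CLAIMS, "read:reports", "ReportReaders"))
```

The useful case is the first call in the `__main__` block: the user is entitled to approve reports, yet the token was only issued with `read:reports`, so the API refuses. That is the property the answer describes: scopes bound what this token may do regardless of what the user could do through some other token.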