Once everything is set up (see yesterday’s journal), you should see permissions such as read:messages in the permissions and scope claims of the access_token returned by /oauth/token. However, there are some nuances you need to know:
permissions contains the permissions assigned to the authenticated user, as long as Add Permissions in the Access Token is enabled.

scope varies because its final value is the intersection of the scope requested by the client, the User-delegated Access permissions assigned to the SPA, and the permissions assigned to the user. For example, even if read:messages is assigned to the user, the scope in the access_token will not contain that permission if either of these two lacks the requested permission: the User-delegated Access of the SPA or the user’s permissions.
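
The intersection rule above, modelled as an added example (not code from the original post or from Auth0). It covers API permissions only; the function names, the sample token and all its values are constructed, and decodePayload reads the claims without verifying the signature.

```javascript
// scope = requested ∩ SPA User-delegated Access ∩ user's permissions
function effectiveScope(requested, spaDelegated, userPermissions) {
  const spa = new Set(spaDelegated);
  const user = new Set(userPermissions);
  return requested.filter((p) => spa.has(p) && user.has(p));
}

// For each requested permission missing from scope, name the input(s) that lack it.
function explainDropped(requested, spaDelegated, userPermissions) {
  const reasons = {};
  for (const p of requested) {
    const missing = [];
    if (!spaDelegated.includes(p)) missing.push("SPA User-delegated Access");
    if (!userPermissions.includes(p)) missing.push("user permissions");
    if (missing.length > 0) reasons[p] = missing;
  }
  return reasons;
}

// Decode a JWT payload for inspection only; the signature is NOT verified here.
function decodePayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Permissions listed in the `permissions` claim but absent from `scope`.
function permissionsNotInScope(payload) {
  const scope = new Set((payload.scope || "").split(" ").filter(Boolean));
  return (payload.permissions || []).filter((p) => !scope.has(p));
}

// Constructed scenario: the user holds both permissions, the SPA is granted one.
const requested = ["read:messages", "write:messages"];
const spaDelegated = ["write:messages"];
const userPermissions = ["read:messages", "write:messages"];

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ scope: effectiveScope(requested, spaDelegated, userPermissions).join(" "),
           permissions: userPermissions }),
  "constructed-signature",
].join(".");

console.log(permissionsNotInScope(decodePayload(sampleToken)));
console.log(explainDropped(requested, spaDelegated, userPermissions));
```

In this scenario read:messages appears in permissions but not in scope, because the SPA's User-delegated Access does not include it.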