Fwhat is your exact use case? i am not sure if I see the full picture
Fincluding the audience into a token, does only tell that the token has been issued for a specific project. based on the oidc standard
Fthis doesn't mean that the user does have any permission to the said project (roles)
Fcan you describe your use case a little more in detail?
Fbasically the app defines what they need from the tokens, the app can say which scopes are requested and therefore which information is incnluded. e.g profile, email, etc
Fwe differ between autn (authentication) and authz (authorization), so who can access what
Fgenerally we allow users to authenticate
Fyou can also enable some settings on the project, where you tell zitadel that only users are allowed to authenticate which have a role for the project:
Fyes this only works for user login, as it is validated in the login ui
Fbut you can build this by yourself, by checking if the user does have the permission to access the api, with giving the user a specific role to it
Fzitadel does have its own internal role system, its called managers or somethimes in the backend memberships,
Fthere are different levels of members, e.g on the organization: https://zitadel.com/docs/apis/resources/mgmt/members
