sharepoint online – What permissions do I need to get RoleAssignments via the rest api?

I finally found out what I was doing wrong:
It seems that to get RolePermissions you need a higher level of access than you can request from oAuth, you need to put those permissions onto the AppPrinciple you are using. From the admin site:
e.g. https://foo-admin.sharepoint.com/_layouts/15/AppInv.aspx

Find your app then enter the following XML code into the box ‘Permission Request XML’ and click create – then authorise the app.

<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Read" />
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="FullControl" />
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="FullControl" /></AppPermissionRequests>