Accessing Additional Scopes in Google Social Connection

Problem statement

There are situations where additional scopes (e.g. Google Classroom) need to be accessed beyond those available in the default UI.

Solution

There are a few steps to access these scopes. First, make sure you have access to the Google account's production keys for the connection.

In addition to making sure the google-oauth2 connection has production keys, as mentioned previously, do the following to have the connection request the Google Classroom scopes.

  1. Update the connection via the Management APIv2 to request the Google Classroom scopes as upstream params, along with a Refresh Token if needed. Steps to do this in Google. Note: the example below includes only a single scope from the Google documentation:
{
  ...
  "options": {
    <... existing options ...>
    "upstream_params": {
      "connection_scope": {
        "value": "https://www.googleapis.com/auth/classroom.profile.emails"
      },
      "access_type": {
        "value": "offline"
      }
    }
  }
}
     Guidance on updating the connection via the Management APIv2

  2. Have the application get the Google Access Token by calling GET /api/v2/users/{id}. Find the Google Access Token (and Refresh Token if requested) in the identities array.

  3. The application can use the Access Token from step 2 to call the Google Classroom API.

Note: Users will be prompted for consent for the new permissions if this change is made after they have already logged in and given consent to Google.
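
An added example (not Auth0's own code) covering steps 1 and 2: it merges the upstream params into the connection's current options, because a PATCH to the connection replaces the whole options object, and it reads the Google tokens from the identities array. The helper names, the sample options and the sample user profile are constructed for illustration, and the PATCH helper is defined but not called.

```python
import copy
import json
import urllib.request

CLASSROOM_SCOPE = "https://www.googleapis.com/auth/classroom.profile.emails"

def with_upstream_params(current_options, scope, offline=True):
    """Return a complete options object: existing keys kept, upstream_params merged."""
    options = copy.deepcopy(current_options)  # never mutate what GET returned
    params = options.setdefault("upstream_params", {})
    params["connection_scope"] = {"value": scope}
    if offline:  # only ask Google for a Refresh Token when it is really needed
        params["access_type"] = {"value": "offline"}
    return options

def patch_connection(domain, mgmt_token, connection_id, options):
    """Send PATCH /api/v2/connections/{id} with the full options object."""
    req = urllib.request.Request(
        f"https://{domain}/api/v2/connections/{connection_id}",
        data=json.dumps({"options": options}).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def google_tokens(user):
    """Extract (access_token, refresh_token) from a GET /api/v2/users/{id} body.
    The tokens are only present when the Management API token carries the
    read:user_idp_tokens scope, so call this from a backend, not a browser app."""
    for identity in user.get("identities", []):
        if identity.get("provider") == "google-oauth2":
            return identity.get("access_token"), identity.get("refresh_token")
    return None, None

# Constructed sample data standing in for real API responses.
SAMPLE_OPTIONS = {"client_id": "CONSTRUCTED-ID", "scope": ["email", "profile"]}
SAMPLE_USER = {"user_id": "google-oauth2|000", "identities": [
    {"provider": "google-oauth2", "connection": "google-oauth2",
     "access_token": "ya29.CONSTRUCTED", "refresh_token": "1//CONSTRUCTED"}]}

if __name__ == "__main__":
    print(json.dumps(with_upstream_params(SAMPLE_OPTIONS, CLASSROOM_SCOPE), indent=2))
    print(google_tokens(SAMPLE_USER))
```

Treat the returned Google tokens as secrets: keep them server-side and out of logs.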