Auth0 Custom Social Connection To Google OAuth2 - Invalid Scope

When setting up a custom social connection in Auth0 I run into an error where Google OAuth2 responds with:

You are receiving this error either because your input OAuth2 scope name is invalid or it refers to a newer scope that is outside the domain of this legacy API. This API was built at a time when the scope name format was not yet standardized.

I have setup my custom oauth social connection with the following:

  1. /authorize endpoint:
  2. /token endpoint:
  • Scope:
  1. Google Client Id and Secret
  2. Updated the connection through Auth0 Management with this these configs:
  "options": {
    "authorizationURL": "",
    "client_id": "{google-client-id}",
    "client_secret": "{google-client-secret}",
    "customHeaders": {
      "Content-Type": "application/x-www-form-urlencoded"
    "redirect_uri": "https://{tenant}",
    "scope": "",
    "tokenURL": "",
    "upstream_params": {
      "access_type": { "value": "offline" },
      "include_granted_scopes": { "value": "true" },
      "prompt":{ "value": "consent" }
    "useOauthSpecScope": false
  "is_domain_connection": false,
  "enabled_clients": [

Order of Testing Events:

  1. Google presents profile selection screen (good)
  2. I select a profile
  3. My redirect in the Google Client: https://{tenant}
  4. Auth0 displays error screen indicated the above message

A few things I noticed:

  1. When using prebuilt google-oauth2 connection in Auth0 they escape spaces between scopes with a (+) not %20
  2. When observing the custom social connector generated url they escape scope spaces with %20
  3. When attempting to overwrite scope values by using upstream_params google throws an error when using the + instead of %20

Before you ask, I am trying to setup multiple google clients (1 per application) within a tenant, based on assignment. If its possible to use the custom OAuth2 strategy to achieve this I would like to.

Hi @adam.kramer,

What do you have configured for the Seperate scopes using a space parameter?

Also, those scopes look correct from what I can tell. Have you tried sending each scope individually to determine if the url encoded space (%20) is the issue?