When setting up a custom social connection in Auth0, I run into an error where Google OAuth2 responds with:
"You are receiving this error either because your input OAuth2 scope name is invalid or it refers to a newer scope that is outside the domain of this legacy API. This API was built at a time when the scope name format was not yet standardized."
I have set up my custom OAuth social connection with the following:
- /authorize endpoint:
https://accounts.google.com/o/oauth2/v2/auth
- /token endpoint:
https://oauth2.googleapis.com/token
- Scope:
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
- Google Client Id and Secret
- Updated the connection through the Auth0 Management API with these configs:
  {
    "options": {
      "authorizationURL": "https://accounts.google.com/o/oauth2/v2/auth",
      "client_id": "{google-client-id}.apps.googleusercontent.com",
      "client_secret": "{google-client-secret}",
      "customHeaders": {
        "Content-Type": "application/x-www-form-urlencoded"
      },
      "redirect_uri": "https://{tenant}.us.auth0.com/login/callback",
      "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
      "tokenURL": "https://oauth2.googleapis.com/token",
      "upstream_params": {
        "access_type": { "value": "offline" },
        "include_granted_scopes": { "value": "true" },
        "prompt": { "value": "consent" }
      },
      "useOauthSpecScope": false
    },
    "is_domain_connection": false,
    "enabled_clients": [
      "{enabled_client_id}"
    ]
  }
Order of Testing Events:
- Google presents profile selection screen (good)
- I select a profile
- My redirect URI in the Google client: https://{tenant}.us.auth0.com/login/callback
- Auth0 displays an error screen showing the above message
A few things I noticed:
- When using the prebuilt google-oauth2 connection in Auth0, they escape spaces between scopes with a + not %20
- When observing the URL generated by the custom social connector, they escape scope spaces with %20
- When attempting to overwrite scope values by using upstream_params, Google throws an error when using the + instead of %20
Before you ask, I am trying to set up multiple Google clients (1 per application) within a tenant, based on assignment. If it's possible to use the custom OAuth2 strategy to achieve this, I would like to.
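To make the + versus %20 observation concrete, here is an added example (not the poster's code and not Auth0's or Google's implementation) that builds the authorization request from the connection options quoted above and encodes the space-separated scope string both ways, then decodes each query string the way an application/x-www-form-urlencoded parser does. The client id, tenant and state value are placeholders, and the inclusion of response_type and state is an assumption about what a standard authorization-code request contains; the point it shows is that both encodings decode to the same scope list under standard parsing, so whether a given endpoint rejects one of them is something to verify against that endpoint rather than assume.

```python
"""Build a Google OAuth2 authorization request from the custom-connection
options and compare the two ways of encoding the space in `scope`.

Example code added to illustrate the question; it is not the poster's
configuration code and not Auth0's or Google's implementation.
"""
from urllib.parse import parse_qs, quote, quote_plus, urlencode, urlparse

# Constructed from the connection options in the post. Client id, tenant and
# state are placeholders (assumptions), not real credentials.
OPTIONS = {
    "authorizationURL": "https://accounts.google.com/o/oauth2/v2/auth",
    "client_id": "EXAMPLE-CLIENT-ID.apps.googleusercontent.com",
    "redirect_uri": "https://EXAMPLE-TENANT.us.auth0.com/login/callback",
    "scope": (
        "https://www.googleapis.com/auth/userinfo.email "
        "https://www.googleapis.com/auth/userinfo.profile"
    ),
    "upstream_params": {
        "access_type": {"value": "offline"},
        "include_granted_scopes": {"value": "true"},
        "prompt": {"value": "consent"},
    },
}


def authorize_params(options, state):
    """Assemble the query parameters of an authorization-code request.

    response_type and state are assumed to be part of the request (state is
    the CSRF binding the callback must check); upstream_params are merged in
    as plain query parameters, which is what the connection options imply.
    """
    params = {
        "response_type": "code",
        "client_id": options["client_id"],
        "redirect_uri": options["redirect_uri"],
        "scope": options["scope"],
        "state": state,
    }
    for name, spec in options.get("upstream_params", {}).items():
        params[name] = spec["value"]
    return params


def build_authorize_url(options, state, plus_for_space):
    """Serialize the request, encoding spaces as '+' or as '%20'.

    quote_plus is the form-encoding rule (space -> '+'); quote is the generic
    percent-encoding rule (space -> '%20').
    """
    quote_via = quote_plus if plus_for_space else quote
    query = urlencode(authorize_params(options, state), quote_via=quote_via)
    return options["authorizationURL"] + "?" + query


def query_params(url):
    """Decode the query string the way a form-urlencoded parser does.

    parse_qs turns both '+' and '%20' back into a space, so the two
    serializations above become indistinguishable at this point.
    """
    parsed = parse_qs(urlparse(url).query, strict_parsing=True)
    return {name: values[0] for name, values in parsed.items()}


def decoded_scopes(url):
    """Return the list of scope names a server would see after decoding."""
    return query_params(url)["scope"].split(" ")


if __name__ == "__main__":
    for plus in (True, False):
        url = build_authorize_url(OPTIONS, "EXAMPLE-STATE", plus)
        print("space as '+'" if plus else "space as '%20'")
        print(" ", url)
        print("  decoded scopes:", decoded_scopes(url))
```

Running it prints the two serializations side by side; the scope values recovered from each are identical, which is the comparison worth doing when a provider accepts one encoding from one connection type and rejects it from another.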