Auth0 Custom Social Connection To Google OAuth2 - Invalid Scope

When setting up a custom social connection in Auth0 I run into an error where Google OAuth2 responds with:

You are receiving this error either because your input OAuth2 scope name is invalid or it refers to a newer scope that is outside the domain of this legacy API. This API was built at a time when the scope name format was not yet standardized.

I have set up my custom OAuth social connection with the following:

  1. /authorize endpoint: https://accounts.google.com/o/oauth2/v2/auth
  2. /token endpoint: https://oauth2.googleapis.com/token
  3. Scopes:
     • https://www.googleapis.com/auth/userinfo.email
     • https://www.googleapis.com/auth/userinfo.profile
  4. Google Client Id and Secret
  5. Updated the connection through Auth0 Management with these configs:
{
  "options": {
    "authorizationURL": "https://accounts.google.com/o/oauth2/v2/auth",
    "client_id": "{google-client-id}.apps.googleusercontent.com",
    "client_secret": "{google-client-secret}",
    "customHeaders": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "redirect_uri": "https://{tenant}.us.auth0.com/login/callback",
    "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
    "tokenURL": "https://oauth2.googleapis.com/token",
    "upstream_params": {
      "access_type": { "value": "offline" },
      "include_granted_scopes": { "value": "true" },
      "prompt": { "value": "consent" }
    },
    "useOauthSpecScope": false
  },
  "is_domain_connection": false,
  "enabled_clients": [
    "{enabled_client_id}"
  ]
}

Order of Testing Events:

  1. Google presents profile selection screen (good)
  2. I select a profile
  3. My redirect in the Google Client: https://{tenant}.us.auth0.com/login/callback
  4. Auth0 displays an error screen indicating the above message

A few things I noticed:

  1. When using the prebuilt google-oauth2 connection in Auth0, they escape spaces between scopes with a plus (+), not %20
  2. When observing the URL generated by the custom social connector, they escape scope spaces with %20
  3. When attempting to overwrite scope values by using upstream_params, Google throws an error when using the + instead of %20

Before you ask, I am trying to set up multiple Google clients (1 per application) within a tenant, based on assignment. If it's possible to use the custom OAuth2 strategy to achieve this, I would like to.

Hi @adam.kramer,

What do you have configured for the "Separate scopes using a space" parameter?

Also, those scopes look correct from what I can tell. Have you tried sending each scope individually to determine if the url encoded space (%20) is the issue?