Auth0 Custom Social Connection To Google OAuth2 - Invalid Scope

adam.kramer · December 12, 2023, 4:51pm

When setting up a custom social connection in Auth0 I run into an error where Google OAuth2 responds with:

You are receiving this error either because your input OAuth2 scope name is invalid or it refers to a newer scope that is outside the domain of this legacy API. This API was built at a time when the scope name format was not yet standardized.

I have setup my custom oauth social connection with the following:

/authorize endpoint: https://accounts.google.com/o/oauth2/v2/auth
/token endpoint: https://oauth2.googleapis.com/token

Scope: https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile

Google Client Id and Secret
Updated the connection through Auth0 Management with this these configs:

{
  "options": {
    "authorizationURL": "https://accounts.google.com/o/oauth2/v2/auth",
    "client_id": "{google-client-id}.apps.googleusercontent.com",
    "client_secret": "{google-client-secret}",
    "customHeaders": {
      "Content-Type": "application/x-www-form-urlencoded"
    },
    "redirect_uri": "https://{tenant}.us.auth0.com/login/callback",
    "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile",
    "tokenURL": "https://oauth2.googleapis.com/token",
    "upstream_params": {
      "access_type": { "value": "offline" },
      "include_granted_scopes": { "value": "true" },
      "prompt":{ "value": "consent" }
    },
    "useOauthSpecScope": false
  },
  "is_domain_connection": false,
  "enabled_clients": [
    "{enabled_client_id}"
  ]
}

Order of Testing Events:

Google presents profile selection screen (good)
I select a profile
My redirect in the Google Client: https://{tenant}.us.auth0.com/login/callback
Auth0 displays error screen indicated the above message

A few things I noticed:

When using prebuilt google-oauth2 connection in Auth0 they escape spaces between scopes with a (+) not %20
When observing the custom social connector generated url they escape scope spaces with %20
When attempting to overwrite scope values by using upstream_params google throws an error when using the + instead of %20

Before you ask, I am trying to setup multiple google clients (1 per application) within a tenant, based on assignment. If its possible to use the custom OAuth2 strategy to achieve this I would like to.

dan.woda · December 20, 2023, 3:55pm

Hi @adam.kramer,

What do you have configured for the Seperate scopes using a space parameter?

Also, those scopes look correct from what I can tell. Have you tried sending each scope individually to determine if the url encoded space (%20) is the issue?

Topic		Replies	Views
Scopes for a custom social connection Help auth0 , social-connections , scopes , social , custom-social-connec	0	2151	June 1, 2022
Invalid scopes for Google OAuth v2 Help social-connections	4	3467	June 1, 2022
Custom social connect injects unwanted scopes Help connections , custom-social-connections-branding	2	187	May 9, 2024
Auth0 "Custom Social" for Google fails with "Invalid user id." Help login-experience , login-prompt-new-experience	1	1146	September 5, 2023
How do I get custom scopes from a social connection? Help connections , other-built-in-social-connections	1	1050	May 9, 2023

Auth0 Custom Social Connection To Google OAuth2 - Invalid Scope

Related topics