Getting groups for Google Enterprise connection - which scopes do I add?

I’m trying to get information about group memberships when users log in using a Google G Suite Enterprise connection. I’ve checked “Extended Attributes > Groups” in the connection settings, but I don’t see any group-related claims in the ID token.

I found this thread, where the solution was:

the Google Admin scopes have to be added on the consent screen stage

But it doesn’t say which scopes to add. I have the Google Admin SDK enabled, but when I visit https://console.cloud.google.com/apis/credentials/consent the only scopes listed for that SDK are:

Neither of those seems relevant, or appears to work if I enable them.

There are more relevant-sounding scopes listed at OAuth 2.0 Scopes for Google APIs | Authorization | Google for Developers, and I’ve tried a few (e.g. https://www.googleapis.com/auth/admin.directory.group.member.readonly) by pasting them into the Add Scope dialog, but that didn’t seem to work either.

Which scope do I need to add in order to get this to work?

NB: My Google API has the application type “Internal”, so this isn’t a question of the consent screen requiring verification before it goes live.