Google Enterprise Connection - Accessing Users API

zschaffter · January 17, 2025, 7:57pm

TL;DR: Does Auth0’s google enterprise connection’s Enable Users API checkbox grant access to the Google Admin Users API — and if so why is my setup not attaching the right scopes to the google access token?

I’m working on setting up a google enterprise connection for my Auth0 app using these docs:

Connect Your App to Google Workspace

The connection in auth0 is working. I can also retrieve the Google access token for my generated auth0 user’s connections array and use it to access my generic user data within google.

However, as part of my flow I need to retrieve some of the google user’s custom attributes, which requires access to the Google Admin Directory/Users API, specifically the users.get endpoint.

So I stumbled upon this checkbox in the enterprise connection settings:

I assumed this would add the https://www.googleapis.com/auth/admin.directory.user scope to the authorization request, which would in turn grant access to the google users API (aka the one at https://admin.googleapis.com/admin/directory/v1/users/... — this is the only “users” API I know of in Google).

But when using the generated access token from my auth0 connections array to hit the /admin/directory/v1/users/{userID} endpoint, I get a 403:

{
    "error": {
        "code": 403,
        "message": "Request had insufficient authentication scopes.",
        "errors": [
            {
                "message": "Insufficient Permission",
                "domain": "global",
                "reason": "insufficientPermissions"
            }
        ],
        "status": "PERMISSION_DENIED",
        "details": [
            {
                "@type": "type.googleapis.com/google.rpc.ErrorInfo",
                "reason": "ACCESS_TOKEN_SCOPE_INSUFFICIENT",
                "domain": "googleapis.com",
                "metadata": {
                    "method": "ccc.hosted.frontend.directory.v1.DirectoryUsers.Get",
                    "service": "admin.googleapis.com"
                }
            }
        ]
    }
}

When using Google’s /tokeninfo endpoint (https://oauth2.googleapis.com/tokeninfo?access_token=...) I do see that the generated token only has these scopes, so the 403 isn’t unexpected.

  "scope": "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile openid"

But(!) the checkbox in the Auth0 connections ettings clearly states that it needs access to the Google Admin SDK, which leads me to believe it is intended to grant access to the users API I’m trying to access.

Any ideas what’s off in my config? Or is it that the tokens associated with a user aren’t the tokens that can access the google admin API?

marybeth.hunter · January 17, 2025, 8:59pm

Hi @zschaffter,

You can add additional scopes via the /authorize endpoint using the connection_scope parameter. Please review this document which will demonstrate further: Add Scopes/Permissions to Call Identity Provider APIs

Let me know if that helps!

Thanks,

Mary Beth

zschaffter · January 17, 2025, 9:30pm

@marybeth.hunter Thanks for the reply!

I’d reviewed those docs, but this is actually for an SSO implementation that another platform will be using (Twilio Flex authenticating users through Google Workspace by way of Auth0), so I’m not sure I can directly modify the authorize endpoint twilio’s hitting.

I also found this post, which suggests manually modifying the connection via the management API to set upstream scopes, which may work.

Pass additional scopes/permissions to a Social Connection

That post actually led me to looking at the connection manually, where I found that it’s assigned an admin_access_token that does grant access to the Google users API.

So I’m still a bit confused by what that checkbox in the google enterprise connection settings does — is it meant to:

add the google admin user API scopes to the access_token associated with the individual user who is logging in
add the scope to the admin_access_token associated with the connection itself
Something else?

(In hindsight it seems a bit odd that an individual’s access token would gain access to the entirety of the google admin API, but if it attaches a readonly version of the scope it might make sense?)

Edit: Looks like the admin_access_token on the connection expires, and individual user logins don’t refresh it, so may be a false start, there.

zschaffter · January 18, 2025, 1:01am

~~Okay, I think this is sorted!~~

Ah, bummer, close but no cigar — this only works if the individual logging in has admin permissions. If not, the access token has the specified scope, but you get this error when trying to use it:

{
    "error": {
        "code": 403,
        "message": "Not Authorized to access this resource/api",
        "errors": [
            {
                "message": "Not Authorized to access this resource/api",
                "domain": "global",
                "reason": "forbidden"
            }
        ]
    }
}

(Original post)

Turns out using the Auth0 management API to manually add the additional https://www.googleapis.com/auth/admin.directory.user.readonly scope to upstream_params was the secret.

This appears to modify the connection so that the retrieved google access token that’s stored in each auth0 user’s identities array can retrieve data from the Google admin users API.

So for anyone searching this thread, this is what I did:

Setup the google enterprise connection per these docs
Use the ‘Try’ option to test the login on this screen:

Screenshot 2025-01-17 at 4.50.44 PM2194×828 50.1 KB
- This will create a user in auth0 via the workspace connection.
Use the auth0 management API to get the user data for the user created in step 2.
- Note: Be sure the auth0 client you’re using to fetch the data has the read:user_idp_tokens permission for the management API, otherwise you won’t see the access tokens.
From the auth0 user data, find the access_token within the identities array of the response.
Run that token through google’s tokeninfo endpoint to verify the scopes it was requested with: https://oauth2.googleapis.com/tokeninfo?access_token=...
Finally, update the connection directly via the Management API, adding this object to options (follow these docs):

"upstream_params": {
      "scope": {
          "value": "(add whatever scopes were returned in step 5 along with...) https://www.googleapis.com/auth/admin.directory.user.readonly"
      }
  },

From there, the access token on the Auth0 user should allow readonly access to the google admin users API.

Once the connection is updated, you can repeat steps 2-5, and the tokeninfo response from google should say the token has the new https://www.googleapis.com/auth/admin.directory.user.readonly scope necessary to retrieve the google user profile & custom attributes.

If you’re like me and wanting to retrieve the google user data via an auth0 action, you’ll still need to use the Auth0 management API to fetch the auth0 user’s full data to retrieve the google access token, then use that to call google’s API. You can refer to this doc for more details on that.

Topic		Replies	Views
Adding additional scopes to the Google Workspace connection setup Help auth0 , scopes , google , permissions , enterprise , admin , google-workspace	2	2054	October 10, 2022
How to fetch Groups for G Suite Users? Help google , enterprise	2	7451	August 22, 2020
Auth0 and google workspace access_denied Help connections , oidc-enterprise-connection	2	1298	May 15, 2023
Google Workspace Enterprise Authentication Tied to One User Knowledge Articles google , delete , enterprise , admin	1	1417	January 28, 2023
Specifying use of enterprise connection over social connection at application level Help connections , oidc-enterprise-connection	0	1218	June 27, 2023

Google Enterprise Connection - Accessing Users API

Related topics