@marybeth.hunter Thanks for the reply!
I’d reviewed those docs, but this is actually for an SSO implementation that another platform will be using (Twilio Flex authenticating users through Google Workspace by way of Auth0), so I’m not sure I can directly modify the authorize endpoint twilio’s hitting.
I also found this post, which suggests manually modifying the connection via the management API to set upstream scopes, which may work.
That post actually led me to looking at the connection manually, where I found that it’s assigned an admin_access_token that does grant access to the Google users API.
So I’m still a bit confused by what that checkbox in the google enterprise connection settings does — is it meant to:
- add the google admin user API scopes to the
access_tokenassociated with the individual user who is logging in - add the scope to the
admin_access_tokenassociated with the connection itself - Something else?
(In hindsight it seems a bit odd that an individual’s access token would gain access to the entirety of the google admin API, but if it attaches a readonly version of the scope it might make sense?)
Edit: Looks like the admin_access_token on the connection expires, and individual user logins don’t refresh it, so may be a false start, there.