Google Enterprise Connection - Accessing Users API

Okay, I think this is sorted!

Ah, bummer, close but no cigar — this only works if the individual logging in has admin permissions. If not, the access token has the specified scope, but you get this error when trying to use it:

{
    "error": {
        "code": 403,
        "message": "Not Authorized to access this resource/api",
        "errors": [
            {
                "message": "Not Authorized to access this resource/api",
                "domain": "global",
                "reason": "forbidden"
            }
        ]
    }
}
(Original post)

Turns out using the Auth0 management API to manually add the additional https://www.googleapis.com/auth/admin.directory.user.readonly scope to upstream_params was the secret.

This appears to modify the connection so that the retrieved google access token that’s stored in each auth0 user’s identities array can retrieve data from the Google admin users API.

So for anyone searching this thread, this is what I did:

  1. Set up the google enterprise connection per these docs
  2. Use the ‘Try’ option to test the login on this screen:
    • This will create a user in auth0 via the workspace connection.
  3. Use the auth0 management API to get the user data for the user created in step 2.
    • Note: Be sure the auth0 client you’re using to fetch the data has the read:user_idp_tokens permission for the management API, otherwise you won’t see the access tokens.
  4. From the auth0 user data, find the access_token within the identities array of the response.
  5. Run that token through google’s tokeninfo endpoint to verify the scopes it was requested with: https://oauth2.googleapis.com/tokeninfo?access_token=...
  6. Finally, update the connection directly via the Management API, adding this object to options (follow these docs):
  "upstream_params": {
    "scope": {
      "value": "(add whatever scopes were returned in step 5 along with...) https://www.googleapis.com/auth/admin.directory.user.readonly"
    }
  },

From there, the access token on the Auth0 user should allow readonly access to the google admin users API.

Once the connection is updated, you can repeat steps 2-5, and the tokeninfo response from google should say the token has the new https://www.googleapis.com/auth/admin.directory.user.readonly scope necessary to retrieve the google user profile & custom attributes.

If you’re like me and want to retrieve the google user data via an auth0 action, you’ll still need to use the Auth0 management API to fetch the auth0 user’s full data to retrieve the google access token, then use that to call google’s API. You can refer to this doc for more details on that.
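As an added example (not the poster's code), the steps above as plain JavaScript helpers that could sit in an Action or a script: building the upstream_params patch, pulling the Google token out of the Auth0 user, checking the tokeninfo scope, and telling the non-admin 403 apart from other Directory API errors. The connection name `my-workspace`, the sample user object and the injectable `fetchImpl` are assumptions; the endpoint is Google's Directory users.get with `projection=full` so custom schema attributes come back.

```javascript
// Added example, not the forum author's code. Helpers for the flow in the post:
// build the upstream_params patch (step 6), pull the Google token out of the
// Auth0 user (step 4), check tokeninfo scopes (step 5) and call the Directory API.
const DIRECTORY_SCOPE =
  "https://www.googleapis.com/auth/admin.directory.user.readonly";

// Constructed sample of a Management API user (read:user_idp_tokens granted);
// "my-workspace" is an assumed connection name.
const SAMPLE_AUTH0_USER = {
  identities: [
    { connection: "my-workspace", provider: "google-apps",
      access_token: "ya29.constructed-token", isSocial: false },
  ],
};

// Step 6: merge the scopes tokeninfo reported with the directory scope, deduplicated.
function buildUpstreamParams(existingScopes) {
  const scopes = new Set(existingScopes.concat(DIRECTORY_SCOPE));
  return { upstream_params: { scope: { value: [...scopes].join(" ") } } };
}

// Step 4: the Google token sits on the identity for the workspace connection;
// null when absent (e.g. the client lacks read:user_idp_tokens).
function googleAccessToken(auth0User, connectionName) {
  const identity = (auth0User.identities || []).find((id) => id.connection === connectionName);
  return identity && identity.access_token ? identity.access_token : null;
}

// Step 5: tokeninfo returns "scope" as one space-separated string.
function tokenHasScope(tokenInfo, scope) {
  return (tokenInfo.scope || "").split(/\s+/).includes(scope);
}

// Separate the 403 from the top of the thread (scope present, Google user is
// not an admin) from any other error body.
function classifyDirectoryResponse(body) {
  const err = body && body.error;
  if (!err) return "ok";
  const forbidden = (err.errors || []).some((e) => e.reason === "forbidden");
  return err.code === 403 && forbidden ? "forbidden_not_admin" : `error_${err.code}`;
}

// Directory API users.get; projection=full includes custom schema attributes.
// fetchImpl is injectable so the call can be stubbed offline (Node 18+ has global fetch).
async function fetchDirectoryUser(token, userKey, fetchImpl = fetch) {
  const url = "https://admin.googleapis.com/admin/directory/v1/users/" +
    encodeURIComponent(userKey) + "?projection=full";
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${token}` } });
  const body = await res.json();
  return { status: classifyDirectoryResponse(body), body };
}
```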