I gave up and ended up using a google service account with domain-wide delegation to retrieve the google workspace user custom attributes.
From what I can tell this checkbox in the Auth0 google workspace enterprise settings appears to set the https://www.googleapis.com/auth/admin.directory.user.readonly scope on the connection’s access token, not the user’s.
But I’m not sure how that’s intended to benefit the integration, since that access token is being managed by Auth0.
One could retrieve the access token from Auth0 via the management API (I tested this), and presumably use the refresh token stored alongside it to keep it valid and make requests to the google admin API, but at that point you’re jumping through hoops to replicate something a GCP service account does in an (arguably) simpler fashion.
Using Auth0 connection’s token approach:
- Parse connection ID from login attempt
- Fetch auth0 connection by connection ID from Auth0 Management API
- Get google access_token + refresh_token from response
- Refresh access_token if necessary, and (I’m assuming) update auth0 connection with new token
- Use refreshed token to authenticate
- Retrieve user data from Google admin API

Using a GCP Service account approach:
- Store GCP service account credentials JSON as auth0 action secret
- Use service account credentials to authenticate with google API
- Retrieve user data from Google admin API
On the off-chance someone with internal Auth0 knowledge is reading this and has context on how the setting is meant to be used, that info would be super helpful!