How to map users' roles or groups from Google for use in Auth0?

Hi everyone!

Is it possible to map users’ roles or groups from Google for use in Auth0?

I need users to assume the role configured on Google when logging in. A second option would be to map the user’s groups from Google as roles in Auth0.

I created a post-login Action to retrieve values from the ‘event.user.identities’ object, but there are no values for roles or groups.

By the way, I’m using Enterprise authentication and I’ve activated the Groups option in Extended Attributes, but I’m getting the error “Unable to get groups: unauthorized”.

Thank you for helping!

Hey @arilsonbarcelos!

I am checking the options here, and for now, I can share the feedback regarding:

Your client application, on the user’s behalf, can only access scopes requested during the authentication.

Can you please check if the /authorize request that your application sends to Auth0 contains the scope query parameter with Google’s group scope?
If I’m not mistaken, the scope for Google Groups membership is https://apps-apis.google.com/a/feeds/groups/.

Thanks,
Marcelina

Hi @marcelina.barycka! Thank you for your reply!

I’m using this simple app for testing: GitHub - auth0-samples/auth0-python-web-app: Auth0 Integration Samples for Python and Flask Web Applications
The only possibility to set up scopes is in the part of the code below, and I’ve tried to put ‘groups’ there, without success.

oauth.register(
    "auth0",
    client_id=env.get("AUTH0_CLIENT_ID"),
    client_secret=env.get("AUTH0_CLIENT_SECRET"),
    client_kwargs={
        "scope": "openid profile email",
    },
    server_metadata_url=f'https://{env.get("AUTH0_DOMAIN")}/.well-known/openid-configuration',
)

Thank you again for your help!

Hi @arilsonbarcelos,

Did you include the whole string https://apps-apis.google.com/a/feeds/groups/?
Like this:

oauth.register(
    "auth0",
    client_id=env.get("AUTH0_CLIENT_ID"),
    client_secret=env.get("AUTH0_CLIENT_SECRET"),
    client_kwargs={
        "scope": "openid profile email https://apps-apis.google.com/a/feeds/groups/" 
    },
    server_metadata_url=f'https://{env.get("AUTH0_DOMAIN")}/.well-known/openid-configuration',
)

I was looking further into it @arilsonbarcelos, and actually the upstream IdP’s scopes should be under:

"upstream_params": {
    "connection_scope": {
        "value": "https://www.googleapis.com/........"
    }
}

Also, make sure that the application registered on the Google side has appropriate scopes allowed.
We have a Knowledge Solution for an analogous use case; maybe you will find it helpful for the general steps: Accessing Additional Scopes in Google Social Connection
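
The check asked for earlier in the thread (does the /authorize request actually carry the Google groups scope?) can be done offline on a URL copied from the browser's network tab. This is an added example, not code from the thread or from Auth0; the tenant host and the sample URLs are constructed, and reading a `connection_scope` query parameter is an assumption, since the thread only shows that key in the connection settings.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Scope string quoted in the thread for Google Groups membership.
GROUPS_SCOPE = "https://apps-apis.google.com/a/feeds/groups/"


def inspect_authorize_url(url, wanted=GROUPS_SCOPE):
    """Report where, if anywhere, `wanted` appears in an /authorize request."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # percent-decodes values; '+' becomes a space

    def tokens(name):
        # Assumption: accept space- or comma-separated lists in either parameter.
        raw = " ".join(query.get(name, []))
        return [t for t in re.split(r"[\s,]+", raw) if t]

    scope = tokens("scope")
    connection_scope = tokens("connection_scope")
    return {
        "is_authorize": parts.path.rstrip("/").endswith("/authorize"),
        "scope": scope,
        "connection_scope": connection_scope,
        "in_scope": wanted in scope,
        "in_connection_scope": wanted in connection_scope,
    }


def sample_url(**params):
    """Build a constructed /authorize URL on a placeholder tenant host."""
    base = {"response_type": "code", "client_id": "PLACEHOLDER_CLIENT_ID"}
    return "https://tenant.example/authorize?" + urlencode({**base, **params})


# Constructed samples mirroring the three configurations discussed above.
BARE_GROUPS = sample_url(scope="openid profile email groups")
FULL_SCOPE = sample_url(scope="openid profile email " + GROUPS_SCOPE)
VIA_CONNECTION = sample_url(scope="openid profile email",
                            connection_scope=GROUPS_SCOPE)

if __name__ == "__main__":
    for label, url in [("bare 'groups'", BARE_GROUPS),
                       ("full scope string", FULL_SCOPE),
                       ("connection_scope", VIA_CONNECTION)]:
        r = inspect_authorize_url(url)
        print(f"{label:18} in_scope={r['in_scope']} "
              f"in_connection_scope={r['in_connection_scope']}")
```

The bare `groups` token is reported as absent in both places because the comparison is against the full scope string, which is the same distinction the question "Did you include the whole string?" is getting at.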