Is it possible to remove a previously granted API IdP scope?


We’re currently using Auth0 for authentication and it’s working great. However, one new requirement in our app is to gather contacts from the various social connections, such as Google.

One of the particular requirement though is the ability to request this additional scope on-demand. We do not want to request this scope when the user registers on the platform. Only when they need to perform the action of importing their contacts.

Also, we want to give the freedom to users to revoke the particular scope that was requested for reading their contacts on the specific connection. But this action should not impact their Auth0 identity.

While researching on how to do this, I stumbled on this very informative documentation:

From our understanding, the first solution would not be fit since the scopes would always be requested…

However, the second solution is fine and also seems to work great when we tried it:

The only problem we have with it is that it seems like the requested scope is permanent to the identity it was requested with. It seems like the only solution would be to delete the associated identity and re-link it with the main identity. But this would not work if the identity is the main one.

Are we missing something? Is it possible to revoke those requested scope without unlinking the identity?

Thank you.