When we configure Auth0 with Google OIDC sign-in with extra permissions like calendar or Contacts apart from usual scopes( openId, email & profile).
User is able to login to SP for the first time even if user dont give consent for extra permissions like Calendar or Contacts but, subsequent logins fail if user does not give consent to extra permissions and Auth0 callback returns “access_denied” error with 403.
Refer below logs from Auth0 monitoring section:
{
"date": "2022-04-19T12:15:53.317Z",
"type": "f",
"description": "Forbidden",
"connection": "google-oauth2",
"connection_id": "con_FikTvbUaQHYgUIRA",
"client_id": "OdB3sWr74Rhqsh5VrywRhyIjbGWuXryr",
"client_name": "Automation DNT",
"ip": "165.225.124.161",
"user_agent": "Chrome 100.0.4896 / Mac OS X 10.15.7",
"details": {
"body": {},
"qs": {
"error": "access_denied",
"state": "q6sxdp08lXfo_i_O9jk5M0t-k0E4WVGA"
},
"connection": "google-oauth2",
"error": {
"message": "Forbidden",
"oauthError": "access_denied",
"type": "oauth-authorization"
},
"session_id": "SNNjdQn2fR5dUP6nF-HEn7KbqM3nQ_MO"
},
"hostname": "dev-r740qkog.us.auth0.com",
"strategy": "google-oauth2",
"strategy_type": "social",
"log_id": "90020220419121556485263449819921570671768865562815365138",
"_id": "90020220419121556485263449819921570671768865562815365138",
"isMobile": false
}