Auth0 Home Blog Docs

Pass contacts.readonly scope to google IDP



Hello, trying to pass the scope to google when a user logs in using their gmail account. This scope isn’t listed on the google social connection auth0 page. I’m trying to follow the recommendation here to authorize this endpoint upon login using auth0-PHP.

 use Auth0\SDK\Auth0;
$auth0 = new Auth0([
  'domain'        => getenv('AUTH0_DOMAIN'),
  'client_id' => getenv('AUTH0_CLIENT_ID'),
  'client_secret' => getenv('AUTH0_CLIENT_SECRET'),
  'redirect_uri'  => getenv('AUTH0_CALLBACK_URL'),
  'audience' => '',
  'scope' => 'offline_access profile openid email',
  'persist_id_token' => true,
  'persist_access_token' => true,
  'persist_refresh_token' => true,
  'connection_scope' => '',
  'connection' => 'google-oauth2'

But when a user clicks the login button, the http query string that is built and passed onto auth0 doesn’t include these connection options.


Hi @Ben_Smith … You’ll need to pass those to the login method for that to work. See here:

You instantiate without those config params, then pass that connection as the second parameter in the login method. General example here:


        'connection_scope' => '' 


ah, I see. However, when I instantiate the login this way I’m taken straight to google to login, rather than the Universal Login page where I offer google-oauth2 as well as Username-Password-Authentication.


Yes, that’s what the connection parameter does, it specifies the connection to use instead of using all available. You can try without that but I’m not totally sure if it would work. I just tried it with logging in using a DB connection and it authenticated fine, even with those scopes there.


I’d still like the user to go through the universal login page and select their connection type. On a hunch I added my connections as an array:
‘connection_scope’ => ‘
But this just returned an invalid request on immediate redirect to my callback URL. “the%20connection%20was%20not%20found”


OK, removing the connections worked I think. I need to get google to re-enable my app to see. Thanks.


As you say, that connection parameter is a single value. Leave that off to show all connections on the login page.

As for the scopes … even if that works, I’m not sure what would happen if those were sent to another connection. Best case they are ignored, worst case they are rejected with an error.