Pass IdP specific scopes when using universal login

I have an Auth0 tenant configured with multiple IdP logins including a Google social connection and M365 enterprise.

The Google social connection configuration UI does not allow read-only variants of scopes to be specified, only read/write.

I have my Google OAuth app configured to permit Calendar read/write and Contacts read, however Auth0 is requesting both as read/write when ticked in the Auth0 connector configuration (which I’m surprised Google isn’t blocking) and isn’t what I want.

I have seen several forum posts in which people are asking how to specify custom/readonly scopes such as Readonly Gmail Scope in Google Social Login and Pass contacts.readonly scope to google IDP.

Responses to those posts point to the documentation at Add Scopes/Permissions to Call Identity Provider APIs which requires the client to explicitly specify the connection_scope when redirecting the client to the Auth0 universal login page, however this also requires specifying connection=google-oauth2 which then has Auth0 immediately redirect to the google login, preventing the user from using any other identity provider.

How can I use universal login where the user can select the identity provider they want to use, but have the Google connector use the correct (readonly) scopes?

Hi @rich-panda,

Welcome to the Auth0 Community!

You can pass default or dynamic upstream params to identity providers, and you should be able to provide a scope parameter to override the existing scopes.

You will need to update your connection’s with the following:

  "upstream_params": {
    "scope": {
      "value": "email profile"
//the rest of your connection options...

Let me know if you have any questions about this.