I have an Auth0 tenant configured with multiple IdP logins including a Google social connection and M365 enterprise.
The Google social connection configuration UI does not allow read-only variants of scopes to be specified, only read/write.
I have my Google OAuth app configured to permit Calendar read/write and Contacts read; however, Auth0 is requesting both as read/write when they are ticked in the Auth0 connector configuration (which I’m surprised Google isn’t blocking), and that isn’t what I want.
Responses to those posts point to the documentation at Add Scopes/Permissions to Call Identity Provider APIs, which requires the client to explicitly specify the connection_scope when redirecting the client to the Auth0 Universal Login page. However, this also requires specifying connection=google-oauth2, which then has Auth0 immediately redirect to the Google login, preventing the user from using any other identity provider.
How can I use Universal Login so that the user can select the identity provider they want to use, but have the Google connector request the correct (read-only) scopes?
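For readers who want to see concretely what the documented approach above looks like on the wire, here is an added example (not the poster's code and not an Auth0 SDK) that builds the Universal Login /authorize request with the connection_scope parameter and an optional connection parameter, plus PKCE. The tenant domain, client_id and redirect_uri are placeholders, the Google read-only scope strings are Google's published scope names, and joining connection_scope values with a comma is my reading of the Auth0 document linked above, so check it against that page. It does not answer the open question of whether Auth0 honours connection_scope without connection; it only shows which parameters are involved and how they are encoded.

```python
"""Build an Auth0 Universal Login /authorize URL carrying IdP-specific scopes.

Added illustration of the connection_scope / connection parameters discussed
in the post; not the poster's code and not an Auth0 SDK.
Assumptions (not from the post): placeholder tenant domain, client_id and
redirect_uri; connection_scope values joined with a comma as I read the
Auth0 docs (verify against the linked document).
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's published read-only scope names for Calendar and Contacts.
GOOGLE_READONLY_SCOPES = [
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
]

# Auth0's default connection name for the Google social connection.
GOOGLE_CONNECTION = "google-oauth2"


def pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 PKCE method."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(domain, client_id, redirect_uri, state, code_challenge,
                        connection=None, connection_scope=None,
                        scope="openid profile email"):
    """Compose the /authorize redirect URL.

    `scope` is the OIDC scope Auth0 itself issues tokens for; `connection_scope`
    is the extra, IdP-specific scope list Auth0 forwards to the upstream IdP.
    Passing `connection` skips the Universal Login picker and sends the user
    straight to that connection, which is the behaviour the post complains
    about; leaving it None keeps the picker.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # bind the callback to this browser session (CSRF)
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if connection_scope:
        # Assumption: comma-separated, per my reading of the Auth0 doc.
        params["connection_scope"] = ",".join(connection_scope)
    if connection:
        params["connection"] = connection
    return f"https://{domain}/authorize?{urlencode(params)}"


def authorize_params(url):
    """Decode the query string back into a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    # Placeholder tenant and client values (constructed for this example).
    url = build_authorize_url(
        "example-tenant.us.auth0.com", "CLIENT_ID_PLACEHOLDER",
        "https://app.example.com/callback", state, challenge,
        connection=GOOGLE_CONNECTION, connection_scope=GOOGLE_READONLY_SCOPES,
    )
    print(url)
    print(authorize_params(url)["connection_scope"])
```

Decoding the URL back with `authorize_params` is a handy way to confirm, before debugging Auth0 behaviour, that the scope strings survive percent-encoding intact and that the request really does or does not carry a `connection` parameter.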