I have an Auth0 tenant configured with multiple IdP logins including a Google social connection and M365 enterprise.
The Google social connection configuration UI does not allow read-only variants of scopes to be specified, only read/write.
I have my Google OAuth app configured to permit Calendar read/write and Contacts read; however, Auth0 is requesting both as read/write when they are ticked in the Auth0 connector configuration (which I’m surprised Google isn’t blocking), which isn’t what I want.
I have seen several forum posts in which people are asking how to specify custom/read-only scopes, such as "Readonly Gmail Scope in Google Social Login" and "Pass contacts.readonly scope to google IDP".
Responses to those posts point to the documentation at "Add Scopes/Permissions to Call Identity Provider APIs", which requires the client to explicitly specify the connection_scope when redirecting the client to the Auth0 universal login page; however, this also requires specifying connection=google-oauth2, which then has Auth0 immediately redirect to the Google login, preventing the user from using any other identity provider.
How can I use universal login where the user can select the identity provider they want to use, but have the Google connector use the correct (readonly) scopes?
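To make the two redirect shapes the post contrasts concrete, here is an added example (not code from the poster or from Auth0) that builds the /authorize URL for both cases: a plain Universal Login redirect where the user picks the IdP, and a direct-to-Google redirect that carries read-only Google scopes via connection_scope. The tenant domain, client ID and redirect URI are placeholders; the Google scope identifiers are real, and the comma-separated connection_scope format follows the Auth0 documentation the post cites. The function refuses connection_scope without connection, since the documentation says the extra scopes are only applied together with a named connection.

```python
"""
Build Auth0 /authorize URLs for the two cases discussed above:
 1. Universal Login with no connection preselected (user chooses the IdP).
 2. A direct-to-Google login that forwards read-only Google scopes via connection_scope.
"""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values (assumptions for this example, not real tenant data)
AUTH0_DOMAIN = "example-tenant.us.auth0.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://app.example.com/callback"

# Read-only Google API scope identifiers
GOOGLE_READONLY_SCOPES = [
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
]


def build_authorize_url(state, connection=None, connection_scope=None,
                        scope="openid profile email",
                        domain=AUTH0_DOMAIN, client_id=CLIENT_ID,
                        redirect_uri=REDIRECT_URI):
    """Return the Auth0 /authorize URL for an authorization-code login.

    connection       -- Auth0 connection name, e.g. "google-oauth2". When set,
                        Auth0 skips its login page and redirects straight to that IdP.
    connection_scope -- extra scopes forwarded to the IdP. Per the Auth0 docs
                        these only take effect alongside `connection`, so the
                        combination that would silently drop them is rejected.
    """
    if connection_scope and not connection:
        raise ValueError("connection_scope has no effect without connection")

    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,   # OIDC scopes for the tokens Auth0 itself issues
        "state": state,   # anti-CSRF value; must be checked on the callback
    }
    if connection:
        params["connection"] = connection
    if connection_scope:
        # Comma-separated, matching the connection_scope=SCOPE1,SCOPE2 form in the Auth0 docs
        params["connection_scope"] = ",".join(connection_scope)
    return f"https://{domain}/authorize?{urlencode(params)}"


def authorize_params(url):
    """Parse an /authorize URL back into a flat dict of its query parameters."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def new_state():
    """Fresh unguessable state value; store it server-side before redirecting."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    st = new_state()
    # Case 1: user picks the IdP on the Universal Login page (no extra Google scopes possible here)
    print(build_authorize_url(st))
    # Case 2: Google read-only scopes applied, but the login page is bypassed
    print(build_authorize_url(st, connection="google-oauth2",
                              connection_scope=GOOGLE_READONLY_SCOPES))
```

Running the module prints both URLs side by side; the second is the only one that carries the read-only scopes, and it is also the one that pins the user to Google, which is exactly the trade-off the question describes.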