Stored access token for google cloud storage does not have expected scope

I have enabled Google Cloud Storage checkbox on google-oauth2 social connection in Auth0

I have enabled Oauth in BigQuery with all available BigQuery scopes

When calling the auth0 endpoint, the scope includes cloud storage read write: email profile openid

I extract the access token from the management API

Then using the google python sdk using the extracted access token

from import bigquery as bq
from google.oauth2 import credentials

req = bq.Client(credentials=credentials.Credentials(token='ACCESS TOKEN'), project="myproject")
print(req.query("SELECT 1").result())

I get the error:

google.api_core.exceptions.Forbidden: 403 Access Denied: BigQuery BigQuery: Missing required OAuth scope. Need BigQuery or Cloud Platform read scope.

Hi there @Chris_Rasgo welcome to the community!

While I’m not super familiar with the Google side of things, the scopes mentioned in the error message seem to be entirely different scopes than what are available on the Google social connection in Auth0. It looks like they are:



Thanks for the welcome and fast reply! Their docs list as a BigQuery option OAuth 2.0 Scopes for Google APIs  |  Authorization  |  Google Developers and the error message says it needs BigQuery or Cloud Platform read scope, and that should cover both cases?

I have not been able to find clarity on minimum required scopes, I was just assuming what auth0 would send would be enough.

If that is not the case, do you (or others!) know of a way with the react web library (auth0/auth0-react) to send particular scopes only when authing through google single sign on? We will only want to request Big Query scope if they are using google accounts.

Edit: sorry to be clear, is sent as well when you check the checkbox Google Cloud Storage in auth0 google social connection page

Image of the selected option in Auth0, don’t see anything for BigQuery specifically

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.