Stored access token for google cloud storage does not have expected scope

Chris_Rasgo · March 15, 2023, 10:00pm

I have enabled Google Cloud Storage checkbox on google-oauth2 social connection in Auth0

I have enabled Oauth in BigQuery with all available BigQuery scopes

When calling the auth0 endpoint, the scope includes cloud storage read write: email profile https://www.googleapis.com/auth/devstorage.read_write https://www.googleapis.com/auth/userinfo.email openid https://www.googleapis.com/auth/userinfo.profile

I extract the access token from the management API

Then using the google python sdk using the extracted access token

from google.cloud import bigquery as bq
from google.oauth2 import credentials

req = bq.Client(credentials=credentials.Credentials(token='ACCESS TOKEN'), project="myproject")
print(req.query("SELECT 1").result())

I get the error:

google.api_core.exceptions.Forbidden: 403 Access Denied: BigQuery BigQuery: Missing required OAuth scope. Need BigQuery or Cloud Platform read scope.

tyf · March 15, 2023, 11:40pm

Hi there @Chris_Rasgo welcome to the community!

While I’m not super familiar with the Google side of things, the scopes mentioned in the error message seem to be entirely different scopes than what are available on the Google social connection in Auth0. It looks like they are:

https://www.googleapis.com/auth/bigquery
https://www.googleapis.com/auth/cloud-platform

Chris_Rasgo · March 15, 2023, 11:57pm

Thanks for the welcome and fast reply! Their docs list https://www.googleapis.com/auth/devstorage.read_write as a BigQuery option OAuth 2.0 Scopes for Google APIs | Authorization | Google Developers and the error message says it needs BigQuery or Cloud Platform read scope, and that should cover both cases?

I have not been able to find clarity on minimum required scopes, I was just assuming what auth0 would send would be enough.

If that is not the case, do you (or others!) know of a way with the react web library (auth0/auth0-react) to send particular scopes only when authing through google single sign on? We will only want to request Big Query scope if they are using google accounts.

Edit: sorry to be clear, https://www.googleapis.com/auth/devstorage.read_write is sent as well when you check the checkbox Google Cloud Storage in auth0 google social connection page

Chris_Rasgo · March 16, 2023, 12:02am

Image of the selected option in Auth0, don’t see anything for BigQuery specifically

tyf · April 28, 2023, 10:49pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Email address missing in access token when using Google Cloud Endpoint? Help	10	13281	September 3, 2019
Minimum scopes for the Auth0 Management API Help	3	3340	December 23, 2021
Pass additional REQUIRED scopes/permissions to a Social Connection Help social-connections	3	2969	January 6, 2022
403 Forbidden error when posting to LinkedIn using access token from Management API Help management-api , users	2	1808	April 13, 2023
Why I can't get the gmail scope inside the token? Help auth0 , scopes , google , gmail	1	4030	March 2, 2018

Stored access token for google cloud storage does not have expected scope

Related topics