Add Scopes/Permissions to Call Identity Provider APIs
Once a user is logged in, you can retrieve their user profile and the IdP access token stored with it, and use that token to call the Identity Provider (IdP) APIs as described in Call an Identity Provider API. If the IdP API responds with Access Denied, the most likely cause is that you did not request the required permissions from the user during login. You can request the correct permissions in one of two ways.
Change Identity Provider Settings
To configure the scopes/permissions needed from the user, go to Auth0 Dashboard > Authentication > Social, and select an IdP. You can select the required permissions listed on the configuration screen.
For example, if you click the Google / Gmail connection, you can configure Google-specific permissions on its settings page. Select only the permissions your application actually needs: the user is asked to consent to each of them at login, and any extra permission granted is carried by the stored IdP access token.
Pass Scopes to Authorize endpoint
You can also pass the scopes/permissions you wish to request as a comma-separated list in the connection_scope parameter when calling the authorize endpoint. Because the Google scope names are themselves URLs, both the scope values and the commas separating them must be URL-encoded in the query string. For example, to request the https://www.googleapis.com/auth/contacts.readonly and https://www.googleapis.com/auth/analytics scopes from Google, pass them along with the connection parameter so that the user logs in with their Google account (the nonce value below is a placeholder; use a fresh, unguessable value for each request):
https://{yourDomain}/authorize
?response_type=id_token
&client_id={yourClientId}
&redirect_uri={https://yourApp/callback}
&scope=openid%20profile
&connection=google-oauth2
&connection_scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fanalytics%2Chttps%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly
&nonce=abc
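The following helper builds that authorize URL programmatically and parses it back, so you can confirm exactly which IdP scopes were requested before debugging an Access Denied from the IdP API. It is an added example, not code from the Auth0 documentation or SDKs; the function names build_authorize_url, parse_authorize_url and missing_scopes, and the domain, client ID and redirect URI values, are hypothetical placeholders, and nothing is sent over the network.

```python
import secrets
from typing import Dict, List, Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit


def build_authorize_url(
    domain: str,
    client_id: str,
    redirect_uri: str,
    connection: str,
    connection_scopes: List[str],
    scope: str = "openid profile",
    response_type: str = "id_token",
    nonce: Optional[str] = None,
    state: Optional[str] = None,
) -> str:
    """Build an Auth0 /authorize URL that asks the IdP for extra scopes.

    connection_scope is a comma-separated list of IdP scope names; since
    Google scope names are URLs, the colons, slashes and commas all end up
    percent-encoded in the query string.
    """
    params = {
        "response_type": response_type,
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "connection": connection,
        "connection_scope": ",".join(connection_scopes),
        # A fresh, unguessable nonce is required for id_token responses;
        # a fixed value like "abc" is only acceptable in documentation.
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if state:
        params["state"] = state
    # quote (not the default quote_plus) encodes spaces as %20 rather than "+"
    return "https://{}/authorize?".format(domain) + urlencode(params, quote_via=quote)


def parse_authorize_url(url: str) -> Dict[str, object]:
    """Decode the query string and split connection_scope back into a list."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    flat: Dict[str, object] = {k: v[0] for k, v in query.items()}
    raw = flat.get("connection_scope", "")
    flat["connection_scope"] = raw.split(",") if raw else []
    return flat


def missing_scopes(requested: List[str], needed: List[str]) -> List[str]:
    """Scopes an IdP API call needs that were never requested at login.

    A non-empty result is the usual explanation for Access Denied from the
    IdP API: the stored access token was issued without those scopes.
    """
    have = set(requested)
    return [s for s in needed if s not in have]


if __name__ == "__main__":
    # Constructed placeholder values, not a real tenant or client.
    url = build_authorize_url(
        domain="example.auth0.com",
        client_id="abc123",
        redirect_uri="https://app.example.com/callback",
        connection="google-oauth2",
        connection_scopes=[
            "https://www.googleapis.com/auth/analytics",
            "https://www.googleapis.com/auth/contacts.readonly",
        ],
    )
    print(url)
    requested = parse_authorize_url(url)["connection_scope"]
    print("missing for Drive call:",
          missing_scopes(requested, ["https://www.googleapis.com/auth/drive.readonly"]))
```

If the parsed connection_scope list does not contain the scope the IdP API call needs, fix the login request (or the connection settings) rather than the API call; the access token Auth0 stored for the user will not gain scopes retroactively, so the user must log in again after the change.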