FusionAuth

    How to Support Elevated OAuth Scopes for Select Users in FusionAuth with Google Reauthentication

    Frequently Asked Questions (FAQ)
    idp
    wesley (original post):

      We want to provide two different login experiences:

      • Users who opt to have us as an email client should re-login with Google to get elevated OAuth scopes (e.g. to read their email).
      • Users who don’t opt for email services shouldn’t be forced to reauthenticate and should have a smooth login experience.

      Ideally, we’d like to build our /oauth2/authorize URL with the additional scopes when needed, have users reauthenticate via Google, and have FusionAuth update the linked account with the new access token and elevated permissions. Is this possible?

      wesley (reply to wesley):

        This is definitely an uncommon scenario, so there’s no out-of-the-box flow documented for it, but here’s one way to handle it:

        1. Create a second Google IdP: FusionAuth supports only one native Google IdP, but you can set up an additional Google connection as a generic OpenID Connect (OIDC) IdP. This second IdP can request the elevated scopes you need for email access. See the OIDC docs here: OpenID Connect IdP in FusionAuth.
        2. Trigger reauthentication: When a user opts into the email client feature, redirect them through the second IdP’s OAuth flow to acquire the elevated scopes. This effectively escalates their session without forcing all users through additional authentication unnecessarily.

        This approach allows you to avoid reauthentication for users who don’t need the extra scopes while supporting a higher-privilege flow for users who do.
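        As an added illustration of step 2 (not code from the post or from FusionAuth), the snippet below builds the FusionAuth /oauth2/authorize URL for the two experiences: opted-in users are pointed at the second OIDC IdP with FusionAuth's idp_hint parameter, everyone else gets a plain request so an existing SSO session is reused. The identity provider id, client id and URLs are placeholders, and the snippet assumes the elevated Google scopes are configured on the OIDC IdP itself rather than passed in the application's scope parameter.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample values; replace with your own deployment's values.
FUSIONAUTH_URL = "https://auth.example.com"
CLIENT_ID = "00000000-0000-0000-0000-0000000000a1"  # placeholder application id
REDIRECT_URI = "https://app.example.com/callback"
# Placeholder id of the second, generic OIDC identity provider that is
# configured in FusionAuth with the elevated Google (Gmail) scopes.
ELEVATED_OIDC_IDP_ID = "00000000-0000-0000-0000-0000000000e1"


def pkce_pair():
    """Return (code_verifier, S256 code_challenge) per RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(wants_email_client, state, code_challenge):
    """Opted-in users get idp_hint so FusionAuth sends them straight to the
    elevated IdP and Google prompts for the extra scopes; others get no hint,
    so FusionAuth can reuse its SSO session without a new login."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        # FusionAuth's own scopes; the Gmail scopes Google asks for are
        # set on the OIDC IdP configuration, not here.
        "scope": "openid offline_access",
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if wants_email_client:
        params["idp_hint"] = ELEVATED_OIDC_IDP_ID
    return f"{FUSIONAUTH_URL}/oauth2/authorize?{urlencode(params)}"


def authorization_code_from_callback(callback_url, expected_state):
    """Check the state on the redirect back; return the code, else None."""
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    code = query.get("code", [""])[0]
    if not code or not secrets.compare_digest(state, expected_state):
        return None  # missing or mismatched state: treat as a forged callback
    return code
```

Keep the state and code_verifier server-side per session; the code_verifier goes in the later /oauth2/token request.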
