How to Support Elevated OAuth Scopes for Select Users in FusionAuth with Google Reauthentication
-
We want to provide two different login experiences:
- Users who opt to have us as an email client should re-login with Google to get elevated OAuth scopes (e.g. to read their email).
- Users who don’t opt for email services shouldn’t be forced to reauthenticate and should have a smooth login experience.
Ideally, we’d like to build our /oauth2/authorize URL with the additional scopes when needed, have users reauthenticate via Google, and have FusionAuth update the linked account with the new access token and elevated permissions. Is this possible?
-
This is definitely an uncommon scenario, so there’s no out-of-the-box flow documented for it, but here’s one way to handle it:
- Create a second Google IdP: FusionAuth supports only one native Google IdP, but you can set up an additional Google connection as a generic OpenID Connect (OIDC) IdP. This second IdP can request the elevated scopes you need for email access. See the OIDC docs here: OpenID Connect IdP in FusionAuth.
- Trigger reauthentication: When a user opts into the email client feature, redirect them through the second IdP’s OAuth flow to acquire the elevated scopes. This effectively escalates their session without forcing all users through additional authentication unnecessarily.
This approach allows you to avoid reauthentication for users who don’t need the extra scopes while supporting a higher-privilege flow for users who do.
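Putting the two steps above together, here is an added example of how the application side of this could look; it is not code from the original thread or from FusionAuth itself. The hostnames, Application Id, Identity Provider Ids and the user's opt-in flag are placeholders, and it assumes FusionAuth's `idp_hint` authorize parameter is available in your version to steer the user to a specific IdP. Users who opted into the email client are sent through the second, elevated-scope OIDC IdP; everyone else goes through the ordinary Google IdP, with `state` and PKCE bound to the server-side session so the callback can be validated before any token exchange.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values for this example; replace with your own deployment's.
FUSIONAUTH_BASE = "https://auth.example.com"
CLIENT_ID = "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e"  # FusionAuth Application Id (placeholder)
REDIRECT_URI = "https://app.example.com/oauth/callback"

# Identity Provider Ids as registered in FusionAuth (placeholders):
# the native Google IdP for normal logins, and the second, generic OIDC IdP
# pointed at Google that requests the elevated (mail-reading) scopes.
GOOGLE_BASIC_IDP_ID = "82339786-3dff-42a6-aac6-1f1ceecb6c46"
GOOGLE_ELEVATED_IDP_ID = "7f6d4c3b-2a19-4e58-9b10-3c1e2d4f5a6b"


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: base64url(sha256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); the verifier is 86 chars, within 43..128."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def query_params(url: str) -> dict:
    """Flatten a URL's query string into {name: value} (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorize_url(wants_email_client: bool, state: str, code_challenge: str) -> str:
    """Build the FusionAuth /oauth2/authorize URL for one of the two login experiences.

    The Google scopes themselves live in the IdP configuration inside FusionAuth;
    this URL only chooses WHICH IdP the user is routed to via idp_hint (assumed).
    """
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "openid offline_access",  # scopes FusionAuth grants the app, not Google's
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "idp_hint": GOOGLE_ELEVATED_IDP_ID if wants_email_client else GOOGLE_BASIC_IDP_ID,
    }
    return f"{FUSIONAUTH_BASE}/oauth2/authorize?{urlencode(params)}"


def start_login(session: dict, wants_email_client: bool) -> str:
    """Mint state + PKCE, stash them server-side, and return the URL to redirect to."""
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    # Remember which flow was requested so the app knows what it expects back;
    # the decision is made server-side, never trusted from the callback URL.
    session["elevated_requested"] = wants_email_client
    return build_authorize_url(wants_email_client, state, challenge)


def handle_callback(session: dict, callback_url: str) -> dict:
    """Validate the redirect back from FusionAuth and return the /oauth2/token form fields.

    Raises ValueError on a state mismatch (CSRF / mix-up), an error response, or a
    missing code. Performing the actual token POST is left to your HTTP client.
    """
    q = query_params(callback_url)
    expected_state = session.pop("oauth_state", None)
    if not expected_state or not secrets.compare_digest(q.get("state", ""), expected_state):
        raise ValueError("state mismatch: rejecting callback")
    if "error" in q:
        raise ValueError(f"authorization failed: {q['error']}")
    if not q.get("code"):
        raise ValueError("no authorization code in callback")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": q["code"],
        "code_verifier": session.pop("pkce_verifier"),
    }
```

Because `state` is single-use (popped from the session) and compared in constant time, a replayed or forged callback fails before the code is ever exchanged; the PKCE verifier is only released to the token request once that check has passed.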