The Gmail managed connector's "Bring your own application" (BYOA) mode does not respect the OAuth scopes configured on the Google Cloud OAuth consent screen. It always requests the full https://mail.google.com/ scope (read, compose, send, and permanently delete), even when the BYOA app is configured with only https://www.googleapis.com/auth/gmail.readonly.
Documentation vs behavior
The Gmail connector docs state:
With "Bring your own application" option, you can use your own Google OAuth Client application instead of the one managed by Microsoft. Doing so will allow you to control permissions and enable certain limitations on the use of the connector.
And under scope configuration:
Note: Based on your usage need, you can select an appropriate subset of the permission scopes here.
This implies that configuring a narrower scope (like gmail.readonly) on the Google Cloud OAuth consent screen should result in the connector requesting only that scope. In practice, the connector hardcodes https://mail.google.com/ in the OAuth authorization request regardless of the BYOA app's configuration.
Root cause
The managed API definition for the Gmail connector (Microsoft.Web/locations/{region}/managedApis/gmail) hardcodes the same scope for both parameter sets:
// shared-application
"scopes": ["https://mail.google.com/"]
// byoa
"scopes": ["https://mail.google.com/"]
The BYOA parameter set has no mechanism to inherit or override scopes from the user's Google Cloud OAuth app configuration. The scope is baked into Azure's connector definition.
Full connector definition retrieved via:
GET /subscriptions/{sub}/providers/Microsoft.Web/locations/eastus/managedApis/gmail?api-version=2016-06-01
Steps to reproduce
- Create a Google Cloud project with the Gmail API enabled
- Configure the OAuth consent screen with only the
gmail.readonly scope
- Create an OAuth client credential with redirect URI
https://global.consent.azure-apim.net/redirect/gmail
- Create a Logic Apps Gmail API connection using the
byoa parameter set with the client ID and secret from step 3
- Generate a consent link via the
listConsentLinks API and open it in a browser
- Observe that Google's consent screen shows: "Read, compose, send, and permanently delete all your email from Gmail"
Expected behavior
The consent screen should show "View your email messages and settings" (the gmail.readonly scope description), matching the scope configured on the BYOA app's consent screen.
Actual behavior
The consent screen shows the full https://mail.google.com/ scope regardless of the BYOA app's configuration. Both shared-application and byoa parameter sets request the identical scope — BYOA provides no scope restriction capability.
Impact
Users who specifically choose BYOA to limit permissions (following the documentation's guidance) are unable to do so. This is particularly concerning for read-only use cases like inbox monitoring or email analytics, where granting delete access is unnecessary and creates an overprivileged token.
Suggested fix
The connector should either:
- Allow the
byoa parameter set's scopes field to be overridden by the user when creating the connection, or inherit from the BYOA app's configured scopes
- Add a separate connection parameter for specifying desired scopes
- At minimum, update the documentation to clarify that BYOA does not allow scope restriction
Environment
- Logic Apps (Consumption plan)
- Gmail connector,
byoa parameter set
- Region: East US
- API version: 2016-06-01
The Gmail managed connector's "Bring your own application" (BYOA) mode does not respect the OAuth scopes configured on the Google Cloud OAuth consent screen. It always requests the full
https://mail.google.com/scope (read, compose, send, and permanently delete), even when the BYOA app is configured with onlyhttps://www.googleapis.com/auth/gmail.readonly.Documentation vs behavior
The Gmail connector docs state:
And under scope configuration:
This implies that configuring a narrower scope (like
gmail.readonly) on the Google Cloud OAuth consent screen should result in the connector requesting only that scope. In practice, the connector hardcodeshttps://mail.google.com/in the OAuth authorization request regardless of the BYOA app's configuration.Root cause
The managed API definition for the Gmail connector (
Microsoft.Web/locations/{region}/managedApis/gmail) hardcodes the same scope for both parameter sets:The BYOA parameter set has no mechanism to inherit or override scopes from the user's Google Cloud OAuth app configuration. The scope is baked into Azure's connector definition.
Full connector definition retrieved via:
Steps to reproduce
gmail.readonlyscopehttps://global.consent.azure-apim.net/redirect/gmailbyoaparameter set with the client ID and secret from step 3listConsentLinksAPI and open it in a browserExpected behavior
The consent screen should show "View your email messages and settings" (the
gmail.readonlyscope description), matching the scope configured on the BYOA app's consent screen.Actual behavior
The consent screen shows the full
https://mail.google.com/scope regardless of the BYOA app's configuration. Bothshared-applicationandbyoaparameter sets request the identical scope — BYOA provides no scope restriction capability.Impact
Users who specifically choose BYOA to limit permissions (following the documentation's guidance) are unable to do so. This is particularly concerning for read-only use cases like inbox monitoring or email analytics, where granting delete access is unnecessary and creates an overprivileged token.
Suggested fix
The connector should either:
byoaparameter set'sscopesfield to be overridden by the user when creating the connection, or inherit from the BYOA app's configured scopesEnvironment
byoaparameter set