From 3c068f1396953aafd73f4de4e1a22b10fcc55cb1 Mon Sep 17 00:00:00 2001
From: Stacy Curry
Date: Wed, 28 May 2025 19:12:14 -0500
Subject: [PATCH 1/2] add support for provider_scopes query param
---
 tests/test_user_management.py | 21 +++++++++++++++++++++
 workos/user_management.py | 4 ++++
 2 files changed, 25 insertions(+)
diff --git a/tests/test_user_management.py b/tests/test_user_management.py
index e41dd99a..cf51e7a9 100644
--- a/tests/test_user_management.py
+++ b/tests/test_user_management.py
@@ -344,6 +344,27 @@ def test_authorization_url_has_expected_query_params_with_screen_hint(self):
 "provider": "authkit",
 }
+ def test_authorization_url_has_expected_query_params_with_provider_scopes(self):
+ provider = "GoogleOAuth"
+ provider_scopes = [
+ "https://www.googleapis.com/auth/calendar",
+ "https://www.googleapis.com/auth/admin.directory.group",
+ ]
+ redirect_uri = "https://localhost/auth/callback"
+ authorization_url = self.user_management.get_authorization_url(
+ provider=provider, provider_scopes=provider_scopes, redirect_uri=redirect_uri
+ )
+
+ parsed_url = urlparse(authorization_url)
+ assert parsed_url.path == "/user_management/authorize"
+ assert dict(parse_qsl(str(parsed_url.query))) == {
+ "provider": provider,
+ "provider_scopes": ",".join(provider_scopes),
+ "client_id": self.http_client.client_id,
+ "redirect_uri": redirect_uri,
+ "response_type": RESPONSE_TYPE_CODE,
+ }
+
 def test_get_jwks_url(self):
 expected = "%ssso/jwks/%s" % (
 self.http_client.base_url,
diff --git a/workos/user_management.py b/workos/user_management.py
index d31e35ee..edfa2142 100644
--- a/workos/user_management.py
+++ b/workos/user_management.py
@@ -358,6 +358,7 @@ def get_authorization_url(
 login_hint: Optional[str] = None,
 state: Optional[str] = None,
 provider: Optional[UserManagementProviderType] = None,
+ provider_scopes: Optional[Sequence[str]] = None,
 connection_id: Optional[str] = None,
 organization_id: Optional[str] = None,
 code_challenge: Optional[str] = None,
@@ -379,6 +380,7 @@ def get_authorization_url(
 The value of this parameter should be a WorkOS Organization ID. (Optional)
 provider (UserManagementProviderType): The provider connection selector is used to initiate SSO using an OAuth-compatible provider. Currently, the supported values for provider are 'authkit', 'AppleOAuth', 'GitHubOAuth, 'GoogleOAuth', and 'MicrosoftOAuth'. (Optional)
+ provider_scopes (Sequence[str]): Can be used to specify additional scopes that will be requested when initiating SSO using an OAuth provider. (Optional)
 domain_hint (str): Can be used to pre-fill the domain field when initiating authentication with Microsoft OAuth, or with a GoogleSAML connection type. (Optional)
 login_hint (str): Can be used to pre-fill the username/email address field of the IdP sign-in page for the user,
@@ -412,6 +414,8 @@ def get_authorization_url(
 params["organization_id"] = organization_id
 if provider is not None:
 params["provider"] = provider
+ if provider_scopes is not None:
+ params["provider_scopes"] = ",".join(provider_scopes)
 if domain_hint is not None:
 params["domain_hint"] = domain_hint
 if login_hint is not None:
From a4e6739e8e240d258d0373a5bf8fc8397a062542 Mon Sep 17 00:00:00 2001
From: Stacy Curry
Date: Wed, 28 May 2025 19:23:54 -0500
Subject: [PATCH 2/2] fix formatting
---
 tests/test_user_management.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/tests/test_user_management.py b/tests/test_user_management.py
index cf51e7a9..bedbaaec 100644
--- a/tests/test_user_management.py
+++ b/tests/test_user_management.py
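Review bot: The new `provider_scopes` docstring entry in the `@@ -379,6 +380,7 @@` hunk of workos/user_management.py does not say how the values are sent or what shape the argument must have. The `@@ -412,6 +414,8 @@` hunk joins them with commas into a single query parameter and adds it whether or not `provider` is set, so the entry could read `provider_scopes (Sequence[str]): Additional OAuth scopes to request from the provider, sent comma-joined; pass a list or tuple of scope strings, not a single string. (Optional)`. Because every extra scope widens what the resulting provider grant can reach, it is also worth one sentence saying the list should be a fixed, minimal set chosen by the application rather than built from request input. The docstring begins and ends outside this hunk.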
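Review bot: `",".join(provider_scopes)` in the `@@ -412,6 +414,8 @@` hunk of workos/user_management.py accepts a bare `str`, which also satisfies `Sequence[str]`, and would silently send it as comma-separated single characters. A scope element that itself contains a comma would presumably be read as two scopes by the receiving side (the server's parsing is not visible here), and an empty sequence still adds an empty `provider_scopes=` parameter. A guard ahead of the join would make these fail loudly, for example `if isinstance(provider_scopes, str) or any("," in s for s in provider_scopes): raise ValueError("provider_scopes must be a sequence of scope strings without commas")`, and the condition could become `if provider_scopes:` if an empty value is meant to be omitted. The test added in this patch exercises only the two-element list case, so none of these paths is pinned. The body of get_authorization_url continues outside the hunk.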
@@ -347,12 +347,14 @@ def test_authorization_url_has_expected_query_params_with_screen_hint(self):
 def test_authorization_url_has_expected_query_params_with_provider_scopes(self):
 provider = "GoogleOAuth"
 provider_scopes = [
- "https://www.googleapis.com/auth/calendar",
- "https://www.googleapis.com/auth/admin.directory.group",
- ]
+ "https://www.googleapis.com/auth/calendar",
+ "https://www.googleapis.com/auth/admin.directory.group",
+ ]
 redirect_uri = "https://localhost/auth/callback"
 authorization_url = self.user_management.get_authorization_url(
- provider=provider, provider_scopes=provider_scopes, redirect_uri=redirect_uri
+ provider=provider,
+ provider_scopes=provider_scopes,
+ redirect_uri=redirect_uri,
 )
 parsed_url = urlparse(authorization_url)