External auth granular revoking


I would like to know if anybody managed to handle granular external auth providers with Google (or other providers) because I seem to have some problems with how they work right now.

Here is my current use case;

I’m setting up a Forge app in which the user can connect to their Google account for different scopes.

In the manifest, I have two different auth providers with scopes as defined;

    - key: google-drive-auth
      name: Google Drive
        - 'profile'
        - 'email'
        - 'https://www.googleapis.com/auth/drive.metadata.readonly'
        - 'https://www.googleapis.com/auth/drive.readonly'
    - key: google-sheets-auth
      name: Google Sheets
        - 'profile'
        - 'email'
        - 'https://www.googleapis.com/auth/spreadsheets'

Once accepted, the user can see the distinct remotes from the same Connected App in their account page;

The problem I am having is that if the user revokes either Google access, all of the scopes on Google’s side are removed, while there can be remaining connections on Atlassian’s side.


For instance, the user revokes “Google Drive” on Atlassian’s side. “Google Sheets” is left on Atlassian’s side.
Going to the Google account, the app’s complete access has been revoked.

The resulting behavior is that the “Google Drive” part of the app will request access while the “Google Sheets” part will fail all requests, and the user cannot do anything about it.
To fix the issue, the user must revoke all app access on both Atlassian and Google, then reconnect them.

What I expected to happen

Revoking “Google Drive” should only remove the scope that was defined in my manifest file. “Google Sheets” should be unaffected.

Thank so for your insight!