OAuth consent screen - some doubts

Roberto Oneto

Sep 20, 2023, 9:09:16 AM
to Chromium Extensions
Hi folks,
I have a couple of questions about the topic: "OAuth consent screen"

In the Google Cloud Console I have:
  • created a project
  • enabled the set of APIs that I will use (Google Calendar API)
  • associated the OAuth 2.0 client ID with my extension id
In the "OAuth consent screen" section I have entered:
  • the name of the extension,
  • the required email addresses
  • the scopes I would use (calendars.readonly)
  • an explanation of how the scope will be used?
  • the app logo (which is basically the extension icon)
  • App domain (the field is mandatory and I don't understand exactly what I need to enter)
In the relevant sections of the extension's manifest file I have inserted:
  • the client ID, the scope and key

I still have to make a video where I illustrate the new features,
upload it to YT and insert the link in the required field in the "Scopes" step.

The extension seems to work well and is therefore almost ready to be updated.

My questions are:
  1. Should the submission for verification be done before or after updating the extension?
  2. I don't understand the meaning of the "App Domain" section. I entered the domain corresponding to the application homepage (shared with other extensions) which also corresponds to the domain of the privacy policy page. Did I do well?
  3. Can the video to be uploaded to YT be without audio (adding some subtitles)?
TIA

Uladzimir Yankovich

Sep 20, 2023, 10:25:58 AM
to Chromium Extensions, Roberto Oneto
1. Before. You can show a demo using an example of a dev build. And publish it only after your project is approved.

2. You must indicate the domain within which you want to receive redirects from the authorization service.

3. The video can be without sound and without subtitles. I always shoot with sound and even with a camera. I do not know why. I hope the moderators have more fun this way 😂.

Moderation usually takes from 1 to 4 weeks. Good luck!

Roberto Oneto

Sep 20, 2023, 11:33:44 AM
to Chromium Extensions, Uladzimir Yankovich, Roberto Oneto
Thank you very much for the fast reply.
Could you please elaborate on the 2nd answer further?
> 2. You must indicate the domain within which you want to receive redirects from the authorization service.

In my JS files I use:
chrome.identity.getProfileUserInfo
chrome.identity.getAuthToken
and make some fetch requests to https://www.googleapis.com/calendar/v3/* endpoints to retrieve calendars and events.
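
The calls named in the post above (chrome.identity.getAuthToken followed by a fetch to a Calendar v3 endpoint), written out as an added example that is not code from the thread. `chromeApi` and `fetchFn` are assumed parameters standing in for the extension's `chrome` global and `fetch`, and the calendarList endpoint is chosen for illustration.

```javascript
// Added example. `chromeApi` is the extension's `chrome` global and `fetchFn`
// is `fetch`; both are passed in so the logic can also run outside a browser.
const CALENDAR_LIST_URL =
  "https://www.googleapis.com/calendar/v3/users/me/calendarList";

// Wrap the callback form of chrome.identity.getAuthToken in a Promise.
function getToken(chromeApi, interactive) {
  return new Promise((resolve, reject) => {
    chromeApi.identity.getAuthToken({ interactive }, (token) => {
      const err = chromeApi.runtime.lastError;
      if (err || !token) {
        reject(new Error(err ? err.message : "no token returned"));
      } else {
        resolve(token);
      }
    });
  });
}

// Drop a token from Chrome's cache so the next getAuthToken call issues a new one.
function dropToken(chromeApi, token) {
  return new Promise((resolve) =>
    chromeApi.identity.removeCachedAuthToken({ token }, () => resolve())
  );
}

// List the user's calendars; on HTTP 401 discard the cached token and retry once.
async function listCalendars(chromeApi, fetchFn, interactive = false) {
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await getToken(chromeApi, interactive);
    const res = await fetchFn(CALENDAR_LIST_URL, {
      headers: { Authorization: `Bearer ${token}` },
    });
    if (res.status === 401 && attempt === 0) {
      await dropToken(chromeApi, token); // expired or revoked: do not reuse it
      continue;
    }
    if (!res.ok) throw new Error(`Calendar API returned HTTP ${res.status}`);
    const body = await res.json();
    return body.items || [];
  }
}
```

In the extension this would be called as `listCalendars(chrome, fetch)` from the service worker, with `interactive` set to `true` only in response to a user action.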

Uladzimir Yankovich

Sep 20, 2023, 5:28:34 PM
to Roberto Oneto, Chromium Extensions
When a domain is used on the consent screen or in an OAuth client’s configuration, it must be pre-registered here. If your app needs to go through verification, please go to the Google Search Console to check if your domains are authorized. Learn more about the authorized domain limit.

Just use "chromiumapp.org"

--
Uladzimir Yankovich,
Founder @ Manganum (manganum.app).

Roberto Oneto

Sep 20, 2023, 9:31:57 PM
to Chromium Extensions, Uladzimir Yankovich, Chromium Extensions, Roberto Oneto
I think the matter is not very clear at this point.
The field is mandatory even if I don't perform redirects of any kind (I think it's Google that does these redirects with chrome.identity.getAuthToken).
I cannot delete the domain I initially entered (which coincided with the one used for the privacy policy); I can however add "chromiumapp.org" as a second domain.

Roberto Oneto

Oct 1, 2023, 4:18:31 PM
to Chromium Extensions, Roberto Oneto, Uladzimir Yankovich, Chromium Extensions
I requested verification for the OAuth consent screen about 10 days ago.
Now I've checked the status of the request and I've noticed this message:

[Attached image: ctr2.png]

I clicked "LEARN MORE", but I'm quite confused.
Can someone who has already been down this road kindly tell me what Google expects from me?
I think it's because of the domain that hosts my html and php pages including the page with the privacy policy of my extensions.
The domain is not owned by me; I only use a web hosting service.

Uladzimir Yankovich

Oct 1, 2023, 5:17:06 PM
to Roberto Oneto, Chromium Extensions
Check your email and communicate with them. There's great support there.

Roberto Oneto

Oct 2, 2023, 4:21:57 AM
to Chromium Extensions, Uladzimir Yankovich, Chromium Extensions, Roberto Oneto
I have not yet received emails from the verification team.
This is why after 10 days I went to check if anything had changed.

Uladzimir Yankovich

Oct 2, 2023, 4:24:08 AM
to Roberto Oneto, Chromium Extensions
This is impossible. Any action on the part of moderation is accompanied by a letter.

Roberto Oneto

Oct 2, 2023, 4:26:49 AM
to Chromium Extensions, Uladzimir Yankovich, Chromium Extensions, Roberto Oneto
I also checked to see if any important messages had ended up in spam.

Oliver Dunk

Oct 2, 2023, 4:38:34 AM
to Roberto Oneto, Chromium Extensions, Uladzimir Yankovich
Hi Roberto,


I believe if you choose "Chrome App" you should be able to use a webstore URL.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB



Roberto Oneto

Oct 2, 2023, 4:49:32 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, Uladzimir Yankovich
Hi Oliver, thank you for your help.
Now I'm going to create a brand new project following your suggestions.
I'll let you know about any progress.

Roberto Oneto

Oct 2, 2023, 7:39:26 AM
to Chromium Extensions, Roberto Oneto, Oliver Dunk, Chromium Extensions
I tried creating a new project with the same scope: "calendar.readonly".
At one point I was asked to select the type of application. Among the various options there was also "chrome extension" (which I selected).
A new client ID was generated (I therefore had to replace the relevant section in the manifest.json file).
However, there is always a section where you are asked to specify a domain (among those enabled\recognized).
I entered "onets.altervista.org", but as I have already written, it is not a top level domain and I am afraid that the problem is right here.
Altervista.org only provides me with hosting space.
Now I think I'll have to wait the couple of days we're asked to wait (for the "old project" I still did not receive any email from the verification team).

Roberto Oneto

Oct 2, 2023, 12:15:16 PM
to Chromium Extensions, Roberto Oneto, Oliver Dunk, Chromium Extensions
I checked right now the verification status of the new project and I see the same hint that I got on the old one.
Action Required:
Comply with domain verification requirements
Ensure you application's domains have completed the Search Console verification process

If I necessarily have to buy a domain and renew it every year (in my country we're talking about NOT LESS than 50 euros / year) to satisfy this request,
then I throw up my arms and give up.
However, I would like someone to explain to me the reason for this (that is: "Why I should spend this amount for an extension that has never earned me a cent").
If anyone has an explanation please state it in a way that even a fool (like me) can understand.
Thank you

Patrick Kettner

Oct 4, 2023, 5:46:07 AM
to Roberto Oneto, Chromium Extensions, Oliver Dunk
Unfortunately, some kind of search console domain verification is needed. There are a number of TLDs available that are cheaper than 50 euros. Things like .space, .xyz or .party are all much cheaper. I absolutely understand the frustration with not wanting to spend any money on something you don't make money on. But as this isn't an issue with the extension itself, but rather about Google Cloud, I would encourage you to do what Uladzimir mentioned and contact Cloud's support team.

Uladzimir Yankovich

Oct 4, 2023, 5:59:14 AM
to Patrick Kettner, Roberto Oneto, Chromium Extensions, Oliver Dunk
You can always use a free Firebase domain that you can verify.

But I think my advice about contacting support is still valid. We went through the project verification procedure about 10 times. We went through it with a paid security audit the last two times. And the support always answered all my questions perfectly. And there were a lot of questions because I am not an engineer, and I did it all for the first time.

I am sure that, in this case, trying to get help in the community will take longer and bring fewer results.




Roberto Oneto

Oct 4, 2023, 9:18:17 AM
to Chromium Extensions, Uladzimir Yankovich, Roberto Oneto, Chromium Extensions, Oliver Dunk, Patrick Kettner
Thank you @Patrick and @Uladzimir.
I still don't understand why having a TLD is mandatory.
I think Google could implement some other way to check the ownership of a website.
I'm checking the cost of registering a domain and actually the price per year has dropped significantly since the last time I checked (many years ago).
Maybe this could be done with $10 a year.
To this day, I feel lucky to open my wallet and find at least 10 euros inside. I just don't find it "very smart" to spend it this way.
I also want to highlight that 10 dollars for any citizen living in San Diego is very different than for the average citizen of too many other countries in the world.

> You can always use a free Firebase domain that you can verify.
Thank you @Uladzimir for your suggestion.
I'll try to read up a bit about it, but from a quick check of the authorized domains (I found the list here) it would seem that Firebase is not allowed.

It will mean that I will directly communicate to the handful of users of my unlisted extension to expect a scary popup message where they will be warned about the potentially harmful intentions of the extension itself.
best regards

Patrick Kettner

Oct 4, 2023, 9:20:35 AM
to Roberto Oneto, Chromium Extensions, Oliver Dunk, Uladzimir Yankovich
Again, I understand the frustration, but I want to make it clear that there is nothing anyone in this channel can do to make anything better. If you are wanting to see if there are alternatives, I suggest contacting the people behind the product itself.

Roberto Oneto

Oct 4, 2023, 2:21:54 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, Oliver Dunk, Uladzimir Yankovich, Roberto Oneto
@Uladzimir.
Hi, I posted a question about Firebase here.
In my country people say "Hope is the last to die" (that should sound like "Hope springs eternal" in English)
...and if it dies, we'll get over it (this part is not included in the original proverb)