Gmail API OAuth – This app is blocked


David Cohen

Feb 10, 2021, 8:02:08 AM
to Chromium Extensions
We have a Chrome extension that requests access to sensitive Gmail scopes. Due to financial constraints, we have not been able to have this app verified by Google. However, all of our users are business users and 98% of them have a G Suite account. Having our users whitelist our plug-in has met our needs admirably.

While 98% of our users have G Suite, the remainder have a plain Gmail account which does not allow whitelisting. Because we are not verified, we have a 100 user cap for these regular Gmail accounts. As of right now, we are well below this cap.

The issue I've encountered is that one of our customers is receiving the following error message when trying to connect to the Gmail API using OAuth:

This app is blocked.png

In all other cases, our users with regular Gmail accounts have received the following message, which allows them to connect:

Unverified app.png

Why is this one particular user not able to connect? Is this a setting he can change, or is this something hardcoded into his Gmail account?

I would appreciate any help you can provide.

(We do have plans to verify our app sometime in the near future, which will remove this problem completely.)

Thank you!

Jackie Han

Feb 10, 2021, 11:31:21 AM
to David Cohen, Chromium Extensions
> Why is this one particular user not able to connect? Is this a setting he can change, or is this something hardcoded into his Gmail account?

One possibility is that the user has enabled the Advanced Protection Program. It does not allow Gmail OAuth to any third-party application. The user needs to use official Google Apps.

> Due to financial constraints, we have not been able to have this app verified by Google.

Gmail OAuth verification may not cost you money. Just do it, please.





--
Jackie Han

David Cohen

Feb 10, 2021, 11:44:12 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, David Cohen
Thank you for your response, Jackie!

I will check with the customer about this.

Regarding the cost of the Google OAuth verification, I went through the entire process and received a quote of over $30,000 for security testing. Believe me, I would really like to have our app verified.

Jackie Han

Feb 10, 2021, 12:08:45 PM
to David Cohen, Chromium Extensions
Yes, Google requires a security assessment: "If you submitted an app that requests restricted scopes, and the app accesses Google user data from or through a server." I originally meant that if your app is a pure client app, it doesn't need a security assessment (no cost). Anyway, good luck!
--
Jackie Han

David Cohen

Feb 11, 2021, 4:45:07 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, David Cohen
I checked with the customer and they are not enrolled in the Advanced Protection Program. Are there any other thoughts about what might cause this error? If not, can somebody direct me to a place where I can open a bug with Google?

David Cohen

Feb 11, 2021, 7:04:06 AM
to Chromium Extensions, David Cohen, Jackie Han, Chromium Extensions
After testing this with family and friends, it seems that some regular Gmail accounts can approve the OAuth connection with a warning, whereas others cannot. Does anybody know if this is due to a change that Google is rolling out gradually? Will it soon be the case that no users with a regular Gmail account will be able to approve an OAuth connection for an unverified app with sensitive scopes?