App without sensitive or restricted scopes still showing "Unverified App" message to clients


Bryan Zera

Jul 8, 2019, 6:10:36 PM
to Google App Engine

We have a web app that only uses the email, profile, and openid API scopes, none of which are listed as being restricted or sensitive. However, our OAuth Consent Screen flow is still taking the user to the "This app is unverified" message.

When we submitted the app for verification, we received a message back saying  "You need to select scopes for this app", but this app has the three non-sensitive/non-restricted scopes listed above.  

Everything I've read in the docs claims that if you're not using sensitive or restricted scopes, you don't need to verify your app.

Why are we receiving an "unverified app" message for an app with no sensitive/restricted scopes? How do we keep our customers from getting that error message?

Julie (cloud platform support)

Jul 9, 2019, 12:17:17 PM
to Google App Engine
To clarify, did you receive any emails regarding OAuth verification, as that could provide more details on what actions need to be completed? I did notice that the openid API may be related to the OAuth API, but when I tried to recreate your issue with the same scopes there did not appear to be any warnings about verifying.

Please post a screenshot of the "unverified app" message, after removing sensitive or personal information such as project ids, passwords, email addresses and credit card information, as it may not be due to OAuth verification.

Bryan Zera

Jul 9, 2019, 12:22:46 PM
to Google App Engine

Here is the "Unverified App:" screen shot.
Screen Shot 2019-07-09 at 11.18.34 AM.png

Additionally, this app is only to be used by G Suite domain accounts who have whitelisted our specific app, so anyone accessing our app should already have been granted access from their administrator via G Suite permissions, so, per the OAuth API Verification FAQ, since this "app is domain installed or whitelisted by a G Suite domain administrator.", it does not need verification.

Julie (cloud platform support)

Jul 10, 2019, 3:06:43 PM
to Google App Engine
If the owner and users of your apps belong to the same G Suite domain or customer then it is an internal application and you should mark it as internal-only. That way you can skip submitting for verification.

Bryan Zera

Jul 10, 2019, 3:54:33 PM
to Google App Engine
If the app is marked as internal, will users from G Suite domains other than the domain that owns this app be able to whitelist and use our app without seeing an "Unverified App" screen?

Julie (cloud platform support)

Jul 10, 2019, 6:53:48 PM
to google-a...@googlegroups.com
An internal application will only allow access to users from your organization (@your-organization.com). A public application allows access to users outside of your organization (@your-organization.com). Access can be from consumer accounts, like @gmail.com, or other organizations, like @partner-organization.com. Public applications need to go through verification as detailed. As to why verification is required, Google verifies public applications that use OAuth 2.0 and meet one or more of the verification criteria.

Bryan Zera

Jul 11, 2019, 11:11:51 AM
to Google App Engine
@julie I really appreciate your attention to this, but please forgive me as I'm still confused.

We need our app to be used by other G Suite domain users (so marking as internal is a non-starter), but only if their domain administrator whitelists our app.  That whitelisting, according to the FAQ, means that our app can skip verification.  

Even if we can skip verification by requiring whitelisting of our app by other G Suite domain administrators, will users of that G Suite domain see the "unverified app" message?

Julie (cloud platform support)

Jul 12, 2019, 10:33:49 AM
to Google App Engine
If the application is marked as internal, it will not need to go through the verification process; it will no longer be unverified, and the screen indicates an unverified application. The "unverified app" screen should not occur with internal apps, as if your application is an internal web application for users in the same G Suite domain and the app is associated with a Cloud Organization that all of your users belong to, you don't need to go through verification (under section: When to go through verification). You can use these steps to mark your app as internal-only.

Bryan Zera

Jul 12, 2019, 11:48:21 AM
to Google App Engine
Thanks for your response, but it doesn't answer the question I asked.  Can I please just get a yes/no answer on the following question:

Even if we can skip verification by requiring whitelisting of our app by other G Suite domain administrators, will users of that G Suite domain see the "unverified app" message?

Thank you

David Charles Martinez

Jul 16, 2019, 4:37:40 PM
to google-a...@googlegroups.com

Hello,


They should not see the “unverified app” message if the application is whitelisted. We can confirm this by reviewing this G Suite updates documentation, which I understand is not the clearest, but it does state that after July 8, new users will not be able to install unverified apps unless you “trust them”, which would be whitelisting. Hence, after whitelisting, the “unverified app” message should not be displayed.


Bryan Zera

Jul 16, 2019, 5:01:16 PM
to Google App Engine
@DavidCharlesMartinez.  Thank you for that link.  It certainly reads like users accessing whitelisted apps shouldn't see the "Unverified App" message.

@Julie, when the GSuite Updates Blog says the following: 

Trust apps that you want to allow users to continue to install: To trust an app, use our API Permissions (OAuth apps whitelisting) feature in the Security section of the Admin console. Trusting an app also means that, if users consent, the app will have access to some G Suite user data (OAuth2 scopes) that you’ve otherwise restricted using this same tool. For example, if you’ve generally blocked access to Gmail OAuth2 scopes, trusted apps will have access for accounts where users consent.

Does that mean that a user whose G Suite administrator has whitelisted our app should not see the "unverified app" message?

Jorge A (Google Cloud Support)

Jul 17, 2019, 11:44:19 AM
to Google App Engine
As David mentioned and to answer your question, yes, if a G Suite administrator has whitelisted the application, the users of that G Suite domain should not see the “unverified app” message. This is stated under https://support.google.com/cloud/answer/9110914/#skip in the FAQ document for this topic: When can I skip submitting my app for a review?
"The app is domain installed or whitelisted by a G Suite domain administrator. If your app is intended for G Suite users, access might depend on domain administrator permission. Obtaining a verification will likely make it easier for administrators to grant access."

Bryan Zera

Jul 17, 2019, 11:49:43 AM
to Google App Engine
Yeah @Jorge, We are aware that the FAQ says that whitelisting means you don't have to submit for review, but what it doesn't explicitly say is if the end user is still going to get the "Unverified app" message when the app is whitelisted, because our app was created to be whitelisted, but our customers who do whitelist our app still get the unverified app message.

Jorge A (Google Cloud Support)

Jul 17, 2019, 12:01:23 PM
to Google App Engine
@Bryan, in that case it isn't an internal whitelisted app without sensitive or restricted scopes. If the warning still shows once whitelisted, sensitive or restricted scopes are present. Please double check, since you need to go through verification before you launch a user-facing app. If you have customers (users) accessing the app, then it should be verified; whitelisting on their behalf doesn't change that your app isn't verified.
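
An added example, not part of the thread or any Google tooling: one way to carry out the "double check" suggested above is to audit the authorization URL the app actually sends. It flags any scope other than the three named in the original post and reports whether `include_granted_scopes` is enabled; the sample URLs, client ID and redirect URI are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# The three scopes the original poster says the app requests.
BASIC_SCOPES = {"openid", "email", "profile"}

# Long-form aliases Google accepts for the email and profile scopes.
ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}

def audit_auth_url(auth_url):
    """Return requested scopes, any outside the basic set, and incremental-auth use."""
    query = parse_qs(urlsplit(auth_url).query)
    requested = set()
    for value in query.get("scope", []):
        # Scopes are space-delimited; parse_qs has already decoded '+' and %20.
        for scope in value.split():
            requested.add(ALIASES.get(scope, scope))
    extra = sorted(requested - BASIC_SCOPES)
    # With incremental authorization, the issued token can also carry scopes
    # the user granted earlier, beyond what this one request lists.
    flag = query.get("include_granted_scopes", ["false"])[0].lower()
    return {"requested": sorted(requested), "extra": extra,
            "incremental": flag == "true"}

# Constructed sample URLs (client_id and redirect_uri are placeholders).
CLEAN = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
         "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
         "&scope=openid%20email%20profile")
DRIFTED = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
           "&client_id=EXAMPLE_CLIENT_ID&redirect_uri=https%3A%2F%2Fapp.example%2Fcb"
           "&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
           "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
           "&include_granted_scopes=true")

if __name__ == "__main__":
    for name, url in (("clean", CLEAN), ("drifted", DRIFTED)):
        print(name, audit_auth_url(url))
```

Run it against the URL captured from the browser's address bar at the consent screen; an empty `extra` list means the request itself carries only the three basic scopes.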

Bryan Zera

Jul 17, 2019, 12:28:27 PM
to Google App Engine
I never said it was or should be an internal app. No scopes that we are using on the OAuth consent screen are restricted or sensitive.

While technically, this is a user-facing app, this app is meant to be whitelisted by other G Suite administrators at which time, the G Suite administrators would allow access to the sensitive scopes for their users. 

If you have customers (users) accessing the app, then it should be verified, whitelisting on their behalf doesn't change that your app isn't verified. 

So you're confirming that even though we don't technically need to get verified (per the FAQ that keeps getting referenced), users will still see the "Unverified App" message if we don't.  If you are confirming this, can you confirm that this is a recent change/fix, as this issue only recently started occurring. 

Jorge A (Google Cloud Support)

Jul 17, 2019, 12:48:30 PM
to google-a...@googlegroups.com
To make this clear: you don't need to get verified if the app isn't used by other organizations other than your own. In your specific case, the app is meant to be used by customers, thus requiring verification. 

The white-listing only works for internal applications, so everyone outside of your org will see the unverified warning.

Moving on to the dates for the change: there are several deadlines on the FAQ, since there are several scenarios, there are several dates where your app started showing up as unverified, some as early as March or as recently as the end of June. The dates have been on the FAQ and there were notifications sent since the beginning of the year.

Bryan Zera

Jul 17, 2019, 12:53:50 PM
to Google App Engine
Thank you for the clarification.

Bryan Zera

Jul 17, 2019, 1:00:03 PM
to Google App Engine
Nowhere in the FAQ does it say that whitelisting is only for apps designated as internal applications.  If that is the case, the FAQ should be updated to be clear about that.  Thanks again for helping suss out the solution to this.