Receiving this App is blocked on trying to authorize

[sithara suresh]

HI

As per https://developers.google.com/google-ads/api/docs/oauth/cloud-project, is it necessary  to need to undergo a Google OAuth verification when the publishing status Is set to production in GCP ? 

Initially we generated the refresh token using OAuth Playground and supplied the refresh token, GCP creds and Google Adwords API to Azure ADF(ETL tool) to extract data for Google Adwords. But as soon as we modified the publishing status to Production, the authorization kep failing with the below message - 

`This app is blocked

This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.`

Could you please let me know if this is because of the OAuth verification not completed?

Thanks & Regards

Sithara

[Google Ads API Forum Advisor]

Hi Sithara,
 

Thanks for reaching out to the Google Ads API team. I hope you are doing well today.
 

Please see my response to your questions below.
 

1.) As per https://developers.google.com/google-ads/api/docs/oauth/cloud-project, is it necessary to need to undergo a Google OAuth verification when the publishing status Is set to production in GCP ? 
 

• Yes, you need to undergo a Google OAuth verification when the publishing status.

2.) Could you please let me know if this is because of the OAuth verification not completed?
 

• Yes, "This App is blocked" error could be due to missing OAuth verification steps. For information on OAuth Verification, and how to verify your projects, please refer to the below links:

          -How to verify: OAuth API verification FAQs - Google Cloud Platform Console Help

          -General information: Unverified apps - Google Cloud Platform Console Help

I hope this helps.
 

Regards,

Darwin Google Ads API Team

ref:_00D1U1174p._5004Q2h0KWQ:ref

[sithara suresh]

Hi Darwin

Appreciate the prompt response.

 However for completing the OAuth consent screen, GCP mandates developers to provide App domain names/privacy policy. What can we fill in there if we don't have an application since we only authorize using Oauth Playground only to retrieve a life time refresh token which could be used in our azure linked service connectors. Since Google Ads API leverages GCP do we have a documentation on this - where we can retrieve a lifetime time refresh token from a GCP while the publishing status is set to Production. Also on how we can fill up the OAuth Consent Screen given this scenario.

Thanks & Regards

Sithara 

[Google Ads API Forum Advisor]

Hi Sithara,

Thanks for getting back to us.

If you set the publish status to In Production in order to generate refresh tokens that persist longer than 7 days. So that does indeed sound like the right setting for your use case. Note that we have examples of how you can generated refresh token with our Google Ads API client libraries here: 

https://developers.google.com/google-ads/api/docs/samples/generate-user-credentials  

If you leave the project unverified, you will see an unverified warning when you authenticate and your project will be subject to an OAuth user quota. But if this is an internal script that will not be authenticating many individual external users, that is normally sufficient for most developers. However, if your app is going to be used in any of the following scenarios, you do not need to submit it for review:

1. Personal Use: The app is not shared with anyone else or will be used by fewer than 100 users (all of whom are known personally to you). Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect.
2. Development/Testing/Staging: If your app’s publishing status is set to “Testing” and not “In production”, then you do not need to submit your app for verification. Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect. Learn more about Publishing status.
3. Service-owned Data Only: The app only accesses its own data (using a Service Account), and not user data (linked to a Google Account).
4. To understand what service accounts are, see Service accounts.
5. For instructions on using a service account, see Using OAuth 2.0 for Server to Server Applications.
6. Internal Use: The app is used only by people in your Google Workspace or Cloud Identity organization. Note that your app will not be subject to the unverified app screen or the 100-user cap if it's marked as Internal.
7. Learn more about public and internal applications.
8. Learn how to mark your app as internal in the FAQ How can I mark my app as internal-only?
9. Domain-wide Installation: The app is used only by Google Workspace enterprise users. Access will depend on permission being granted by the domain administrator. Google Workspace domain administrators are the only ones that can add the app to an allowlist for use within their domains.
10. To learn how to make your app a Domain-Wide Install, see My application has users with enterprise accounts from another Google Workspace Domain.
11. SMTP/IMAP/WP: The app is used to send emails through WordPress, or similar single-account SMTP plugins.

Let me know if you have any follow up questions, so that our team can assist you further.

Regards,

Yasar Google Ads API Team

ref:_00D1U1174p._5004Q2h0KWQ:ref

[sithara suresh]

Hi Yasar

Thank you for the detailed response. Our requirement is pretty simple - the count of app users is 1 and  extract keywords  on a daily basis using Azure ADF(or a simple script),  from Google Ads and drop it to a database. We don't want the refresh token to expire  hence have modified the publishing status to Production. We would like to leverage OAuth Playground to generate the refresh token which would be a one time activity.

Recently when we fetch the refresh token using OAuth Playground, the authorization was denied with the below error message 

`This app is blocked

This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.`

which we suspect may be because the OAuth verification has not been submitted. Is our assumption correct ?

If we were to go with a script(extracting the refresh token from OAuth Playground), how would we be able to fill in the below details in the consent screen?

> Application home page

> Application privacy notice

Or should we build a web application only to get the OAuth verification approved ?

Thanks & Regards

Sithara

[Google Ads API Forum Advisor]

Hello Sithara,

Thank you for reaching out to us.

Please note that this support channel can only provide assistance to issues/concerns related to the Google Ads API.

Since you're concern is related to the app verification process, you can check on this related article or reach out to the Cloud Console Team via this link.

Regards,

Nirmita Google Ads API Team

ref:_00D1U1174p._5004Q2h0KWQ:ref

[Google Ads API Forum Advisor]

Hi,

Thank you for reaching out to us.

Please note that this forum channel can only provide assistance to issues/concerns related to the  Google Ads API.

[sithara suresh]

Hi Nirmita 

Since retrieving refresh tokens with OAuth Playground is one of the recommendations from Google Ads It would really help if your team could suggest on how we fill up the OAuth Consent Screen if we go ahead with OAuth Playground. If users are redirected to GCP there would obviously be questions on OAuth playground and why it is recommended to retrieve refresh tokens by Google Ads. Also the link you shared details on how the consent screen can be filled if authorisation is performed via web app 

Ref: 

https://developers.google.com/google-ads/api/docs/oauth/playground

Thanks 

Sithara