OAuth verification process for enterprise application with more than 100 customer domains


Ashley Smith

Jul 22, 2019, 2:22:28 PM7/22/19
to Google App Engine
Our company is developing an enterprise G Suite application which uses restricted authentication scopes. We don't allow Gmail users to install our application, but we onboard several enterprise companies per day, so we can't ask the administrator of each customer domain to whitelist the application after installing it from the Marketplace; so far we have several hundred active customers. Also, due to the number of clients, we can't be restricted by the 100-user capacity advertised by Google for applications which don't go through the verification process.

We published our application back in 2018 for the first time, and in 2018 we also passed our first verification procedure. Then at the beginning of 2019 we were asked to resubmit the application for verification again and started the process. During the verification process we have done the following steps:
- submitted the video describing authentication process
- unchecked "Individual install" checkbox
- verified domain and linked project with our GCP organisation

Unfortunately, now it seems that our verification procedure has gone in the wrong direction and we are kind of stuck: we answered that our application supports only domain-wide installation and asked if we still need verification. This happened after the verification team complained that it can't install the application with a plain Gmail account, and we answered them that individual install is disabled. I guess at this step we should have provided them a test G Suite account instead, but I'm not sure, since we didn't get any hints on this. At that moment we didn't realise that we still need to proceed with verification to avoid the user cap and whitelisting each domain, and assumed that install would still work fine this way. After this we received yet another confirmation from the verification team that verification is not needed. Still, after more than a month, we received an email that our verification request is declined.

Since our previous request was rejected, we have resubmitted another one recently, but I believe that it has gone in the wrong direction again: our latest email from the verification team asks that all our current customer domain admins whitelist the application. But as I understand it, with our volume we need to properly pass the verification process.

So now I have the following questions:

- How shall we proceed with the proper verification process? We are receiving very standard replies, as if some robot is answering. I'm not sure how I can disregard the previous context (domain-wide application which is whitelisted by admins) and ask what to do to proceed with verification.
- What steps will be needed for verification in our case? Do we need to provide an enterprise G Suite account for the verification team to evaluate the application?
- Shall we still pass the security assessment if we don't provide our service to individual Gmail users? I mean, can we pass application verification but not pass the security assessment?

Elliott (Cloud Platform Support)

Jul 22, 2019, 7:41:13 PM7/22/19
to Google App Engine
Hello Ashley,

Please note that Google Groups are reserved for general Google Cloud Platform end-product discussions and not for technical issues, which is why I suggest contacting the Verification team to find out your next steps. You should have obtained their email address in the email about your unverified application.

Ashley Smith

Jul 23, 2019, 9:39:02 AM7/23/19
to Google App Engine
I see that multiple guys are asking questions here:


What's wrong with this one? I wouldn't have asked this question here if I could get quality feedback from the verification team (((

Harmit Rishi (Cloud Platform Support)

Jul 23, 2019, 2:04:44 PM7/23/19
to Google App Engine
Hello,

My understanding of your issue is that your application was previously sent for verification (in 2018) and passed. As the new calendar year was implemented for 2019, your team sent the verification application to the OAuth team once more. For reasons discussed in the email between your team and the OAuth team, the application was rejected. This resulted in another application being submitted to the OAuth team, which led to them asking for whitelisting on your end. Given the size of your operation, this seems not to be a viable option for you.

Based on my research into this, the following FAQ answer for the question "What happens if my app gets rejected from the verification process?" mentions that "if you believe your app’s use of restricted scopes is compliant with the Additional Requirements for Specific API Scopes and you want to reapply, do the following:

1. For a faster verification turnaround, ensure that your app complies with our policy. For more information, see What are the requirements for verification?
2. On the GCP Console OAuth consent screen page, register the restricted scopes you’re requesting access to and click Submit for Verification.

If your app had access to restricted scopes prior to January 1, 2019, the verification process opened on January 15, 2019 and closed on June 26, 2019. Apps that had not completed the process were rejected. When you reapply for verification, all required materials need to be resubmitted. The end-to-end timeframes will take several weeks."

For more information on how to streamline the verification process further, you may feel free to consult the FAQ page created by the OAuth team here.

In regards to what was discussed by Google Cloud Support so far on this thread, the OAuth process is handled by a completely different team. GCP support can only refer to the answers available on the FAQ page created by the OAuth team to help users with their issues with OAuth process. The communication for your specific use case would ultimately have to be directed to that team for further clarification.

Additionally, if you would like to submit some feedback about these OAuth policies and changes, you can always send them to the following no-reply email address: oauth-f...@google.com.

I hope this was of some help to you.
