You did not request verification for these restricted scopes in the OAuth Consent screen

[Alan Wells]

I received an email from:

api-oauth-dev...@google.com

stating that I did not request verification for a restricted scope.  They email states that I'm using the scope:

https://mail.google.com/

The Auth verification department has their information wrong.  I am NOT using the restricted scope that they say that I'm using, and I definitely DID request verification. 

However, I did find a problem, and realized something.  The problem is, that one of the scopes listed in the G Suite Marketplace SDK configuration doesn't match a scope in the Google Cloud Platform - APIs & Services - Credentials.

Scopes are listed in 2 different places:

• Google Cloud Platform - APIs & Services - Credentials
• Google Cloud Platform - G Suite Marketplace SDK - APIs & Services - Credentials

Those are two very similar but different sections.  Again, the Google Cloud Platform asks for the scopes that your project is using, in two different places.   If you changed a scope in one section, and didn't make the change in the other section, then you'll have mismatched scope information.

What I know for sure, is that the email that I received from the auth verification department is wrong.  My Apps Script project is NOT using a sensitive scope, and there are no sensitive scope listed in either of the Credential sections.  But, I did find a problem with the scopes in the two Credential sections not matching.

I had changed a scope from:

https://www.googleapis.com/auth/forms

TO:

https://www.googleapis.com/auth/forms.currentonly

and I updated that scope change in the G Suite SDK Credentials section, but I had not updated it in the Google Cloud Platform - APIs & Services - Credentials section.  So, maybe, that is what triggered the email from the auth verification department.  All I can do is guess.

My suggestion, is that you check both of the Credential sections, and make sure that the list of scopes matches, and that the Credential sections match the scopes in your Apps Script project.

[Alan Wells]

What you need to understand, is that for an add-on, you need to manually list your scopes is 3 different places.

1. appsscript.json - manifest file

1. Google Cloud Platform - APIs & Services - Credentials
2. Google Cloud Platform - G Suite Marketplace SDK - APIs & Services - Credentials

You can NOT avoid using the appsscript.json - manifest file if your code sends an email, because the default scope is a sensitive scope.  (Unless you want to pay $15,000 to $75,000 dollars EVERY TIME that you publish a new version of your add-on)

You can not avoid listing your scopes in the G Suite Marketplace SDK - APIs & Services - Credentials, because you must use the G Suite Marketplace SDK to publish the add-on, and it must be configured properly.

You can not avoid listing your scopes in the Google Cloud Platform - APIs & Services - Credentials section, because you probably don't want the warning message that your add-on is unsafe, and be restricted to 100 accounts installing your add-on.

So, your scopes must be set in 3 separate places, and make sure they match.

[Faustino Rodriguez]

thanks @AJ for sharing your painful experiences

- I am about to embark in a scope change for a published add-on

- And the more I learn, the less I know

Find below some suggestions I got from the add-on-curator

I would recommend the following:

1- update the add-on script code with new limited scope and Publish (Deploy) it

(this step might take a few minutes or hours for approval)

2- update the scopes in the G Suite Marketplace SDK configuration and publish it

3- update the scopes in GCP OAuth consent screen and submit for Verification

(this step usually take a few days or even weeks for approval)

The change for users should be transparent. When the scope list changes for the new version then users will be asked to accept again the scope list.

Then I asked:

Could you please, also confirm that

- in the time between #1 deploy the add-on and verification granted after #3

- the users (current or new) will not get the "Unverified app screen" when authorizing?

And their reply was as follow:

This should not be a problem since we will only approve the new version with the new scopes when the Oauth verification has been granted.

When the new version is approved users will only be prompted in order to update and re approve the list of scopes but no warning message should be displayed to them.

[Eric Koleda]

If you are having trouble with the review process, please send an email to oauth-f...@google.com. The folks running the program monitor that mailing list and are interested in finding ways to make the process clearer.

- Eric