OAuth Approval // Blocking Users

[Jesse McCabe]

Hello everyone!

I have an Add-on which required some sensitive scopes to be added to the permissions/consent screen.

When I published the application via the standard Chrome Web Store process it released the package, but existing users were required to re-auth the add-on.  Of course, the  OAuth Google team (who clearly does not work with add-ons very often) is having trouble approving the app.  They keep asking me for youtube videos from my website showing how users login via OAuth.

Anyone have any idea how to handle this?  I've seen over 5,000 errors reported this morning meaning that none of my users are able to use the add-on.

Thanks for you help.

[Alan Wells]

They have been doing that for a long time.  There is no "log-in."  The terminology they use I find confusing.  The "OAuth login" is the prompt that the user gets to accept the permissions needed.  At least that's my understanding.  I've never seen an official explanation of what they are really talking about.  In the past, I've provided a screen recording of the add-on going through the installation process, including an explanation of what each permission is used for.  I use Blueberry Software - Flashback Pro recorder for the screen recording.  That's the best value for the dollar that I've found.

I've never republished an older version of the Apps Script project, but if your add-on is unusable at this point, then you've got nothing to loose by trying.  It sounds like you don't have a current pending version, but it you did then you'd probably need to get that rejected in order to republish an older version.  You can update your add-on draft version without republishing it.  So, I'd update the draft version without publicly publishing it while waiting for your OAuth consent screen to be approved.  Of course that would be after you republish an older version if you are going to try to revert backwards.

I'm not sure if I'm giving you the perfect answer, but those are my ideas.

[Jesse McCabe]

I've reverted back to the previous version.  They won't review/approve the app if it's in draft because I think they don't see the scopes actually being used.  I'll just keep publishing and reverting until it goes through, I guess.

[Alan Wells]

The same thing just happened to me with the approval people asking for a YouTube video.  I created a video, with an explanation of the permissions that need to be authorized and emailed them back with the MP4 file, and posted it to YouTube.  It's time consuming and not exactly easy to do, but I try to give them what they want.  I figure that's my best option for keeping them happy and increasing my chances of getting approved. For the scopes that are very broad, like the ones that can delete all the users files of a certain type; it's good to assure the user of what the add-on will and won't do.  For example, my add-on will create a calendar event, and in order to do that I need to use the scope that can delete all their calendars, but I explicitly state that my add-on will never delete a calendar.

Again, for an add-on, the user doesn't really login via OAuth.  That's the terminology that they are using, but the installation handles that.  All the user does is click the "Allow" button.  And then the scopes are authorized.  For an "editor add-on" the user never sees the scope urls, or is prompted to login.

On Friday, July 12, 2019 Jesse McCabe wrote:

I've reverted back to the previous version.  They won't review/approve the app if it's in draft because I think they don't see the scopes actually being used.  I'll just keep publishing and reverting until it goes through, I guess.

[Jesse McCabe]

Thanks. I’ve uploaded many videos at this point. And have done everything they’ve requested. I understand how the scopes are related to the app and are not used as logging in.

My issue is that while sensitive scopes are being reviewed my users can not use the add on. The only way to get them to review my app is by submitting the app. They will not do it while it is in draft or unsubmitted status. In other words, I am caught in a catch-22.

Right now I am submitting the app at night and hoping they review while most of the American users are not at work. If they don’t, I just republish it with an earlier version.

[Alan Wells]

Here is the official google email address to give feedback on the OAuth review process:

oauth-f...@google.com

Originally posted in this group at:

https://groups.google.com/forum/#!searchin/google-apps-script-community/feedback%7Csort:date/google-apps-script-community/95vZ6BIjIe4/hhVbBlf7AAAJ

I would let them know what your situation is.

[Eric Koleda]

@Jesse, were you able to get through this review?

- Eric

[Jesse McCabe]

Yes, thank you!  The email you gave me helped...

Best,

--

Jesse McCabe

CEO, Solid Digital

o: 312-763-2310
c: 310-570-8738

Website: www.soliddigital.com

LinkedIn: www.linkedin.com/in/jessemccabe

Do you know your #DigitalValue?

--
You received this message because you are subscribed to a topic in the Google Groups "Google Apps Script Community" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/google-apps-script-community/UseoOy50FCY/unsubscribe.
To unsubscribe from this group and all its topics, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/81269dc2-5703-47f9-98c1-65c09cfbe550%40googlegroups.com.