I've thought a lot about add-ons with restricted scopes and avoiding security assessments. And I think I have a possible workaround, but it will require massive buy-in from end users, so it's probably not going to be viable.
So here's the basic idea. Extract code that uses restricted scopes into a series of CRUD (Create, Read, Update, Delete) operations to form the equivalent of a custom API. Provide this code publicly and free-of-charge to end-users with instructions on how to deploy it as an API Executable and how to generate OAuth2 refresh tokens specific to their accounts. When end-users install an add-on they will be asked to provide the refresh token of their custom API, which the add-on will then leverage to make calls against the API executable.
IF the Add-on uses a restricted scope AND accesses an external service with a call to UrlFetch.fetch() THEN you need a security assessment (unless it is private, has less than 100 users, etc.) ELSE you just need Google verification?
“...if the app accesses or has the capability to access Google user data from or through a server, the system must undergo an independent (3P) security assessment.”
Which ties in with what Romain has said about how basically they don't want your Add-on to be able to take user data and send it to a third-party server.
--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/028e73ec-96c9-4e59-ad09-b2d56c0f4a88%40googlegroups.com.
Can we send user data somewhere through the client? And not need the $15,000 security assessment? That's what I want to know. Firebase can work totally through a client side script, correct?