Re: Question about GMail Restricted Scopes

[DimuDesigns]

Those are probably add-ons released prior to Google revamping their User Data Policy (which was sometime around 2018/2019, editor add-ons have been around since 2015).

There was a time when Google would handle add-on verification on a case-by-case basis, where if a developer could sufficiently prove their apps were safe for end users, most any scope would be approved. Those days are over thanks to government driven policies and legislation such as the EU's GDPR or California's CCPA, especially since Google had to fork out millions in fines.

I suspect some of the developers of those add-ons have probably been notified and granted a grace period in which to update their apps (probably extended due to Covid). Those with apps that are reputable and in good standing are probably given even more leeway. Not all devs are granted that courtesy though, I've seen some developer's reporting that their add-ons have been outright disabled with little or no discourse with Google (but there have been bad actors, so Google has to clean house).

Feel free to try your luck though. If at all possible try to use non-restricted scopes. Make sure to read Google's OAuth API Verification FAQ in depth.

But, if your app stores user data on a remote server expect that to trigger a security assessment. I don't think you can work around that one.

On Thursday, March 2, 2023 at 1:27:10 AM UTC-5 Ivelin I wrote:

Hello, I have a question about the Gmail restricted scopes and the security assessment. Specifically the  https://www.googleapis.com/auth/gmail.addons.current.message.readonly scope. Which is a restricted scope. 

I see that a lot of add ons are using it, but in my mind I can't imagine that all of them have undergone a security assessment. How is it possible that so many add ons are using restricted Gmail scopes?

Thank you!

[Romain Vialard]

https://www.googleapis.com/auth/gmail.addons.current.message.readonly is not a restricted scope as far as I know.

Here's the list of restricted Gmail scopes:

https://support.google.com/cloud/answer/9110914?hl=en#zippy=%2Cwhat-are-restricted-api-scopes

• https://mail.google.com/ (includes any usage of REST, IMAP, SMTP, and POP3 protocols)
• https://www.googleapis.com/auth/gmail.readonly
• https://www.googleapis.com/auth/gmail.metadata
• https://www.googleapis.com/auth/gmail.modify
• https://www.googleapis.com/auth/gmail.insert
• https://www.googleapis.com/auth/gmail.compose
• https://www.googleapis.com/auth/gmail.settings.basic
• https://www.googleapis.com/auth/gmail.settings.sharing

Old add-ons had a grace period, but long gone.

All add-ons / apps using the scopes mentioned above had to go through the security assessment.

Note that the security assessment has evolved. Before you had to pay. Now you don't in most cases (CASA Tier 2 assessment).

https://support.google.com/cloud/answer/9110914?hl=en#zippy=%2Csecurity-assessment

https://appdefensealliance.dev/casa/casa-tiering?hl=en

[DimuDesigns]

Oh...that's new! I've read some stuff about tiers before but I've never seen any official documentation that goes into it in depth until now! Thanks for the reference links Romain!

[Darren D'Mello]

Thanks Romain, This is interesting.

--
You received this message because you are subscribed to the Google Groups "Google Apps Script Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to google-apps-script-c...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/google-apps-script-community/915e2704-4688-4d05-a44e-0b2b03ed72adn%40googlegroups.com.

--

Best,

Darren