Some questions about OAuth consent screen


Jose Pe Linares

Aug 27, 2019, 6:44:54 AM
to Google Apps Script Community
https://support.google.com/cloud/answer/7454865?hl=en

It says:

"When the scopes requested in your app code differ from the scopes requested in your OAuth consent screen configuration page, your users see an "unverified app" screen. Make sure that scopes you request in your app are the same as what's in your OAuth consent screen."

My question is: My web app is running "as me" and everybody can access it. My app has many scopes, but they are basically for my resources (Drive, Classroom...); I don't want to access these scopes on the user's resources. From the user who accesses the app I only want to know basic info like email.

Am I going to have trouble with it? I mean, does Google know that the scopes that are required in the project but that I don't ask for in the consent screen are for my resources, and that the ones requested in the consent screen are for the user who accesses the app?

Thank you people.

Alan Wells

Aug 27, 2019, 9:41:34 AM
to Google Apps Script Community
It seems that you have published your Web App as:

Execute the app as: ME
Who has access to the app: Anyone

There is also the option of: Who has access to the app: Anyone, even anonymous

If you are using the option of Who has access to the app: Anyone

Then your users still need to sign in.

If the app is running as:
Execute the app as: ME

Then the Web App can't access the user's account.
Are your users getting the message:

This application was created by another user, not by Google.

You can submit your project, through the Google Cloud Platform, for verification.  But you need to consider the costs and benefits of going through that process.

I believe that the msg:
This application was created by another user, not by Google.

is still being displayed for unverified projects, even if you are the only person using the web app, in your account.

I think that you might be able to avoid having that message displayed if you embed your web app into a Google Site.  You could try that.

If you want to avoid any warning messages from Google, and because your web app is for public use, you would need to have a "standard" GCP project associated with the Apps Script project, and be verified for the OAuth scopes.

But going through the verification process could be a lot of time and effort.  Your decision to go through the verification process may depend on how annoying the:
This application was created by another user, not by Google.
message is to you or your users.

Jose Pe Linares

Aug 27, 2019, 12:22:45 PM
to Google Apps Script Community
Thank you Alan, glad of your help.

Execute the app as: ME
Who has access to the app: Anyone

That is correct.

Unverified apps have some other problems, not only aesthetic ones: they have some kind of quota (something like 100 executions per day, not sure). And there are some advantages that I want to take, like userinfo (get the Gmail address); I need this because I need to know it to let users enter or not (now I do it with a user/pass form).

You can see the project/scopes of the app in the image. Because the app is running "as me", the script can work with some calcs, words (even Classroom courses) of my account. All are needed for my app, but all of them only use my account/resources; I don't need them for the Gmail/user that executes the app (he uses my resources).

When this

"Execute the app as: ME
Who has access to the app: Anyone"

script executes "Session.getActiveUser().getEmail()" with me running it, the script gets my email, but if you run it, it gets a "you don't have permission to get it". Then... I suppose that if I have OAuth consent the script would get those permissions..., but then... what happens with the other scopes of the app? Do they stay as my account-only scopes?

It is difficult to understand what the behavior is, because it is a kind of mess of users/scopes. If anyone can help me...
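
The email-based entry check this post describes, as an added example that is not part of the original thread: a web app deployed as "Execute the app as: Me" reads the visitor's address with Session.getActiveUser().getEmail() and fails closed when the address comes back empty or the call throws. ALLOWED_EMAILS and decideAccess are hypothetical names, and the addresses are constructed sample values.

```javascript
// Added example, not code from the thread. ALLOWED_EMAILS and decideAccess
// are hypothetical names; the addresses are constructed sample values.
const ALLOWED_EMAILS = ['teacher@example.com', 'student1@example.com'];

// Decide whether a visitor may enter, given the email the platform reported.
// An empty or missing email means the script could not see who the visitor
// is, so the decision is "deny", never "anonymous but allowed".
function decideAccess(rawEmail, allowlist) {
  const email = String(rawEmail == null ? '' : rawEmail).trim().toLowerCase();
  if (email === '') {
    return { allowed: false, reason: 'identity-unavailable', email: '' };
  }
  const known = allowlist.some(function (entry) {
    return entry.trim().toLowerCase() === email;
  });
  return known
    ? { allowed: true, reason: 'allowlisted', email: email }
    : { allowed: false, reason: 'not-allowlisted', email: email };
}

// Web app entry point; Session and ContentService exist only inside Apps Script.
function doGet(e) {
  let reported = '';
  try {
    reported = Session.getActiveUser().getEmail();
  } catch (err) {
    reported = ''; // a permission error is handled like an unknown visitor
  }
  const decision = decideAccess(reported, ALLOWED_EMAILS);
  // Plain-text output, so the reported address is never interpreted as HTML.
  return ContentService.createTextOutput(
    decision.allowed ? 'Welcome, ' + decision.email
                     : 'Access denied (' + decision.reason + ')');
}
```

The decision logic is kept in a plain function so it can be tested outside Apps Script; only doGet touches the platform services.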

Alan Wells

Aug 27, 2019, 8:01:53 PM
to Google Apps Script Community
I believe that you can only have 100 total users authorize a project to access their account if it's not verified.  I don't think the verification has anything to do with how many times it runs in one day.  You may need to do some testing if you don't get an authoritative answer.  I don't publish Web Apps with the setting Who has access to the app: Anyone, so I don't have any direct experience.