OAuth - App re-verification on scope addition


Nitish Kumar Sinha

Apr 23, 2021, 11:46:27 AM
to Google Cloud Developers
Hi,

I have an App which we are using in production currently, and now we need to add a new scope (https://www.googleapis.com/auth/gmail.send) to it, which is a sensitive one. For this we need to apply for verification, and I am confused about the steps to do it.
The documentation says:
  • Show that the OAuth Consent Screen correctly displays the App Name.
  • Show that the URL bar of the OAuth Consent Screen correctly includes your app’s Client ID.
If my App is currently in production how can I add a sensitive scope to it and create a video?
Is there any way to create a video without taking my App off production in this scenario?

Thanks,
Nitish


Alan Wells

Apr 26, 2021, 11:13:08 AM
to Google Cloud Developers
What type of app is it?
There is a difference between the OAuth consent screen settings and your app publication settings.
I believe that you can change/add a scope in the OAuth consent screen, and have it pending approval,
and still have the currently approved list of scopes in effect.
The problem is, if you change a scope and a version number in your publication settings, and save the new settings,
then your live app would probably have a problem authorizing new users, or maybe worse.
If you change your production code file to add the new scope, and have a way to run/test the app without changing your
publication settings in the GCP console, then the app being run in testing/development should ask for the new scope,
and then you can use that to "show" the new permission request.
They often ask for a YouTube video showing the OAuth client ID in the prompt that asks the user to accept the permissions requests.
My experience with getting OAuth scope approvals is with Google Add-ons published to the Workspace Marketplace, so I don't know if my experience is the same as yours.

Nitish Kumar Sinha

Apr 29, 2021, 2:41:44 AM
to Google Cloud Developers
Thanks for the response.

It's a normal OAuth App.
The problem is not adding new scope pending approval.
It is when I need to create a video after adding a sensitive scope to the already existing production App. It seems to be a vicious cycle. I can't create a video unless this scope is added to the production App, and on the other hand the App will be available for video only in the testing environment on adding this scope.
This means I have to pull my App out of production each time I add a new sensitive/restrictive scope.

Roger Chao Espinalt

May 3, 2021, 9:42:31 AM
to Google Cloud Developers
Hello,

From what I can see in the documentation [1], you have to prepare a video that fully demonstrates the OAuth grant process by users and shows, in detail, the usage of sensitive scopes in the app. 

This means you just have to showcase, possibly in a testing environment, how the sensitive scope would be used. The video has to follow certain guidelines:
  1. Show the OAuth grant process that users will experience, in English (the consent flow, and, if you use Google Sign-in, the sign-in flow).
     • Show that the OAuth Consent Screen correctly displays the App Name.
     • Show that the URL bar of the OAuth Consent Screen correctly includes your app’s Client ID. (Not applicable for native Android and iOS apps.)
  2. Show how the data will be used by demonstrating the functionality enabled by each sensitive and restricted scope you request.
From what I understand, there is no immediate need of pulling your application from production to perform this showcase, as you can record the required video in an environment safe for your product to make sure that it follows all the steps mentioned above.
_____________________________________________
[1] -
On Thursday, April 29, 2021 at 8:41:44 UTC+2, nitis...@tracxn.com wrote:

Niklas Therning

Jul 28, 2021, 5:22:42 AM
to Google Cloud Developers
Hi Nitish,

We're having the same chicken-and-egg problem. We need to add a restrictive scope to our existing production consent screen, but are stuck on creating the verification video which showcases the use of the new scope as we cannot use it until we have been verified. How did you go about resolving this issue?

Regards,
Niklas