How does the OAuth user cap work for apps which are Enterprise-only


Naresh Shenoy

Jul 14, 2021, 11:05:25 AM
to Google Cloud Developers
Hi,

I have an application which is supposed to be used only by users with a work email. I went through the OAuth verification process and there we were advised that we don't need a security assessment if we don't serve users with an @gmail.com email address. 

We were advised that we should publish an app on the Google Workspace Marketplace and make it available only for domain-wide install (disable individual install). We've done that as well. We ask users to install our app domain-wide before providing email and calendar permissions within the app. However, we don't have any way to confirm whether they have actually done that.

My questions are -

1. I got the below communication from the verification team yesterday - 

What happens when user tokens to my project are revoked?

Once your app has been rejected, existing user tokens will subsequently be revoked. This means both new and existing users will be subject to the unverified app screen. Sign-in with Google will be disabled for all users if the 100 user OAuth quota limit has been exceeded. 

Does this mean that even users who have domain-installed my app will not be able to log in if this cap is breached? Or does "all users" mean only users who have not installed my app domain-wide?


2. Let's say someone gives permission to my app even after seeing the "danger" screen. I'm assuming this user will count under the "Oauth user cap". If that user subsequently domain-installs my app, will the count reduce?

3. Is there any way for me to programmatically detect whether a user (or domain) has installed my application from the marketplace?

I would be very thankful if someone could provide answers to these questions.

Thanks,
Naresh
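
As an added example that is not part of this thread (and not Google's own code): the work-email requirement described above can be enforced at sign-in by inspecting the `hd` claim of the Google ID token, which Google sets only for accounts that belong to a Workspace (or Cloud organization) domain; consumer @gmail.com accounts carry no `hd` claim. The function below assumes the token's signature has already been verified (for example with `google.oauth2.id_token.verify_oauth2_token` from the google-auth library) and receives the decoded claims; the domain names and claim payloads are constructed samples. It only establishes whether the account is a Workspace account and whether its domain is one the operator has on record; it cannot tell whether the domain admin has actually installed the app from the Marketplace, which is the third question above.

```python
from __future__ import annotations
from dataclasses import dataclass

# Domains whose admin has confirmed a domain-wide install. Constructed sample
# values for this example; a real app would load these from its customer records.
ENROLLED_DOMAINS = {"example-customer.com"}


@dataclass(frozen=True)
class Decision:
    allowed: bool      # may the account proceed past sign-in?
    enrolled: bool     # is the account's hd domain one we have on record?
    reason: str        # human-readable explanation for the audit log


def classify_account(claims: dict, enrolled_domains: set[str] = ENROLLED_DOMAINS,
                     require_enrolled: bool = False) -> Decision:
    """Apply the 'work accounts only' policy to decoded Google ID-token claims.

    `claims` must come from a token whose signature has already been verified
    (assumption: e.g. google.oauth2.id_token.verify_oauth2_token). Google sets the
    `hd` claim only for Workspace / Cloud-organization accounts, so its absence
    identifies a consumer account such as @gmail.com.
    """
    email = str(claims.get("email", "")).lower()
    if not claims.get("email_verified", False):
        return Decision(False, False, f"{email!r}: email_verified is not true")

    hd = claims.get("hd")
    if not hd:
        return Decision(False, False, f"{email!r}: consumer account (no hd claim)")
    hd = str(hd).lower()

    # Defensive consistency check: the hd domain should be the email's domain.
    if email.rpartition("@")[2] != hd:
        return Decision(False, False, f"{email!r}: hd claim {hd!r} does not match email domain")

    enrolled = hd in {d.lower() for d in enrolled_domains}
    if not enrolled:
        # Per the thread, users from a domain whose admin has not allowed the
        # app still see the unverified-app screen and count toward the user cap,
        # so surface this state even if the operator chooses to admit them.
        return Decision(not require_enrolled, False,
                        f"{email!r}: Workspace account on non-enrolled domain {hd!r}")
    return Decision(True, True, f"{email!r}: Workspace account on enrolled domain {hd!r}")


# Constructed sample claim payloads (not real tokens).
SAMPLE_CONSUMER = {"email": "alice@gmail.com", "email_verified": True}
SAMPLE_ENROLLED = {"email": "bob@example-customer.com", "email_verified": True,
                   "hd": "example-customer.com"}
SAMPLE_OTHER_ORG = {"email": "carol@other-org.example", "email_verified": True,
                    "hd": "other-org.example"}
SAMPLE_MISMATCH = {"email": "dan@gmail.com", "email_verified": True,
                   "hd": "example-customer.com"}

if __name__ == "__main__":
    for sample in (SAMPLE_CONSUMER, SAMPLE_ENROLLED, SAMPLE_OTHER_ORG, SAMPLE_MISMATCH):
        d = classify_account(sample)
        print(f"allowed={d.allowed!s:5} enrolled={d.enrolled!s:5} {d.reason}")
```

Whether a Workspace account from a domain not on record is admitted (`require_enrolled=False`) or refused is an operator choice; either way the `enrolled=False` outcome is worth logging, because those are exactly the sign-ins that still see the unverified-app screen and consume the user quota.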

George (Cloud Platform Support)

Jul 15, 2021, 5:57:28 PM
to Google Cloud Developers
Hello, 

You should direct these questions at the verification team. This discussion group is oriented more towards general opinions, trends, and issues of a general nature touching App Engine and Cloud SQL. For coding and programming architecture, as well as OAuth user cap limits, you may be better served in dedicated forums such as stackoverflow, where experienced programmers are within reach and ready to help.

In general, you can skip the verification process if your app is solely built for Google Workspace customers and if the customers’ domain admin whitelists your app by completing the following steps:

- Make sure your project has User type set to External on the OAuth consent configuration page on Cloud Console.

- Ask your customers' domain admin to allow access to your app so that unverified app UI will not be shown to users on that domain. Note that Google Workspace administrators for those enterprise accounts can control which applications their users can access.

- Note that the following users will still experience the unverified app UI and eventually a user cap will be enforced:
      * Users trying to access the app from any domain that hasn’t explicitly whitelisted your app
      * Consumer users trying to authorize access to your app

If your application doesn’t fit the usage pattern in the preceding description, then you need to submit your application for verification. If you allow only enterprise accounts to use your app, be prepared to provide us with a sample enterprise account for verification purposes.
