If we move our server to google cloud, can we bypass the OAuth2.0 Verification Security Assessment?


Heavy Mod

May 16, 2019, 8:47:27 PM5/16/19
to Google Cloud Developers

We use OAuth2.0 to access restricted scope data - this means we need to go through a security assessment:

Security assessment

If your application is sending or has the ability to send Google user data from a Restricted Scope to remote servers, then our verification process requires that your app undergo a security assessment to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request. Depending on the scope and complexity of your app, the cost for the third-party assessment might vary from $15,000 to $75,000.


If we use GC servers, do we still need to complete this part of the Verification process?


PS: why won't Google Groups let me add a relevant tag - there is no OAuth tag, or gmail tag, etc.  Is there a better group to discuss these issues?

Heavy Mod

May 21, 2019, 4:03:10 PM5/21/19
to Google Cloud Developers
Is anyone here using OAuth2.0 restricted scopes?

Keith Fawcett

May 22, 2019, 1:00:17 PM5/22/19
to Google Cloud Developers
I'm struggling with the same question/concern about the 3rd party audit and it creating a huge barrier to entry. From what I've read, it seems the only way to bypass the audit is to use the app within a G Suite account. If you're building a SaaS-type business I think you'll need to be able to spin up separate instances for each customer, so their data is separated and not accessible by anyone other than the G Suite organization. 

Personal gmail appears to require the security audit. 

Heavy Mod

May 23, 2019, 1:30:33 AM5/23/19
to Google Cloud Developers


Ok, I was looking at: "The app is trying to access data from users' Google Cloud Platform project." I must have mis-remembered it to mean that GCP servers were considered secure and could bypass the security audit.

Are you aware of any forums where discussion of the OAuth2.0 verification process is discussed? It seems like a giant vacuum out there. StackExchange treats all these questions as non-technical and removes them. Google Developer Forum no longer exists, and directs people to StackExchange. GC Sales says these are technical questions, and refers me to Paid Support ( ... I'm trying to decide whether to pay for GC, so how would I have paid support for it? ). The official email account has replied to us once in the last month, and is saying they will start informing our customer base that we might be losing access to gmail... This whole thing is a clusterfrak. You'd think there would be _some_ kind of support for this. There are just so many questions:
  • Does this policy apply to IMAP that doesn't use OAuth2.0 ( or gmail API ) ? Why would I apply for OAuth2 Verification if I'm not using OAuth2 or Gmail API?
  • When creating the video, how do we demonstrate a restricted scope use that doesn't have a visual interface - we are just bouncing the email from the server to client?
  • What is the "Minimum Scope Policy" referenced here: https://support.google.com/cloud/answer/9110914#Verification-Process
    If your usage of IMAP/SMTP is deemed to violate the minimum scope policy within the verification process, you will need to migrate to using the Gmail API by September 15, 2019.
  • How is EXPLICIT USER-INITIATED ACTION defined? "Applications that send restricted scope data to a developer's or third party's servers without explicit user-initiated action will not be considered a local client."

This whole process is very frustrating.




Keith Fawcett

May 23, 2019, 2:45:27 PM5/23/19
to Google Cloud Developers
I've had just as many frustrating times as you and have been trying to parse all of the various pages of documentation to understand. I was not able to find any other official avenues that help with understanding.

Trying to boil all of it down -- If you're storing data on any "cloud server" outside of a G Suite Organization or not using the end user's local storage, then you need to go through verification. 

See this link's section about "when to go through verification". https://support.google.com/cloud/answer/7454865
See this link's section about "when can I skip submitting my app for verification". https://support.google.com/cloud/answer/9110914

As for IMAP and using standard credentials instead of OAuth2: I have also thought about this and it may be the only workaround, as long as it's not violating some Google policy that we are unaware of. 

Regards,
Keith

Heavy Mod

May 25, 2019, 5:03:10 AM5/25/19
to Google Cloud Developers
Yeah - I really would appreciate some clarification from Google. Is receiving data, manipulating it, and sending it back out "storing"? Nothing is kept on the server, although theoretically a hacked server could intercept mail ( although that is true of any gateway mail server ). I've read the links you provided many MANY times, but to cover my ass, I checked them again. There has been some new information added since I checked last. So thanks for linking that.

How has your interaction with
api-oauth-dev...@google.com been? I feel like I'm talking to a bot. A bot that hasn't replied in 20+ days.

Keith Fawcett

May 26, 2019, 2:34:30 PM5/26/19
to Google Cloud Developers
Yes, they are VERY slow to respond. It typically takes 10+ days between each email. It's painful dealing with them. 

Ying Li

May 27, 2019, 6:57:26 PM5/27/19
to Google Cloud Developers
I understand your pain. Unfortunately, it's a long process and that team is the only team with access to the assessment. Your best and only chance is to reply to that email and follow any instructions given to speed up the process. Even paid support can't help you; we would just be contacting them via email exactly as you have been doing. These processes do eventually come to their conclusion, it just takes time.

Heavy Mod

May 27, 2019, 10:18:48 PM5/27/19
to Google Cloud Developers
Having to wait 20+ days and running just to get a question answered is pretty silly. Many of these are generic questions which aren't specific to the assessment. They have to do with clarifying Google's language, and general follow-up questions to the new rules Google has created.

Having a discussion board with some participation from that team, to answer even the occasional question, would make such a difference. For example, whether we can use traditional IMAP moving forward ( no OAuth / no Google API ) - I've seen that question in practically every online discussion.

It is difficult to accept how slow this is going because 

1) There are two separate, Google imposed, deadlines looming. Neither of these seem to take into account how slow this process is.

2) Google is going to be actively informing our user base that they might not be able to use Gmail. This creates unnecessary panic with our user base. I can see using this tactic to pressure people to get verified - but again, it doesn't take into account how deliberately slow this process is. I don't see what purpose it serves, except to panic users, developers, and clients.

3) Google is a massive corporation, with extensive resources, and they could speed up this process if they wanted to. Heck, a team member spending an hour a week answering questions in a forum would be a game changer. Apparently, the OAuth2.0 tag is being monitored by the OAuth team on stackexchange - but nowhere else I'm aware of. Unfortunately, questions about the new rules are either ignored, or the questions are closed for not being "technical" questions.

I just can't wrap my head around why Google has set it up this way.

Harmit Rishi (Cloud Platform Support)

Jun 5, 2019, 6:24:16 PM6/5/19
to google-c...@googlegroups.com
I looked into it and as Ying has mentioned, this process takes some time. You may feel free to provide your feedback to the team with the following email: oauth-feedback@google.com. However, note that there will be no response with this email. 

Additionally, if you have reason to believe that your request has not been processed correctly, you may file a private issue on our issue tracker here. I would like to mention that before you take this action, it would be a good idea to check any spam folders or filters that may be hiding the email responses from the OAuth Team.

Heavy Mod

Jun 5, 2019, 11:29:09 PM6/5/19
to Google Cloud Developers
I'm not sure why you both say this process "takes some time". Answering email doesn't take much time. Sure, I can see how the verification process itself might take some time - but I'm not talking about that. I'm talking about submitting 5 questions and a video, hearing nothing for 20+ days.

Then when I receive a reply, they comment on the video, and ignore all the other questions. That goes beyond "takes some time", and gets into massive under-staffing, or a decision to keep people from working with the gmail API. Google has even made it hard to discuss these issues! Where is an OAuth tag? Where is the OAuth group? Why can't we get some very simple, generic questions answered?

Everyone needs to know if traditional IMAP connections ( do not use OAuth, do not use gmail API ) are still going to be allowed. This has been asked and discussed since the day the new security requirements were announced. Where is the support from google in answering these very basic questions?




Yasser Karout

Jun 6, 2019, 2:22:29 PM6/6/19
to Google Cloud Developers
This section of the FAQ's [1] might address your question about IMAP. For further inquiries, the best way to get an accurate answer is by replying to their email as others have mentioned.

Heavy Mod

Jun 6, 2019, 4:34:08 PM6/6/19
to Google Cloud Developers


On Thursday, June 6, 2019 at 11:22:29 AM UTC-7, Yasser Karout wrote:
> This section of the FAQ's [1] might address your question about IMAP. For further inquiries, the best way to get an accurate answer is by replying to their email as others have mentioned.


Yes, and as I have explained - I have been in contact by replying to their email, and it has been almost 30 days since I sent these questions. I have followed up multiple times, and they have replied to a video submission, but ignored the 6 questions that came with it. I am not ignoring the advice given here, but rather following exactly what I have been asked to do, and the requirements as I understand them.


> Yes, because IMAP and SMTP usage require using https://mail.google.com/, you will need to submit your app for the restricted scope verification. If your usage of IMAP/SMTP is deemed to violate the minimum scope policy within the verification process, you will need to migrate to using the Gmail API by September 15, 2019.

 
I have read the above section you mentioned multiple times. This appears to apply to OAuth verification and restricted scopes. What if we aren't using OAuth at all - just a traditional IMAP connection? Will we be violating Google policy? This is a critical question because it determines whether or not many apps will continue to exist into 2020. The majority of people who use IMAP in their apps aren't going to be able to afford ( or even pass ) the $50,000 security review that is required.

I also find the last line confusing. What does it mean to "violate the minimum scope policy within the verification process". Does this suggest that if we do access the restricted scopes, but fail the verification process, we need to migrate to the Gmail API? The Gmail API has the exact same requirements as OAuth2.0. Am I misunderstanding this? Can we just use the Gmail API and somehow bypass the verification process?








Nicolas (Google Cloud Platform Support)

Jun 7, 2019, 8:00:34 PM6/7/19
to Google Cloud Developers

Hi,


Thanks for your reply. I understand that you would like clarification about the minimum scope policy within the verification process and also would like to discuss the progress of your OAuth verification.


To clarify your first question: indeed yes, using a traditional IMAP connection will still require your app to go through the verification process, as this would require using https://mail.google.com/.


Additionally, as the FAQ states “If your usage of IMAP/SMTP is deemed to violate the minimum scope policy within the verification process, you will need to migrate to using the Gmail API by September 15, 2019”


Also please note that using the Gmail API would not allow you to skip the verification process.


For more information about what can constitute a violation of the policy you can refer to this FAQ


Also I’ve opened a channel of communication that you can access here to discuss this process.


Thanks for your understanding!
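The technical point underneath this whole thread is that an OAuth-authenticated IMAP or SMTP login to Gmail uses SASL XOAUTH2 with a token granted the full `https://mail.google.com/` scope, which is why the FAQ ties IMAP/SMTP to the restricted-scope verification. The following is an added example, not code from any participant in the thread and not Google's own library code. It builds the XOAUTH2 initial client response in the documented `user=<addr>\x01auth=Bearer <token>\x01\x01` form, parses one back (what a server or a packet capture would see), and checks the token's granted scope list before attempting the login so that a missing scope is reported as such rather than as an opaque IMAP authentication failure. The token values and scope strings below are constructed samples, not real credentials; `imap_login_xoauth2` assumes you already opened an `imaplib.IMAP4_SSL` connection to `imap.gmail.com` yourself.

```python
import base64
import imaplib

# Scope Gmail's IMAP/SMTP endpoints require for an XOAUTH2 login
# (a restricted scope, hence the verification requirement discussed above).
FULL_MAIL_SCOPE = "https://mail.google.com/"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 initial client response, before base64 encoding:
    'user=<address>\\x01auth=Bearer <token>\\x01\\x01'."""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01"


def xoauth2_b64(user: str, access_token: str) -> str:
    """Base64 form, i.e. the literal the client sends after 'AUTHENTICATE XOAUTH2'."""
    raw = xoauth2_initial_response(user, access_token).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def parse_xoauth2(b64_response: str) -> tuple[str, str]:
    """Inverse of xoauth2_b64: recover (user, bearer token) from the wire form.
    Useful when inspecting a capture or a server-side auth log."""
    raw = base64.b64decode(b64_response).decode("utf-8")
    parts = [p for p in raw.strip("\x01").split("\x01") if p]
    fields = dict(part.split("=", 1) for part in parts)
    token = fields["auth"]
    if token.startswith("Bearer "):
        token = token[len("Bearer "):]
    return fields["user"], token


def token_has_full_mail_scope(scope_field: str) -> bool:
    """scope_field is the space-separated 'scope' value that comes back with
    a token (or from Google's tokeninfo endpoint)."""
    return FULL_MAIL_SCOPE in scope_field.split()


def imap_login_xoauth2(conn: imaplib.IMAP4, user: str, access_token: str,
                       granted_scopes: str):
    """Authenticate an already-opened IMAP connection with XOAUTH2, after
    confirming the token actually carries the scope IMAP needs."""
    if not token_has_full_mail_scope(granted_scopes):
        raise PermissionError(
            f"token lacks {FULL_MAIL_SCOPE}; Gmail IMAP/SMTP logins need it")
    # imaplib base64-encodes whatever bytes the authobject returns, so hand it
    # the raw (un-encoded) XOAUTH2 string.
    return conn.authenticate(
        "XOAUTH2",
        lambda _challenge: xoauth2_initial_response(user, access_token).encode("utf-8"),
    )


if __name__ == "__main__":
    # Constructed token responses (hypothetical values, not real tokens).
    full = {"access_token": "ya29.EXAMPLE-FULL",
            "scope": "https://mail.google.com/ openid email"}
    narrow = {"access_token": "ya29.EXAMPLE-NARROW",
              "scope": "https://www.googleapis.com/auth/gmail.send"}

    wire = xoauth2_b64("user@example.com", full["access_token"])
    print("wire form:", wire)
    print("parsed back:", parse_xoauth2(wire))
    print("full token usable for IMAP:", token_has_full_mail_scope(full["scope"]))
    print("narrow token usable for IMAP:", token_has_full_mail_scope(narrow["scope"]))
```

The scope check is deliberately done client-side before any network call: a token obtained with only a narrower Gmail API scope will be rejected by the IMAP server, and without the check that failure is indistinguishable from a bad or expired token.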

