Help with OAuth and service accounts needed


Marc Pedri

Dec 20, 2021, 6:09:05 PM
to Google Cloud Developers
Hello,
Looking for some help here.

We have developed an analytics platform, which connects through Google login (OAuth) to Google, to retrieve the Google project information (read only) and furthermore retrieve the intents from each Dialogflow agent associated with the Google project (read only) to generate statistics for the owner of this project.

Something like Google Analytics but for chatbots.

We need some help to understand what we are doing wrong, to get through the OAuth verification process.

Another provider used even more sensitive scopes and got it approved:

The feedback we got from google is:

1. Create a service account to represent your service and to access data from your users’ Google Cloud Platform project

2. Instruct your customers to grant your service account appropriate access to their Cloud data via IAM Policies


As our application is a SaaS application, we cannot ask every single user to manually grant us access.

Please, what are we doing differently from the other provider who has even more sensitive scopes approved and is not asking each single customer to grant permissions via IAM policies?
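
What the per-project grant in Google's feedback amounts to on the customer side, as an added example that is not part of the original post: a read-modify-write of the project's IAM policy that adds the vendor's service account to read-only roles and refuses anything broader. The service account e-mail, the sample policy, and the choice of `roles/dialogflow.reader` and `roles/browser` as the read-only roles are assumptions.

```python
import copy

# Assumptions (not from the thread): the service account e-mail below and the
# choice of these two predefined roles as the read-only access the app needs.
ALLOWED_ROLES = {"roles/dialogflow.reader", "roles/browser"}


def grant_read_only(policy, service_account_email, roles):
    """Return a copy of an IAM policy with the service account added to `roles`.

    `policy` has the shape returned by projects.getIamPolicy. The etag is kept
    so that setIamPolicy can reject the write if the policy changed meanwhile.
    """
    refused = set(roles) - ALLOWED_ROLES
    if refused:
        raise ValueError(f"not a read-only role: {sorted(refused)}")
    member = f"serviceAccount:{service_account_email}"
    updated = copy.deepcopy(policy)
    bindings = updated.setdefault("bindings", [])
    for role in sorted(roles):
        # Reuse only unconditional bindings; conditional ones are left alone.
        binding = next((b for b in bindings
                        if b["role"] == role and "condition" not in b), None)
        if binding is None:
            bindings.append({"role": role, "members": [member]})
        elif member not in binding["members"]:
            binding["members"].append(member)
    return updated


def roles_held_by(policy, service_account_email):
    """List every role the service account holds, for auditing the grant."""
    member = f"serviceAccount:{service_account_email}"
    return sorted({b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", [])})


# Constructed sample policy for a customer project (not real data).
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXexampleEtag=",
    "bindings": [
        {"role": "roles/owner", "members": ["user:owner@customer.example"]},
        {"role": "roles/browser", "members": ["user:auditor@customer.example"]},
    ],
}
SA = "analytics-reader@vendor-project.iam.gserviceaccount.com"  # hypothetical

if __name__ == "__main__":
    new_policy = grant_read_only(SAMPLE_POLICY, SA, ALLOWED_ROLES)
    print(roles_held_by(new_policy, SA))
```
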

Horace (Cloud Platform Support)

Dec 22, 2021, 3:55:02 AM
to Google Cloud Developers

Hello,

With regards to the verification, it does follow a very specific set of guidelines [1] and your app’s behaviour might be incompatible with the guidelines. 

Do note that the Trust and Safety team (which does the approval) is a completely separate team from the Google Cloud Platform Support and we do not have any way of communicating with them directly, nor can we facilitate or influence the review process. The only way to communicate with the T&S API Team is replying through the emails you receive from them. It is best to send them feedback at the email ‘oauth-f...@google.com’ [2], explaining the nature of your use case.

Sincerely,

[1] https://support.google.com/cloud/answer/9110914

[2] https://support.google.com/cloud/answer/9110914?hl=en#:~:text=remediate%20my%20vulnerabilities%3F-,Feedback,-How%20can%20I

Marc Pedri

Dec 26, 2021, 12:37:14 PM
to Google Cloud Developers
Thank you, Horace, for your response.

I did, and this is the answer I got from the security team:

------------------------------------------------------------------
Hi,

Dear Developer,

Thank you for your response.

Unfortunately, we are unable to provide support for issues of OAuth verification.

Please note that Google participates in community discussion groups and mailing lists that can help you find answers or troubleshoot problems.

We strongly recommend that you submit a question via any of the below third-party community discussion groups and/or mailing lists:

You can find more information in the OAuth Application Verification FAQ. Please reply directly to this email to continue with the verification process. Any new emails sent to api-oauth-dev-verification (at) google.com won't go to our team.

Thanks,

The Google Cloud Trust & Safety Team

------------------------------------------------------------------

So here I am, hoping to find someone with more expertise than mine, to really understand the difference between those two implementations and how we can achieve the same.

Any help is highly appreciated!!!!

And merry Christmas to everyone!

Jorge Sierra

Dec 27, 2021, 5:47:12 AM
to Google Cloud Developers
Just a suggestion, my app got approved some time ago.
I recommend using the minimum scopes...

import 'package:google_sign_in/google_sign_in.dart';

// Request only the scopes the app needs at sign-in.
final GoogleSignIn googleSignIn = GoogleSignIn(scopes: <String>[
  //'email',
  'profile',
  //'https://www.googleapis.com/auth/userinfo.email', // ?
  // this asks for contacts, I don't need contacts
  //'https://www.googleapis.com/auth/contacts.readonly',
]);

...and when you are approved... ask for more scopes...

