We are having trouble with the Google Consent Screen (oauth2) where the scopes we are requesting aren't ticked automatically.
This is leading to users telling us that they have given permission, but they actually haven't as they weren't aware they needed to tick the boxes in order to give permission.
Is there a way to have these checkboxes pre-ticked? Or perhaps not allow users to tick/untick them? Just give users the option to accept or not?
Thank you!
We are having the same issue here. As a temporary solution we reduced the amount of the scopes (checkboxes) to only one https://www.googleapis.com/auth/drive, which is enough to view/create files in drive (didn't test deletion/update though).
Related
I keep getting this rejection from Google Store and while I've tried adding many different clauses to the privacy policy, the rejection never was fixed. If someone can help me out please that would be great.
Your app is uploading the list of installed application so that needs to be disclosed in the Privacy Policy. In addition, a prominent disclosure / notice to get consent from users on your data collection is required.
Examples of prominent disclosures / notices:
Credits for screenshots: TermsFeed
Our company has changed to a new google account due to rebranding. We've created new project, OAuth consent screen and a client. Since then, our users presented with, what I call, multiple consent screen. They have to click on every single permission popup separately and then submit the summary page This is annoying. Previously, there was one page with all the scopes/permissions on it only. Examples attached:
Before:
After:
Does anybody know what's going on and how to switch it back?
Thank you
There was an announcement from Google. It's the change they made.
https://developers.googleblog.com/2018/10/more-granular-google-account.html
We will show each permission that an app requests one at a time, within its own dialog, instead of presenting all permissions in a single dialog*. Users will have the ability to grant or deny permissions individually.
I've been waiting for Google to verify my OAuth consent screen for several months. This means that my functionality is restricted. The message that I am getting on the admin panel is...
Your consent screen is being verified. This may take up to several
days. Your last approved consent screen is still in use.
Is there some way of following this up or checking for any issues with my application?
I would recommend to contact G Suite Support with the G Suite APIs team, they can help you to speed up the verification process. You can check this article https://support.google.com/cloud/answer/9110914?hl=en for more information.
There has been some changes and categorized new scopes as restricted or sensitive, also if you add, remove or update any scope within your consent screen you will be asked for a new verification process.
The verification process should not take months. The G Suite API team will help you to find the best solution since they have the chance to contact the Trust and safety team who will review your verification.
For a faster verification, ensure that your app complies with our policy. For more information, see https://support.google.com/cloud/answer/9110914?hl=en#verification-requirements. And provide with all possible information like videos using your application, things like that.
An Customer ask me to implement it at his Webpage, because he don't have the technical Skills to do so.
I wonder, what's the right way to do this.
On other Google-Services (like Google Search Console) the User can sign into his account and grant me permissions as Guest (he invite me as guest to his account and gave me permissions).
This is a clean way to do, because If I stop working for this customer, he can easily remove the permissions of my login and all is fine.
But how does it work at Google ReCaptcha?
Looking forward to hear, how you solve this.
it better to use the user's credentials for this purpose, just take client's primary or secondary email (or create a email for the project) and make it base for everything that's needed for your project like recatcha, search-console etc. you can use it as long as you are working, and client can simply change n give the credentials to next developer and he can continue.
i am web developer and i face this situation many times, this is best solution in my opinion.
Let us say I have multiple users. They all have items linked to their account. They can CRUD those items.
What is the best way to prevent users from manipulating items from each other.
At first I thought the antiforgerytoken would help. But it does not because when the users look at their control panel they get a valid token. So they could just open firebug and do some post requests to delete items.
While writing this I think I know what I should do. I guess I should just check on the server if the user is deleting his items.
Did I forget anything which would still make it possible to adjust each other's items?
The only way to be sure is to check on the server that the current user has permission to "do action"
You can use the "Roles" mechanizm (this feature ships with asp.net) to check whether a user can delete other accounts.