Google OAuth Consent Screen Mobile App Verification - google-api

Trying to get my consent screen verified, as my iOS mobile app uses YouTube's API to get their YouTube subscriptions (this falls under the 'sensitive' scope, not 'restricted'). Info on it can be found here -> https://support.google.com/cloud/answer/9110914?hl=en
The consent verification form requires an "Authorized Domain" and also a "Homepage" for the app. The problem is that this is an iOS app and I don't have a website or a URL to give this form.
The consent form:
What do I put in the place of the Authorized Domain and Homepage links?
or
Am I going about the verification process all wrong? Is there another way for mobile apps?

First, if you don't have a domain for it then it is impossible to remove the unverified stuff on your screen.
Second, the domain field is something like google.com or youtube.com, where you are going to attach the tag for verification, which is a domain you currently don't have.
Third, the application homepage link is your website.
Lastly, from my experience there are no special cases between the mobile and web process when it comes to that stuff showing on the screen.
The app will show that unverified screen once you are using a sensitive scope that requires app verification, regardless of whether it's a mobile app or a web app.

Related

How can I log in using Google OAuth in the TikTok in-app browser?

When attempting to log in with Google OAuth via the TikTok in-app browser it says "Authorization Error Error 403 disallowed_useragent Google can't sign you in safely inside this app. You can use Google sign-in by visiting this app's website in a browser like Safari or Chrome."
Thinking this is either a call by Google to prevent login within TikTok or they simply haven't added this user agent yet.
Google OAuth does not work in embedded web views per policy. See https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html.
You should reach out to the app developer to recommend they use one of the alternatives recommended like Chrome Custom Tabs.

Consent Screen still being verified

I'm developing a Windows application that uses the Google Calendar API. I already filled in all the information on the "Consent Screen" page and sent it for verification. After 3 days I received an e-mail saying:
Verification not required. Your app is not required to go through verification at this time. We will be closing out this request and there will be no impact on your app.
After 2 weeks, my consent screen page is still saying "Your consent screen is being verified." and the logo I chose does not appear in the OAuth Screen. Any ideas of what is happening? Do I need to wait longer?
You must list one or more sensitive scopes under the Scopes for Google APIs section of your OAuth consent screen so that Google knows which scopes to verify.
I've created a screencast showing the process to add the ../auth/contacts.readonly scope to an OAuth project here. You should be able to use it as a reference to add the sensitive scopes you are accessing via API.
When you have added a sensitive scope, you'll see a warning asking you to verify your app, like here:

How to set Google Drive to authorize Auth0 domain?

I wish to use Google Drive API to get a file content from Google Drive through Auth0: https://auth0.com/.
And when I try to link the google drive account with Auth0, it displays the following:
How to set Google Drive to authorize Auth0?
Thanks.
Requesting verification
You can request a verification of the OAuth client used by your app and its Cloud project. Once your app is verified, your users will no longer see the unverified app screen. In addition, your app will no longer be subject to the user cap.
Requirements
In order to submit your OAuth client for verification, you must own a web site on a domain. The site must host publicly-accessible pages that describe your app and its privacy policy. You must also verify your ownership of the site with Google.
You do not need to publish your app from an account in this domain, but the domain owner must be an editor or owner of the script project.
In addition, you must have the following required assets:
Application name. The name of the app; this is displayed on the consent screen. It should match the name used for the app in other locations, such as the G Suite Marketplace listing for published apps.
Application logo. An app logo JPEG, PNG, or BMP image to use in the consent screen. Its file size must be 1MB or less.
Support email. This is an email displayed on the consent screen for users to contact if they need app support. It can be your email address or a Google Group that you own or manage.
Scopes. The list of all the scopes your app uses. You can view your scopes in the Apps Script editor.
Authorized domains. This is a whitelist of domains containing information about your app. All your application's links (such as its required privacy policy page) must be hosted on authorized domains.
Application homepage URL. The location of a homepage describing your app. This location must be hosted on an authorized domain.
Application privacy policy URL. The location of a page describing your app's privacy policy. This location must be hosted on an authorized domain.
In addition to the above required assets, you can optionally provide an Application terms of service URL that points to a page describing your app's terms of service. If provided, this location must be in an authorized domain.
You can read more about it here: requesting verification. Remember, this is done through Google, not Auth0.
I have submitted a documentation issue with Auth0 (6946). I suspect that this is not going to work, as you can't verify the domain. However, I will let them deal with their documentation.

Google OAuth Developer Verification form submitted but no response from google

I need google oauth for google+ login on my opencart store. My app is requesting the following scopes only and app is public.
https://googleapis.com/auth/plus.me
https://googleapis.com/auth/userinfo.profile
https://googleapis.com/auth/userinfo.email
These are not sensitive scopes and on my oauth consent screen I see the submit verification button is disabled and it says
Your changes don't require verification
Still customers see Unverified app screen (This app isn't verified)
I have also submitted the OAuth app verification form https://support.google.com/code/contact/oauth_app_verification . It's been more than a week and I have not got any response from Google.
Please suggest any way how to remove Unverified app screen for my customers?
Google will ignore your request for verification unless you have one or more sensitive scopes listed in the OAuth consent screen list of "Scopes for Google APIs".
There are a bunch of steps for this so I made a video while I add a sensitive scope to an OAuth consent screen.
Here are the steps, written out:
First, be sure that all URIs associated with your project are hosted on HTTPS. This includes the Authorized Javascript URIs and Authorized Redirect URIs listed in each of the OAuth Credentials. Google won't approve any app that uses any insecure connections.
Next, confirm that your OAuth app has enabled access to the sensitive API (such as People or Contacts API).
Then, add the scope to your "OAuth consent screen".
Finally, click the enabled "Submit for verification" button at the bottom of the form.
You should not require app verification if you are only setting up 'Sign in with Google'. An app review is required if you request sensitive scopes. Google+ sign-in is deprecated, you should be using the branding-approved 'Sign in with Google' button: https://developers.google.com/identity/branding-guidelines
If you do use sensitive scopes, you should update the scopes section of the OAuth consent screen configuration to include all sensitive scopes you are requesting before the 'submit for verification' button becomes available. In order to add your sensitive scopes on the configuration page, you need to enable the APIs you would like your project to access. For example, enable the Gmail APIs for your project by visiting the API library, then add the Gmail scopes to your consent screen configuration, fill out additional information, and submit for verification.
Please see the 'User Consent' section of https://support.google.com/cloud/answer/6158849?hl=en for more information.
Well, something is really off with my google account.
[x] All URLS HTTPS
[x] Sensitive scope not added
[x] App submitted for verification
[x] Got an email stating verification not required.
Now if I do the following events:
Open Incognito Browser
Click login with Google
Sign in using a general email ID (I used an email account from Gmail)
Here's the warning: This app isn't verified!!
If I tried doing this in normal browser where I am already signed in, this doesn't show up! This can be really bad for new users, it guarantees a high bounce rate!
Can you guys give it a try and see if this is true?
Also, as an answer: I would suggest you to kindly check the app in incognito mode or in a fresh browser.
scope parameter in the URL that starts with https://accounts.google.com/o/oauth2/auth?
https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly[other params here]
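As an added example (not part of the original answers and not Google's tooling), a pre-submission check for the requirements quoted on this page: app links hosted on an authorized domain, HTTPS for every URI, and every scope in the authorization URL listed on the consent screen. The config keys and all sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def on_authorized_domain(url, authorized_domains):
    """True if the URL's host is an authorized domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Match on a dot boundary so a look-alike such as notexample.com fails.
    return any(host == d or host.endswith("." + d)
               for d in (a.lower().strip(".") for a in authorized_domains))

def requested_scopes(auth_url):
    """Scopes in an authorization URL; the scope parameter is space-delimited."""
    query = parse_qs(urlsplit(auth_url).query)
    return {s for value in query.get("scope", []) for s in value.split()}

def audit(config, auth_url):
    """Return findings to fix before submitting for verification."""
    findings = []
    links = {"homepage": config["homepage"],
             "privacy policy": config["privacy_policy"]}
    for name, url in links.items():
        if not on_authorized_domain(url, config["authorized_domains"]):
            findings.append(f"{name} is not on an authorized domain: {url}")
    for url in list(links.values()) + config["redirect_uris"]:
        if urlsplit(url).scheme != "https":
            findings.append(f"not HTTPS: {url}")
    missing = requested_scopes(auth_url) - set(config["declared_scopes"])
    for scope in sorted(missing):
        findings.append(f"scope requested but not listed on consent screen: {scope}")
    return findings

# Constructed sample values; the key names are hypothetical, not a Google format.
SAMPLE_CONFIG = {
    "authorized_domains": ["example.com"],
    "homepage": "https://app.example.com/",
    "privacy_policy": "https://notexample.com/privacy",  # look-alike host
    "redirect_uris": ["http://app.example.com/oauth2/callback"],
    "declared_scopes": ["https://www.googleapis.com/auth/userinfo.email"],
}
SAMPLE_AUTH_URL = ("https://accounts.google.com/o/oauth2/auth?scope="
                   "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
                   "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
                   "&response_type=code")

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_AUTH_URL):
        print(finding)
```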

Why does the Google Oauth2 consent form display company URL instead of product name?

This just my local test page.
is there some parameter to show my product name ?
https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=750613625541-ju0p2hvmml1eahjmt9l4f01gdtp9s33o.apps.googleusercontent.com&as=-2201fc670d7b92ee&nosignup=1&destination=https%3A%2F%2Fwww.storage.com&approval_state=!ChRxdl9WYmw4YURnUWxCemhGSTFUZRIfMC1LRl90bTZ2Z2NaWUg3R0Q2SDQtRUVFOEJjeHpoVQ%E2%88%99ADiIGyEAAAAAWVH50eZlchIgJ3-_vV2dZuQUMH9bhmmI&passive=1209600&ltmpl=nosignup&oauth=1&sarp=1&scc=1&xsrfsig=AHgIfE_ysFUz37usqpUy0VanY6KxOc5Kkg&flowName=GeneralOAuthFlow
This is the url of authorization in my App.
This used to be possible as a setting in the Google developer console.
Google developer console -> credentials -> Oauth consent screen tab
Google has been making a number of changes to the OAuth consent form recently. This is a direct consequence of the Gmail phishing hack a few months ago. One of the changes, as you see, is that the website of the application is now being displayed instead of the application name. It was thought this would be easier for users to understand WHO they are granting access to their data, rather than what application has access to their data. This is not something you can change.
