Our company has changed to a new Google account due to rebranding. We've created a new project, OAuth consent screen and a client. Since then, our users are presented with what I call a multiple consent screen. They have to click on every single permission popup separately and then submit the summary page. This is annoying. Previously, there was only one page with all the scopes/permissions on it. Examples attached:
Before:
After:
Does anybody know what's going on and how to switch it back?
Thank you
There was an announcement from Google. It's the change they made.
https://developers.googleblog.com/2018/10/more-granular-google-account.html
We will show each permission that an app requests one at a time, within its own dialog, instead of presenting all permissions in a single dialog*. Users will have the ability to grant or deny permissions individually.
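An added example (not from the original posts): because users can now deny individual permissions, an app should compare the scopes in the token response against the ones it requested before enabling a feature. The scope-to-feature map and the sample token response below are constructed for illustration.

```javascript
// Hypothetical app: each requested scope mapped to the feature it enables.
const REQUESTED = {
  'openid': 'sign-in',
  'https://www.googleapis.com/auth/userinfo.email': 'sign-in',
  'https://www.googleapis.com/auth/contacts.readonly': 'contact sync',
  'https://www.googleapis.com/auth/calendar.readonly': 'calendar view',
};

// Short aliases are normalised to the long form so both spellings compare equal.
const ALIASES = new Map([
  ['email', 'https://www.googleapis.com/auth/userinfo.email'],
  ['profile', 'https://www.googleapis.com/auth/userinfo.profile'],
]);
const normalise = (s) => ALIASES.get(s) || s;

// RFC 6749 section 3.3: "scope" is a space-delimited, case-sensitive list.
// A missing or empty field is treated as "nothing granted" (fail closed).
function parseScopes(scopeField) {
  const raw = typeof scopeField === 'string' ? scopeField : '';
  return new Set(raw.split(/\s+/).filter(Boolean).map(normalise));
}

// Decide which features may be enabled for this user's grant.
// A feature is enabled only if every scope mapped to it was granted.
function evaluateGrant(tokenResponse, requested = REQUESTED) {
  const granted = parseScopes(tokenResponse && tokenResponse.scope);
  const missing = Object.keys(requested).filter((s) => !granted.has(normalise(s)));
  const disabledFeatures = [...new Set(missing.map((s) => requested[s]))];
  const enabledFeatures = [...new Set(Object.values(requested))]
    .filter((f) => !disabledFeatures.includes(f));
  return { granted: [...granted], missing, enabledFeatures, disabledFeatures };
}

// Constructed sample: the user unticked the calendar permission.
const SAMPLE_RESPONSE = {
  access_token: 'constructed-placeholder',
  token_type: 'Bearer',
  scope: 'openid https://www.googleapis.com/auth/userinfo.email ' +
         'https://www.googleapis.com/auth/contacts.readonly',
};

const result = evaluateGrant(SAMPLE_RESPONSE);
console.log('enabled:', result.enabledFeatures, 'disabled:', result.disabledFeatures);
```

Run the check on every token response, including refreshes, and gate API calls on `enabledFeatures` rather than on the scopes the app asked for.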
I keep getting this error when editing or creating the consent screen.
This happens whenever I click edit settings on the consent screen. An error dialog pops up saying
"Sorry, there’s a problem. If you entered information, check it and try again. Otherwise, the problem might clear up on its own, so check back later.
Tracking Number: #############"
After this, I can stay on the consent screen settings, but I can't add any scopes at all. I don't understand why it's happening, it worked fine before. But now for weeks it's been like this and I can't edit the consent screen.
This usually happens because you don't have the authorization to perform edits, i.e. it is a permission issue. If you go to the link https://console.cloud.google.com/iam-admin/iam?project=YOUR-PROJECT-ID you should be able to see the Identity Access Management permissions assigned to your user, if there are any. You should find out who is the owner of the project and request editor permissions for the action you are attempting to do.
I have developed an app that synchronises our users' Google contacts with the School's database. When I submitted the consent screen for verification I was asked to change the display name, as it violated branding policies by including GMail in the title. However, when I try to update the consent screen in the API Console, after changing the app name the Save button remains greyed out, so I can't change it. How do I proceed now?
Note the app is currently in use with an unverified consent screen, but new users are now unable to sign up since Google appear to have tightened their policies.
Also the app is only used by members of our organisation, so it should really be an internal app. However the Make Internal link is deactivated, apparently because I am not a G Suite User. However we have a G Suite for Education account, so does this not make me a G Suite user?
As no-one has provided a solution it looks like there is none. Therefore I’ve resorted to my plan B, which is to create a new API Project and consent screen. This time I created it as an internal project, which avoids any complications of validation. The previous project was created public as it was envisaged that parents with private Gmail accounts might also use it. However with the constraints of GDPR it has been decided to restrict it to employees only. Fortunately I have found a way for existing users to continue using the old version, while new users have to register using the new consent screen.
It appears that the message about not being able to change to a local project if you’re not a G Suite user is a red herring. I suspect you just can’t change project type once it’s in use, because of the possible implications for existing users.
I am trying to make the Pre-launch report work well to cover more screens (beyond the sign-in screen) by providing sign-in credentials; however, after providing the testing account the crawl still cannot get beyond the sign-in screen. This is my configuration:
I can confirm the username/password resource names are correct, but in my app, they are on two separate screens.
I.e.: Input username (actually it requires a phone number) first then tap on Next button in this screen to see the screen for typing password (actually it is the 2fc via SMS),
and after typing in 2fc, the app logs the user in automatically, so there is no Sign-in button.
My question is: does Google support my use case as stated above? I.e.: if username and password are not on the same screen, is Google still able to crawl beyond the sign-in screen?
The crawler will use the provided sign-in credentials when it matches the corresponding resource id on a given screen. So, having username and password on two different screens is not a problem. The tricky part is getting from one screen to another (in your case, it is clicking the Next button) such that the crawler has an opportunity to type in the password. If the crawler does not perform this step on its own, you can guide it with a Roboscript - that is, instead of using sign-in credentials, record a Roboscript in which you type in the username, click Next, type in the password (basically, the steps you mentioned above), and then upload this Roboscript for your pre-launch report.
In the documents of Google One-Tap sign in, it says:
Returning users are signed in automatically, even when they switch devices or platforms, or after their session expires.
Question 1:
But it doesn't say anywhere how it does this? Is the user refresh token saved in the browser's cache? How can it then auto log in a user cross devices?
Question 2: The reason I ask is because I have a setup where I initialize the Google API client for JavaScript ("GAPI"). The GAPI library also automatically logs in a user whenever the client is "initialised" through gapi.client.init().
Now the problem is that after I have added the Google One-Tap code (Or should I say "YOLO code"? : ) my user gets logged in through One-Tap and also through GAPI. I can prevent this by not initializing the GAPI client, but I don't think that's wise, because I thought this whole library is built to manage my refresh tokens etc. Is my understanding correct that One-Tap does exactly the same and in case I only want to Authenticate users I do not need the GAPI client anymore?
Really, which library does a better job at managing my refresh tokens? And how do they differ? I'm clueless...
The way I implemented my login is the following:
Try to log in the user first using gapi.auth2. Maybe the user was previously signed into the site.
If the user can't be logged in automatically, then use googleyolo to try to find existing user accounts.
If there are no existing accounts, then present a sign-in button for the user to sign in.
I can give you some code snippet if you need.
To answer your questions.
#1, the credential is stored within the browser/device. If the user has never signed into google in a device, then yolo won't be able to sign in the user.
#2. googleyolo will also log in the user; the difference is that it will give the account selector even if there's only one user to select (it will automatically log in the user if there's only one). gapi simply signs in the user without showing anything.
We are integrating our app in the new Google Marketplace.
Our marketplace config in the developer console is ok.
Our oauth2/sso flow is ok (scopes match the ones setup in the console, auth params ok)
All users, when accessing our application through the Navigation bar, don't see any consent screen. All is perfect … except the following :
when an admin user is installing our application for his domain for the first time, he is presented with the domain consent screen displaying the scopes defined in our marketplace config, which is fine; he accepts and is presented with a button "Launch app". This link hits our server and a redirection is made to Google auth in order to get the email and profile of that user. The redirection happens so quickly that the admin is presented with yet another consent screen displaying the exact same scopes … which is bad.
If we wait 10 - 20 seconds before clicking the 'Launch app' button and after having accepted the scopes for the domain, the redirection to Google auth is done and no consent screen is presented to the admin.
Are we missing something? Some sort of polling technique with callback? "Sleeping"?
The same happens with other apps available on Google Apps Marketplace.
I installed several apps from Marketplace (Mavenlink, Lucidchart, etc), and they showed exactly the same result. I was prompted with consent screen immediately after installing them. A bit later, and I was let in without prompting.
It seems that the information on the installed app is not immediately propagated through Google's systems. There is a short delay between the time the administrator installs an app to his domain, and the time that app becomes available on his domain.
Most users wouldn't mind waiting a minute after the installation. Unfortunately, a reviewer at Google is not that forgiving. If he is quick enough to start your app immediately after the installation, your app will be caught asking for consent, for which it will be rejected from Marketplace. Too bad.