OAuth Consent Screen - google-api

I've been waiting for Google to verify my OAuth consent screen for several months. This means that my functionality is restricted. The message that I am getting on the admin panel is...
Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use.
Is there some way of following this up or checking for any issues with my application?

I would recommend contacting G Suite Support with the G Suite APIs team; they can help you to speed up the verification process. You can check this article https://support.google.com/cloud/answer/9110914?hl=en for more information.
There have been some changes, and new scopes have been categorized as restricted or sensitive. Also, if you add, remove or update any scope within your consent screen, you will be asked for a new verification process.
The verification process should not take months. The G Suite API team will help you to find the best solution since they have the chance to contact the Trust and safety team who will review your verification.
For a faster verification, ensure that your app complies with our policy. For more information, see https://support.google.com/cloud/answer/9110914?hl=en#verification-requirements. Also provide all possible information, like videos using your application, things like that.

Related

Unable to change display name on OAuth consent screen

I have developed an app that synchronises our users' Google contacts with the School's database. When I submitted the consent screen for verification I was asked to change the display name, as it violated branding policies by including GMail in the title. However, when I try to update the consent screen in the API Console, after changing the app name the Save button remains greyed out, so I can't change it. How do I proceed now?
Note the app is currently in use with an unverified consent screen, but new users are now unable to sign up since Google appear to have tightened their policies.
Also the app is only used by members of our organisation, so it should really be an internal app. However the Make Internal link is deactivated, apparently because I am not a G Suite User. However we have a G Suite for Education account, so does this not make me a G Suite user?
As no-one has provided a solution it looks like there is none. Therefore I’ve resorted to my plan B, which is to create a new API Project and consent screen. This time I created it as an internal project, which avoids any complications of validation. The previous project was created public as it was envisaged that parents with private Gmail accounts might also use it. However, with the constraints of GDPR it has been decided to restrict it to employees only. Fortunately I have found a way for existing users to continue using the old version, while new users have to register using the new consent screen.
It appears that the message about not being able to change to a local project if you’re not a G Suite user is a red herring. I suspect you just can’t change project type once it’s in use, because of the possible implications for existing users.

How much time will it take for the verification process to complete || google oauth2 || youtube partner scopes

Use of this API scope will be restricted until it is approved
Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use.
Before your users authenticate, this consent screen will allow them to choose whether they want to grant access to their private data, as well as give them a link to your terms of service and privacy policy. This page configures the consent screen for all applications in this project.
Verification status
Being verified (Last approved consent screen is still in use)
Because you've added a sensitive scope, your consent screen requires verification by Google before it's published.
How long verification takes depends greatly upon the application, and the scopes it uses. I have seen anything from a few days to six weeks+ and Google asking for a video of your application running.
This is why it's good to start the process while you are still in development. Developers with access to the project in Google Developer Console should still be able to use your application while you are in the verification process.

How to request Domain-wide Delegation through a consent screen, on G Suite

I need to have access to Calendar information from a company's G Suite accounts, to synchronize data with the company system through an API.
When I need to provide access to my own data, there is a fairly simple way to do it. Using OAuth2, through a login window the user allows the API to access the requested data.
But in the G Suite documentation, the path indicated when involving the administrator and company data involves the administrator accessing admin.google.com, going to the security-related session, and manually registering my API, listing the scopes that he wants to grant me access to.
To make a parallel, in Microsoft Graph there is a way to request consent from the domain administrator, where only a user consent / admin consent screen is displayed using Oauth2.
I wonder if there is a way to get this type of access in G Suite without requiring the end user to take such complicated steps to make my API work properly.
UPDATE:
This question was originally posted in 2019. Is anyone aware if something has changed since then?
You should use the Marketplace SDK for this. This allows you to publish an application to the Google Workspace Marketplace where company admins can choose to install it for their domain.
There are a couple things to keep in mind:
There's an expectation that your application will have some sort of user facing presence (e.g. add-on, link to web app, etc).
Google will review your app before publishing. Since you're not using Gmail or Drive scopes (for these, Google requires a 3rd party security review), this process should not be too difficult. But plan for it to take some time, and follow the best practices so it's done right the first time.
You also mentioned synchronizing calendars. If that means mainly reading, no problem, but if you're writing (a lot at once), be mindful of calendar use limits. These are per user and for all activity by that user (not just your app).

Consent screen appearing after domain installation (intermittently and timing based)

I realize that this is a potentially duplicate question and is related to the following issues:
Do we need to wait after an admin accepts an app marketplace scopes for his domain in order to avoid consent screen?
Consent screen appearing after Google Apps installation using oauth2 while it should not
I currently don't have the commenting privilege yet, but was asked to post here by the Google Apps reviewer currently handling my case.
In any event, after going through the installation flow for my app numerous times at various speeds, I believe there is an issue related to timing and the propagation of permissions through the Google system. If I do the installation and attempt to login really quickly I get presented with the consent pop up. If I wait a few seconds then I do not get presented with the consent pop up.
I have verified that the OAuth scopes configured for the Google Apps Marketplace SDK in the developer console match those we are using during login. I am using the JavaScript client-side library that is mentioned in the Apps Marketplace guide.
Any help would be appreciated as this issue is preventing my app from getting approved.

Google Apps Marketplace SSO requirement

I am considering developing an application for the Apps for Business Marketplace. I see that new rules take effect on November 19th. Referring to the new documentation (https://developers.google.com/apps-marketplace/) I do not see that any SSO requirement exists. There is a lot of talk about migrating to new sign on methods, but I see no mention of sign on requirements.
What are the sign on requirements as of November 19th?
If SSO continues to be required or if I publish before Nov. 19th, my application requires a security token from my API in order to carry out API exchanges. To get this token a user/pass exchange is required one time. They would never need to enter a user/pass for my app after that. Will a one time exchange for the security token be denied under an SSO requirement?
For example the statement regarding SSO that an app cannot do is:
The end user should not be required to enter a username and password when invoking an application from within Google Apps. (https://developers.google.com/google-apps/marketplace/sso)
In my case it would not be required for the user to enter every time, just on the initial creation of the account. After that I would retain the token from my site, encrypted with the Installed App.
Would my app be denied for requiring this one time exchange under the SSO policy?
Mark
You will have to use SSO (or should if at all possible) -- see this part of the documentation: Besides, that is a better practice and should make your users feel more trust for your application.
From what I gather (note that I'm building my first marketplace app) you should not prompt users to enter username/password on your site. I am creating a user record & storing the token behind the scenes. So the user sees the Google authorization screen, agrees to let my app use some data, accepts and signs in right away without any prompt to create an account. After this, the user will not be prompted in the future because I have their Google ID linked to a user record.
From their site - https://developers.google.com/google-apps/marketplace/sso#user_experience
As long as you don't have any intermediate screen, your app should be approved.
