I'm developing a Windows application that uses the Google Calendar API. I already filled in all the information on the "Consent Screen" page and sent it for verification. After 3 days I received an e-mail saying:
Verification not required. Your app is not required to go through verification at this time. We will be closing out this request and there will be no impact on your app.
After 2 weeks, my consent screen page is still saying "Your consent screen is being verified." and the logo I chose does not appear in the OAuth Screen. Any ideas what is happening? Do I need to wait longer?
You must list one or more sensitive scopes under the Scopes for Google APIs section of your OAuth consent screen so that Google knows which scopes to verify.
I've created a screencast showing the process to add the ../auth/contacts.readonly scope to an OAuth project here. You should be able to use it as a reference to add the sensitive scopes you are accessing via API.
When you have added a sensitive scope, you'll see a warning asking you to verify your app, like here:
Use of this API scope will be restricted until it is approved
Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use.
Before your users authenticate, this consent screen will allow them to choose whether they want to grant access to their private data, as well as give them a link to your terms of service and privacy policy. This page configures the consent screen for all applications in this project.
Verification status
Being verified (Last approved consent screen is still in use)
Because you've added a sensitive scope, your consent screen requires verification by Google before it's published.
How long verification takes depends greatly upon the application, and the scopes it uses. I have seen anything from a few days to six weeks+ and Google asking for a video of your application running.
This is why it's good to start the process while you are still in development. Developers with access to the project in the Google developer console should still be able to use your application while you are in the verification process.
I need Google OAuth for Google+ login on my OpenCart store. My app is requesting only the following scopes, and the app is public.
https://googleapis.com/auth/plus.me
https://googleapis.com/auth/userinfo.profile
https://googleapis.com/auth/userinfo.email
These are not sensitive scopes and on my oauth consent screen I see the submit verification button is disabled and it says
Your changes don't require verification
Still customers see Unverified app screen (This app isn't verified)
I have also submitted the OAuth app verification form https://support.google.com/code/contact/oauth_app_verification . It's been more than a week and I have not gotten any response from Google.
Please suggest a way to remove the Unverified app screen for my customers.
Google will ignore your request for verification unless you have one or more sensitive scopes listed in the OAuth consent screen list of "Scopes for Google APIs".
e.g.
There are a bunch of steps for this so I made a video while I add a sensitive scope to an OAuth consent screen.
Here are the steps, written out:
First, be sure that all URIs associated with your project are hosted on HTTPS. This includes the Authorized Javascript URIs and Authorized Redirect URIs listed in each of the OAuth Credentials. Google won't approve any app that uses any insecure connections.
Next, confirm that your OAuth app has enabled access to the sensitive API (such as People or Contacts API).
Then, add the scope to your "OAuth consent screen".
Finally, click the enabled "Submit for verification" button at the bottom of the form.
You should not require app verification if you are only setting up 'Sign in with Google'. An app review is required if you request sensitive scopes. Google+ sign-in is deprecated, you should be using the branding-approved 'Sign in with Google' button: https://developers.google.com/identity/branding-guidelines
If you do use sensitive scopes, you should update the scopes section of the OAuth consent screen configuration to include all sensitive scopes you are requesting before the 'submit for verification' button becomes available. In order to add your sensitive scopes on the configuration page, you need to enable the APIs you would like your project to access. For example, enable the GMail APIs for your project by visiting the API library, then add the GMail scopes to your consent screen configuration, fill out additional information, submit for verification.
Please see the 'User Consent' section of https://support.google.com/cloud/answer/6158849?hl=en for more information.
Well, something is really off with my google account.
[x] All URLS HTTPS
[x] Sensitive scope not added
[x] App submitted for verification
[x] Got an email stating verification not required.
Now if I do the following events:
Open Incognito Browser
Click login with Google
Sign in using a general email ID (I used an email account from Gmail)
Here's the warning: This app isn't verified!!
If I tried doing this in normal browser where I am already signed in, this doesn't show up! This can be really bad for new users, it guarantees a high bounce rate!
Can you guys give it a try and see if this is true?
Also, as an answer: I would suggest you to kindly check the app in incognito mode or in a fresh browser.
scope parameter in the URL that starts with https://accounts.google.com/o/oauth2/auth?
https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly[other params here]
This is just my local test page.
Is there some parameter to show my product name?
https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=750613625541-ju0p2hvmml1eahjmt9l4f01gdtp9s33o.apps.googleusercontent.com&as=-2201fc670d7b92ee&nosignup=1&destination=https%3A%2F%2Fwww.storage.com&approval_state=!ChRxdl9WYmw4YURnUWxCemhGSTFUZRIfMC1LRl90bTZ2Z2NaWUg3R0Q2SDQtRUVFOEJjeHpoVQ%E2%88%99ADiIGyEAAAAAWVH50eZlchIgJ3-_vV2dZuQUMH9bhmmI&passive=1209600&ltmpl=nosignup&oauth=1&sarp=1&scc=1&xsrfsig=AHgIfE_ysFUz37usqpUy0VanY6KxOc5Kkg&flowName=GeneralOAuthFlow
This is the url of authorization in my App.
This used to be possible as a setting in the Google developer console.
Google developer console -> credentials -> Oauth consent screen tab
Google has been making a number of changes to the OAuth consent form recently. This is a direct consequence of the Gmail phishing hack a few months ago. One of the changes, as you can see, is that the website of the application is now displayed instead of the application name. It was thought that this would make it easier for users to understand WHO they are granting access to their data rather than what application has access to their data. This is not something you can change.
Is it possible for me to create an application that can send out requests for access to users' Google Calendars so that I can see the events in there and be able to add, edit, and delete events?
I do not want the users to log into my website to enable this access. Rather, I want to be able to send this request, perhaps via email.
Alternatively, perhaps they could log in the web app and authorize access themselves somehow.
One option would be to e-mail the user a link to the OAuth 2.0 consent screen. The users would still need to open the link in a browser, sign in to their Google account (if not already signed in), and click the "Authorize" button to grant your application access to their Google calendar events.
First, you will need to register your application as a Web App in Google's Developer Console (just like for any other application) and obtain a client_id. Be sure to fill in the name of your application and a link to your website in the "OAuth consent screen" section, because these values will be shown to your users when they click the authorization link.
Then, follow these steps:
Send the user an authorization link in an HTML e-mail message. The link should be constructed according to the guidelines in "Redirecting to Google's OAuth 2.0 server", and pay attention to the following aspects:
Ensure that the redirect_uri parameter in the authorization link points to your application.
Since you already know the e-mail address of the user, consider including the login_hint=<email address> parameter to bypass the account selection screen.
Important: provide a value in the state parameter so that you can link this authorization request with the user.
The link should be placed in an <a> tag somewhere in the body of the e-mail: Allow access to my Google calendar
When the user clicks on this link, their browser will open and show the standard Google consent screen:
Once the user has made a choice, their browser will be redirected to the redirect_uri which you have provided.
Make sure that the redirect_uri will work even if the user isn't signed in to your application. Capture the state and authorization_code values which Google appends to the redirect_uri, and then return a confirmation page (e.g. "Thank you for giving us access to your Google calendar" would be a good idea).
Using the state and authorization_code values, follow the rest of the standard OAuth 2.0 flow and retrieve a refresh_token which will allow you to access the user's Google calendar from your application.
Keep in mind that the calendar owner (the user who is clicking the link in the e-mail and granting your application consent to access the calendar) may not even be a user of your application. This is why it is important to provide as much information as possible on the consent screen and in the confirmation page.
Since your confirmation page will be loaded even if the user does not grant your application consent, you could take the opportunity to give the user a full description of why you are asking for access to their calendar and provide a link that will take them back to the consent screen. This should increase your success rate.
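The link and callback steps from the answer above, as an added Python example that is not part of the original answer. It builds the e-mailed consent link with `login_hint` and a `state` value, then checks the redirect before the code is exchanged. Signing `state` with an HMAC is one assumed way to tie the request to its recipient; `CLIENT_ID`, `REDIRECT_URI`, `STATE_KEY` and the function names are placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # placeholder
REDIRECT_URI = "https://app.example.com/oauth2/callback"    # placeholder, HTTPS
STATE_KEY = b"constructed-demo-key"  # assumption: loaded from a secret store

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_state(email, ttl=7 * 86400, now=None):
    """Bind the request to one recipient and give it an expiry."""
    body = json.dumps({"email": email, "exp": int(now or time.time()) + ttl}).encode()
    return _enc(body) + "." + _enc(hmac.new(STATE_KEY, body, hashlib.sha256).digest())

def verify_state(state, now=None):
    """Return the bound e-mail address, or None if forged, malformed or expired."""
    try:
        body64, sig64 = state.split(".")
        body, sig = _dec(body64), _dec(sig64)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, hmac.new(STATE_KEY, body, hashlib.sha256).digest()):
        return None
    claims = json.loads(body)
    return claims["email"] if claims["exp"] >= (now or time.time()) else None

def build_consent_link(email):
    """URL for the <a> tag in the e-mail."""
    return AUTH_ENDPOINT + "?" + urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": "https://www.googleapis.com/auth/calendar",
        "access_type": "offline",  # ask Google for a refresh_token
        "login_hint": email,
        "state": make_state(email),
    })

def handle_callback(query_string, now=None):
    """Return (email, code) to exchange for tokens, or None to show the explanation page."""
    params = parse_qs(query_string)
    email = verify_state(params.get("state", [""])[0], now)
    if email is None or "error" in params or "code" not in params:
        return None
    return email, params["code"][0]
```

A `None` result covers both a declined consent (`error=access_denied`) and a `state` that does not verify, so the confirmation page can explain the request without storing any token.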
Every request your application sends to the Google Calendar API must
include an authorization token. The token also identifies your
application to Google.
Your application must use OAuth 2.0 to authorize requests. No other
authorization protocols are supported. If your application uses
Google+ Sign-In, some aspects of authorization are handled for you.
The details of the authorization process, or "flow," for OAuth 2.0
vary somewhat depending on what kind of application you're writing.
For more details on the workflow to gain access click here. Once your app has access, it will be able to view and edit a user's calendar events, depending on the approved permissions.
I realize that this is a potentially duplicate question and is related to the following issues:
Do we need to wait after an admin accepts an app marketplace scopes for his domain in order to avoid consent screen?
Consent screen appearing after Google Apps installation using oauth2 while it should not
I currently don't have the commenting privilege yet, but was asked to post here by the Google Apps reviewer currently handling my case.
In any event, after going through the installation flow for my app numerous times at various speeds, I believe there is an issue related to timing and the propagation of permissions through the Google system. If I do the installation and attempt to login really quickly I get presented with the consent pop up. If I wait a few seconds then I do not get presented with the consent pop up.
I have verified that the OAuth scopes configured for the Google Apps Marketplace SDK in the developer console match those we are using during login. I am using the JavaScript client-side library that is mentioned in the Apps Marketplace guide.
Any help would be appreciated as this issue is preventing my app from getting approved.