Today I've received email from Google, that claims my project uses one scope plus.me from Google+ API which will be shutdown.
I've already implemented Google Drive API usage with new OAuth 2.0 in my app. And was trying to find where it uses that Google+ scope.
The only place where this scope exists is in "OAuth consent screen" in Google APIs console.
But there is no "Delete" button. So I'm wondering how could I remove it? I'm afraid with shutting down Google+ my requests to OAuth 2.0 could be denied :(
Whew! Today got clarification from Google with subject "[Correction] Google+ APIs being shutdown on March 7, 2019".
Earlier this week we sent you an email related to your projects that will be impacted by the Google+ API shutdown, which also affects requests for Google+ OAuth scopes.
The email listed that one or more of your projects are requesting the
“plus.me” scope, and would thus be affected. We would like to clarify
that only projects directly requesting the “plus.me” scope are
affected. This scope may have been listed in some emails, even if not
directly requested by your project. We apologize for any confusion
caused.
If you are directly requesting the “plus.me” scope, any other Google+
OAuth scopes, or making any Google+ API calls, please ensure that you
remove these requests from your project before March 7, 2019.
To see if your project is directly requesting the “plus.me” or any
other Google+ OAuth scopes:
If your project is written in Google Apps Script, you can view which scopes your project is requesting by reviewing your project
properties in App Script Editor.
If your project is not written in Google Apps Script, please check your code for references to “plus.me” in OAuth scope requests. We
recommend that you review projects using any 3rd-party libraries that
support sign-in or social functionality, as these may also be affected
by the shutdown.
So it seems we should not worry about the plus.me item any more. Just remove this scope from the code if we use it.
Related
I generate a auth link like:
https://accounts.google.com/o/oauth2/v2/auth/oauthchooseaccount?access_type=offline&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events&prompt=consent&response_type=code&client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A4200%2Fapplication%2Fsettings%2Fgcal&flowName=GeneralOAuthFlow
As you can see I call for the authorization as defined in the documentation here https://developers.google.com/calendar/api/guides/auth however, when I go to auth this is what I am presented with: and I thought this might be some new security thing from google but then I look at connecting to other sites and the account works just fine there.
This application is also fully verified for the consent screen.
While doing some comparison between my calls and other site's I notice that mine have /v2/ in the path while others do not. I have tried multiple individual google accounts with same result, but I always get a v2 redirect.
Anyone here know why this happens with v3 accounts and how I can solve it?
Unfortunately, this is the new default behaviour
It is realted to the new policy of More granular Google Account permissions with Google OAuth and APIs
It is being gradually introduced and is not related to either v2 or v3 accounts are being used but rather will eventually implemented for all accounts
Should the user not grant you all the scopes necessary for your Addon to run - you will need to handle it programmatically checking which scopes have been granted and requesting additional scopes if required
Best practive would be to make it very clear to your users PRIOR to the app installation that checking all checkboxes is crucial for the correct functionality of the app.
There is a very good stackoverflow post that explains the new change more in detail and includes many useful references.
I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.
I'm trying to write a CLI script (ruby) to manage my youtube videos. Technically I'm updating a script that I used in 2012 to do this. It appears that since 2012, youtube has discontinued the simple client authentication mechanism and moved to OAUTH2 (though I'm not totally sure).
I'm wouldn't be the first to say that OAUTH2 is hell (just google it). It's been 3 hours and I still haven't gotten my old script to even authenticate with google (using the youtube_it ruby gem).
I simply do not understand why I would need to use OAUTH to access my own account on Google? What am I missing? I thought OAUTH was so that separate users could give access to applications to temporarily access their data.
Is there another way? What am I missing. As one blogger commented OAUTH2 is enough to make one want to change careers. Even the lead dev quit the project.
The Youtube API docs is specific in stating that if you're going to use Youtube API (or other Google APIs), you must learn how to use OAuth:
If your application will use any API methods that require user
authorization, read the authentication guide to learn how to implement
OAuth 2.0 authorization.
Youtube has a Ruby Quickstart sample which includes the OAuth process.
I simply do not understand why I would need to use OAUTH to access my own account on Google?
I think OAuth answers exactly that question, "how will Google products know if you are who you claim to be?"
Read the OAuth Google guide for more info.
OAuth 2 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook, GitHub, and google. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth 2 provides authorization flows for web and desktop applications, and mobile devices.
for more detail study :-
https://www.rfc-editor.org/rfc/rfc6749
Since approx 5:30 UTC we are receiving only this response for this api call
https://www.googleapis.com/appsmarket/v2/customerLicense/{appId}/{customer}
{"error":{"errors":[{"domain":"global","reason":"forbidden","message":"Not authorized to access the application ID"}],"code":403,"message":"Not authorized to access the application ID"}}
but there has not been any previous development or changes on our side and this affects all of our marketplace applications.
Any ideas what is going on and how to fix/workaround this issue?
This issue should now be fixed by Google.
If you are still experiencing 403 Forbidden on marketplace API calls make sure you are following these guidelines
Access to these APIs is restricted: only project members of the
Developer Console project associated with your application may use the
API. Specifically, these project members must be in Can Edit or Is
Owner roles. You may also access UserLicense and CustomerLicense as
the logged in user to your app. Refer to
https://cloud.google.com/compute/docs/access/add-remove-change-permissions-for-team-members to learn how to
add members to your project.
For example by doing the API requests using a service account in the Google Cloud Platform Project for you application without using any impersonation/delegation.
I realize that this is a potentially duplicate question and is related to the following issues:
Do we need to wait after an admin accepts an app marketplace scopes for his domain in order to avoid consent screen?
Consent screen appearing after Google Apps installation using oauth2 while it should not
I currently don't have the commenting privilege yet, but was asked to post here by the Google Apps reviewer currently handling my case.
In any event, after going through the installation flow for my app numerous times at various speeds, I believe there is an issue related to timing and the propagation of permissions through the Google system. If I do the installation and attempt to login really quickly I get presented with the consent pop up. If I wait a few seconds then I do not get presented with the consent pop up.
I have verified that the OAuth scopes configured for the Google Apps Marketplace SDK in the developer console match those we are using during login. I am using the JavaScript client-side library that is mentioned in the Apps Marketplace guide.
Any help would be appreciated as this issue is preventing my app from getting approved.