How to set Google Drive to authorize Auth0 domain? - google-api

I wish to use Google Drive API to get a file content from Google Drive through Auth0: https://auth0.com/.
And when I try to link the google drive account with Auth0, it displays the following:
How to set Google Drive to authorize Auth0?
Thanks.

Requesting verification
You can request a verification of the OAuth client used by your app and its Cloud project. Once your app is verified, your users will no longer see the unverified app screen. In addition, your app will no longer be subject to the user cap.
Requirements
In order to submit your OAuth client for verification, you must own a web site on a domain. The site must host publicly-accessible pages that describe your app and its privacy policy. You must also verify your ownership of the site with Google.
You do not need to publish your app from an account in this domain, but the domain owner must be an editor or owner of the script project.
In addition, you must have the following required assets:
Application name. The name of the app; this is displayed on the consent screen. It should match the name used for the app in other locations, such as the G Suite Marketplace listing for published apps.
Application logo. A app logo JPEG, PNG, or BMP image to use in the consent screen. Its file size must be 1MB or less.
Support email. This is an email displayed on the consent screen for users to contact if they need app support. It can be your email address or a Google Group that you own or manage.
Scopes. The list of all the scopes your app uses. You can view your scopes in the Apps Script editor.
Authorized domains. This is a whitelist of domains containing information about your app. All your application's links (such as its required privacy policy page) must be hosted on authorized domains.
Application homepage URL. The location of a homepage describing your app. This location must hosted on an authorized domain.
Application privacy policy URL. The location of a page describing your app's privacy policy. This location must be hosted on an authorized domain.
In addition to the above required assets, you can optionally provide an Application terms of service URL that points to a page describing your app's terms of service. If provided, this location must be in an authorized domain.
You can read more about it here requesting verification remember this is done though google not auth0
I have submitted a documentation issue with auth0 6946 I suspect that this is not going to work as you cant verify the domain. However i will let them deal with their documentation.

Related

Google OAuth Consent Screen Mobile App Verification

Trying to get my consent screen verified, as my iOS mobile app uses YouTube's API to get their YouTube subscriptions (this falls under the 'sensitive' scope, not 'restricted'). Info on it can be found here -> https://support.google.com/cloud/answer/9110914?hl=en
The consent verification form requires an "Authorized Domain" and also a "Homepage" for the app. The problem is that this is a iOS app and I don't have a website or a URL to give this form.
The consent form:
What do I put in the place of the Authorized Domain and Homepage links?
or
Am I going about the verification process all wrong? Is there another way for mobile apps?
First, if you don't have a domain for it then it is impossible to remove the unverified stuff on your screen.
Second, the domain field is something like google.com, youtube.com where you going to attach the tag for verification. Which, this domain currently you don't have.
Third, the application homepage link is your website.
Lastly, from my experience no special cases for mobile and web process when it comes to that stuff showing on the screen.
The app will show that unverified screen once you are using a sensitive scope that requires app verification regardless if it's a mobile app or web app.

What does Google Play do with the Privacy Policy Link I provide it with?

I am developing an app that will stand on its own without a Website (at the moment).
According to Google Play, I must provide a Privacy Policy URL because my app requires the android.permission.CAMERA permission.
I know that I can place a Privacy Policy on a static hosted Website and give that URL to Google Play, but I would like to know what Google Play will use that URL for.
Does it just give the users the link and if clicked will take the user to the static page where the privacy policy is hosted?
Does it crawl the page and extracts information from it to display the info within the Play Store?
Thanks
There are 2 types of permissions : Normal and Dangerous as listed here
The purpose of a permission is to protect the privacy of an Android
user.
Android apps must request permission to access sensitive user data (such as contacts and SMS), as well as certain system features (such as camera and internet). Depending on the feature, the system might grant the permission automatically or might prompt the user to approve the request.
read more here : https://developer.android.com/guide/topics/permissions/overview
So if you using some of Dangerous level permissions in your app , google will definitely ask you to provide Privacy Policy before uploding apk to playstore .
so if you not provide link , they will not approve your apk build to publish in playstore.
Yes , they also display Privacy Policy Link to all users in ADDITIONAL INFORMATION section in Playstore .
For Example See Below Picture :

Why does the Google Oauth2 consent form display company URL instead of product name?

This just my local test page.
is there some parameter to show my product name ?
https://accounts.google.com/signin/oauth/oauthchooseaccount?client_id=750613625541-ju0p2hvmml1eahjmt9l4f01gdtp9s33o.apps.googleusercontent.com&as=-2201fc670d7b92ee&nosignup=1&destination=https%3A%2F%2Fwww.storage.com&approval_state=!ChRxdl9WYmw4YURnUWxCemhGSTFUZRIfMC1LRl90bTZ2Z2NaWUg3R0Q2SDQtRUVFOEJjeHpoVQ%E2%88%99ADiIGyEAAAAAWVH50eZlchIgJ3-_vV2dZuQUMH9bhmmI&passive=1209600&ltmpl=nosignup&oauth=1&sarp=1&scc=1&xsrfsig=AHgIfE_ysFUz37usqpUy0VanY6KxOc5Kkg&flowName=GeneralOAuthFlow
This is the url of authorization in my App.
This used to be possible as a is a setting in the Google developer console.
Google developer console -> credentials -> Oauth consent screen tab
Google has been making a number of changes to the OAuth consent form recently. This is a direct consequence of the Gmail phishing hack a few months ago. One of the changes is as you see it the website of the application is now being displayed instead of the application name. This it was thought would be easier for users to understand WHO they are granting access to their data rather than what application has access to their data. This is not something you can change.

How does the Google Apps Marketplace SSO requirement work?

We're trying to figure out how to submit to the marketplace, but are not sure what we need to do to alter our existing signup flow to accomodate the SSO requirement
Our app was not originally built to be a marketplace app so our signup flow is built for individual users. We are already following the OAuth2 flow as outlined on this documentation page. However, its not clear to me how this works for an entire org when installing from the context of a marketplace app.
Does the admin grant access to all the individual scopes we currently request for the entire org at once? Is there need for some sort of service account or something since we currently are requesting offline access? I'd like to understand what changes we need to make to our server's signup flow in or whether it is just a scope / manifest mismatch.
We currently request the following scopes from an individual user when signing up.
['email', 'profile' ,'https://mail.google.com/', 'https://www.googleapis.com/auth/calendar'],
Exact questions are...
What (if anything) do we need to do to alter our current individual-focused signup flow to accommodate a Google Apps Admin signing up their whole domain?
What scopes do we need to in our Google Apps Admin listing and how do they relate to the scopes we currently request from individuals?
There are not so many changes if you are already using three legged OAuth2.
The first change would be in you project in the developer console. There you need to enable the Marketplace SDK and make the necessary configurations. Here you will add the scopes that your app will request and those are the scopes that the admin will see when installing the app.
The admin will see the scopes your app is requesting, and he will decide if it's ok to install the application in the domain. If it is approved, then yes, the admin would grant access to the entire domain.
Offline access is part of the Oauth flow, after you receive the refresh token, you can continue refreshing the access token without having the user to grant access again.
It is not necessary to have a service account. The service account has two purposes:
To manage information related to the application. In this case the service account can have access to it's own drive to store and retrieve information that is related to the app functionality.
Impersonation of users. When using domain delegation of authority, you can use a service account to impersonate any user in a domain and act on it's behalf to make API calls.
To deploy your app, you also have to create a new project in the Chrome Web Store, with a manifest for Marketplace.
To answer your questions:
It's not necessary that you modify your current oauth flow. The admin will install the app in the domain, but when a user access to the app, the process for authentication is the same as individual.
The scopes in your Marketplace SDK configuration should match the scopes your app will use. This is mostly for security reasons, it wouldn't be safe if you install an app with some scopes and then the app uses different scopes.
You can try your app before actually deploying it by adding trusted testers in the chrome web store dashboard or in the Console API configuration. This way you can check if your flows and all the configurations were done correctly.
Hope this helps. Let me know if you have more questions.

Programmatically avoid Google OpenID access request

I am providing my Google Apps Domain users content via Google Sites.
Furthermore I have 3rd party content which I would like to integrate. This content needs to be secure and available only to the Google Apps Domain users.
I have implemented openid which authenticates that the users are from my domain. I consider the users to be "stupid" so I wish to avoid any access request pages, which also makes my site look rather unprofessional / unpolished.
I can see the security setting under my personal account here:
https://www.google.com/settings/security
Is there anything in the SDK which will allow me upon user creation to add the necessary account permissions?
Hypothetically if you can host your 3rd party content on Google app Engine (GAE) and all your users reside in your Google Apps Domain it is possible to set Authentication Type to "Google apps Domain" More about GAE authentication can be found here
Do not forget to deploy GAE under same Google apps Domain account
Authorization protocols like OpenID and OAuth have been deliberately designed to require explicit user confirmation of access privileges. Any mechanism that bypassed user intervention would effectively be a security exploit. I'd recommend you save yourself time and frustration by accepting that you're not going to get around that interstitial authorization page.
For better or worse, scope authorization pages have become a well-established part of the modern web application landscape. Users these days routinely confirm authorization dialogs for Facebook, Google+, LinkedIn, and Twitter access without batting an eyelash. Your less savvy users may not recognize it as such, but using existing security mechanisms is a sign of greater professionalism than rolling your own.

Resources