Consent screen appearing after domain installation (intermittently and timing based) - google-apps-marketplace

I realize that this is a potentially duplicate question and is related to the following issues:
Do we need to wait after an admin accepts an app marketplace scopes for his domain in order to avoid consent screen?
Consent screen appearing after Google Apps installation using oauth2 while it should not
I currently don't have the commenting privilege yet, but was asked to post here by the Google Apps reviewer currently handling my case.
In any event, after going through the installation flow for my app numerous times at various speeds, I believe there is an issue related to timing and the propagation of permissions through the Google system. If I do the installation and attempt to log in really quickly, I get presented with the consent pop-up. If I wait a few seconds, then I do not get presented with the consent pop-up.
I have verified that the OAuth scopes configured for the Google Apps Marketplace SDK in the developer console match those we are using during login. I am using the JavaScript client-side library that is mentioned in the Apps Marketplace guide.
Any help would be appreciated as this issue is preventing my app from getting approved.

Related

OAuth Consent Screen

I've been waiting for Google to verify my OAuth consent screen for several months. This means that my functionality is restricted. The message that I am getting on the admin panel is...
Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use.
Is there some way of following this up or checking for any issues with my application?
I would recommend contacting G Suite Support with the G Suite APIs team; they can help you to speed up the verification process. You can check this article https://support.google.com/cloud/answer/9110914?hl=en for more information.
There have been some changes, and new scopes have been categorized as restricted or sensitive. Also, if you add, remove or update any scope within your consent screen, you will be asked for a new verification process.
The verification process should not take months. The G Suite API team will help you to find the best solution since they have the chance to contact the Trust and safety team who will review your verification.
For a faster verification, ensure that your app complies with our policy. For more information, see https://support.google.com/cloud/answer/9110914?hl=en#verification-requirements. And provide all possible information, like videos of your application being used, things like that.

How much time it will take Verification process completed || google oauth2 || youtube partner scopes

Use of this API scope will be restricted until it is approved
Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use.
Before your users authenticate, this consent screen will allow them to choose whether they want to grant access to their private data, as well as give them a link to your terms of service and privacy policy. This page configures the consent screen for all applications in this project.
Verification status
Being verified (Last approved consent screen is still in use)
Because you've added a sensitive scope, your consent screen requires verification by Google before it's published.
How long verification takes depends greatly upon the application, and the scopes it uses. I have seen anything from a few days to six weeks+ and Google asking for a video of your application running.
This is why it's good to start the process while you are still in development. Developers with access to the project in Google Developer Console should still be able to use your application while you are in the verification process.

Consent Screen still being verified

I'm developing a Windows application that uses the Google Calendar API. I already filled in all the information on the "Consent Screen" page and sent it for verification. After 3 days I received an e-mail saying:
Verification not required. Your app is not required to go through verification at this time. We will be closing out this request and there will be no impact on your app.
After 2 weeks, my consent screen page is still saying "Your consent screen is being verified." and the logo I chose does not appear in the OAuth Screen. Any ideas of what is happening? Do I need to wait longer?
You must list one or more sensitive scopes under the Scopes for Google APIs section of your OAuth consent screen so that Google knows which scopes to verify.
I've created a screencast showing the process to add the ../auth/contacts.readonly scope to an OAuth project here. You should be able to use it as a reference to add the sensitive scopes you are accessing via API.
When you have added a sensitive scope, you'll see a warning asking you to verify your app, like here:

Do we need to wait after an admin accepts an app marketplace scopes for his domain in order to avoid consent screen?

We are integrating our app in the new Google Marketplace.
Our marketplace config in the developer console is ok.
Our oauth2/sso flow is ok (scopes match the ones setup in the console, auth params ok)
All users, when accessing our application through the Navigation bar, don't see any consent screen. All is perfect … except the following :
When an admin user is installing our application for his domain for the first time, he is presented with the domain consent screen displaying the scopes defined in our marketplace config, which is fine; he accepts and is presented with a button "Launch app". This link hits our server and a redirection is made to Google auth in order to get the email and profile of that user. The redirection happens so quickly that the admin is presented with yet another consent screen displaying the exact same scopes … which is bad.
If we wait 10 - 20 seconds before clicking the 'Launch app' button and after having accepted the scopes for the domain, the redirection to Google auth is done and no consent screen is presented to the admin.
Are we missing something? Some sort of polling technique with callback? "Sleeping"?
The same happens with other apps available on Google Apps Marketplace.
I installed several apps from Marketplace (Mavenlink, Lucidchart, etc), and they showed exactly the same result. I was prompted with consent screen immediately after installing them. A bit later, and I was let in without prompting.
It seems that the information on the installed app is not immediately propagated through Google system. There is a short delay between the time the administrator installs an app to his domain, and the time that app becomes available on his domain.
Most users wouldn't mind waiting a minute after the installation. Unfortunately, a reviewer at Google is not that forgiving. If he is quick enough to start your app immediately after the installation, your app will be caught asking for consent, for which it will be rejected from Marketplace. Too bad.

Google Apps Marketplace app installation callback

We've migrated our app from the old marketplace to the new one. After a few days we've received an email that we don't comply with an SSO policy - the user is not recognized after he installs the application.
In the old app we had a specific setup link, that was opened for the user after he installed the app - thus making him recognizable. Is there such a function in the market? Is there some sort of a callback for the installation event in the new marketplace?
P.S. the guy from Google told me to post technical questions on Stackoverflow and that "Our developer relations team monitors that forum and will be able to assist you."
EDIT:
There's the Additional app setup link in this after-installation popup (which clearly no user will click):
Is there a way to call the URL of the Additional app setup in the background, without needing the user to click an obscure link?
That was an intentional design change which is different than how it used to work in v1 of the marketplace.
If you need interactive setup, best thing to do is put in a check on login to see if the domain has been configured. You can use the licensing API to check for a marketplace install record or directory API to check user permissions if those matter for your use case.
If you just need to run a background task, you can periodically poll the licensing API to detect new installations of the app. This shouldn't be done too often, so if you need to do things before a user logs in, you're still better off going with a check on login to route them to the setup flow as needed.
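
The check on login suggested in the answer above, as an added example (not code from the original posts or from Google). It assumes the Marketplace License API's `customerLicense` endpoint and its `state` field; `InstallGate`, `fetch_license` and the route names are hypothetical, and the sample fetcher is constructed. Only `ACTIVE` results are cached, because a missing record right after installation may simply not have propagated yet.

```python
import time

# Assumed endpoint: customerLicense resource of the Marketplace License API.
LICENSE_URL = ("https://www.googleapis.com/appsmarket/v2/"
               "customerLicense/{app_id}/{domain}")


class InstallGate:
    """Routes an authenticated user by the domain's Marketplace install record."""

    def __init__(self, app_id, fetch_license, configured_domains,
                 ttl=300, clock=time.monotonic):
        self.app_id = app_id
        self.fetch_license = fetch_license    # hypothetical: url -> dict or None
        self.configured = configured_domains  # domains that completed setup
        self.ttl = ttl                        # seconds an ACTIVE result is reused
        self.clock = clock
        self.cache = {}                       # domain -> expiry of ACTIVE result

    def license_state(self, domain):
        now = self.clock()
        if self.cache.get(domain, 0) > now:
            return "ACTIVE"                   # avoids hitting the API on every login
        url = LICENSE_URL.format(app_id=self.app_id, domain=domain)
        try:
            record = self.fetch_license(url)
        except Exception:
            return "UNKNOWN"                  # lookup failed: never treat as installed
        state = (record or {}).get("state", "UNLICENSED")
        if state == "ACTIVE":
            self.cache[domain] = now + self.ttl
        return state

    def route(self, email):
        # email must be the verified address from the ID token, not user input
        domain = email.rsplit("@", 1)[-1].lower()
        state = self.license_state(domain)
        if state == "UNKNOWN":
            return "retry_later"
        if state != "ACTIVE":
            return "not_installed"            # no install record for this domain
        return "app" if domain in self.configured else "setup"


def sample_fetch(url):
    """Constructed stand-in for an authorised HTTP GET returning parsed JSON."""
    return {"state": "ACTIVE"} if url.endswith("/installed.example") else None


if __name__ == "__main__":
    gate = InstallGate("APP_ID_PLACEHOLDER", sample_fetch, set())
    print(gate.route("admin@installed.example"))  # first login after install
    print(gate.route("user@other.example"))
```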
