Oauth2 authorization pop-up - google-apps-marketplace

I am testing the installation of a Google Marketplace application from the developer console API.
In the corresponding API project, the following scopes are configured.
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile
I have installed the app and therefore the admin of the account has authorized the scopes. However, when users in my domain log in for the first time, using the universal navigation link, they get an authorization pop-up.
I am translating this from French, but the pop-up says something like:
This app requires your permission to
Know who you are on Google
Display your email
with 2 buttons: Accept and Cancel
I thought that the admin authorization was sufficient. What did I miss?
Lou

The issue was mismatched scopes - the ones registered in the console did not match the scopes requested when the OAuth flow was initiated.

Related

Scopes added to Gmail API project aren't reflected in OAuth consent screen

I've added all scopes available to my Gmail API project via the Google Developer Console. It's registered as an Internal application type, so none of the scopes are sensitive.
I've saved and re-saved these settings, regenerated OAuth client IDs and updated them to be used in my flow.
However, when I get to the Google OAuth consent screen, the scopes are listed as:
This will allow [App Name] to:
View your email messages and settings
None of the other scopes I have selected are listed.
Here are some screenshots which might help:
OAuth consent screen:
OAuth settings (public/internal) - Google API Console
Scopes - Google API Console
Worked this one out eventually.
The OAuth settings screen I have in my question only provides for scope permissions to be requested. In order to actually access a specific scope, you must add it in the consent settings screen, and pass it to the API as part of the OAuth flow.
The solution was to add the requisite scopes to my code as well.

Google OAuth Developer Verification form submitted but no response from google

I need Google OAuth for Google+ login on my OpenCart store. My app is requesting the following scopes only, and the app is public.
https://googleapis.com/auth/plus.me
https://googleapis.com/auth/userinfo.profile
https://googleapis.com/auth/userinfo.email
These are not sensitive scopes, and on my OAuth consent screen I see the submit verification button is disabled and it says
Your changes don't require verification
Still, customers see the Unverified app screen (This app isn't verified).
I have also submitted the OAuth app verification form https://support.google.com/code/contact/oauth_app_verification. It's been more than a week and I have not got any response from Google.
Please suggest a way to remove the Unverified app screen for my customers.
Google will ignore your request for verification unless you have one or more sensitive scopes listed in the OAuth consent screen list of "Scopes for Google APIs".
There are a bunch of steps for this so I made a video while I add a sensitive scope to an OAuth consent screen.
Here are the steps, written out:
First, be sure that all URIs associated with your project are hosted on HTTPS. This includes the Authorized Javascript URIs and Authorized Redirect URIs listed in each of the OAuth Credentials. Google won't approve any app that uses any insecure connections.
Next, confirm that your OAuth app has enabled access to the sensitive API (such as People or Contacts API).
Then, add the scope to your "OAuth consent screen".
Finally, click the enabled "Submit for verification" button at the bottom of the form.
You should not require app verification if you are only setting up 'Sign in with Google'. An app review is required if you request sensitive scopes. Google+ sign-in is deprecated, you should be using the branding-approved 'Sign in with Google' button: https://developers.google.com/identity/branding-guidelines
If you do use sensitive scopes, you should update the scopes section of the OAuth consent screen configuration to include all sensitive scopes you are requesting before the 'submit for verification' button becomes available. In order to add your sensitive scopes on the configuration page, you need to enable the APIs you would like your project to access. For example, enable the Gmail APIs for your project by visiting the API library, then add the Gmail scopes to your consent screen configuration, fill out additional information, and submit for verification.
Please see the 'User Consent' section of https://support.google.com/cloud/answer/6158849?hl=en for more information.
Well, something is really off with my google account.
[x] All URLS HTTPS
[x] Sensitive scope not added
[x] App submitted for verification
[x] Got an email stating verification not required.
Now if I do the following events:
Open Incognito Browser
Click login with Google
Sign In using a general email id (I used an email account from Gmail)
Here's the warning: This app isn't verified!!
If I try doing this in a normal browser where I am already signed in, this doesn't show up! This can be really bad for new users; it guarantees a high bounce rate!
Can you guys give it a try and see if this is true.
Also, as an answer: I would suggest you kindly check the app in incognito mode or in a fresh browser.
scope parameter in the URL that starts with https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly[other params here]

I keep getting an error that my app needs to be verified when either I or another user try to authorize with OAuth2. What does that mean?

I received this error when trying to authorize my app with my own account:
Your project is trying to access scopes that need to go through the verification process.
{invalid=https://www.googleapis.com/auth/contacts}
If you need to use one of these scopes, submit a verification request. Learn More
When I use a different account, the error message is different:
This app hasn’t been verified to access:
{invalid=https://www.googleapis.com/auth/contacts}
Are you the developer? If this project needs these scopes, sign in to an account with access to edit your project and try again.
If not, contact the developer for help.
As per the announcement on May 11, 2017, publicly available applications with access to certain user data must pass review. If you see an access error for your app, submit a request using our OAuth Developer Verification form.
For personal-use apps and those you are testing, join the Google group Risky Access Permissions By Unreviewed Apps, which allows you to approve data access for personal and testing accounts. See the Google API Services User Data Policy for more information.
UPDATE: Corrected broken link to form.

How does the Google Apps Marketplace SSO requirement work?

We're trying to figure out how to submit to the marketplace, but are not sure what we need to do to alter our existing signup flow to accommodate the SSO requirement.
Our app was not originally built to be a marketplace app, so our signup flow is built for individual users. We are already following the OAuth2 flow as outlined on this documentation page. However, it's not clear to me how this works for an entire org when installing from the context of a marketplace app.
Does the admin grant access to all the individual scopes we currently request for the entire org at once? Is there need for some sort of service account or something, since we currently are requesting offline access? I'd like to understand what changes we need to make to our server's signup flow, or whether it is just a scope / manifest mismatch.
We currently request the following scopes from an individual user when signing up.
['email', 'profile', 'https://mail.google.com/', 'https://www.googleapis.com/auth/calendar'],
Exact questions are...
What (if anything) do we need to do to alter our current individual-focused signup flow to accommodate a Google Apps Admin signing up their whole domain?
What scopes do we need in our Google Apps Admin listing, and how do they relate to the scopes we currently request from individuals?
There are not so many changes if you are already using three-legged OAuth2.
The first change would be in your project in the developer console. There you need to enable the Marketplace SDK and make the necessary configurations. Here you will add the scopes that your app will request, and those are the scopes that the admin will see when installing the app.
The admin will see the scopes your app is requesting, and he will decide if it's ok to install the application in the domain. If it is approved, then yes, the admin would grant access to the entire domain.
Offline access is part of the OAuth flow: after you receive the refresh token, you can continue refreshing the access token without having the user grant access again.
It is not necessary to have a service account. The service account has two purposes:
To manage information related to the application. In this case the service account can have access to its own drive to store and retrieve information that is related to the app functionality.
Impersonation of users. When using domain delegation of authority, you can use a service account to impersonate any user in a domain and act on their behalf to make API calls.
To deploy your app, you also have to create a new project in the Chrome Web Store, with a manifest for Marketplace.
To answer your questions:
It's not necessary that you modify your current OAuth flow. The admin will install the app in the domain, but when a user accesses the app, the authentication process is the same as for an individual.
The scopes in your Marketplace SDK configuration should match the scopes your app will use. This is mostly for security reasons: it wouldn't be safe if you install an app with some scopes and then the app uses different scopes.
You can try your app before actually deploying it by adding trusted testers in the Chrome Web Store dashboard or in the Console API configuration. This way you can check if your flows and all the configurations were done correctly.
Hope this helps. Let me know if you have more questions.
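The recurring cause in these threads (the first question, the Gmail consent-screen question and this answer) is a mismatch between the scopes registered in the console and the scopes the app actually sends in its authorization request. The following is an added example, not code from any of the posts: it normalises Google's short aliases (`email`, `profile`) and reports which requested scopes were never registered. The registered list, client_id and redirect_uri are constructed sample values.

```python
"""Detect runtime scopes that are not covered by the console / Marketplace SDK
registration. Added example; registered list and URL below are constructed."""
from urllib.parse import urlparse, parse_qs

# Google accepts these short aliases for the OpenID Connect userinfo scopes;
# normalising them avoids a false mismatch between "email" and the full URL.
SCOPE_ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}


def normalize_scopes(scopes):
    """Return a set of canonical scope URLs, ignoring empty entries."""
    return {SCOPE_ALIASES.get(s.strip(), s.strip()) for s in scopes if s.strip()}


def requested_scopes(auth_url):
    """Extract the space-separated scope parameter from an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return normalize_scopes(" ".join(query.get("scope", [])).split(" "))


def scope_mismatch(registered, auth_url):
    """Scopes the app asks for at runtime that were never registered.

    A non-empty result is exactly what produces a fresh consent pop-up for
    every user after an admin install, or the unverified-app interstitial
    when the unregistered scope is a sensitive one."""
    return requested_scopes(auth_url) - normalize_scopes(registered)


# Constructed sample: what the admin approved at install time.
REGISTERED = [
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
]

# Constructed sample: the URL the app actually redirects users to.
AUTH_URL = (
    "https://accounts.google.com/o/oauth2/auth?client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth2callback"
    "&response_type=code"
    "&scope=email%20profile%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar"
)

if __name__ == "__main__":
    print("unregistered scopes:", sorted(scope_mismatch(REGISTERED, AUTH_URL)))
```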

Google Calendar - Permission to Access

Is it possible for me to create an application that can send our requests to access users' Google Calendar so that I can see the events in there and be able to add, edit, and delete events?
I do not want the users to log into my website to enable this access. Rather, I want to be able to send this request, perhaps via email.
Alternatively, perhaps they could log in the web app and authorize access themselves somehow.
One option would be to e-mail the user a link to the OAuth 2.0 consent screen. The users would still need to open the link in a browser, sign in to their Google account (if not already signed in), and click the "Authorize" button to grant your application access to their Google calendar events.
First, you will need to register your application as a Web App in Google's Developer Console (just like for any other application) and obtain a client_id. Be sure to fill in the name of your application and a link to your website in the "OAuth consent screen" section, because these values will be shown to your users when they click the authorization link.
Then, follow these steps:
Send the user an authorization link in an HTML e-mail message. The link should be constructed according to the guidelines in "Redirecting to Google's OAuth 2.0 server", and pay attention to the following aspects:
Ensure that the redirect_uri parameter in the authorization link points to your application.
Since you already know the e-mail address of the user, consider including the login_hint=<email address> parameter to bypass the account selection screen.
Important: provide a value in the state parameter so that you can link this authorization request with the user.
The link should be placed in an <a> tag somewhere in the body of the e-mail: Allow access to my Google calendar
When the user clicks on this link, their browser will open and show the standard Google consent screen:
Once the user has made a choice, their browser will be redirected to the redirect_uri which you have provided.
Make sure that the redirect_uri will work even if the user isn't signed in to your application. Capture the state and authorization_code values which Google appends to the redirect_uri, and then return a confirmation page (e.g. "Thank you for giving us access to your Google calendar" would be a good idea).
Using the state and authorization_code values, follow the rest of the standard OAuth 2.0 flow and retrieve a refresh_token which will allow you to access the user's Google calendar from your application.
Keep in mind that the calendar owner (the user who is clicking the link in the e-mail and granting your application consent to access the calendar) may not even be a user of your application. This is why it is important to provide as much information as possible on the consent screen and in the confirmation page.
Since your confirmation page will be loaded even if the user does not grant your application consent, you could take the opportunity to give the user a full description of why you are asking for access to their calendar and provide a link that will take them back to the consent screen. This should increase your success rate.
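The steps above hinge on the state parameter: since the calendar owner may never sign in to your application, state is the only thing that ties Google's redirect back to the person you e-mailed. Below is an added example (not the answerer's code) that builds the link with login_hint, access_type=offline and a single-use state, then validates that state on the callback; CLIENT_ID, the redirect URI and the e-mail address are constructed sample values.

```python
"""Build the e-mailed authorization link and verify state on the redirect.
Added example; CLIENT_ID, REDIRECT_URI and addresses are constructed."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"
CLIENT_ID = "EXAMPLE_CLIENT_ID.apps.googleusercontent.com"  # constructed
REDIRECT_URI = "https://app.example.com/oauth2callback"     # constructed
CALENDAR_SCOPE = "https://www.googleapis.com/auth/calendar"

# Server-side store: state -> e-mail address the link was sent to.
# Each entry is consumed on first use so a link cannot be replayed.
_pending_states = {}


def build_authorization_link(user_email):
    """Return the URL to place in the <a> tag of the e-mail."""
    state = secrets.token_urlsafe(32)          # unguessable, single use
    _pending_states[state] = user_email
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": CALENDAR_SCOPE,
        "login_hint": user_email,   # we already know the address: skip chooser
        "access_type": "offline",   # needed to receive a refresh_token later
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def handle_callback(callback_url):
    """Process Google's redirect. Returns (user_email, code); code is None
    when the user declined. Raises ValueError for unknown or reused state."""
    q = parse_qs(urlparse(callback_url).query)
    state = q.get("state", [None])[0]
    user_email = _pending_states.pop(state, None)   # pop: single use
    if user_email is None:
        raise ValueError("unknown or reused state; ignore this callback")
    if "error" in q or "code" not in q:
        return user_email, None   # still show the explanation page
    return user_email, q["code"][0]


if __name__ == "__main__":
    link = build_authorization_link("owner@example.com")
    print(link)
```

After handle_callback returns a code, exchange it at the token endpoint as in the standard flow; the refresh_token in that response is what lets the application read the calendar later without the owner present.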
Every request your application sends to the Google Calendar API must include an authorization token. The token also identifies your application to Google.
Your application must use OAuth 2.0 to authorize requests. No other authorization protocols are supported. If your application uses Google+ Sign-In, some aspects of authorization are handled for you.
The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing.
For more details on the workflow to gain access click here. Once your app has access, it will be able to view and edit a user's calendar events, depending on the approved permissions.