I need Google OAuth for Google+ login on my OpenCart store. My app is requesting only the following scopes, and the app is public.

https://googleapis.com/auth/plus.me

https://googleapis.com/auth/userinfo.profile

https://googleapis.com/auth/userinfo.email

These are not sensitive scopes, and on my OAuth consent screen I see that the "Submit for verification" button is disabled and it says "Your changes don't require verification".

Still, customers see the unverified app screen ("This app isn't verified").

I have also submitted the OAuth app verification form at https://support.google.com/code/contact/oauth_app_verification . It's been more than a week and I have not got any response from Google.

Please suggest a way to remove the unverified app screen for my customers.

Haroon

4 Answers

Google will ignore your request for verification unless you have one or more sensitive scopes listed in the OAuth consent screen list of "Scopes for Google APIs".

e.g. an example of a sensitive scope in the Google OAuth consent screen

There are a bunch of steps for this, so I made a video while adding a sensitive scope to an OAuth consent screen.

Here are the steps, written out:

  1. First, be sure that all URIs associated with your project are hosted on HTTPS. This includes the Authorized Javascript URIs and Authorized Redirect URIs listed in each of the OAuth Credentials. Google won't approve any app that uses any insecure connections.
  2. Next, confirm that your OAuth app has enabled access to the sensitive API (such as People or Contacts API).
  3. Then, add the scope to your "OAuth consent screen".
  4. Finally, click the enabled "Submit for verification" button at the bottom of the form.
Graeme
  • So email, openid and profile are NOT sensitive scopes? If I need just them, can I use them without submitting a request? – Nux Jun 16 '19 at 19:45
  • That is correct. The difference is that those scopes provide access to the current user's information, not their contacts. – Graeme Jun 17 '19 at 21:59
  • I don't need contacts by the way. Thanks for reply – Nux Jun 18 '19 at 09:57
  • in 2019 I've spent the past hour trawling Google sites in search of which scopes are neither SENSITIVE nor RESTRICTED, yet cannot find it explicitly spelled out in Google's docs which scopes don't require verification. – joedotnot Dec 27 '19 at 19:51
  • @joedotnot here are the Restricted scopes: https://support.google.com/cloud/answer/9110914?hl=en#restricted-scopes. Google doesn't appear to publish a definitive list of sensitive scopes. The way to find out is by adding the scope in your GCP account and looking for the icon to indicate that the scope is sensitive. Here's where another SO user asked about it: https://stackoverflow.com/a/54374860/399615 – Graeme Jan 06 '20 at 19:00
You should not require app verification if you are only setting up 'Sign in with Google'. An app review is required if you request sensitive scopes. Google+ sign-in is deprecated; you should be using the branding-approved 'Sign in with Google' button: https://developers.google.com/identity/branding-guidelines

If you do use sensitive scopes, you should update the scopes section of the OAuth consent screen configuration to include all sensitive scopes you are requesting before the 'Submit for verification' button becomes available. In order to add your sensitive scopes on the configuration page, you need to enable the APIs you would like your project to access. For example, enable the Gmail APIs for your project by visiting the API library, then add the Gmail scopes to your consent screen configuration, fill out the additional information, and submit for verification.

Please see the 'User Consent' section of https://support.google.com/cloud/answer/6158849?hl=en for more information.

user2705223
  • I just need the scopes I have mentioned in my question. I am using the HybridAuth library for social logins on my website, so should I look into that to fix this? – Haroon Sep 29 '18 at 00:17
  • Your answer showed me the right path and I have found a way to fix my problem. Thanks! – Haroon Sep 30 '18 at 18:55
  • I have found that my app was not requesting sensitive scopes, but in my code I was requesting some sensitive scopes, like viewing the user's contacts list etc. – Haroon Sep 30 '18 at 18:56
  • @user2705223 Can we withdraw the app from verification after submitting the request if we are not using any sensitive scope? – iPhone 7 Feb 25 '20 at 05:56
  • is this still up to date as of upwards of March 2021? – PathToLife Apr 21 '21 at 09:52
Well, something is really off with my google account.

  • [x] All URLS HTTPS
  • [x] Sensitive scope not added
  • [x] App submitted for verification
  • [x] Got an email stating verification not required.

Now if I do the following events:

  • Open Incognito Browser
  • Click login with Google
  • Sign in using a general email ID (I used an email account from Gmail)
  • Here's the warning: This app isn't verified!!

If I try doing this in a normal browser where I am already signed in, this doesn't show up! This can be really bad for new users; it guarantees a high bounce rate!

Can you guys give it a try and see if this is true? Also, as an answer: I would suggest that you check the app in incognito mode or in a fresh browser.

Sarthak Sawhney
  • Same thing here and no way to resolve it yet. I did not add any sensitive scope and yet new users can't signup – Trapcode Jan 05 '20 at 05:42
  • Most likely, you have a sensitive scope in the Sign-in URL that you are sending your users to. Check out the `scope` parameter in the URL that starts with `https://accounts.google.com/o/oauth2/auth?`. If you pass any scope that is sensitive, your users will see the warning regardless of the scopes that you specified in your GCP project. For example: `https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly[other params here]` will result in the warning screen showing. – Graeme Jan 06 '20 at 19:23
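A pre-flight check for the situation Haroon ran into and Graeme's comment describes: the consent screen is driven by the `scope` parameter of the live authorization request, not by the scope list saved in the Cloud Console, so a login library that quietly asks for contacts will show "This app isn't verified" even though the project needs no review. The following is an added example, not code from the thread, from OpenCart or from HybridAuth. It assumes the basic sign-in scopes reported in the thread (openid, email, profile and their long userinfo forms) as the allow-list, since Google publishes no definitive list of sensitive scopes; the client ID, redirect URI and state values are made up.

```python
"""Audit the `scope` parameter of a Google OAuth 2.0 authorization URL.

Added example (not from the thread, OpenCart or HybridAuth). Anything outside
the basic sign-in scopes is reported as needing a look before the app goes
public; a non-HTTPS redirect_uri is flagged too, since Google will not approve
an app whose URIs use insecure connections.
"""
from urllib.parse import parse_qs, urlencode, urlparse

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/auth"

# Assumption: basic sign-in scopes as reported in the thread. Google does not
# publish a definitive sensitive-scope list, so anything not in this set is
# "needs review", not "definitely sensitive".
BASIC_SIGN_IN_SCOPES = frozenset({
    "openid",
    "email",
    "profile",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build the URL a 'Sign in with Google' flow redirects the browser to.

    Scopes travel space-separated in a single `scope` parameter; urlencode
    produces the %3A%2F%2F form seen in the comment above.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,  # anti-CSRF token bound to the user's session
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def extract_scopes(auth_url):
    """Return the individual scopes an authorization URL asks for, sorted."""
    query = parse_qs(urlparse(auth_url).query)
    # parse_qs yields a list per key; the scope value itself is space-separated
    # (%20 or '+' on the wire, both decoded to a space here).
    raw = " ".join(query.get("scope", []))
    return sorted(s for s in raw.split() if s)


def audit_auth_url(auth_url):
    """Report which requested scopes go beyond basic sign-in.

    Returns a dict with the requested scopes, the ones outside the allow-list,
    whether the request is sign-in only, whether it targets Google's endpoint,
    and whether redirect_uri is missing or not HTTPS.
    """
    parsed = urlparse(auth_url)
    query = parse_qs(parsed.query)
    requested = extract_scopes(auth_url)
    beyond_sign_in = [s for s in requested if s not in BASIC_SIGN_IN_SCOPES]
    redirect_uri = query.get("redirect_uri", [""])[0]
    return {
        "google_endpoint": parsed.netloc == "accounts.google.com",
        "requested": requested,
        "needs_review": beyond_sign_in,
        "sign_in_only": not beyond_sign_in,
        "insecure_redirect": not redirect_uri.startswith("https://"),
    }


if __name__ == "__main__":
    # Constructed sample: the contacts.readonly URL shape from the comment
    # above, with made-up client_id, redirect_uri and state values.
    suspect = (
        "https://accounts.google.com/o/oauth2/auth?"
        "scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
        "%20openid%20email&client_id=example-client-id"
        "&redirect_uri=https%3A%2F%2Fshop.example%2Foauth%2Fcb"
        "&response_type=code&state=abc123"
    )
    print(audit_auth_url(suspect))

    # The same flow restricted to sign-in scopes only.
    clean = build_auth_url(
        "example-client-id", "https://shop.example/oauth/cb",
        ["openid", "email", "profile"], "abc123",
    )
    print(audit_auth_url(clean))
```

To use this against a real deployment, capture the URL the login button actually redirects to (from the browser's address bar or network log, in a fresh or incognito session as the third answer suggests) and pass it to `audit_auth_url`; the `needs_review` list is what to remove from the library's configuration, or to add to the consent screen and submit, before the "unverified" screen goes away.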
Check the `scope` parameter in the URL that starts with `https://accounts.google.com/o/oauth2/auth?`, for example: `https://accounts.google.com/o/oauth2/auth?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly[other params here]`

  • scope parameter in the URL that starts with https://accounts.google.com/o/oauth2/auth? – Md. Yeasin Feb 09 '22 at 17:31
  • Please take the [tour], read [answer] and read https://stackoverflow.com/editing-help to improve your post. It currently gives an impression of a failed formatting test post.... but I think you actually try to help. So, do some polishing please. – Yunnosch Apr 11 '22 at 20:43