
Background: I'm the creator of PlantUML Gizmo, one of the first Google Docs add-ons. As such, it's a kind of legacy add-on, and I began the development long before there were today's processes of managing OAuth 2.0 scopes and consent (which are still evolving it seems). At one point I had to even migrate it to G Suite Marketplace, so I'm not entirely sure what the process of creating a new Add-on today would be like.

A few weeks ago I got an email from Google saying I must "Submit your apps’ sensitive scopes for OAuth API verification" before a certain date, which I'm trying to respect now.

Here is the list of scopes I see:

(Screenshot: List of scopes for Google APIs)

Two of them surprise me, namely email and profile. My add-on does not use these things directly, so I never (to the best of my knowledge) requested these scopes.

On the other hand, I remember that, in the early days, my add-on would request a permission of "Allow this application to run when you are not present" (see the list of permissions). The explanation I got from a Google employee (or on Google+ forums that are now dead) was that it was due to OAuth tokens being refreshed when you're offline. I never explicitly do anything in my code to run when users are not present!

So my question is why the email and/or profile scopes are required in my add-on as it's configured. I can easily delete those scopes today, but I'm afraid of breaking some functionality.

Clicking on Learn more on the Scopes page takes me to a long list of APIs. I can find the email scope on that page, and it says only:

https://www.googleapis.com/auth/userinfo.email View your email address

I didn't explicitly request that scope. How can I know if it's coming from an API call (e.g., saving preference data, etc.)? The same goes for the profile scope.

p.s. I have always found it frustrating as a user (developer) to know which features (API calls) require which permissions/scopes. I have always wanted transparency (and to provide it as a developer).

Fuhrmanator
  • The scope required by each call is detailed in the Apps Script documentation. You could also manually set the scopes in your manifest file, execute your add-on, and see where it breaks – tehhowch Aug 31 '19 at 17:49
  • Following instructions on [this page](https://developers.google.com/apps-script/concepts/scopes), I find that the project scopes are 3 OAuth Scopes required by the script: https://www.googleapis.com/auth/documents.currentonly https://www.googleapis.com/auth/script.container.ui https://www.googleapis.com/auth/script.external_request -- no mention of profile or email. I guess I can remove those, at least from the GAS perspective. – Fuhrmanator Aug 31 '19 at 18:17
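Pinning the scopes explicitly, as an added example that is not part of the question or of the add-on's own manifest: an `appsscript.json` that declares only the three scopes the Scopes page reported, so Apps Script stops inferring scopes from the code (the `timeZone` and `exceptionLogging` values are assumed placeholders).

```json
{
  "timeZone": "America/New_York",
  "exceptionLogging": "STACKDRIVER",
  "oauthScopes": [
    "https://www.googleapis.com/auth/documents.currentonly",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/script.external_request"
  ]
}
```

With `oauthScopes` set, any call that needs a scope missing from the list fails with a permissions error at runtime instead of silently widening the consent prompt, which is the "see where it breaks" check from the first comment.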

0 Answers