Does anyone know if /auth/classroom.topics.readonly is a sensitive scope? All my sensitive scopes have a green checkmark icon but topics does not. The reason I ask is it is giving me problems with OAuth authorization. Could someone check if their approved consent screen has a green checkbox beside .topics.readonly?

There is no mention of topics here: https://developers.google.com/classroom/guides/auth Although it is mentioned here: https://developers.google.com/identity/protocols/oauth2/scopes

I reached out to the OAuth team many times with no answer. Users cannot move past the OAuth screen and I'm trying to figure out why.

utphx

2 Answers

It is true that /classroom.topics.readonly is missing in the list.

However, if you look at other scopes, you will see that it is always the full scopes that are considered sensitive, while the readonly scopes are always the recommended ones.

This makes sense, because full scopes allow you to modify the data, while readonly gives only view access.

It is correct that there is no green checkbox next to the /classroom.topics.readonly scope in the consent screen.

ziganotschka
  • /auth/gmail.addons.current.message.readonly is a sensitive scope and it is read only. This is weird because topics.readonly is 'authorized' in OAuth and if I list it on the G Suite Marketplace API config it gives this error: https://stackoverflow.com/questions/60582226/g-suite-marketplace-add-on-oauth-error-400-invalid-request-account-restricted/60963807#60963807. If I remove it from the Marketplace API then it installs fine. – utphx Apr 03 '20 at 17:57
  • /classroom.topics (without the readonly) also does not have a green arrow beside it, I'm confused if it is a sensitive scope. – utphx Apr 04 '20 at 21:45
  • My answer about `readonly` being not sensitive refers to classroom API. APIs like Gmail or Drive obviously have more restrictions since an email should only be readable for the recipient, while e.g. a classroom topic is visible for all students and domain members. `classroom.topics` without `readonly` is a sensible scope since it allows to create, modify and delete a topic, which only the course teachers are authorised to do. – ziganotschka Apr 05 '20 at 14:26
  • I had a look at your other question: if the problem is that only some users get the 400 error, those users should contact GSuite support to understand the issue. Are those users maybe not teachers of the specific course and thus do not have the permission to modify a topic? – ziganotschka Apr 05 '20 at 14:26
  • classroom.topics without readonly is NOT a sensitive scope, it does not have the green checkmark and I was able to add the scope without verification. This is unrelated to a specific course as this occurs at the install screen. It is definitely a setting on the user's G Suite account through the admin console but I don't know what it is. – utphx Apr 05 '20 at 14:30
The correct answer is:

/classroom.topics and /classroom.topics.readonly are BOTH non-sensitive scopes as shown in this screenshot from OAuth

utphx