
Let's say we're developing an editor add-on (meant for publication) that does not need to interface to third-party services (only to a self-developed API server, A). Does A need to implement OAuth, i.e. issue tokens and so on, or is it sufficient to use the OpenID token received from Google with `ScriptApp.getIdentityToken()` as authentication for A (as mentioned at the bottom of [1])?

When the users start the plugin, they will anyway be faced with an OAuth consent screen, which mentions the scopes given in the add-on's `appsscript.json` manifest file.

I don't find the requirements listed in the developer guide [1] clear when they mention "non-Google services".

In other words, will the Google security review fail my add-on if my API server A does not implement OAuth?

Thank you for any clarifications.

Edit: I'm not concerned with sensitive scopes.

[1] https://developers.google.com/gsuite/add-ons/how-tos/non-google-services

ocramz
  • The API that you are making the request to will determine whether OAuth is needed or not when an HTTP Request is made to the API's URL with `UrlFetchApp.fetch(url)`. The Google add-on only detects whether the Apps Script code is making an HTTP Request with `UrlFetchApp.fetch(url)`. The add-on review doesn't evaluate the requirements of the API. If your add-on needs full access to Google Drive and/or Gmail, AND you are making an external request, then you'd need a security assessment which costs a lot of money. – Alan Wells Jul 02 '20 at 00:09
  • Does this answer your question? [Gmail add-on connecting to non-Google Services without oAuth](https://stackoverflow.com/questions/52000806/gmail-add-on-connecting-to-non-google-services-without-oauth) – Iamblichus Jul 02 '20 at 07:17
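
For the approach asked about above, where server A accepts the token from `ScriptApp.getIdentityToken()` as the credential, A has to validate that token itself. The following is an added example (not part of the original question, its comments, or Google's code) of those checks in Node.js: RS256 signature against a key selected by `kid`, then issuer, audience and expiry. The key pairs, `kid`, client ID and claims are constructed stand-ins; the assumption is that a real server would load keys from Google's published JWKS and use its own script's OAuth client ID as the expected audience.

```javascript
const crypto = require("node:crypto");

const GOOGLE_ISSUERS = ["https://accounts.google.com", "accounts.google.com"];
const b64url = (data) => Buffer.from(data).toString("base64url");
const decodeJson = (s) => JSON.parse(Buffer.from(s, "base64url").toString("utf8"));
// keys: Map of kid -> public KeyObject (constructed here; Google's JWKS in production).
function verifyIdToken(token, keys, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts;
  const header = decodeJson(h);
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // allowlist, not header-driven
  const key = keys.get(header.kid);
  if (!key) throw new Error("unknown kid");
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify("RSA-SHA256", Buffer.from(`${h}.${p}`), key, sig)) throw new Error("bad signature");
  const claims = decodeJson(p); // read claims only after the signature checks out
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error("wrong issuer");
  if (claims.aud !== expectedAud) throw new Error("wrong audience"); // token minted for another client
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  return claims;
}

// Constructed signer standing in for the token issuer (sample input only).
function signConstructedToken(privateKey, kid, claims) {
  const h = b64url(JSON.stringify({ alg: "RS256", kid, typ: "JWT" }));
  const p = b64url(JSON.stringify(claims));
  const sig = crypto.sign("RSA-SHA256", Buffer.from(`${h}.${p}`), privateKey);
  return `${h}.${p}.${b64url(sig)}`;
}

function demo() {
  const issuer = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const other = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const keys = new Map([["constructed-kid", issuer.publicKey]]);
  const aud = "PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"; // placeholder audience
  const now = 1700000000; // fixed clock so the sample is deterministic
  const base = { iss: "https://accounts.google.com", aud, sub: "constructed-user-id", exp: now + 3600 };
  const outcome = (privateKey, claims) => {
    try { return verifyIdToken(signConstructedToken(privateKey, "constructed-kid", claims), keys, aud, now).sub; }
    catch (e) { return e.message; }
  };
  return {
    valid: outcome(issuer.privateKey, base),
    forged: outcome(other.privateKey, base),
    otherAudience: outcome(issuer.privateKey, { ...base, aud: "some-other-client" }),
    expired: outcome(issuer.privateKey, { ...base, exp: now - 1 }),
  };
}
console.log(demo());
```

The audience check is the one that ties the token to this add-on: without it, A would accept a validly signed Google ID token issued to any other client.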

0 Answers