For a project my teacher gave me, I have to add OAuth authentication to this project https://github.com/M66B/FairEmail so the project is able to connect to a Google account directly from the app and not from the Android phone, which also means being able to add multiple Google accounts on the app.

The thing is, I contacted FairEmail's dev, and he's saying that OAuth requires approval from Google, which I won't get without an expensive security audit.

But my teacher says the opposite, and I didn't see anything on the web about a security audit.

So I wanted your knowledge about that. Do you think it's possible to do it for free? Considering it's only for studies and won't be commercialized or whatever.

Thank you in advance and have a quack day!

Linda Lawton - DaImTo
Zarcoin
  • Which scopes are you requesting when you are authorizing your user? – Linda Lawton - DaImTo May 06 '21 at 10:23
  • As it's a mailing app I will have to access the Gmail API. Considering your response, I guess I can't access that without paying for a security audit even in the testing phase. Am I understanding it right? – Zarcoin May 06 '21 at 11:11

1 Answer

When you first created an app on Google Cloud console you had to configure the consent screen and tell Google which APIs you will be accessing.

Currently your project is in testing status. While it's in testing there are some limitations imposed upon your project. Once your project is complete and you are ready to go to production you may be required to verify your app. The process of verification can be a little complicated, but it depends upon a few things:

  • which API you are accessing.
  • which level of scope your application is using: read-only, write, or full access.

If your application is accessing the Google Drive API or the Gmail API then you may very well have to pay for a security audit every year, which costs between 15k and 75k.

Let your teacher know there have been a lot of changes in this over the last year or two. Here are some links that will make you look good.

Links:

Linda Lawton - DaImTo
  • I'm gonna paste the same comment I wrote above so you may have the notification faster here: As it's a mailing app I will have to access the Gmail API. Considering your response, I guess I can't access that without paying for a security audit even in the testing phase. Am I understanding it right? – Zarcoin May 06 '21 at 11:13
  • If you're using one of the Gmail scopes then yes, you're going to need a security audit as that is a [restricted scope](https://support.google.com/cloud/answer/9110914) – Linda Lawton - DaImTo May 06 '21 at 11:27
  • From what my teacher says, it's free until a certain amount of API calls that we won't exceed, as it's just for studies so it won't be used by anyone besides us for testing. – Zarcoin May 06 '21 at 12:09
  • Do you agree with that? – Zarcoin May 06 '21 at 12:10
  • If you have no plans to verify your application and it's just for a student project for testing, then your teacher is correct: you won't need to verify it and it's not going to cost you anything. However, you will have a max of 100 users who can log in to your application. Then it will stop working. – Linda Lawton - DaImTo May 06 '21 at 12:39
  • Top tip: if you run out of your 100 test users, just create a new project in Google Cloud console. – Linda Lawton - DaImTo May 06 '21 at 16:45