Google Cloud API Services Oauth with a Testing App

Question

I have a small personal-use only app that logs into a [throw away] gmail account to pull out an auth-token so it can then run a scheduled job (turning on/off my home cameras). Its dead simple and works, except that the app is in GCP TEST mode and it looks like the gmail auth expires in 7 days.

I highly doubt based on the below requirements that I can promote the app, and I dont want to publish it regardless. I tried GCP Support and wound up here. Im sure Im not the only person that has dealt with the 7 day expiration on a personal project. Any ideas?

score 0 · Accepted Answer · answered Jan 10 '22 at 13:51

0

If you check the documentation for oauth2#expiration

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

The key hear is setting your project into production.

What you are showing in that image are requirements for application verification. You shouldn't have to go though verification for a single user app.

Try just setting it to prodcution and then wait a week and see if it still expires. It shouldn't

I highly doubt based on the below requirements

Unfortunately with the new security restrictions. I wouldn't doubt anything these days. They keep changing the rules.

answered Jan 10 '22 at 13:51

Linda Lawton - DaImTo

106,405
32
180
449

when I try to push publish, it brings up the verification screen. Ill try to figure out if I ticked something that requires verification – cgmckeever Jan 11 '22 at 14:10
Doesnt sound like a way around based on the use case "If your app uses Google APIs to access Google users’ data, you might have to complete a verification process before you publish your app. Restricted scopes are fewer in number, currently including only scopes used by the Gmail APIs." https://support.google.com/cloud/answer/9110914?hl=en – cgmckeever Jan 11 '22 at 14:15
Unfortunately this is the way thing work these days. Google says that you shouldn't need it for single use apps. Yet the way things work currently it appears that you do. There is no other option. If its in testing your refresh token is only going to last for seven days. If you go though verification then there are a lot of hoops to jump though not to mention with the gmail api your going to have to go though an expensive security audit. Have you considered using a workspace domain account, and a service account. You will only be able to access domain email addresses. – Linda Lawton - DaImTo Jan 11 '22 at 14:25
I have not considered that, and that sounds promising. Do you have a quick reference link that could get me up to speed on this idea? – cgmckeever Jan 11 '22 at 15:42
This is promising .. thank you .. https://support.google.com/a/answer/7378726?hl=en – cgmckeever Jan 11 '22 at 15:54
What language are you using? if you go with a workspace account you need to set up domain wide delegation properly. – Linda Lawton - DaImTo Jan 12 '22 at 08:43
1

python, I did go with the workspace and a new project under it. I think keeping it as an internal app it will all work. Ill see in 6 day – cgmckeever Jan 12 '22 at 16:56
Let me know if it works. I reported a bug about internal apps last year wonder if they fixed it. if it doesnt work set it to production as well. – Linda Lawton - DaImTo Jan 13 '22 at 08:22
1

DaimTo -- I think its been a week ... or its just shy of the 7 day mark. Its still working. If I dont post back ... that means it has continued to work. Thanks for the tip! – cgmckeever Jan 19 '22 at 14:29

Google Cloud API Services Oauth with a Testing App

1 Answers1