5

In Google Cloud, I use the OAuth Consent Screen for a "Sign In With Google" on a website.

I'm now looking to build a Google Workspace Add-on which requires additional scopes (Gmail, Calendar access).

Should this be added to the existing OAuth consent screen? Or should I make a new project ID for this?

I've tested, and it looks like I can add extra scopes to the consent screen, and the OAuth dialog only shows the scopes passed in the &scope=... when initiating an OAuth request.

d-_-b
  • You can also create multiple OAuth Clients in the same project. You can also request the desired scopes for each application using the same OAuth Client. Your question does not have enough details to provide a good answer. – John Hanley Jan 18 '22 at 20:50

2 Answers

1

You can add as many scopes as required to your OAuth consent screen; however, for a public app, you need to submit your OAuth screen for verification again.

  • In case of adding sensitive scopes, you need to justify the usage of those scopes and provide a screencast where it is shown how your app uses them.

  • In case of adding restricted scopes, you will need to undergo a paid verification process.

  • Also keep in mind that any app deployed from this project will prompt the user to authorize all the scopes featured in the manifest of your script (not necessarily all the scopes added to the OAuth consent screen in your GCP project). Asking the user to authorize more scopes than necessary might feel intimidating for the user.

Useful links:

ziganotschka
  • thanks @ziganotschka, is your last bullet point documented anywhere? I've tested and found that to not be true (`Also keep in mind that any app deployed from this project will prompt the user to authorize all the scopes featured in the OAuth screen. Asking the user to authorize more scopes than necessary might feel intimidating for the user.`) – d-_-b Jan 18 '22 at 15:20
  • What exactly is not true? That the user needs to authorize all scopes or that it would be intimidating? As for the authorization - I am not sure which kind of application you are deploying, but e.g. for an Apps Script Addon - the OAuth screen will ask the user to authorize all OAuth scopes featured in the manifest - if manually set. Documentation: https://developers.google.com/apps-script/concepts/scopes – ziganotschka Jan 18 '22 at 15:29
  • There are scopes listed in the Consent Screen, and scopes listed in the manifest (or OAuth redirect flow). I don't think that scopes listed in the Consent Screen are automatically shown if you redirect a user to a lesser-permission flow. – d-_-b Jan 18 '22 at 16:08
  • Hello @d-_-b, sorry if I explained myself in a confusing way: Yes, the scopes that the user needs to authorize when installing the Addon are only the ones listed in the manifest, not all of the scopes added to the Consent screen in your GCP console. I edited my answer to clarify. – ziganotschka Jan 19 '22 at 12:02
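
The distinction drawn in the question and comments above (scopes registered on the consent screen versus scopes sent in `&scope=`), as an added example that is not code from any of the posters. The flow names, the registered scope set, the client ID and the redirect URI are hypothetical; the "addon" entry models a redirect-based flow, not an Apps Script manifest.

```python
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
G = "https://www.googleapis.com/auth/"

# Assumed: scopes registered on the project's consent screen (the superset).
CONSENT_SCREEN_SCOPES = {"openid", G + "userinfo.email", G + "userinfo.profile",
                         G + "gmail.readonly", G + "calendar.readonly"}

# Hypothetical per-flow allow-lists: each flow requests only what it uses.
FLOW_SCOPES = {
    "sign_in": ["openid", G + "userinfo.email", G + "userinfo.profile"],
    "addon": [G + "gmail.readonly", G + "calendar.readonly"],
}

def build_auth_url(flow, client_id, redirect_uri, state):
    """Build the authorization URL for one flow, requesting only its scopes."""
    scopes = FLOW_SCOPES[flow]
    unregistered = set(scopes) - CONSENT_SCREEN_SCOPES
    if unregistered:
        raise ValueError(f"scopes not on consent screen: {sorted(unregistered)}")
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "response_type": "code", "state": state,
              "scope": " ".join(scopes)}  # only these are sent in &scope=
    return AUTH_ENDPOINT + "?" + urlencode(params)

def requested_scopes(auth_url):
    """Parse the scope parameter back out of an authorization URL."""
    return set(parse_qs(urlparse(auth_url).query)["scope"][0].split())

def check_granted(flow, token_response):
    """Compare the token response's scope field with what the flow asked for."""
    granted = set(token_response.get("scope", "").split())
    wanted = set(FLOW_SCOPES[flow])
    return {"missing": sorted(wanted - granted),
            "extra": sorted(granted - wanted)}

if __name__ == "__main__":
    # Constructed values, not real credentials.
    url = build_auth_url("sign_in", "constructed-id.apps.googleusercontent.com",
                         "https://example.com/oauth/callback", "constructed-state")
    print(sorted(requested_scopes(url)))
    # Constructed token response in which the user granted only one scope.
    print(check_granted("addon", {"scope": G + "gmail.readonly"}))
```
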
1

We have 5 different types of connections, Google Ads, GA, GA4, Google My Business and Google sign in. We are creating 4 different ones (combining the GA ones). The reason is that if something changes for any app, whatever the reason, all products may shut down.