This App isn’t verified – Google OAuth Client Verification

Google OAuth Client Verification

When your web app requests certain sensitive OAuth scopes from Google, you must have passed Google OAuth Client Verification. If you have not, Google shows the “This App isn’t verified” page when your web client makes a Google OAuth consent request.

In this article, I explain when this unverified app page might appear, how to get through Google OAuth client verification, and the things to take care of before starting the process.

This App isn’t verified

There are several situations in which this screen appears. Some of them are:

— A web app that lets users sign in with their Google account.
— When you use third-party tools like Hybridauth which request a number of scopes.
— When a website asks to view, change, or create certain information or take actions in your Google Account. An example is an app that sees your Google Calendar/Contacts or manages your Gmail.

You can think of a scope as a permission that an app asks of you with regard to your Google account. A scope is a grant to perform certain activities in your Google account, like reading your profile information or learning your email address.

Facebook also uses scopes, for example email, public_profile or user_friends. Unlike Facebook, Google scopes are mostly in the form of a URL, except for the Google Sign-In scopes (profile, email, openid), which do not need approval.

What does Unverified App mean?

Your website might cause a Google app or script to display the unverified app screen before it displays the consent screen. Security Checkup might also show your app as risky and from an unverified developer. That screen means Google has not reviewed your app or site.

Since July 18, 2017, Google reviews OAuth clients that request certain sensitive OAuth scopes, in order to protect users and their data from deceptive applications. So you must pass Google OAuth client verification if you wish to get rid of the “This App isn’t verified” screen during the OAuth consent flow.


Even though users can still grant the permission, almost all will decline because they do not trust you, or because such a warning looks scary and risky. So your app needs to be reviewed and verified by Google. That gives your users confidence that your app is not malicious.

Prerequisites to OAuth Client Verification

You can ask Google to review the OAuth client used by your app. Once your app is verified after the review, your users will no longer see the unverified app screen. But there are a few requirements you must meet before you apply to Google for OAuth client verification, as below:

  1. You must have verified ownership with Google to the domain serving the app.
  2. Your app or website must have a privacy policy page and it must be hosted at the same domain.

Verified ownership confirms to Google that you own the domain and that you are the person authorised to initiate the review request. There is a separate process to verify ownership, and it is explained in the article “Verify Site Ownership”.

Also create a privacy policy page on your website’s domain, describing what user data you collect, how it will be used, and how the user’s privacy will be protected. After creating the page, follow the further instructions described here before filing a review request.


Fill up OAuth Consent Screen

The OAuth consent screen must contain enough detail for a successful OAuth Client Verification. Log in to your Google Developer Console account and choose your desired project. Go to Credentials from the API & Services explorer.

OAuth Consent Screen

Now switch to the OAuth consent screen tab there. You need to provide and save the details asked for, along with the Privacy policy URL. Then you need to file a review request for your project’s OAuth client.

OAuth client verification IDs

I believe you already have OAuth 2.0 client IDs there. Copy two IDs from the console, as you will need them a few minutes later. The first is the Project ID and the second is the OAuth client ID from Credentials. If you are a Play Store developer as well and have an Android app, you can also provide its client ID as additional information when filing the request.

Request OAuth Client Verification

https://support.google.com/code/contact/oauth_app_verification

Go to the URL above and fill in the form. The Project ID and OAuth client ID are the ones we just copied. We have already discussed the requirements of verifying website ownership and providing a privacy policy URL.

You also need to list all the scopes your app wants to access. You can find all the Google OAuth 2.0 API scopes at the link in the references below. In the next column, write how your app will use each requested scope, along with the features that require it. You should carefully inspect your code to specify this information accurately.
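To help with the scope explanation above and the per-scope justification column on the form, here is an added example (my own code, not from the article or from Google). It assumes the app keeps a feature-to-scopes map, treats only profile, email and openid as not needing verification (as the article states), and flags any requested scope no feature uses. The scope URLs are real Google API scopes; the feature names and requested list are constructed sample data.

```python
"""Audit requested Google OAuth scopes before filing client verification.

Assumptions (mine, not the article's): the app records which feature needs
which scope, and only the Sign-In scopes (profile, email, openid) avoid
verification. Feature names below are constructed sample data.
"""
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SIGN_IN_SCOPES = {"profile", "email", "openid"}  # no verification needed

# Constructed sample: which app feature needs which scope.
FEATURE_SCOPES = {
    "sign-in": ["openid", "email", "profile"],
    "calendar widget": ["https://www.googleapis.com/auth/calendar.readonly"],
    "contact import": ["https://www.googleapis.com/auth/contacts.readonly"],
}


def audit_scopes(requested, feature_scopes):
    """Return (justifications, unjustified, needs_verification).

    justifications: scope -> sorted features needing it (text for the form);
    unjustified: requested scopes no feature uses (drop them: least privilege);
    needs_verification: True if any scope is outside the Sign-In set.
    """
    requested = set(requested)
    used_by = {}
    for feature, scopes in feature_scopes.items():
        for scope in scopes:
            used_by.setdefault(scope, set()).add(feature)
    for scope in requested:
        # Google scopes are URLs except the three Sign-In scopes.
        if scope not in SIGN_IN_SCOPES and not scope.startswith("https://"):
            raise ValueError(f"unrecognised scope format: {scope}")
    justifications = {s: sorted(used_by[s]) for s in sorted(requested) if s in used_by}
    unjustified = sorted(requested - set(used_by))
    needs_verification = bool(requested - SIGN_IN_SCOPES)
    return justifications, unjustified, needs_verification


def build_consent_url(client_id, redirect_uri, scopes):
    """Build the consent URL; OAuth 2.0 scopes are space-delimited."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(set(scopes))),
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"
```

Run audit_scopes over the exact list your client sends to the consent endpoint; any scope it reports as unjustified should be removed from the app rather than explained away on the form.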

Submit the form after you have filled in all the information. The Google team will review your application and reply within 2-7 days. If any information is missing, they will tell you what to provide. Your website users will no longer see the “This App isn’t verified” screen after successful Google OAuth client verification.

References:

Google Apps Script
https://developers.google.com/apps-script/guides/client-verification

Unverified apps
https://support.google.com/cloud/answer/7454865

Give an app permission
https://support.google.com/accounts/answer/7455163?hl=en

Google Developer Console
https://console.developers.google.com

Google OAuth 2.0 API scopes
https://developers.google.com/identity/protocols/googlescopes

OAuth client verification form
https://support.google.com/code/contact/oauth_app_verification
