When your web app requests certain sensitive OAuth scopes from Google, you must have passed Google OAuth client verification. Otherwise, users see the “This App isn’t verified” page when your web client makes a Google OAuth consent request.
In this article, I explain when this unverified app page appears, how to handle Google OAuth client verification, and the things to take care of before starting the process.
This App isn’t verified
There are several situations in which this screen appears. Some of them are:
— A web app that triggers Sign-In to the user with their Google account.
— When you utilize third-party tools like Hybridauth, which request a number of scopes.
— When a website asks to view, change, or create certain information or take actions in your Google Account. An example is an app that sees your Google Calendar/Contacts or manages your Gmail.
You can think of a scope as a permission that an app seeks from you with regard to your Google account. A scope is a grant to perform certain activities in your Google account, like reading your profile information or learning your email address.
Facebook also uses scopes, for example email, public_profile or user_friends. Unlike Facebook’s, Google scopes are mostly in the form of a URL, except for the Google Sign-In scopes (profile, email, openid), which do not need approval.
What does Unverified App mean?
Your website might cause a Google app or script to display an unverified app screen before it displays the consent screen. Security Checkup might also show your app as risky and from an unverified developer. That screen means Google hasn’t reviewed your app or site.
Since July 18, 2017, Google has reviewed OAuth clients that request certain sensitive OAuth scopes, in order to protect users and their data from deceptive applications. So you must pass Google OAuth client verification if you wish to get rid of the “This App isn’t verified” screen during the OAuth consent flow.
Even though users can still grant the permission, almost all will deny it because they don’t trust you, or because such a warning looks scary and risky. So your app needs to be reviewed and verified by Google. It gives your users confidence that your app is non-malicious.
Prerequisites to OAuth Client Verification
You can ask Google to review the OAuth client used by your app. Once your app is verified after the review, your users will no longer see the unverified app screen. But there are a few requirements to meet before you apply to Google for OAuth client verification:
- You must have verified ownership, with Google, of the domain serving the app.
- Your app or website must have a privacy policy page, and it must be hosted on the same domain.
Verified ownership confirms to Google that you own the domain and that you are the person authorised to initiate the review request. There is a separate process to verify ownership, and it is explained in the article “Verify Site Ownership“.
Also create a privacy policy page on your website’s domain, describing what user data you collect, how it will be used and how the user’s privacy will be protected. After creating the page, follow the further instructions described here before filing a review request.
Fill up OAuth Consent Screen
The OAuth consent screen must have enough details for a successful OAuth client verification. Log in to your Google Developer Console account and choose your desired project. Go to Credentials under APIs & Services.
Now switch to the OAuth consent screen tab there. Provide and save the details asked for, including the Privacy policy URL. Then you need to file a review request for your project’s OAuth client.
I believe you already have OAuth 2.0 client IDs there. Copy two IDs from the console, as you will need them a few minutes later: first the Project ID, and second the OAuth client ID from Credentials. If you’re a Play Store developer as well and have an Android app, you can also provide its client ID as additional information when filing the request.
Request OAuth Client Verification
https://support.google.com/code/contact/oauth_app_verification
Go to the URL above and fill in the form. The Project ID and OAuth client ID are the ones we just copied. We have already discussed the requirements of verifying website ownership and the privacy policy URL.
You also need to provide all the scopes your app wants to access. You can find all the Google OAuth 2.0 API scopes at the link in the references below. In the next column, write how your app will use each requested scope, along with the features that require it. You should carefully inspect your code to specify this information.
Submit the form after you have filled in all the information. The Google team will review your application and reply within 2-7 days. If any information is missing, they will tell you. Your website users won’t see the “This App isn’t verified” screen after successful Google OAuth client verification.
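As an added example (not code from the article), the Python helper below builds a Google authorization request URL and then audits the scopes it asks for, separating the Google Sign-In scopes the article says need no approval (openid, email, profile, in short or full userinfo URL form) from every other scope, which is exactly what you must list and justify on the verification form. The client ID, redirect URI and the calendar scope used in the sample call are constructed values.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Google's OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Google Sign-In scopes that need no verification (per the article). Google
# accepts both the short names and the full userinfo URL forms, so both are
# mapped to the short name used on the consent screen.
BASIC_SIGN_IN_SCOPES = {
    "openid": "openid",
    "email": "email",
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "profile": "profile",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Build the authorization request URL your web client would redirect to."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),   # OAuth 2.0 scopes are space separated
        "state": state,              # CSRF token tying the callback to the session
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def requested_scopes(auth_url):
    """Extract the list of scopes an authorization URL requests."""
    query = parse_qs(urlparse(auth_url).query)
    return [s for s in query.get("scope", [""])[0].split() if s]


def audit_scopes(auth_url):
    """Split requested scopes into basic Sign-In scopes and scopes to justify on the form."""
    basic, needs_review = set(), set()
    for scope in requested_scopes(auth_url):
        if scope in BASIC_SIGN_IN_SCOPES:
            basic.add(BASIC_SIGN_IN_SCOPES[scope])
        else:
            needs_review.add(scope)
    return {"basic": sorted(basic), "needs_review": sorted(needs_review)}


if __name__ == "__main__":
    # Constructed sample: a sign-in flow that additionally reads the user's calendar.
    url = build_auth_url("CLIENT_ID_PLACEHOLDER", "https://example.com/oauth/callback",
                         ["openid", "email", "https://www.googleapis.com/auth/calendar.readonly"],
                         "constructed-state-token")
    print(audit_scopes(url))
```

Run this against every authorization URL your app actually builds; the "needs_review" list is what goes into the scope column of the verification form.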
References:
Google Apps Script
https://developers.google.com/apps-script/guides/client-verification
Unverified apps
https://support.google.com/cloud/answer/7454865
Give an app permission
https://support.google.com/accounts/answer/7455163?hl=en
Google Developer Console
https://console.developers.google.com
Google OAuth 2.0 API scopes
https://developers.google.com/identity/protocols/googlescopes
OAuth client verification form
https://support.google.com/code/contact/oauth_app_verification
As you mentioned above, “..Google Sign-In scopes (profile, email, openid) which do not need approval.” I’ve received a mail from Google with the following content.
> After further review of your request, we see that your home page url https://example.com contains no content for users to view (as shown in the screenshot attached). We would need to test the sign-up flow on the app as a part of review process.
> For us to proceed with the verification process, please provide us with a working link of your app where we could test the OAuth flow for the scopes that you have requested for.
More detail: https://stackoverflow.com/questions/53808206/values-of-google-oauth-consent-screen-for-mobile-app
@disqus_3VqekXgTTK:disqus
I’m not sure what you are processing. I got an email from Google informing me that these three don’t need approval. Maybe they have changed it after the new GDPR. Do you have a website where you’ve implemented Google Sign-In? Let me know.
If the screenshot isn’t the same as the app/site then it is suspicious. Also, if you’re signing in with Google, place a good button displaying the Google logo along with the Sign In text. No matter whether it’s an app or web, make a working project first which utilizes the permissions.
If it is an app then pass the Play Store URL. I understand that it’s harder when it comes to implementing Google/Facebook services. Do let me know later how you fixed it.
As they’ve documented that only 100 authentications are allowed until the app is verified and the verification process can take a long time (1 week generally), I was a bit worried.
They’re asking for the homepage link which is hosted on an Authorized Domain. And I need to prove the ownership of the domain. So I doubt if I can share the Google Play Store URL. I’ve dropped them an email but, as expected, no response from Google.
@disqus_3VqekXgTTK:disqus
What do you mean by hosted on an Authorized domain? Is it a domain transfer that needs approval? And have you started facing the Unverified screen?
Also, please provide the exact URL; without it, people don’t love to support. If you wish to share the URL privately, drop an email at contact@astech.club
As per Google: To protect you and your users, Google only allows applications that authenticate using OAuth to use Authorized Domains. Your applications’ links (privacy policy and T&C) must be hosted on Authorized Domains.
Google authorizes a domain in multiple ways, like by hosting a static file, or a DNS TXT record, etc.
More detail can be found here: https://support.google.com/cloud/answer/6158849?hl=en-GB#authorized-domains
Do you mean my site URL? I’ve no issue to share but would it help?
@Amit Gupta
Yes. Your site URL and Authorized URL should be the same. Authorized URL means that you have ownership of the site URL.
The T&C and privacy pages should be pages of the site, and once you prove site ownership, it’s called an authorized domain.
Also, you should never remove the static file/meta etc., and the meta property should be accessible on every page of the site if you use this method to prove site ownership. Check the link (use the same email address for site ownership and the verification request).
https://fellowtuts.com/google/verify-site-ownership-google/
Thanks for your attention @Amit Sonkhiya. This was just a mistake from the Google team. They’ve approved it now. So basically there was no issue with what I configured. But it was a good learning.
@disqus_3VqekXgTTK:disqus
Welcome, and happy to know that the issue is resolved and you’re feeling peaceful. May I know what their mistake was?
Thanks. They didn’t mention anything. We create two types of credentials when we have an Android app with a backend: Android client and Web client. The web client can also be used for web application login. I believe it confused them.
Ok, let it be. They are human too, but Google troubles developers in many cases. Happy coding ahead.