When your web app requests certain sensitive OAuth scopes from Google, you must have passed Google OAuth Client Verification. Failing to do so results in a “This App isn’t verified” page when a web client makes a Google OAuth consent request.
In this article, I explain when this unverified app page appears, how to handle Google OAuth client verification, and what to take care of before starting the process.
This App isn’t verified
There are several situations in which this screen appears. Some of them are:
— A web app that prompts the user to sign in with their Google account.
— A site that uses third-party tools like Hybridauth, which request a number of scopes.
— A website that asks to view, change, or create certain information, or to take actions, in your Google Account. An example is an app that reads your Google Calendar or Contacts, or manages your Gmail.
You can think of a scope as a permission that an app requests from you for your Google account. A scope is a grant to perform certain activities in your Google account, such as reading your profile information or learning your email address.
Facebook also uses scopes, for example email, public_profile or user_friends. Unlike Facebook, Google scopes are mostly in the form of a URL, except for the Google Sign-In scopes (profile, email, openid), which do not need approval.
What does Unverified App mean?
Your website might cause a Google app or script to display an unverified app screen before it displays the consent screen. Security Checkup might also show your app as risky and from an unverified developer. That screen means Google hasn’t reviewed your app or site.
Since July 18, 2017, Google has reviewed OAuth clients that request certain sensitive OAuth scopes, in order to protect users and their data from deceptive applications. So you must pass Google OAuth client verification if you wish to get rid of the “This App isn’t verified” screen during the OAuth consent flow.
Even though users can still grant the permission, almost all will decline, because they don’t trust you or because such a warning looks scary and risky. So your app needs to be reviewed and verified by Google; that gives your users confidence that your app is not malicious.
Prerequisites to OAuth Client Verification
You can ask Google to review the OAuth client used by your app. Once your app is verified after the review, your users will no longer see the unverified app screen. But there are a few requirements to meet before you apply to Google for OAuth client verification:
- You must have verified ownership with Google of the domain serving the app.
Verifying ownership with Google confirms that you own the domain and that you are the person authorised to initiate the review request. There is a separate process to verify ownership; it is explained in the article “Verify Site Ownership“.
Fill in the OAuth Consent Screen
The OAuth consent screen must contain enough detail for a successful OAuth Client Verification. Log in to your Google Developer Console account and choose the project you want. Go to Credentials under the API & Services explorer.
I believe you already have OAuth 2.0 client IDs there. Copy two IDs from the console, as you will need them a few minutes later: the first is the Project ID and the second is the OAuth client ID from Credentials. If you are also a Play Store developer and have an Android app, you can provide its client ID as additional information when filing the request.
Request OAuth Client Verification
You also need to list all the scopes your app wants to access. You can find all the Google OAuth 2.0 API scopes at the link below. In the next column, write how your app will use each requested scope, along with the features that require it. Inspect your code carefully so that this information is accurate.
Submit the form once you have filled in all the information. The Google team will review your application and reply within 2-7 days. If any information is missing, they will tell you what to provide. Your website users won’t see the “This App isn’t verified” screen after successful Google OAuth client verification.
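Before filling in the scope column of the form, it helps to check which scopes your app actually requests rather than relying on memory. The script below is an added example, not code from the article or from Google: it parses the scope parameter out of the authorization URL your app builds (a space-separated list, as OAuth 2.0 defines it), separates the Google Sign-In scopes (profile, email, openid) that need no approval from the URL-form scopes that must be declared, and builds the scope/usage rows the form asks for, flagging any requested scope you cannot justify. The sample URL, client ID and justification text are constructed placeholders.

```python
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Google Sign-In scopes; the article notes these do not need approval.
SIGN_IN_SCOPES = {"openid", "email", "profile"}

# Constructed sample: an authorization URL a web app might build for Google's
# OAuth 2.0 endpoint. The client_id is a placeholder, not a real value.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=PLACEHOLDER_CLIENT_ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fexample.com%2Foauth2callback"
    "&response_type=code"
    "&scope=openid%20email%20profile"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "&access_type=offline"
)

# Constructed sample: what the developer can say about each scope. The
# contacts scope is deliberately left out to show the missing-justification check.
SAMPLE_JUSTIFICATIONS = {
    "https://www.googleapis.com/auth/calendar.readonly":
        "Shows the user's upcoming events on the dashboard (placeholder text)",
}


def extract_scopes(auth_url: str) -> List[str]:
    """Return the scopes requested by an OAuth 2.0 authorization URL.
    OAuth 2.0 (RFC 6749) defines the scope parameter as a space-separated list;
    parse_qs already decodes the %20 and %2F escapes."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return [s for s in raw.split(" ") if s]


def classify_scopes(scopes: List[str]) -> Dict[str, List[str]]:
    """Split scopes into sign-in scopes (no approval needed), URL-form scopes
    (must be declared in the verification form) and anything else."""
    result: Dict[str, List[str]] = {"sign_in": [], "url_form": [], "other": []}
    for scope in scopes:
        if scope in SIGN_IN_SCOPES:
            result["sign_in"].append(scope)
        elif scope.startswith("https://"):
            result["url_form"].append(scope)
        else:
            result["other"].append(scope)
    return result


def justification_rows(scopes: List[str], justifications: Dict[str, str]) -> List[Dict[str, str]]:
    """Build one scope/usage row per non-sign-in scope, as the form asks for."""
    rows = []
    for scope in scopes:
        if scope in SIGN_IN_SCOPES:
            continue  # sign-in scopes need no justification in the form
        rows.append({"scope": scope, "usage": justifications.get(scope, "")})
    return rows


def unjustified_scopes(rows: List[Dict[str, str]]) -> List[str]:
    """Scopes the app requests but nobody can explain: either write the usage
    or drop the scope from the request (least privilege) before submitting."""
    return [row["scope"] for row in rows if not row["usage"]]


if __name__ == "__main__":
    scopes = extract_scopes(SAMPLE_AUTH_URL)
    groups = classify_scopes(scopes)
    print("Sign-in scopes (no approval needed):", groups["sign_in"])
    print("Scopes to declare in the form:", groups["url_form"])
    rows = justification_rows(scopes, SAMPLE_JUSTIFICATIONS)
    for row in rows:
        print(f"{row['scope']} -> {row['usage'] or '(no usage written yet)'}")
    print("Unjustified scopes:", unjustified_scopes(rows))
```

Running the script prints the two groups and then flags the contacts scope as unjustified, which is the point at which you either write down the feature that needs it or remove it from your authorization request. Reviewers look at exactly this mapping, so keeping the requested scopes to the minimum your features need both shortens the review and narrows what a compromised token could reach.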
Related links
- Google Apps Script
- Give an app permission
- Google Developer Console
- Google OAuth 2.0 API scopes
- OAuth client verification form