We Keep Coding

How to handle duplicate fields (TOS, Privacy Policy) on OAuth Consent & Marketplace Listing

I'm writing an Apps Script Add-on for Google Sheets. There are duplicate fields on the OAuth consent screen and the Google Workspace Marketplace SDK Store Listing screen. These are "Terms of Service" and "Privacy Policy" URLs.
Do they need to be filled out in both places? It appears that they are optional on the OAuth consent screen since they do not have an asterisk next to them. Is that true?
If they do need to be entered in both places, do they need to match? On the Store Listing, I used URLs pointing to a shared (with everyone) Google Doc. But on the OAuth screen, it appears they are requiring the documents to be on my website, since they are under the App domain section.
I've seen a working tutorial from a few years ago where a shared Google doc was used for the store listing. But has that policy changed and now do they have to be on my website?

If you are planning to make the OAuth Consent Screen for External users you should add the Terms and Conditions as well the Privacy Policy fields, otherwise it's very unlikely that it will be approved in the verification process, if it will be for Internal users you might try to keep these fields empty as in this case the OAuth Consent Screen will not be verified.
Regarding if these fields should match the fields on the Marketplace listing, it will be weird if they doesn't match. AFAIK Google doesn't review exhaustively the Marketplace listings but if users complain the might review it. They might contact you giving some recommendations, disable the Marketplace listing, etc.
If you want to use a Google Editor files for your TOS and Policy files, you might embed them in a Google Site with a custom URL.
Resources
Use a custom domain for your site

I found the following information about the "Privacy Policy" URLs:
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
Based on the first requirement, I will say they need to be the same URL under the Google Workspace Marketplace SDK Store Listing and the OAuth consent screen in the project.
However, there is no such restriction for the Terms of Service inside Google Documentation.
Reference:
OAuth API verification FAQs.
Getting prepared for verification

Google Drive API: Is it possible to have app without permission to access a file

I have an external application that is making use of OAuth 2.0 to connect to access Google Drive API.
The app has domain-wide delegation enabled and in the scope, it has been configured with the necessary Drive API.
So with this, will my app be able to access all the files in any user's Google Drive in the Google workspace, or is it possible that some files might not be accessible to my application?

The answer depends on the scope you choose in the Drive API, like there are different scopes with the Google Drive API, those are:
Recommended - These scopes provides the smallest scope of authorization access and does not require any app verification or security assessment.
Sensitive - These scopes allow access to Google User Data and require a sensitive scope verification process. For information on this requirement, see Google API Services: User Data Policy. These scopes do not require a security assessment.
Restricted - These scopes provide wide access to Google User Data and require you to go through a restricted scope verification process. For information on this requirement, see Google API Services: User Data Policy and Additional Requirements for Specific API Scopes. If you store restricted scope data on servers (or transmit), then you need to go through a security assessment.
I will go with one of the example of OAuth 2.0 scope information for the Drive API:
https://www.googleapis.com/auth/drive
The above Auth scope is restricted, and it gives you full, permissive scope to access all of a user's files, excluding the Application Data folder.
I hope this might be helpful for you.

OAuth requirement for publishable add-ons that only act as clients to Google

Let's say we're developing an editor add-on (meant for publication) that does not need to interface to third party services (only to a self-developed API server, A). Does A need to implement OAuth i.e. issue tokens and so on, or is it sufficient to use the OpenID token received from Google with ScriptApp.getIdentityToken() as authentication for A (as mentioned at the bottom of [1]) ?
When the users start the plugin, they will anyway be faced with an OAuth consent screen, which mentions the scopes given in the addon's appsscript.json manifest file.
I don't find the requirements listed in the developer guide [1] clear when they mention "non-Google services".
In other words, will the Google security review fail my add-on if my API server A does not implement OAuth?
Thank you for any clarifications.
Edit : I'm not concerned with sensitive scopes.
[1] https://developers.google.com/gsuite/add-ons/how-tos/non-google-services

Adding Google API OAuth scopes for an Add On project

I'm having an inordinate amount of trouble fixing my OAuth screen for my published Google Docs add on. Specifically, I've gone into the project to retrieve the scopes that the project accesses, and it gives me this list:
3 OAuth Scopes required by the script:
https://www.googleapis.com/auth/documents
https://www.googleapis.com/auth/script.container.ui
https://www.googleapis.com/auth/script.external_request
When I enter Google Cloud Console and attempt to edit the project and add these APIs, I simply can't. I keep typing in the latter two into the scope box and they just do not show up. I have a sneaking suspicion that this is why the OAuth still won't work...
TIA.

UPDATE: 7/6/20
The user interface for the G Suite Marketplace SDK in the Cloud Platform has recently changed for G Suite accounts. But for free / consumer accounts, it looks like it's hasn't been updated.
The information below is NOT for the new user interface. If the new user interface fixes this problem, then obviously this answer will become obsolete.
END UPDATE
Unfortunately, the user interface for adding scopes often fails when adding a new scope. When publishing an add-on, you need to enter your scopes in two different places:
The OAuth Consent page
The GSuite Marketplace SDK Configuration page
See the following image for adding scopes to the OAuth Consent page. Note that at the bottom, there is a link for adding a scope manually. Click that, and paste in your scope, then click the "Add" button.

Do All Google Oauth 2.0 Client need verification?

If I plan to use the following scope:
https://www.googleapis.com/auth/drive.file
Does Google need to verify my consent screen?
What does application type public mean? I'm assuming that if it is not accessible to everyone than it is not public.
Does sensitive scope always mean full access?

Verification is required if:
Your application type is public, and
You add a sensitive scope

Today, if you use a sensitive scope and trigger the Google OAuth authorization flow, you should see an unverified app screen that indicates that you need to apply for app verification.
You do not need to request a review if one of the following is true:
Your app is an enterprise application built only for your enterprise users. You should make sure your Google Cloud Project is associated with your cloud organization
You are building an app just for yourself or a few users. See the 'OAuth user quotas' section here.