I am in the process of implementing an OAuth2 flow for a sensitive scope in my chrome extension. In order to remove the 'unverified app' warning in the OAuth2 popup I must verify the app in the Google Cloud Console.
The verification form requires 'Authorized domains' though, and it does not accept a chrome extension URL of the form 'chrome-extension://', neither does it accept a URL of the form '.chromiumapp.org'.
Is it possible to provide another domain I own as the authorized domain, and still initiate an OAuth2 flow from the chrome extension using chrome.identity.getAuthToken({interactive: true}...?
I think you need to read though the documentation on application verification
The very first one mentions that your domain must be authorized and verified in search console. The files must also be hosted on your verified registered domain.
It clearly states that
Links to the Google Play Store or Facebook are not considered valid application homepages.
The only requirements are that
Domain is registered in Search console.
Home page listed in the auth screen is relevant to your app.
So i don't see any reason you can't put it on one of your other domains. Just make sure that it qualifies for this clear its relevance to the app you’re verifying
Relevant points in the documentation.
Verify ownership of your project’s authorized domains using the Search Console. Use an account that is either a Project Owner or a Project Editor of your Cloud Console project.
Then the section about
Make sure that your homepage meets the following requirements:
Your homepage must be publicly accessible, and not behind a sign-in page.
Your homepage must make clear its relevance to the app you’re verifying.
Your homepage must be accurate, inclusive, and easily accessible to all users.
Links to the Google Play Store or Facebook are not considered valid application homepages.
There is also the Privacy posily
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
I have a video that goes though the application verification process. Google OAuth. What you need to know about verification in 2021.
Related
I'm writing an Apps Script Add-on for Google Sheets. There are duplicate fields on the OAuth consent screen and the Google Workspace Marketplace SDK Store Listing screen. These are "Terms of Service" and "Privacy Policy" URLs.
Do they need to be filled out in both places? It appears that they are optional on the OAuth consent screen since they do not have an asterisk next to them. Is that true?
If they do need to be entered in both places, do they need to match? On the Store Listing, I used URLs pointing to a shared (with everyone) Google Doc. But on the OAuth screen, it appears they are requiring the documents to be on my website, since they are under the App domain section.
I've seen a working tutorial from a few years ago where a shared Google doc was used for the store listing. But has that policy changed and now do they have to be on my website?
If you are planning to make the OAuth Consent Screen for External users you should add the Terms and Conditions as well the Privacy Policy fields, otherwise it's very unlikely that it will be approved in the verification process, if it will be for Internal users you might try to keep these fields empty as in this case the OAuth Consent Screen will not be verified.
Regarding if these fields should match the fields on the Marketplace listing, it will be weird if they doesn't match. AFAIK Google doesn't review exhaustively the Marketplace listings but if users complain the might review it. They might contact you giving some recommendations, disable the Marketplace listing, etc.
If you want to use a Google Editor files for your TOS and Policy files, you might embed them in a Google Site with a custom URL.
Resources
Use a custom domain for your site
I found the following information about the "Privacy Policy" URLs:
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
Based on the first requirement, I will say they need to be the same URL under the Google Workspace Marketplace SDK Store Listing and the OAuth consent screen in the project.
However, there is no such restriction for the Terms of Service inside Google Documentation.
Reference:
OAuth API verification FAQs.
Getting prepared for verification
When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.
I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?
I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.
So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.
As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.
According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com
To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.
From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain
Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.
Related
How to Properly Configure GAS Web App (as another user) to Execute GAS API Executable (as me) using OAuth2?
User access request when GAS run as the user
While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:
Webapp#1:
Run as: Me
Access: Anyone even anonymous
Webapp#2:
Run as: User
Access: Anyone
You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.
References:
Authenticate with a server - Here, webapp#1 acts as server and webapp#2 acts as client.
ScriptApp.getIdentityToken()
Let's say we're developing an editor add-on (meant for publication) that does not need to interface to third party services (only to a self-developed API server, A). Does A need to implement OAuth i.e. issue tokens and so on, or is it sufficient to use the OpenID token received from Google with ScriptApp.getIdentityToken() as authentication for A (as mentioned at the bottom of [1]) ?
When the users start the plugin, they will anyway be faced with an OAuth consent screen, which mentions the scopes given in the addon's appsscript.json manifest file.
I don't find the requirements listed in the developer guide [1] clear when they mention "non-Google services".
In other words, will the Google security review fail my add-on if my API server A does not implement OAuth?
Thank you for any clarifications.
Edit : I'm not concerned with sensitive scopes.
[1] https://developers.google.com/gsuite/add-ons/how-tos/non-google-services
I have been developing an extension, which is using the chrome.identity API (chrome.identity.getAuthToken method) in order to receive the OAuth2 token for signing up extension users via Google+.
I would like to push this extension in a company via Google Admin Console, but when chrome.identity.getAuthToken method is being called, our extension users are present with the "Identity API Scope Approval" screen - the consent screen, where users have to authorize extension's access to scopes we want access to.
I am aware, how process of getting OAuth2 access tokens works in general, and that user's approval is normally required in order to receive the OAuth2 token.
However, is it possible to automatically skip & authorize this OAuth2 consent screen only for users, whose extension was deployed via Google Admin Console?
I've found an interesting on Chromium Bugs list, where OP states:
We are working on integrating Quickoffice for Chrome (which is a chrome extension) with the Drive Web UI. In order to handle OAuth we use chrome.identity, which works great.
and also the following:
since our extension is white listed as a first party app, we by pass the user content screen for the OAuth flow (which is what we want for the seamless integration with drive web ui).
I was not able to find any information, how to neither whitelist the extension as a first party app in order to prevent the consent screen from showing up, nor how to automatically authorize extension's access to those API scopes.
Any ideas?
If you include identity.email in the manifest permissions, and it is a force-installed extension or app through the admin console, then you will be able to get the user's identity and also the auth token without user oauth prompt approval.
However this only allows you to get the user's identity, no extended permissions. Any extended permissions (such as gdrive access, etc) need an oauth prompt.
According to the Google Drive documentation, an application needs a so-called "client secret" in order to interact with the Google Drive SDK -- even if, as in the case of a client-side JavaScript app, the code is plain for all to see. (Of course, it's not really that much safer in any other client-side code, it just makes for a bit more work to find the "secret"...)
So, um:
How is it okay to distribute these "secrets" inside applications?
Is there any reason why that logic wouldn't apply to open source computer programs?
BONUS: Wouldn't it make more sense to just use user-based authentication for such apps, without pretending to authenticate the app as being a specific app?
Whilst it's true that a Client Secret is generated for all apps that consume Google services, the Client Secret is never used by a browser/javascript app. Typically a browser-app (I use the phrase "browser-app" instead of "Javascript app" because a server node.js app is also using Javascript) would authenticate and authorize using the gapi library described here https://developers.google.com/api-client-library/javascript/reference/referencedocs#gapiauthauthorize. As you can see, Client Secret is never used.
So, picking out your questions ...
It isn't OK, don't do it, no need, see above.
See 1
You're conflating authenticating the user with authenticating the app. Both are needed, each for different purposes. In the case of a browser app, the authentication is done using a combination of the client ID, verified against the http origin (which the developer has previously declared to Google). Once the app is authenticated, we can then move on to authenticate the user by leveraging the OAuth authorization mechanism in conjunction with an extant Google session.