In 2019 I published a Word Add-In in the Office store. Last weekend I updated the application, changing the UI and expanding its functionality. At the same time I hosted it on a new domain. I also updated the privacy policy, as I am using a Google Analytics tag for obtaining data regarding the use of the application.
Considering the change in the URL, I submitted a new manifest file to the Office store for approval.
Following the certification process I received a message mentioning that the validation failed due to a critical validation failure related to 100.6.1 Privacy Policy.
Below is the message body:
Privacy Policy links must lead to information on your policies
regarding users’ personal information (a link to the old
privacy policy from the old domain is inserted here) Please update the Privacy Policy
link in the offer listing and re-submit your offer. Please Note: The
privacy policy must be displayed on the page opened.
The Office add-in is developed as an SPA based on the Vue framework. The Privacy Policy link is placed in the footer of the website and is not an actual HTML link but a button which on a click event will display an overlay and a modal containing the privacy policy text.
In the offer listing (which in my mind refers to the Dashboard of the add-in in the Partner Center) the URL for the privacy policy is the main URL of the add-in, as the button displaying the privacy modal appears on all pages (routes) of the application.
I am not quite sure if the problem arises from the fact that the privacy policy is not an actual HTML link leading to a new web page or whether there are other issues regarding the content of the policy itself.
In the Microsoft Partner Center Dashboard, in the Properties Section of the Add-In, I have an alert stating the following:
To pass certification, your privacy policy must include:
Information on your policies regarding user's personal information
Refer to the app or your service overall and NOT your website
Your service description must include the name of app submitted
A valid URL link that does not generate a 404 error
Again, I am not sure if this is an alert message customized to my particular situation or just a general alert which wishes to emphasize some general requirements regarding the privacy policy.
The commercial marketplace certification policies that you can find at this link
https://learn.microsoft.com/ro-ro/legal/marketplace/certification-policies#1006-personal-information
are not very informative in this respect.
So my questions are:
Is it mandatory for passing the certification process to actually have the privacy policy as an HTML link that opens in a separate page, or can it be a modal?
Why is the e-mail mentioning the failure referring to the old privacy policy (which was indeed an HTML link leading to a new web page)? Is this an indication that I need to keep the old way of displaying this privacy policy?
Considering that this is a Single Page Application, will a separate route for the privacy policy pass the certification process?
Any help on this matter will be appreciated, as I am not certain of what I need to change.
It would not hurt for this validation failure message to be more specific, either.
Related
I'm writing an Apps Script Add-on for Google Sheets. There are duplicate fields on the OAuth consent screen and the Google Workspace Marketplace SDK Store Listing screen. These are "Terms of Service" and "Privacy Policy" URLs.
Do they need to be filled out in both places? It appears that they are optional on the OAuth consent screen since they do not have an asterisk next to them. Is that true?
If they do need to be entered in both places, do they need to match? On the Store Listing, I used URLs pointing to a shared (with everyone) Google Doc. But on the OAuth screen, it appears they are requiring the documents to be on my website, since they are under the App domain section.
I've seen a working tutorial from a few years ago where a shared Google doc was used for the store listing. But has that policy changed and now do they have to be on my website?
If you are planning to make the OAuth Consent Screen for External users, you should add the Terms and Conditions as well as the Privacy Policy fields; otherwise it's very unlikely that it will be approved in the verification process. If it will be for Internal users, you might try to keep these fields empty, as in this case the OAuth Consent Screen will not be verified.
Regarding whether these fields should match the fields on the Marketplace listing, it will be weird if they don't match. AFAIK Google doesn't review the Marketplace listings exhaustively, but if users complain they might review it. They might contact you giving some recommendations, disable the Marketplace listing, etc.
If you want to use Google Editor files for your TOS and Policy files, you might embed them in a Google Site with a custom URL.
Resources
Use a custom domain for your site
I found the following information about the "Privacy Policy" URLs:
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
Based on the first requirement, I will say they need to be the same URL under the Google Workspace Marketplace SDK Store Listing and the OAuth consent screen in the project.
However, there is no such restriction for the Terms of Service inside Google Documentation.
Reference:
OAuth API verification FAQs.
Getting prepared for verification
I have this website where Bank users register using an API, and then the Bank can use our SSO login API to log their users in directly from the Bank's mobile app or website. Now the Bank wants to log into our website via Banno's OAuth, such that users log into Banno via the Bank and then log in directly to our website.
How can this be achieved? How will Banno know which user to log in? How can this be done without having users come to our website and fill in their login details? Can anyone help?
It sounds like your scenario is looking for Banno to be the 'Identity Provider', which is supported by our OAuth + OpenID Connect implementation in our Authentication Framework.
It'll be a good idea to take a look at the Consumer API OpenID Connect Example for inspiration.
When you run that example project, you can navigate in your web browser to https://localhost:8080/login.html. That'll show a page with a "Sign in with Banno" button. The page is meant to be a generic representation of what a non-Jack Henry web page would be.
Imagine that the button was formatted to say "Sign in with [Financial-Institution-name-goes-here]", it would be the same concept.
When you click the "Sign in with Banno" button, you'll be redirected to the Garden demo institution. This happens because the example project is configured to begin the authorization flow and use Garden.
If you're not signed in as your user in Garden, you'll be prompted to sign in.
It's worth noting that the username + password are never shared back to the example project...the user is logging into their (Banno-powered) financial institution.
After signing in (and accepting the permissions which have been requested), your web browser will be redirected to https://localhost:8080/me which finishes the authentication flow.
That page then displays the Identity Token for your convenience as a developer.
The content of the Identity Token is usable to cross-reference the user to your existing system and/or to prefill out registration forms.
Hope this helps!
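The cross-referencing step described in the answer above, sketched as an added example (not part of the original answer or of the Banno example project): the relying party checks the Identity Token's signature and standard OpenID Connect claims before mapping `sub` to a local account. The issuer URL, client id, subject values and account table are constructed, a locally generated key pair stands in for the provider's published signing key, and the relying party is assumed to have sent a nonce in its authorization request.

```javascript
const crypto = require('node:crypto');

// Constructed demo values (assumptions): issuer, client id, subject-to-account table.
const ISSUER = 'https://idp.example.test';
const CLIENT_ID = 'demo-client-id';
const accountsBySubject = new Map([['sub-1234', { localUserId: 42 }]]);
const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Stand-in for the identity provider: issues an RS256-signed ID token (demo only).
function signIdToken(claims, privateKey) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('sha256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Relying-party side: check signature and claims before trusting `sub`.
function verifyIdToken(token, publicKey, expectedNonce, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  if (fromB64url(h).alg !== 'RS256') throw new Error('unexpected alg'); // pinned; rejects "none"
  const ok = crypto.verify('sha256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = fromB64url(p);
  if (claims.iss !== ISSUER) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(CLIENT_ID)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (!expectedNonce || claims.nonce !== expectedNonce) throw new Error('nonce mismatch');
  return claims;
}

// Cross-reference the verified subject to an existing account; null means "not linked yet".
function resolveLocalUser(token, publicKey, expectedNonce) {
  const { sub } = verifyIdToken(token, publicKey, expectedNonce);
  return accountsBySubject.get(sub) || null;
}

// Constructed run: a local key pair stands in for the provider's signing key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const nonce = crypto.randomBytes(16).toString('hex');
const exp = Math.floor(Date.now() / 1000) + 300;
const goodToken = signIdToken({ iss: ISSUER, aud: CLIENT_ID, sub: 'sub-1234', exp, nonce }, privateKey);
console.log(resolveLocalUser(goodToken, publicKey, nonce));
```

Keying the local account on the verified `sub` rather than on an e-mail or display name keeps the link stable if the user changes those details at the institution.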
I am in the process of implementing an OAuth2 flow for a sensitive scope in my chrome extension. In order to remove the 'unverified app' warning in the OAuth2 popup I must verify the app in the Google Cloud Console.
The verification form requires 'Authorized domains' though, and it does not accept a chrome extension URL of the form 'chrome-extension://', neither does it accept a URL of the form '.chromiumapp.org'.
Is it possible to provide another domain I own as the authorized domain, and still initiate an OAuth2 flow from the chrome extension using chrome.identity.getAuthToken({interactive: true}...?
I think you need to read through the documentation on application verification.
The very first one mentions that your domain must be authorized and verified in search console. The files must also be hosted on your verified registered domain.
It clearly states that
Links to the Google Play Store or Facebook are not considered valid application homepages.
The only requirements are that
Domain is registered in Search console.
Home page listed in the auth screen is relevant to your app.
So I don't see any reason you can't put it on one of your other domains. Just make sure that it qualifies by making clear its relevance to the app you’re verifying.
Relevant points in the documentation.
Verify ownership of your project’s authorized domains using the Search Console. Use an account that is either a Project Owner or a Project Editor of your Cloud Console project.
Then the section about
Make sure that your homepage meets the following requirements:
Your homepage must be publicly accessible, and not behind a sign-in page.
Your homepage must make clear its relevance to the app you’re verifying.
Your homepage must be accurate, inclusive, and easily accessible to all users.
Links to the Google Play Store or Facebook are not considered valid application homepages.
There is also the Privacy Policy
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
I have a video that goes through the application verification process. Google OAuth. What you need to know about verification in 2021.
I'm trying to get Microsoft to approve a Web add-in that takes a user's email attachments and pushes them to our Web Application. We have some very robust testing notes (up to the max in the free form text box that is) and it includes access to an Office 365 mail account, which in the first submission attempt they told me was required.
In this recent attempt they sent back a response that we had incomplete testing notes:
Your submission did not include all information needed for successful
verification and testing of your offer. We were unable to login to
your Outlook account. Please see the attached (CannotLogin) image.
Please include all necessary instructions and resources for successful
verification and testing in the Notes for certification field when
re-submitting your offer. The Notes for certification field is
available on the Review and Publish page when you are editing your
offer listing.
That's it. They've never made any attempt to reach out to ask to sign in, but this seems to be required in testing. I'm wondering what we do to get this submission through. Do we leave out the email account to test with completely and have them test with one of their own accounts? Or do we put instructions in our submission explicitly to reach out to us for account verification? All we need them to do to test this is have some email with some attachments and use our credentials to our hosted web app (in our testing notes) to push that information to us.
** This is Microsoft's recommended source for support, which is odd, we've tried other forums to try to reach out. I'm aware this question may be 'off topic' according to SO guidelines. I've found that they've responded on Stackoverflow in better fashion.
**** Update ****
The submission attempt failed again. We included a specific email in our submission with test data in the account. Following screenshots explain that the requirement is an Office 365 account. Are we supposed to include an Organization domain specific office 365 account?
The validation team use their own test accounts to confirm the sign-up-for-an-account flow and the majority of the testing. If there are any features that require an account with unlocked features, say from a paid-for account, that needs to be provided by the add-in submitter. If a large amount of configuration is required or a large amount of test data needs to be present in the account, they will use the provided account. They must be able to log in and use that provided account, and as they validate a large amount of add-ins per day, there is no method to contact partners mid-validation. It is the add-in submitter's responsibility to ensure a test account is provided and that that account can be accessed.
TL;DR: Does storing an Instagram user access token count as "storing user personal data", and why is the Privacy Policy URL a required field?
- I have an app in Instagram.
- It's used to make API calls to get other users' public data (namely their posts to show on sites in an "Instagram widget").
- My app will always have only one user (me).
- My site doesn't store any user data, except for: one user auth_token (to make API calls) and a cache of API responses (other users' public posts).
To get my app out of sandbox I have to fill in "Privacy Policy url". What am I supposed to write in my Privacy Policy?
Will "My app/site stores no non-public user data" be enough and true (I still store my own token) in my case?
If the answer is "yes" to my second question, then why is the privacy policy URL a required field? As far as I know a privacy policy is needed only in case of actually storing private user data.
The Privacy Policy URL is required by the Instagram Platform Policy so that you can disclose:
What information you collect, and
How you will use that information
If you don't collect and use personal data from users, inform users of this practice in your Privacy Policy.
Your Privacy Policy must be used to disclose what kind of data you collect and how you use it. Example of a Privacy Policy that does not collect data from users from Ecquire:
For example, Lightwidget Privacy Policy discloses what type of data they collect through Instagram API: