How to avoid Restricted Scopes OAuth verification process for private scripts used only by me? - google-apps-script

I have received an email from Google with the subject [Action Required] Submit your app(s) for Restricted Scopes OAuth verification, same as many of you.
I'm using GAS only for developing applications for my personal use, not for the public: applications such as sending summary emails to my clients when they buy a product from my web pages.
Do I have to go through the whole process of verification?
Do I have to create public Terms of Service?
Is there any way I can explain to Google that my applications are not used by anybody else than me?
How to get to know for sure that my app won't stop?
I have read through the FAQ (https://support.google.com/cloud/answer/9110914) and many other documents by Google about this topic.
I have checked similar questions found on the web, but with no luck finding answers. It looks like it's a pretty new experience for all of us.
Thank you for any advice.
I have a personal account, so I can't use the "internal apps" selection; this works only for paid G Suite customers, which I'm not.
EDIT:
As Yoel Vinitsky stated, an app doesn't need verification if it has only one user.
At the bottom of https://support.google.com/cloud/answer/7454865 there is a table which shows that there is a quota of 100 new users in total once the app presents the unverified app screen.
It seems like I don't have to worry about verification of my apps at all, because I'm the only user, or maybe I use this app from 2 or 3 more users' emails, so it should be ok. My question is: is it going to be ok without verification, or not?
EDIT 2:
Google sent clarification email:
NO ACTION is required if:
Only owners use the project: If the project is only used by owners of the project, no action is required.
To determine whether you are an owner (versus an editor or viewer), follow these steps:
Click the project link above to navigate to its OAuth Consent Screen configuration page.
Click the Navigation Menu button in the upper-left corner, select IAM & admin, and click IAM. This will show you all project contributors and their roles.
The project doesn't have users outside of your G Suite domain: If the project owner is using a G Suite account and the project is only used by Google Accounts in the project owner's domain, no action is required (learn more here).
But the question is how to avoid verification with personal accounts for my own scripts used only by me?

As mentioned in the support FAQ you linked to:
When can I skip publishing my app for a review?
You do not need to request verification if your app is going to be used in any of the following scenarios:
1) The app is not shared with anyone else.
2) The app is used to send emails through WordPress, or
3) similar single account SMTP plug-ins.
The only drawbacks should be the warning that your app is unverified and maybe quota limits.

Related

Authentication issues with apps script Web App

I am in the process of developing a Google Apps Script web app designed for school teachers and students. I have deployed a version of the web app with the following settings:
Execute as: User accessing the web app
Who has access: Anyone with Google account
My intention is to make this app available to anyone with a Google account (Gmail, or an edu/org Google account).
The app still has a Publishing status of 'Testing' in the 'OAuth consent screen' settings. I am trying to get a few users to test this web app.
Users in my Google domain all seem to be able to go through the OAuth2 steps and access it without issues.
Test users with @gmail.com accounts that I have added to the 'Test users' list in 'OAuth consent screen' settings are able to go through the OAuth2 steps and access it without issues.
BUT, test users that I have added to the 'Test users' list in 'OAuth consent screen' settings that are Google EDU domain accounts (not @gmail.com) cannot seem to get past the OAuth2 steps they are presented with. I have two such users, from two different Google EDU domains, and both have the exact same issue:
Upon accessing the app URL, they are presented with a Google sign-in prompt.
The user clicks on "Review Permissions" to open the OAuth flow in a popup.
The user chooses/confirms the Google EDU account they wish to use to sign in.
Everything is normal up to the above step, but on the next screen they see this message and there is no way to proceed:
Something went wrong
Sorry, something went wrong there. Try again.
The url on the popup at this point starts with https://accounts.google.com/info/unknownerror?access_type=offline&login_hint=xxx
Scopes requested, if relevant:
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/forms",
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile"
My questions:
How do I resolve this issue?
Is this issue specific to just the 'Testing' status, or might this still be an issue with the app when it is published?
Update: It appears that the issue goes away if I publish the app (in OAuth Consent screen settings).

Putting a stop to fake emails from our leadership team... how do I deploy my script?

I'm tired of my G Suite users falling for emails "from" our CEO and other leadership team members; the [EXTERNAL] tag that I appended to the subject of all external emails has been great but isn't helping everyone.
I have written a Google Apps Script that compares the "from" name of the sender to that user's company email and personal email, and then, if there is not a match, it forwards the email to IT (to confirm/let the user know if it was somehow legit) and then moves it to the user's trash.
I've got a trigger set up so it runs every minute. It's only looking 3 minutes back in emails so it doesn't waste resources/runs but also doesn't miss anything if it has an error for some reason. I have set it up individually for a couple of users and myself as a test, and it appears to be working great.
My question, after not finding a use case in the Google Add-ons examples that really fits this use case...
How do I best deploy this to all of my domain users such that it uses the existing 1-minute trigger, requires no user interaction (except maybe to install), and updates as I update the script? I'm reading stuff about cards and icons and triggers for opening an email and such, but none of this is what I'm looking for. I want it running in the background at all times so that if the user only looks at email on their phone or Mac Mail/Outlook, the script is still catching the phony emails.
Has anyone done anything like this? Google Support people, is there a page I've missed in my search for answers?
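The question above describes a check that compares the display name on the From header against the addresses that person is actually allowed to send from. The block below is an added example of that detection logic written for this page; it is not the poster's script. The LEADERSHIP watch list, the sample messages, and the function names are constructed assumptions. It is plain JavaScript so it runs offline; in Apps Script the From header would come from GmailMessage.getFrom() and the watch list from your own directory.

```javascript
// Added example (not the original poster's script): detection logic for
// display-name spoofing, the check the question describes.

// Constructed watch list: display names to protect, with every address that
// is legitimately allowed to use them (company plus known personal address).
const LEADERSHIP = [
  { name: "Jane Doe", addresses: ["jane.doe@example.com", "jdoe.home@example.net"] },
  { name: "Raj Patel", addresses: ["raj.patel@example.com"] },
];

// Split a From header into display name and address.
// Handles `"Name" <addr>`, `Name <addr>` and a bare `addr`; RFC 5322 comments
// and encoded words are out of scope for this example.
function parseFrom(fromHeader) {
  const m = fromHeader.match(/^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$/);
  if (m) {
    return { name: m[1].trim(), address: m[2].trim().toLowerCase() };
  }
  return { name: "", address: fromHeader.trim().toLowerCase() };
}

// Normalise a display name so "JANE  DOE" and "Jane Doe" compare equal.
// Non-ASCII letters are dropped here for simplicity; a production check
// should use a Unicode-aware comparison.
function normalizeName(name) {
  return name.toLowerCase().replace(/[^a-z ]/g, "").replace(/\s+/g, " ").trim();
}

// Classify one From header. A message is flagged only when the display name
// matches someone on the watch list AND the address is not one of theirs;
// unknown senders and bare addresses pass, which keeps false positives low.
function classifyMessage(fromHeader, directory = LEADERSHIP) {
  const { name, address } = parseFrom(fromHeader);
  if (name === "") {
    return { verdict: "pass", reason: "no display name to spoof" };
  }
  const norm = normalizeName(name);
  const person = directory.find((p) => normalizeName(p.name) === norm);
  if (!person) {
    return { verdict: "pass", reason: "display name not on the watch list" };
  }
  if (person.addresses.includes(address)) {
    return { verdict: "pass", reason: "address is on file for " + person.name };
  }
  return {
    verdict: "flag",
    reason: 'display name "' + person.name + '" used from unexpected address ' + address,
  };
}

// Run the check over a batch of messages and return the ones to escalate.
// In the poster's setup the flagged ones are forwarded to IT and trashed.
function triageMessages(messages, directory = LEADERSHIP) {
  return messages
    .map((msg) => ({ id: msg.id, from: msg.from, ...classifyMessage(msg.from, directory) }))
    .filter((r) => r.verdict === "flag");
}

// Constructed sample batch, standing in for the last few minutes of inbox mail.
const SAMPLE_MESSAGES = [
  { id: "m1", from: '"Jane Doe" <jane.doe@example.com>' },           // legitimate
  { id: "m2", from: "Jane Doe <ceo.urgent@free-mail.example>" },     // spoofed name
  { id: "m3", from: '"Unknown Vendor" <billing@vendor.example>' },   // not watched
  { id: "m4", from: "raj.patel@example.com" },                       // bare address
  { id: "m5", from: '"RAJ  PATEL" <r.patel.mobile@gmail.example>' }, // spoofed, odd casing
];

// Stand-alone run: print what would be escalated (m2 and m5).
for (const hit of triageMessages(SAMPLE_MESSAGES)) {
  console.log(hit.id + ": " + hit.reason);
}
```

The check deliberately matches on the normalised display name rather than on the address alone, because the address in these emails is usually a throwaway that will never be on any list; the display name is the part the attacker needs to get right, so it is the part worth watching. Keeping an explicit allow-list of personal addresses per person avoids flagging the executive's own mail sent from a phone.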
Depending on your G Suite account... why not enable "Advanced phishing and malware protection"? Specifically the section on spoofing, as you can choose a giant warning banner, send to spam, or quarantine it. If you only want execs, then you could do a check in Gmail settings for unauthenticated email vs. a whitelist and take action that way also.
https://support.google.com/a/answer/7490901?hl=en#spoofing-authentication-safety
I figure that the question here is that you want to develop an add-on over your whole domain. If my assumption is correct, then you can opt to follow these steps on how to install G Suite Marketplace apps in your domain. If you want to test the reach of this operation, you could develop a reviewed and trivial app like Cats and introduce it to your domain. While developing your add-on, please be aware of the best practices. After the development process you can publish it to the G Suite Marketplace. Keep in mind that you could add this add-on to your domain even if it's published as internal.
After reading your comments I get that you want to use this add-on even if users aren't online. In that case you could activate domain-wide delegation of authority over your domain and use service accounts to control G Suite API interactions. To run this script every minute you can use cron, but please be mindful of Gmail API quotas.
Along with the former, you can reach G Suite support and they'll better assist you with preventing phishing attempts. Please ask me any question to better clarify myself.

How to select account in Google App Scripts for users with multiple accounts?

For users that are logged into multiple accounts, how can a script let the user pick an account? For example, Gmail, Google Drive, etc. provide a way for the user to select which account to use with a selectable option on the top-right of the page.
How can developers implement a similar mechanism?
There seems to be no way to do that with Google Apps Script libraries; GAS just uses the current primary account. Also, unfortunately, the API Client Library and thus Google Sign-In for websites don't work inside GAS web apps because of the sandbox frame. You could write your own or use some existing OAuth implementation to authenticate with Google, but I found a much, much simpler solution using Auth0 Lock with only a Google connection (using the popup method, because the redirect method doesn't work within the sandbox frame).
With Chrome version 70.0.3538.102 you may resolve your issue (at least I did).
Now I make sure I am ONLY signed in to ONE account at a time, then use "Manage people".
If I have 3 Google accounts, I will create 3 people, and each time you only have 1 active Google account session. With this setup, I ensured that every time my script only executes with my G Suite user instead of @gmail accounts.
You can try using the Directory API to work with Apps Script. Retrieve the user using:
GET https://www.googleapis.com/admin/directory/v1/users/userKey
You can then make an interface that displays the user account details (name, email, etc.).

GAS execute under the context of active user

Is it possible to use a Google form, develop a GAS script that executes on form submission but have it run under the context of the users submitting the form?
Users will be in a GApps for Business domain?
Will it need to be published as a web app using doGet(), even though there will be no UI?
Only web apps have the ability to run under a user's authority, and they have an authorization request feature to handle that case. A form has no way to ask for authorization, so it won't be able to do anything (or to trigger a script that would do anything) in the name of a user without explicit permission. That's a basic security case, and hopefully there will be no way to go around it.
I guess the only way to get what you want would be to create the form with UiApp or HTML Service and deploy it as a web app running under the user's authority; in that case your users will be asked for authorization to access the services you need.
Note: you said "even though there will be no UI?", but the form itself is a UI, isn't it?

Google Apps Script UI: What to do if already logged into Gmail?

I'm using Google Apps Script UI to create forms for students at my school. I've restricted access to my domain for added security, and to capture users' email addresses.
The problem is that many of our students have separate Gmail accounts. If they are already logged into Gmail (not our domain), they don't get a log-in page, but something prompting them to request access.
Any suggestions for avoiding this?
Thought I saw a request in the issue tracker for an account-choosing feature, but my guess is that you'll want to allow anyone to access your web app and show a custom prompt if their email is non-domain. I don't know how well this would work with shared computers, but creating separate Chrome user accounts for each of my Google accounts has solved all my multiple sign-in pain.