Google OAuth Developer Reviews Explained

A Nasty 400 Error: invalid_scope

When setting up your Google developer account you may see this ugly error after you attempt to import contacts using CloudSponge. This is a new normal requirement from Google to help protect users from malicious applications intending to exploit OAuth access to users’ data.

Google blogged about the security issue here. The gist is that Google wants to manually review your application before they permit you to access certain user data and they are particularly sensitive about email addresses. The review process involves filling in a long form that describes your request and waiting 3 to 7 days for approval. This article should help you with filling in the form and with continuing to test while you wait.

During Testing

You can still test the integration in a very limited manner by registering each user account with a specific Google group. When you join this group, your account will no longer be protected by the new security measure. This is a great way to opt-out for specific accounts for testing the OAuth flow and API integrations.

Allow Unreviewed Apps

Now load the page where CloudSponge is installed and test a Gmail import. If your OAuth credential, proxy URL and Google account are all set up properly, you will see the OAuth consent flow and you will be able to import your contacts.

NB: Joining the Allow Risky Access Permissions By Unreviewed Apps Group will disable the security check for all OAuth apps, even ones that are registered outside your organization. When you have completed your testing or when Google has reviewed and approved your app, you should return to the Group and leave it so that your account is better protected.

Restore Unreviewed App Protection

You can rejoin the group later if you need to grant access to another unreviewed app.

Troubleshooting

I granted consent, but I see an error in the widget: “Consent was not given to access your contacts or consent was revoked.”

This is usually because the Contacts API has not been enabled for your Google Project. Go to Google APIs and ensure that the Contacts API is enabled.

Requesting a Review

Google recommends that you don’t request a review unless you are publishing an app that will be used by many people. If you are only testing Google’s OAuth and APIs, you don’t need to go any further.

Prerequisites

Before you request a review, ensure that you have set up your OAuth settings for production.

  • Complete the OAuth consent screen settings, including setting the privacy URL.
  • Ensure your production Authorized Redirect URI and Product Name are correct for your production environment. Changing either of these will disable your OAuth credential and trigger a new review by Google.
  • Verify website ownership through Search Console with an account that is either a Project Owner or a Project Editor on your Project.

Request the Review

Request a review on Google’s OAuth Developer Verification Form. Most of the fields should be self-explanatory.

There are two fields that are important to get right:

  1. “What scopes does your app need to access?”
    Enter https://www.googleapis.com/auth/contacts.readonly
  2. “List the specific ways your app will use each of the scopes you’re testing”
    Here’s your chance to explain the use-case that is driving your usage of CloudSponge. One of Google’s major concerns is that your app is clear with end users about what data you are accessing and how you will use that data. Keep in mind Google’s priorities as stated in their User Data Policy and their blog on Setting User Expectations.

Once you have filled in the application form, submit it and wait for Google to respond. If they require more details from you, they will reply, asking for clarification. Once they approve your request, you’ll be able to connect to your users Google address books in production.

Reach out to us if you have questions about the review process or encounter other scenarios that we haven’t covered here. I’m happy to edit this tutorial with updated information.

Follow @thunderouse


Originally published at www.cloudsponge.com.

Show your support

Clapping shows how much you appreciated Graeme Rouse’s story.