OAuth Client Verification

Starting July 18, 2017, Google OAuth clients that request certain sensitive OAuth scopes will be subject to verification by Google.

Users from outside the developer’s domain accessing the OAuth prompt for a client that has not been verified will see a new unverified app screen, and the number of such users will be capped. An unverified authorization flow allows users to authorize unverified apps, but only after confirming they understand the risks. You can read more about this change in this help center article.

[Figure 1: Unverified app screen]

[Figure 2: Unverified app authorization flow]

This change applies to Google OAuth web clients, including those used by all Apps Script projects. By verifying your app with Google, you can remove the unverified app screen from your authorization flow and give your users confidence that your app is non-malicious.

Unverified apps

Add-ons, web apps, and other deployments (such as apps that use the Apps Script API) may need verification.

Applicability

If the app uses sensitive OAuth scopes, the unverified app screen may appear as part of the authorization flow. Its presence (and the resulting unverified app authorization flow) depends on what account the app is published from and what account is attempting to use the app. For example, apps published in a specific G Suite organization do not result in the unverified app authorization flow for accounts in that domain, even if the app has not been verified.

The following table illustrates what situations result in the unverified app authorization flow:

| User | Client is verified | Publisher is a G Suite account of customer A | Script is in a Team Drive of customer A | Publisher is a Gmail account |
|---|---|---|---|---|
| User is a G Suite account of customer A | Normal auth flow | Normal auth flow | Normal auth flow | Unverified auth flow |
| User is a G Suite account not of customer A | Normal auth flow | Unverified auth flow | Unverified auth flow | Unverified auth flow |
| User is a Gmail account [1] | Normal auth flow | Unverified auth flow | Unverified auth flow | Unverified auth flow |

[1] Any Gmail account, including the account used to publish the app.

User cap

The number of users who can authorize an app via the unverified app flow is capped to limit possible abuse. See OAuth application user limits for details.

Requesting verification

You can request a verification of the OAuth client used by your app and its Cloud project. Once your app is verified, your users will no longer see the unverified app screen. In addition, your app will no longer be subject to the user cap.

Requirements

In order to submit your OAuth client for verification, you must own a website on a domain. The site must host publicly accessible pages that describe your app and its privacy policy. You must also verify your ownership of the site with Google.

In addition, you must have the following required assets:

  1. Application name. The name of the app; this is displayed on the consent screen. It should match the name used for the app in other locations, such as the G Suite Marketplace listing for published apps.
  2. Application logo. An app logo as a JPEG, PNG, or BMP image to use in the consent screen. Its file size must be 1MB or less.
  3. Support email. This is an email displayed on the consent screen for users to contact if they need app support. It can be your email address or a Google Group that you own or manage.
  4. Scopes. The list of all the scopes your app uses. You can view your scopes in the Apps Script editor.
  5. Authorized domains. This is a whitelist of domains containing information about your app. All your application's links (such as its required privacy policy page) must be hosted on authorized domains.
  6. Application homepage URL. The location of a homepage describing your app. This location must be hosted on an authorized domain.
  7. Application privacy policy URL. The location of a page describing your app's privacy policy. This location must be hosted on an authorized domain.

In addition to the above required assets, you can optionally provide an Application terms of service URL that points to a page describing your app's terms of service. If provided, this location must be in an authorized domain.

Steps

  1. If you have not done so already, verify ownership of all the authorized domains you use to host your script project's privacy policy and other information. The verified owners of the domains must be editors or the owner of the script project.
  2. In the Apps Script editor, select File > Project properties > Scopes. Copy all the scopes your script project uses.
  3. Ensure that you have access to the Cloud Platform project for your Apps Script Project. If your project resides in a Team Drive, you must associate it with a new Cloud Platform project.
  4. Access the API Console by selecting Resources > Cloud platform project… In the dialog that opens, click the top link, which is typically something like [Script Name] - project-id-123456789012. This opens your script's Cloud Platform project.
  5. If you can't find the left nav bar, click the menu icon in the top left.
  6. In the nav bar, select APIs & services > Credentials.
  7. Update the OAuth consent screen form by providing the required assets.

    1. Be sure to list all the Authorized domains where your app's information (such as its privacy policy) is hosted.
    2. To add your application scopes, click the Add scope button. The resulting dialog attempts to autodetect scopes for APIs you've enabled in the Cloud Platform (such as advanced services). You can select scopes from this list by checking the corresponding checkboxes.

      This autodetected list doesn't always include scopes used by Apps Script built-in services. You must enter these scopes manually by clicking the manually paste link and then entering the scopes in the resulting text box.

      When you are done selecting or entering scopes, click Add.

  8. When you've entered all the required information, click Save.

  9. Click Submit for verification to start a verification request.

Most verification requests receive a response within 24 to 72 hours. You can check the Verification status at the top of the OAuth consent screen form. When verification of your OAuth client is confirmed, your app is verified.
