Contact Importing

Google OAuth Developer Reviews Explained

Google has started to individually review apps requesting access to users' contact data. This tutorial walks you through how to prepare and apply for an app review.


Update: The Google Contacts API has been shut down. See our post on migrating to the People API.

When setting up your Google developer account you may see this ugly error after you attempt to import contacts using CloudSponge. This is now a standard requirement from Google, intended to protect users from malicious applications that exploit OAuth access to users’ data.

Google blogged about the security issue here. The gist is that Google wants to manually review your application before they permit you to access certain user data, and they are particularly sensitive about email addresses. The review process involves filling in a long form that describes your request and waiting 3 to 7 days for approval. This article should help you with filling in the form and with continuing to test while you wait.

During Testing

Until Google approves the review, your OAuth screen will display a strong warning page to users. It is still possible to proceed to the OAuth flow by clicking the “Advanced” link and then clicking “Continue to …”. This is acceptable for testing with a small group. However, it will discourage most users if the widget is deployed to production before Google has completed the review. Ask us about disabling Google Contacts until the review is complete, if you don’t want to hold up deploying the widget with other sources.

Troubleshooting

I granted consent, but I see an error in the widget: “Consent was not given to access your contacts or consent was revoked.”

This is usually because the Contacts API has not been enabled for your Google Project. Go to Google APIs and ensure that the Contacts API is enabled.

Requesting a Review

Google recommends that you don’t request a review unless you are publishing an app that will be used by many people. If you are only testing Google’s OAuth and APIs, you don’t need to go any further.

Prerequisites

Before you request a review, ensure that you have set up your OAuth settings for production.

  • Complete the OAuth consent screen settings, including setting the privacy URL.
  • Ensure your production Authorized Redirect URI and Product Name are correct for your production environment. Changing either of these will disable your OAuth credential and trigger a new review by Google.
  • Verify website ownership through Search Console with an account that is either a Project Owner or a Project Editor on your Project.
  • Update your Privacy Policy to include an excerpt about how the People API will be utilized. Google provided this content that you can simply paste into your current Privacy Policy: “(Your App’s) use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.”

Additionally and most importantly, before you can request verification, you’ll need to get these things in order inside your Google developer account.

  • All URLs in your account use HTTPS. Specifically, your Authorized Redirect URIs need to point to HTTPS endpoints or Google won’t let you request a review. Check out my screencast where I point out the URLs inside the OAuth client settings.
  • You’ll need to add the appropriate scope ../auth/contacts.readonly to your account. This is a “sensitive scope” for which Google requires the verification. If you haven’t added it to your OAuth consent screen settings, Google won’t know what scopes you want to be verified for.

    A Google developer account now shows your verification status.
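Before clicking “Submit for verification”, it helps to lint the OAuth client settings against the two checklists above. The script below is an added example for this tutorial, not CloudSponge’s or Google’s code: it checks that every redirect URI is HTTPS, that a privacy policy URL is set, and that the sensitive contacts.readonly scope is declared. The config dictionary shape, the sample app domain (example.com) and the check that redirect hosts sit under a Search Console-verified domain are assumptions for illustration, not a Cloud Console export format.

```python
from urllib.parse import urlparse

# Sensitive scope the tutorial says must be declared on the consent screen.
CONTACTS_READONLY = "https://www.googleapis.com/auth/contacts.readonly"


def _host_is_verified(host: str, verified_domains: list[str]) -> bool:
    """True if host equals, or is a subdomain of, a Search Console-verified domain."""
    return any(host == d or host.endswith("." + d) for d in verified_domains)


def lint_oauth_config(config: dict) -> list[str]:
    """Return the problems that would block or delay Google's review.

    An empty list means every checklist item this script knows about passes.
    """
    problems: list[str] = []
    verified = config.get("verified_domains", [])

    # 1. Redirect URIs must be HTTPS; Google will not let you request a review otherwise.
    for uri in config.get("redirect_uris", []):
        parsed = urlparse(uri)
        if parsed.scheme != "https":
            problems.append(f"redirect URI is not HTTPS: {uri}")
        # Assumption: the redirect host should sit under a domain verified in Search Console.
        if not parsed.hostname or not _host_is_verified(parsed.hostname, verified):
            problems.append(f"redirect URI host not under a verified domain: {uri}")

    # 2. The consent screen needs a privacy policy URL, and it should be HTTPS too.
    privacy = config.get("privacy_policy_url")
    if not privacy:
        problems.append("consent screen has no privacy policy URL")
    elif urlparse(privacy).scheme != "https":
        problems.append(f"privacy policy URL is not HTTPS: {privacy}")

    # 3. The sensitive scope must be declared, or Google won't know what to verify.
    if CONTACTS_READONLY not in config.get("scopes", []):
        problems.append(f"sensitive scope not declared on consent screen: {CONTACTS_READONLY}")

    return problems


# Constructed sample configs for a hypothetical app on example.com (not real exports).
BAD_CONFIG = {
    "redirect_uris": ["http://localhost:3000/oauth/callback",
                      "https://app.example.com/oauth/callback"],
    "verified_domains": ["example.com"],
    "privacy_policy_url": "",
    "scopes": ["https://www.googleapis.com/auth/userinfo.email"],
}

GOOD_CONFIG = {
    "redirect_uris": ["https://app.example.com/oauth/callback"],
    "verified_domains": ["example.com"],
    "privacy_policy_url": "https://example.com/privacy",
    "scopes": ["https://www.googleapis.com/auth/userinfo.email", CONTACTS_READONLY],
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        issues = lint_oauth_config(cfg)
        print(f"{name}: {'ready to submit' if not issues else 'fix before submitting'}")
        for issue in issues:
            print("  -", issue)
```

Run it against your own settings by replacing the sample dictionaries; the localhost entry in the bad config is the typical leftover from development that blocks the review, and removing it from the production credential avoids the problem.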

Request the Review

If you have avoided the pitfalls in setting up your consent screen, you’ll see a button at the bottom to “Submit for verification”. Click it and you’ll see the final step.

Submit your OAuth consent screen for verification.

The important field to focus on is the Scopes justification. Here’s your chance to explain the use-case that is driving your usage of CloudSponge. One of Google’s major concerns is that your app is clear with end users about what data you are accessing and how you will use that data. Keep in mind Google’s priorities as stated in their User Data Policy and their blog on Setting User Expectations.

Once you have filled in the application form, submit it and wait for Google to respond. If they require more details from you, they will reply asking for clarification. Once they approve your request, you’ll be able to connect to your users’ Google address books in production.

Updating your OAuth Settings

If you need to make changes to your OAuth project, like updating what people see on the OAuth Consent Screen and/or the Authorized Origins or Redirect URIs, you can make these changes directly in your developer account. If you make changes that trigger a review, Google will re-enable the Submit for verification button so you can request another review.

Reach out to us if you have questions about the review process or encounter other scenarios that we haven’t covered here. I’m happy to edit this tutorial with updated information.


Graeme Rouse, CTO at CloudSponge
