Contact Importing

Google OAuth Developer Reviews Explained

Google has started to individually review apps requesting access to users' contact data. This tutorial walks you through how to prepare and apply for an app review.

When setting up your Google developer account you may see this ugly error after you attempt to import contacts using CloudSponge. This is now a standard requirement from Google to help protect users from malicious applications intending to exploit OAuth access to users’ data.

Google blogged about the security issue here. The gist is that Google wants to manually review your application before they permit you to access certain user data, and they are particularly sensitive about email addresses. The review process involves filling in a long form that describes your request and waiting 3 to 7 days for approval. This article should help you with filling in the form and with continuing to test while you wait.

During Testing

Until Google approves the review, your OAuth screen will display a strong warning page to users. It is still possible to proceed to the OAuth flow by clicking the “Advanced” link and then clicking “Continue to …”. This is acceptable for testing with a small group. However, it will discourage most users if the widget is deployed to production before Google has completed the review. Ask us about disabling Gmail imports until the review is complete, if you don’t want to hold up deploying the widget with other sources.

Troubleshooting

I granted consent, but I see an error in the widget: “Consent was not given to access your contacts or consent was revoked.”

This is usually because the Contacts API has not been enabled for your Google Project. Go to Google APIs and ensure that the Contacts API is enabled.

Requesting a Review

Google recommends that you don’t request a review unless you are publishing an app that will be used by many people. If you are only testing Google’s OAuth and APIs, you don’t need to go any further.

Prerequisites

Before you request a review, ensure that you have set up your OAuth settings for production.

  • Complete the OAuth consent screen settings, including setting the privacy URL.
  • Ensure your production Authorized Redirect URI and Product Name are correct for your production environment. Changing either of these will disable your OAuth credential and trigger a new review by Google.
  • Verify website ownership through Search Console with an account that is either a Project Owner or a Project Editor on your Project.

Request the Review

Request a review on Google’s OAuth Developer Verification Form. Most of the fields should be self-explanatory.

There are two fields that are very important to get right:

  1. “What scopes does your app need to access?”
    Enter https://www.googleapis.com/auth/contacts.readonly
  2. “List the specific ways your app will use each of the scopes you’re testing”
    Here’s your chance to explain the use-case that is driving your usage of CloudSponge. One of Google’s major concerns is that your app is clear with end users about what data you are accessing and how you will use that data. Keep in mind Google’s priorities as stated in their User Data Policy and their blog on Setting User Expectations.
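The scope you enter on the form is also the only scope your app should request at runtime: asking for exactly `contacts.readonly` keeps the consent screen honest and gives the reviewer nothing extra to question. The Python below is an added illustration, not CloudSponge's widget code or Google's client library. It builds a consent URL that requests only that scope, audits which scopes a consent URL asks for, and checks the `scope` field of Google's token response so that a missing grant is caught before the Contacts API is called (the situation behind the "Consent was not given" error). The client ID, redirect URI, state value and both token responses are constructed placeholders.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Scope the tutorial tells you to enter on the verification form; request nothing broader.
CONTACTS_READONLY = "https://www.googleapis.com/auth/contacts.readonly"
# Google's OAuth 2.0 authorization endpoint.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_consent_url(client_id, redirect_uri, state, scopes=(CONTACTS_READONLY,)):
    """Return the consent-screen URL requesting exactly `scopes` (least privilege).

    `client_id`, `redirect_uri` and `state` are assumed caller inputs;
    `redirect_uri` must match the Authorized Redirect URI registered in the project.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,            # anti-CSRF value the callback must compare
        "access_type": "online",   # no refresh token: a one-off contact import
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(consent_url):
    """Scopes a consent URL asks for; useful for auditing what the widget sends."""
    query = parse_qs(urlparse(consent_url).query)
    return set(query.get("scope", [""])[0].split())


def granted_scopes(token_response):
    """Scopes Google actually granted; the token response lists them space-separated."""
    return set(token_response.get("scope", "").split())


def missing_scopes(token_response, required=(CONTACTS_READONLY,)):
    """Required scopes the user did not grant, sorted for stable output."""
    return sorted(set(required) - granted_scopes(token_response))


def check_consent(token_response):
    """Decide the outcome before any Contacts API call is attempted."""
    missing = missing_scopes(token_response)
    if missing:
        return "consent not given for: " + ", ".join(missing)
    return "ok"


# Constructed sample token responses (not real tokens); Google returns this shape as JSON.
SAMPLE_TOKEN_OK = {
    "access_token": "ya29.constructed-sample",
    "expires_in": 3599,
    "scope": CONTACTS_READONLY,
    "token_type": "Bearer",
}
# Constructed case: the user granted sign-in scopes but unticked contacts access.
SAMPLE_TOKEN_PARTIAL = {
    "access_token": "ya29.constructed-sample",
    "expires_in": 3599,
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    url = build_consent_url("CLIENT_ID_PLACEHOLDER",
                            "https://example.com/oauth/callback", "state-xyz")
    print(url)
    print(sorted(requested_scopes(url)))
    print(check_consent(SAMPLE_TOKEN_OK))
    print(check_consent(SAMPLE_TOKEN_PARTIAL))
```

Checking `scope` in the token response rather than assuming the grant matches the request matters because Google lets users deselect individual scopes on the consent screen; treating a partial grant as success is what produces the confusing error later in the widget.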

Once you have filled in the application form, submit it and wait for Google to respond. If they require more details from you, they will reply asking for clarification. Once they approve your request, you’ll be able to connect to your users’ Google address books in production.

Updating your OAuth Settings

If you need to make changes to your OAuth project, like updating what people see on the OAuth Consent Screen and/or the Authorized Origins or Redirect URIs, don’t make these changes directly in your developer account.

Instead, submit this update form to ask Google to update the fields for you.
If you change the fields directly in Google’s UI, it will invalidate your approved review and your users will see the warning again. Boo.

NB: The exception to this is adding scopes (e.g. to use a new Google API); in that case you’ll need to use Google’s OAuth Developer Verification Form again and request a review for the new scopes.

Reach out to us if you have questions about the review process or encounter other scenarios that we haven’t covered here. I’m happy to edit this tutorial with updated information.

Graeme Rouse, CTO at CloudSponge
