OAuth API verification FAQs - Google Cloud Platform Console ...
OAuth API verification FAQs
Last modified on: May 17, 2022

If your app uses Google APIs to access Google users' data, you might have to complete a verification process before you publish your app.

The applicability of this requirement to your app depends mostly on two factors: the type of user data you access (public profile information, calendar entries, files in Drive, certain health and fitness data, and so on) and the degree of access you need (read-only, read and write, and so on). When you use OAuth 2.0 to get permission from your users to access this data, you use strings called scopes to specify the type of data you want to access and how much access you need. If your app requests scopes categorized as sensitive or restricted, you will probably need to complete the verification process (see, however, the exceptions).

A few examples of sensitive scopes are some of the scopes used by the Calendar API, People API, and YouTube Data API, but there are others. Restricted scopes are fewer in number, currently including only scopes used by the Gmail APIs, Drive APIs, and Google Fit APIs.

The process you need to complete depends on whether your app requests sensitive scopes or restricted scopes (all apps must complete the first process, brand verification):

All apps that access Google APIs must verify that they accurately represent their identity and intent as specified by Google's API Services User Data Policy. If you change any of the details that appear on your OAuth consent screen, such as the project's icon, display name, homepage or privacy policy URL, or authorized domains, you need to have your app re-verified for branding prior to updates being published to your OAuth consent screen. This brand verification process typically takes 2-3 business days.

Apps that request sensitive scopes must verify that they follow Google's API Services User Data Policy and will not have to undergo an independent, third-party security assessment. This sensitive scopes verification process typically takes 3-5 business days to complete.
Apps that request restricted scopes must also verify that they follow Google's API Services User Data Policy, but they must also meet the Additional Requirements for Specific Scopes. One of these additional requirements is an independent, third-party security assessment. For this reason, this restricted scopes verification process can potentially take several weeks to complete.

The rest of this page describes these requirements and the verification processes in more detail.

- Sensitive scopes
- Restricted scopes
- Exceptions to verification requirements
- Preparing for verification:
  - All apps
  - Apps requesting sensitive scopes
  - Apps requesting restricted scopes
- Submitting your app for verification

Sensitive and restricted scopes

Sensitive scopes

Some of the scopes used by the following APIs are considered sensitive; see the API documentation or look for the lock icon in the Cloud Console. If your app requests sensitive scopes, and doesn't meet any of the criteria for an exception (see below), you will need to verify that your app follows the API Services User Data Policy.

For a complete list of Google APIs, see OAuth 2.0 Scopes for Google APIs. To check if scopes are sensitive or restricted, add the scopes to your project via the Google Cloud Console.

Restricted scopes

If your app requests any of the following scopes, and doesn't meet any of the criteria for an exception (see below), you will need to satisfy both the API Services User Data Policy and the Additional Requirements for Specific Scopes, which requires a more extensive review process.

Gmail API

- https://mail.google.com/ (includes any usage of IMAP, SMTP, and POP3 protocols)
- https://www.googleapis.com/auth/gmail.readonly
- https://www.googleapis.com/auth/gmail.metadata
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/gmail.insert
- https://www.googleapis.com/auth/gmail.compose
- https://www.googleapis.com/auth/gmail.settings.basic
- https://www.googleapis.com/auth/gmail.settings.sharing

For descriptions of each scope, please refer to Gmail API.

Drive API

Note: These scopes are provided to help Drive developers prepare for the future review process. Google will reach out to developers when action will be required.
- https://www.googleapis.com/auth/drive
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/drive.activity
- https://www.googleapis.com/auth/drive.activity.readonly
- https://www.googleapis.com/auth/drive.metadata
- https://www.googleapis.com/auth/drive.metadata.readonly
- https://www.googleapis.com/auth/drive.scripts

For descriptions of each scope, please refer to Drive API.

Google Fit API

- https://www.googleapis.com/auth/fitness.activity.read
- https://www.googleapis.com/auth/fitness.activity.write
- https://www.googleapis.com/auth/fitness.blood_glucose.read
- https://www.googleapis.com/auth/fitness.blood_glucose.write
- https://www.googleapis.com/auth/fitness.blood_pressure.read
- https://www.googleapis.com/auth/fitness.blood_pressure.write
- https://www.googleapis.com/auth/fitness.body_temperature.read
- https://www.googleapis.com/auth/fitness.body_temperature.write
- https://www.googleapis.com/auth/fitness.body.read
- https://www.googleapis.com/auth/fitness.body.write
- https://www.googleapis.com/auth/fitness.heart_rate.read
- https://www.googleapis.com/auth/fitness.heart_rate.write
- https://www.googleapis.com/auth/fitness.location.read
- https://www.googleapis.com/auth/fitness.location.write
- https://www.googleapis.com/auth/fitness.nutrition.read
- https://www.googleapis.com/auth/fitness.nutrition.write
- https://www.googleapis.com/auth/fitness.oxygen_saturation.read
- https://www.googleapis.com/auth/fitness.oxygen_saturation.write
- https://www.googleapis.com/auth/fitness.reproductive_health.read
- https://www.googleapis.com/auth/fitness.reproductive_health.write
- https://www.googleapis.com/auth/fitness.sleep.read
- https://www.googleapis.com/auth/fitness.sleep.write

Note: While all Fit scopes are restricted, only a subset of Fit scopes (Read Health Scopes) will require security assessment. Those scopes are:

- https://www.googleapis.com/auth/fitness.blood_glucose.read
- https://www.googleapis.com/auth/fitness.blood_pressure.read
- https://www.googleapis.com/auth/fitness.body_temperature.read
- https://www.googleapis.com/auth/fitness.body.read
- https://www.googleapis.com/auth/fitness.heart_rate.read
- https://www.googleapis.com/auth/fitness.oxygen_saturation.read
- https://www.googleapis.com/auth/fitness.reproductive_health.read
- https://www.googleapis.com/auth/fitness.sleep.read

For descriptions of each scope, please refer to Google Fit API.

Exceptions to verification requirements

If your app is going to be used in any of the following scenarios, you do not need to submit it for review:

- Personal Use: The app is not shared with anyone else or will be used by fewer than 100 users (all of whom are known personally to you). Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect.
- Development/Testing/Staging: If your app's publishing status is set to "Testing" and not "In production", then you do not need to submit your app for verification. Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect. Learn more about Publishing status.
- Service-owned Data Only: The app only accesses its own data (using a Service Account), and not user data (linked to a Google Account). To understand what service accounts are, see Service accounts. For instructions on using a service account, see Using OAuth 2.0 for Server to Server Applications.
- Internal Use: The app is used only by people in your Google Workspace or Cloud Identity organization. Note that your app will not be subject to the unverified app screen or the 100-user cap if it's marked as Internal. Learn more about public and internal applications. Learn how to mark your app as internal in the FAQ How can I mark my app as internal-only?
- Domain-wide Installation: The app is used only by Google Workspace enterprise users. Access will depend on permission being granted by the domain administrator. Google Workspace domain administrators are the only ones that can add the app to an allowlist for use within their domains. To learn how to make your app a Domain-Wide Install, see My application has users with enterprise accounts from another Google Workspace Domain.
- SMTP/IMAP/WP: The app is used to send emails through WordPress, or similar single-account SMTP plugins.
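The scope lists above decide two things for a project: which requested scopes are restricted (and therefore need the extended review) and which Fit scopes additionally trigger the security assessment. Later on this page the FAQ also tells you to compare what your codebase requests with the scopes approved on the consent screen, because requesting an unapproved scope is what puts a verified app back behind the unverified app screen. The following script is an added example, not Google's code; it encodes the restricted lists from this page, extracts the scopes from an authorization request URL, and reports restricted scopes, scopes needing the assessment, and scopes missing from an approved-scope allowlist. The sample authorization URL, its client ID, and the APPROVED_SCOPES set are constructed for illustration; scopes outside the page's lists are reported as "unlisted" because whether they are sensitive is only visible in the Cloud Console scope picker.

```python
"""Audit the OAuth scopes an app requests against the restricted-scope lists on
this page and the project's approved-scope allowlist.

Added example, not Google's code. The restricted sets are copied from the page;
the sample URL and allowlist are constructed.
"""
from urllib.parse import parse_qs, urlparse

API = "https://www.googleapis.com/auth/"

# Restricted Gmail scopes, as listed on this page.
GMAIL_RESTRICTED = {"https://mail.google.com/"} | {
    API + "gmail." + s
    for s in ("readonly", "metadata", "modify", "insert", "compose",
              "settings.basic", "settings.sharing")
}

# Restricted Drive scopes, as listed on this page.
DRIVE_RESTRICTED = {
    API + "drive" + s
    for s in ("", ".readonly", ".activity", ".activity.readonly",
              ".metadata", ".metadata.readonly", ".scripts")
}

# Every Fit scope on this page is restricted (11 data types x read/write);
# the eight "Read Health Scopes" additionally require the security assessment.
FIT_DATA_TYPES = ("activity", "blood_glucose", "blood_pressure", "body_temperature",
                  "body", "heart_rate", "location", "nutrition",
                  "oxygen_saturation", "reproductive_health", "sleep")
FIT_RESTRICTED = {API + "fitness." + t + "." + rw
                  for t in FIT_DATA_TYPES for rw in ("read", "write")}
FIT_READ_HEALTH = {API + "fitness." + t + ".read"
                   for t in FIT_DATA_TYPES if t not in ("activity", "location", "nutrition")}


def classify_scope(scope):
    """Return (category, api, needs_security_assessment) for one scope string.

    "unlisted" means the scope is not in this page's restricted lists; it may
    still be sensitive, which only the Cloud Console scope picker shows.
    """
    if scope in GMAIL_RESTRICTED:
        return "restricted", "Gmail API", False
    if scope in DRIVE_RESTRICTED:
        return "restricted", "Drive API", False
    if scope in FIT_RESTRICTED:
        return "restricted", "Google Fit API", scope in FIT_READ_HEALTH
    return "unlisted", None, False


def scopes_from_auth_url(url):
    """Extract the space-separated scope list from an authorization request URL."""
    params = parse_qs(urlparse(url).query)
    return params.get("scope", [""])[0].split()


def audit_scopes(requested, approved):
    """Compare the scopes the code requests with the approved set on the consent screen."""
    report = {"restricted": [], "needs_security_assessment": [], "unapproved": []}
    for scope in requested:
        category, _api, needs_assessment = classify_scope(scope)
        if category == "restricted":
            report["restricted"].append(scope)
        if needs_assessment:
            report["needs_security_assessment"].append(scope)
        if scope not in approved:
            # The page's FAQ: an approved app requesting a scope that was not
            # approved puts users back on the unverified app screen.
            report["unapproved"].append(scope)
    return report


# Constructed sample: the kind of authorization request a web app builds.
# The client ID and redirect URI are placeholders, not real values.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE_CLIENT_ID.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fcallback"
    "&response_type=code"
    "&scope=openid+email"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Ffitness.heart_rate.read"
)

# Constructed allowlist: what this hypothetical project had approved.
APPROVED_SCOPES = {
    "openid",
    "email",
    API + "gmail.readonly",
    API + "calendar",
}

if __name__ == "__main__":
    requested = scopes_from_auth_url(SAMPLE_AUTH_URL)
    report = audit_scopes(requested, APPROVED_SCOPES)
    for key, scopes in report.items():
        print(f"{key}: {scopes if scopes else 'none'}")
```

Run against the sample, the report lists gmail.readonly and fitness.heart_rate.read as restricted, flags fitness.heart_rate.read as needing the security assessment, and reports the same scope as unapproved, which is exactly the case the FAQ describes as the cause of a verified app showing the unverified app screen. In a real project the allowlist would be the scope list from the consent screen configuration and the input would be every authorization URL or client-library scope list in the codebase.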
Preparing for verification

Before you submit your app for verification, complete these tasks:

All apps

Steps to prepare for verification

All apps that request access to data using Google APIs must complete brand verification:

- Ensure your app complies with the Google APIs Terms of Service and Google's API Services User Data Policy.
- Confirm your app doesn't fall under any of the use cases listed in the Exceptions to verification requirements.
- If you use Google Sign-In Scopes in your app, ensure that your app complies with the branding guidelines.
- Verify ownership of your project's authorized domains using the Search Console. Use an account that is either a Project Owner or a Project Editor of your Cloud Console project.
- Make sure all branding information on the OAuth consent screen, such as the project name shown to users, support email, homepage URL, privacy policy URL, and so on, accurately represents the app's identity.
- Make sure that your homepage meets the following requirements:
  - Your homepage must be publicly accessible, and not behind a sign-in page.
  - Your homepage must make clear its relevance to the app you're verifying.
  - Your homepage must be accurate, inclusive, and easily accessible to all users.
  - Links to the Google Play Store or Facebook are not considered valid application homepages.
- Make sure that your app's Privacy Policy meets the following requirements:
  - The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
  - The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.

Apps requesting sensitive scopes

Steps for apps requesting sensitive scopes

- Complete the preparation steps for All apps.
- Prepare a detailed justification for each requested scope as well as an explanation for why a narrower scope wouldn't be sufficient. For example: My app will use https://www.googleapis.com/auth/calendar to show a user's Google calendar data on the scheduling screen of my app, so that users can manage their schedules through my app and sync the changes with their Google calendar.
  Your requested scope must be as granular as possible (if your requested scope goes beyond the usage needed, then we will either reject your request or suggest a more applicable scope).
- Prepare a video that fully demonstrates the OAuth grant process by users and shows, in detail, the usage of sensitive scopes in the app.
  - Show the OAuth grant process that users will experience, in English (the consent flow, and, if you use Google Sign-in, the sign-in flow).
  - Show that the OAuth Consent Screen correctly displays the App Name.
  - Show that the URL bar of the OAuth Consent Screen correctly includes your app's Client ID. Note: This is not required for Chrome extensions, native Android, and iOS apps.
  - Show how the data will be used by demonstrating the functionality enabled by each sensitive and restricted scope you request.
- Upload the video to YouTube. You'll need to provide a link to the video as part of the verification process. Let us know if your app requires registration or features a local login. If any of your OAuth clients are not ready for production, we suggest you delete or remove them from the project requesting verification. You can do this in the Google Cloud Console.

Apps requesting restricted scopes

Steps for apps requesting restricted scopes

- Complete the preparation steps for Apps requesting sensitive scopes and All apps.
- Ensure your app complies with the Google APIs Terms of Service, Google's API Services User Data Policy, and the Additional Requirements for Specific Scopes, which includes undergoing an annual security assessment if your app accesses restricted scope Google user data from or through a third-party server.
- Ensure your app is one of the allowed types specified in the Limited Use section of the Additional Requirements for Specific Scopes.
- If your app is a task automation platform: your demo video must showcase how multiple API workflows are created and automated, and in which direction(s) user data flows.
- Ensure your app will be prepared to migrate to more granular API scopes in case your currently approved scope(s) usage is overly broad.
- Prepare a video that fully demonstrates the OAuth grant process by users and shows, in detail, the usage of sensitive and restricted scopes in the app.
  - Show the OAuth grant process that users will experience, in English (the consent flow, and, if you use Google Sign-in, the sign-in flow).
  - Show that the OAuth Consent Screen correctly displays the App Name.
  - Show that the URL bar of the OAuth Consent Screen correctly includes your app's Client ID. Note: This is not required for native Android and iOS apps.
  - Show how the data will be used by demonstrating the functionality enabled by each sensitive and restricted scope you request.
  - If you use multiple clients, and therefore have multiple client IDs, show how data is accessed on each OAuth client.

Submitting your app for verification

Steps to submit your app

To submit for verification, follow the steps below:

1. Go to the Google Cloud Console OAuth consent screen page.
2. When prompted, select your app's project. If you can't find your project, and you know your project ID, you can construct a URL in your browser in the format https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID] where [PROJECT_ID] is the project ID you want to use.
3. Once on the OAuth consent screen page for the project that you wish to submit:
   - If you're prompted to create a consent screen and your app isn't restricted to users within your organization, select External, and click the Create button. If you've already created a consent screen, you won't see this prompt.
   - Otherwise, click the Edit App button at the top of the page.
4. Enter the information required on the configuration pages. In addition to the required fields, you must provide links to your app's homepage, privacy policy, and terms of service, as well as the scopes you're requesting, justification for needing the data, and a link to a video demonstrating how your app uses the data.
5. Click Save and continue after completing each page.
6. When all the required information is filled in, click Prepare for verification at the bottom of the last page.
7. On the Prepare for verification screen, confirm that the information on each page is correct, then click Submit for verification on the final page.

After you submit your app, the Trust & Safety team will follow up by email with any additional information they need or steps you must complete.
Security assessment

Every app that requests access to restricted scope Google user data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors. This assessment helps keep Google users' data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis; this process is called the security reassessment, also known as annual recertification. The cost of the assessment typically varies between $10,000-$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed.

For more information, see How long is the security assessment valid for?

OAuth API verification FAQ

This section has answers to frequently asked questions about Google Cloud OAuth policy violations.

General verification process

The following FAQs apply for sensitive and restricted scope verification.

What are the different types of verification that Google requires for accessing user data via OAuth?

| Type of verification | Why this is needed | Expected end-to-end time* |
| --- | --- | --- |
| Brand verification | Ensure that an app accurately represents its identity and intent per the Google API policy via verifying icon, display name, URLs, domain ownership, etc. | 2-3 days |
| Sensitive scope verification | Ensure that an app's usage of sensitive scopes is not deceptive, to protect user data per the Google API policy. | 3-5 days |
| Restricted scope verification and security assessment | Ensure that an app does not misuse user data obtained using restricted scopes per the Google API policy and the Additional Requirements for Specific API Scopes. Security assessment is required to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request. | 4-8 weeks |

*End-to-end time will vary based on developer responsiveness.
For information about what happens if you don't submit your app for verification, see What happens if I don't submit my app for review? For information about what happens when you don't need to submit your app for verification, see What app types are not applicable for verification? The three types of verification listed in the preceding table can be done individually or combined if you have added or modified the app's branding information, requested sensitive scopes, and/or requested restricted scopes.

When does my app have to be verified by Google?

Your app might need to go through verification if:

- Your app uses any of the sensitive or restricted scopes to request Google User Data.
- You want your application to display an icon or display name instead of the redirect URL domain on the OAuth consent screen.
- The number of authorized domains for your apps exceeds the domain count limit for a project.
- There are changes to the OAuth consent screen after your app has been approved.

What app types are not applicable for verification?

You do not need to submit your app for review if it's going to be used in any of the following scenarios:

- Personal Use: The app is not shared with anyone else or will be used by fewer than 100 users. Hence, you can continue using the app by bypassing the unverified app warning during sign-in.
- SMTP/IMAP/WP: The app is used to send emails through WordPress, or similar single account SMTP plug-ins.
- Internal Use: An app is internal when the people in your domains only use it internally. Learn more about public and internal applications. Learn how to mark your app as internal in the FAQ How can I mark my app as internal-only?
- Domain-Wide Install: If your app is intended for only Google Workspace enterprise users, access will depend on permission being granted by the domain administrator. Google Workspace domain administrators are the only ones that can whitelist the app for use within their domains. To learn how to make your app Domain-Wide Install, see My application has users with enterprise accounts from another Google Workspace Domain. How does this apply to my Google Workspace or Cloud Identity enterprise accounts?
- Development/Testing/Staging: If your app is in development/testing/staging mode and not ready to be publicly accessible, then you do not need to submit your app for verification. Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect when an app is in development/testing/staging. If your app is for Development/Testing/Staging, it is recommended that you keep your app's publish status set to Testing and only update to In Production once it is ready for public use. If your app's publishing status is set to "Testing" and not "In production", then you do not need to submit your app for verification. Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect when an app is in development/testing/staging. Learn more about Publishing status.
- Service Accounts: When your app is trying to access data from users' Google Cloud project and can run API requests on its behalf. To understand what service accounts are, see Service accounts. For instructions on using a service account, see Using OAuth 2.0 for Server to Server Applications.

How long will the verification process take?

The sensitive scope app verifications are expected to take 3-5 days to account for clarification questions and re-submissions. Note that the restricted scope verification will take longer to complete, likely several weeks. User access to the app for existing approved scopes will not be impacted during the verification process.

How can I mark my app as internal-only so it doesn't require verification?

If you're an Apps Script developer, and the project owner is using a Google Workspace account and the project is only used by Google Accounts in the project owner's domain, then your project is automatically internal-only. Learn more about OAuth Client Verification Applicability.

If your app is only for your organization or Google Workspace domain, you can mark it as internal-only in the OAuth consent screen configuration:

1. Go to the Cloud Console OAuth consent screen page.
2. Click the Project selector drop-down at the top of the page.
3. On the Select from dialog that appears, select your project.
4. Under User type, select Internal, and then click Save.
If you don't see this option, then your project might not be part of an organization. To determine if your project is part of an organization:

1. Go to the Cloud Console IAM & admin Settings page.
2. Click the Project selector drop-down at the top of the page.
3. On the Select from dialog that appears, select your project.
4. The Location section displays your project's location in its Organization. If the section is blank or doesn't exist, then your project needs to be migrated to an Organization. Learn more about public and internal apps, how to use Organizations, and how to migrate your project to an Organization.

Who can submit a project for verification?

Only project owners and editors can submit a project for verification.

How do I submit for verification?

Before you submit for verification, make sure you understand the verification requirements:

- Review the API User Data policy, OAuth Verification FAQ, or product specific User Data policy to get familiar with the updated policies and secure handling requirement.
- Review the FAQ How do I determine if I need to submit my app for restricted scope verification? below.

To submit for verification, follow the steps below:

1. Go to the Cloud Console OAuth consent screen page.
2. Click the Project selector drop-down at the top of the page.
3. On the Select from dialog that appears, select your project. If you can't find your project, and you know your project ID, you can construct a URL in your browser in the format https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID] where [PROJECT_ID] is the project ID you want to use.
4. Click the Edit App button.
5. Enter the information required on the configuration page, and then click Submit for verification. If the Submit for verification button does not appear at the end of the configuration pages, save what you have completed and repeat steps 1-4.
6. Once you click Submit for Verification, a Verification required dialog box will appear; enter the appropriate justifications, and then click Submit to start the verification process.

Learn more about verification status.

Why can't I see the API scopes in the scope picker?

To view the API scopes:

1. Go to the Google API Console Library page.
2. Ensure the relevant project is selected.
3. Search for and enable the API for which you need the scopes to be verified.
Enabled API scopes are visible in the scope picker on the OAuth consent screen page.

For a detailed list of APIs and relevant OAuth scopes, see OAuth 2.0 Scopes for Google APIs.

Note: For Apps Script projects, see the OAuth Client Verification guide for more instructions.

I need help selecting scopes for my app. Where can I find support for various product APIs?

If you need help deciding which scopes to use for your app, please refer to the OAuth 2.0 Scopes for Google APIs documentation.

How do I check my verification status?

To check your project's verification status:

1. Go to the Cloud Console OAuth Consent Screen configuration page.
2. Click the Project selector drop-down at the top of the page.
3. On the Select from dialog that appears, select your project. If you can't find your project, and you know your project ID, you can construct a URL in your browser in the format https://console.cloud.google.com/apis/credentials/consent?project=[PROJECT_ID] where [PROJECT_ID] is the project ID you want to use.
4. If you have submitted your project and it's currently in review, Being verified will display under Verification status. For more information about other verification statuses, see the Setting up your OAuth consent screen page.

How can I make sure the verification process is as streamlined as possible?

To ensure a streamlined verification process, please ensure that all the required information is included, such as the following:

- Verify domain ownership of all your authorized domains with Google through Search Console by using an account that is either a Project Owner or a Project Editor on your OAuth Project. Note: If you are using a third party service provider and your domain is owned by them, then you need to provide a detailed justification for us to validate it.
- Make sure that your application homepage links to an externally accessible domain that describes the necessary content, context, or connection to the app that you are submitting.
  - Placing sign-in restrictions on the homepage is only allowed for internal apps, which are not subject to the verification process. For more information, see How can I mark my app as internal-only so it does not require verification?
  - Links to the Google Play Store or Facebook are not considered valid application homepages.
- Make sure that your app's Privacy Policy meets the following requirements:
  - The Privacy Policy must be visible to users, hosted within the domain of your website, and linked to the OAuth consent screen on the Google API Console.
  - The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
- Make sure that each scope that you're requesting has an explanation for its use/need for the project, as well as a justification for why a narrower scope would be insufficient.
- Make sure all OAuth branding information on the OAuth consent screen, such as the project name shown to users, support email, homepage URL, privacy policy URL, and so on, accurately represents the app's identity.
- If you use Google Sign-In Scopes in your app, please ensure that your app is compliant per these branding guidelines.
- Please include a YouTube link to a demo video demonstrating the OAuth grant process by users and explaining, in detail, the usage of sensitive and restricted scopes within the app's functionality for each OAuth client belonging to the project. Note that the video should clearly show the app's details such as the app name, OAuth client ID, and so on. For multiple client IDs, the demo video should show usage of sensitive and restricted scopes on each client. Including the video along with the verification request will speed up the approval process significantly.

Note that approval will not be granted if scope usage on each OAuth client ID is not adequately explained. Additionally, if any of your OAuth clients in the project requesting verification are not ready for testing, we will be unable to complete our review and your request will be rejected. We require that you separate your test and production projects and move OAuth clients still in development into a test project before requesting verification. Your apps will be thoroughly reviewed by our teams.

For information about using the new consent screen flow, see Setting up OAuth 2.0.

If you are requesting a restricted scope, please reference the Restricted scope app verification section.

What information should I include in the in-app testing video?
Please ensure that the YouTube link to a demo video demonstrates the OAuth grant process by users and explains the usage of sensitive and restricted scopes within the app's functionality for each OAuth client belonging to the project. Note that the video must clearly show the app's details such as the app name, OAuth Client ID, etc. as applicable. The demo video must show usage of sensitive and restricted scopes on each client. Including the video along with the verification request will speed up the approval process significantly. Note that approval will not be granted if scope usage on each OAuth client ID is not adequately explained.

Additionally, if any of your OAuth clients in the project requesting verification are not ready to be productionized, we will be unable to complete our review and your request will be rejected. We require that you separate your testing/development and production projects. Our teams will thoroughly review your apps.

You can review the following guides on how to make a screencast on your Mac or PC:

- Mac
- PC

What happens if I add new sensitive or restricted scopes to my app while my sensitive or restricted scope verification is in progress?

You can add new sensitive or restricted scopes in the Cloud Console OAuth consent screen config page and click Submit for Verification anytime. However, if your app starts to use the new sensitive or restricted scopes before they are approved, users will experience the unverified app screen and the app will be subject to the 100-user cap.

How can I access data from my users' Google Cloud project using Cloud APIs?

You can access data from your users' Google Cloud projects by creating a service account to represent your service, and then having your customers grant that service account appropriate access to their cloud data using IAM policies. Note that you might want to create a service account per customer if you need to avoid confused deputy problems. To familiarize yourself and educate your users on using service accounts and updating cloud IAM policies, see the following articles.
Service Account Creation:

- Using OAuth 2.0 for Server to Server Applications
- Service Accounts

IAM Policies:

- IAM Policies
- IAM Quickstart

If your users are having issues creating a service account or using IAM policies to grant your project the appropriate permissions, please direct them to Google Cloud Support.

What happens if I don't submit my app for review?

If you don't submit your app for review:

- If your public app uses any sensitive or restricted scopes that permit access to certain user data, users of your app will see an Unverified App warning screen.
- To protect users and Google systems from abuse, apps that use OAuth and Google Identity have a 100-user cap restriction based on the risk level of the OAuth scopes the app uses. Failure to get your app verified might result in exhaustion of your project's 100-user cap and cause Google sign-in to be disabled. Learn more about Unverified apps.

How do I check my user cap status?

Please note the user cap applies over the entire lifetime of the project, and it cannot be reset or changed. You can check your user cap with the following instructions:

1. Sign in to Google Cloud Console.
2. Select your project ID.
3. Go to OAuth Consent Screen under APIs & Services.
4. Go to OAuth user cap and check your user cap usage status.

Failure to get your app verified for sensitive and/or restricted scopes might result in exhaustion of your project's 100-user cap and cause Google sign-in to be disabled. Learn more about Unverified apps.

What happens if my app gets rejected from the verification process?

If the app has been rejected for sensitive or restricted scopes, users' access to the unapproved sensitive or restricted scopes in the app via OAuth will no longer work.

If you want to reapply, do the following:

1. Ensure that your app complies with our policies. For more information, see What are the requirements for verification?
2. On the Cloud Console OAuth consent screen page, select the sensitive or restricted scopes you're requesting access to and click Submit for Verification. All required materials need to be resubmitted.

Users seeing the Unverified App Screen or "Sign-in with Google temporarily disabled"

Why are users seeing this?
To protect users and Google systems from abuse, unverified apps that are accessing restricted or sensitive scopes have a 100 new-user cap restriction. Failure to get your app verified before making requests to sensitive or restricted scopes will result in your project's 100 new-user cap eventually getting exhausted and Google sign-in being disabled for your users. Learn more about Unverified apps.

Why are users of verified apps seeing the unverified app screen or "Sign-in disabled"?

This is caused by approved apps making requests to sensitive or restricted scopes that were not approved during the verification process. Review the approved scopes in your Cloud Console for the project and make sure that the codebase of your app is not requesting any scopes that are not listed.

If you need assistance with identifying which unapproved scopes your project is requesting, reach out by directly responding to the last email that the verification team sent you. After the scopes are identified, do the following:

- If the scopes are not needed, remove requests for the scopes from your codebase.
- If the scopes are needed, add them to the Cloud Console and submit them for verification.

Why are users of apps that are currently in the verification process seeing the unverified app screen or "Sign-in disabled"?

This is caused by the project actively making requests for restricted or sensitive scopes that have not yet been approved/verified. If you need assistance with identifying which unapproved scopes your project is requesting, reach out by directly responding to the last email that the verification team sent you. After the scopes are identified, do the following:

- If the scopes are not needed, remove requests for the scopes from your codebase.
- If the scopes are needed, add them to the Cloud Console and submit them for verification.

Sensitive scope app verification

What are sensitive API scopes?

Sensitive scopes allow access to Google User Data. If an app uses sensitive scopes, it must comply with the Google API User Data Policy or product specific User Data policy and have its OAuth consent screen configuration verified by Google. The app verification process can take anywhere from 3 to 5 business days.

Restricted scope app verification

What are restricted API scopes?
Like sensitive scopes, restricted scopes allow access to Google User Data. If an app uses restricted scopes, it must comply with the Google API User Data Policy or product specific User Data policy and have its OAuth consent screen configuration verified by Google. In addition, Google verifies that an app that uses restricted scopes complies with the Additional Requirements for Specific API Scopes.

Gmail API

- https://mail.google.com/ (includes any usage of REST, IMAP, SMTP, and POP3 protocols)
- https://www.googleapis.com/auth/gmail.readonly
- https://www.googleapis.com/auth/gmail.metadata
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/gmail.insert
- https://www.googleapis.com/auth/gmail.compose
- https://www.googleapis.com/auth/gmail.settings.basic
- https://www.googleapis.com/auth/gmail.settings.sharing

Drive API

Note: These scopes are provided to help Drive developers prepare for the future review process. Google will reach out to developers when action will be required.

- https://www.googleapis.com/auth/drive
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/drive.activity
- https://www.googleapis.com/auth/drive.activity.readonly
- https://www.googleapis.com/auth/drive.metadata
- https://www.googleapis.com/auth/drive.metadata.readonly
- https://www.googleapis.com/auth/drive.scripts

Google Fit API

- https://www.googleapis.com/auth/fitness.activity.read
- https://www.googleapis.com/auth/fitness.activity.write
- https://www.googleapis.com/auth/fitness.blood_glucose.read
- https://www.googleapis.com/auth/fitness.blood_glucose.write
- https://www.googleapis.com/auth/fitness.blood_pressure.read
- https://www.googleapis.com/auth/fitness.blood_pressure.write
- https://www.googleapis.com/auth/fitness.body_temperature.read
- https://www.googleapis.com/auth/fitness.body_temperature.write
- https://www.googleapis.com/auth/fitness.body.read
- https://www.googleapis.com/auth/fitness.body.write
- https://www.googleapis.com/auth/fitness.heart_rate.read
- https://www.googleapis.com/auth/fitness.heart_rate.write
https://www.googleapis.com/auth/fitness.location.read
https://www.googleapis.com/auth/fitness.location.write
https://www.googleapis.com/auth/fitness.nutrition.read
https://www.googleapis.com/auth/fitness.nutrition.write
https://www.googleapis.com/auth/fitness.oxygen_saturation.read
https://www.googleapis.com/auth/fitness.oxygen_saturation.write
https://www.googleapis.com/auth/fitness.reproductive_health.read
https://www.googleapis.com/auth/fitness.reproductive_health.write
https://www.googleapis.com/auth/fitness.sleep.read
https://www.googleapis.com/auth/fitness.sleep.write

Note: While all Fit scopes are restricted, only a subset of Fit scopes (Read Health Scopes) will require security assessment. Those scopes are:

https://www.googleapis.com/auth/fitness.blood_glucose.read
https://www.googleapis.com/auth/fitness.blood_pressure.read
https://www.googleapis.com/auth/fitness.body_temperature.read
https://www.googleapis.com/auth/fitness.body.read
https://www.googleapis.com/auth/fitness.heart_rate.read
https://www.googleapis.com/auth/fitness.oxygen_saturation.read
https://www.googleapis.com/auth/fitness.reproductive_health.read
https://www.googleapis.com/auth/fitness.sleep.read

What is the restricted scope app verification and how is it different from the sensitive scope app verification?

The sensitive scope app verification verifies compliance with the Google API User Data Policy.

The restricted scope app verification verifies compliance with the Google API User Data Policy and an additional set of requirements for restricted scopes outlined in Additional Requirements for Specific API Scopes.

How can I prepare for a restricted scope verification?

Enforcement for restricted scope policies will be a phased rollout. If you were already approved for these APIs under the sensitive scope verification process, then we will notify you when your application must be reverified.
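Two of the preparation items that follow (every scope the project uses must appear in the consent screen configuration, and scope usage must be as narrow as possible) and the "Sign-in disabled" questions earlier on this page come down to the same check: does the code request exactly the scopes the console has approved? The following is an added example of that audit in Python and is not code from Google's documentation. The source snippets and the approved-scope list are constructed for the example; the restricted-scope list is the one given on this page.

```python
"""Audit which OAuth scopes an app's code actually requests against the scopes
approved on its consent screen. Added example; it is not code from Google's
documentation. The source snippets and approved-scope list below are
constructed for the example: in practice, walk your real codebase and paste
the scope list from the Cloud Console's OAuth consent screen page."""
import re
from typing import Dict, Iterable, Set

# Restricted scopes exactly as listed on this page. Gmail and Drive are
# explicit sets because siblings such as gmail.send or drive.file are not
# restricted; every Google Fit scope is restricted, so a prefix is enough.
RESTRICTED_SCOPES = {
    "https://mail.google.com/",
    *("https://www.googleapis.com/auth/gmail." + s for s in (
        "readonly", "metadata", "modify", "insert", "compose",
        "settings.basic", "settings.sharing")),
    *("https://www.googleapis.com/auth/drive" + s for s in (
        "", ".readonly", ".activity", ".activity.readonly",
        ".metadata", ".metadata.readonly", ".scripts")),
}
FIT_PREFIX = "https://www.googleapis.com/auth/fitness."

# URL-form scopes only. Short aliases (openid, email, profile) are not
# sensitive and are deliberately ignored by this audit.
SCOPE_RE = re.compile(
    r"https://(?:www\.googleapis\.com/auth/[A-Za-z0-9_.\-]+|mail\.google\.com/)")


def is_restricted(scope: str) -> bool:
    return scope in RESTRICTED_SCOPES or scope.startswith(FIT_PREFIX)


def extract_scopes(sources: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each scope string found in the sources to the files it occurs in."""
    found: Dict[str, Set[str]] = {}
    for path, text in sources.items():
        for match in SCOPE_RE.findall(text):
            scope = match.rstrip(".")  # a scope ending a sentence drags its period along
            found.setdefault(scope, set()).add(path)
    return found


def audit_sources(sources: Dict[str, str], approved: Iterable[str]) -> dict:
    """Compare requested scopes with the approved list.

    unapproved            - requested in code, absent from the consent screen
                            (these trigger the unverified-app screen)
    unapproved_restricted - the subset that also needs restricted-scope review
    unused_approved       - approved but no longer requested anywhere; remove
                            them from the registration once users are migrated
    """
    locations = extract_scopes(sources)
    requested = set(locations)
    approved_set = set(approved)
    unapproved = requested - approved_set
    return {
        "locations": locations,
        "unapproved": unapproved,
        "unapproved_restricted": {s for s in unapproved if is_restricted(s)},
        "unused_approved": approved_set - requested,
    }


# Constructed sample inputs for the example.
SAMPLE_SOURCES = {
    "auth/login.py": (
        'SCOPES = ["openid", "https://www.googleapis.com/auth/userinfo.email",\n'
        '          "https://www.googleapis.com/auth/gmail.readonly"]\n'),
    "jobs/legacy_sync.py": (
        "# left over from the IMAP days: full mailbox access\n"
        "flow.scope = 'https://mail.google.com/'\n"),
    "ui/calendar.js": (
        "const scope = 'https://www.googleapis.com/auth/calendar.readonly';\n"),
}
SAMPLE_APPROVED = {
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
}

if __name__ == "__main__":
    result = audit_sources(SAMPLE_SOURCES, SAMPLE_APPROVED)
    for scope in sorted(result["unapproved"]):
        tag = "RESTRICTED" if scope in result["unapproved_restricted"] else "unapproved"
        print(f"{tag}: {scope} in {sorted(result['locations'][scope])}")
    for scope in sorted(result["unused_approved"]):
        print(f"approved but unused: {scope}")
```

Run against the sample input, the audit flags the leftover https://mail.google.com/ request in jobs/legacy_sync.py as both unapproved and restricted (exactly the situation that produces "Sign-in disabled" for an otherwise verified app), and reports drive.readonly as approved but unused, which belongs in the "remove the scope from your OAuth registration" step of the migration procedure described later on this page.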
If your app is for internal organization usage only, be sure to mark the app as internal. For instructions, see the FAQ How can I mark my app as internal-only?. Public enterprise apps that request restricted scopes and are used by other enterprises are affected by this policy change and will need to submit their app for verification. Regardless of whether an app requires verification or not, Google Workspace administrators are in control of their users' apps and can whitelist apps as needed for their businesses.

Ensure that project owner and editor email addresses are up to date so that Google can communicate important policy updates and impact related to a developer's app with the developer. Ensure that project support emails are up to date so that users can contact the developer as needed.

Remove any unused and test clients from the project before requesting verification.

Ensure that all scopes that your Google API project uses appear in your project's OAuth consent screen scope configuration in the Google API Console. For instructions, see the User consent section in the "Setting up OAuth 2.0" help article.

Ensure that your scope usage is as narrow as possible, and be prepared to tell us why a narrower scope is insufficient in the verification process.

Verify domain ownership of all your authorized domains with Google through Search Console by using an account that is either a Project Owner or a Project Editor on your OAuth Project.

Note: If a third-party service provider owns your domain, then you need to provide a detailed justification for us to validate it.

Ensure that your app's Privacy Policy meets the following requirements:

The Privacy Policy must be visible to users, hosted within the domain of your website, and linked to the OAuth consent screen on the Google API Console.
The Privacy Policy must be compliant with the Google API User Data Policy and the Limited Use requirements. It must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.

Verification process

How do I determine if I need to submit my app for restricted scope verification?
If you are using restricted scopes, you need to submit for verification. You do not need to submit for verification if any of the following applies to your project:

Your project uses Gmail Add-ons that don't use any of the restricted scopes.

Only owners use the project: if the project is only used by owners of the project, no action is required. To determine whether you are an owner (versus an editor or viewer):
Go to the GCP Console IAM & admin page.
Click the Project selector drop-down at the top of the page.
On the Select from dialog that appears, select your project.
Your roles are listed next to your email address in the Members list.

If you aren't an Apps Script developer AND the project is part of an Organization and is for internal use only: If the project owner is using a Google Workspace account and the project is only used by Google Accounts in the project owner's Organization, no action is required.

To determine if your project is part of an Organization:
Go to the GCP Console IAM & admin Settings page.
Click the Project selector drop-down at the top of the page.
On the Select from dialog that appears, select your project.
The Location section displays your project's location in its Organization. If the section is blank, then your project needs to be migrated to an Organization. Learn more about public and internal apps, how to use Organizations, and how to migrate your project to an Organization.

To indicate that the application is for internal use:
Go to the GCP Console OAuth Consent Screen configuration page.
Click the Project selector drop-down at the top of the page.
On the Select from dialog that appears, select your project.
Under User type, select Internal, and then click Save.

If you are an Apps Script developer:

The project doesn't have users outside of your Google Workspace domain: If the project owner is using a Google Workspace account and the project is only used by Google Accounts in the project owner's domain, no action is required. Learn more about OAuth Client Verification Applicability.

To determine if you have an Apps Script that needs to be submitted for verification even if you have users outside of your Google Workspace domain:
Open the script in the Apps Script editor.
Select Resources > Cloud Platform project.
In the dialog that appears, click the top link, which is typically something like [Script Name]-project-id-123456789012. If you can access the project using that link, then you need to submit for verification. If you don't see a link in the dialog and a message displays that "This script has an Apps-Script-managed Cloud Platform project", then you don't need to submit for verification.

If your project is used by Google Accounts outside of your organization, such as the general public, you need to submit your app for verification.

My application has users with enterprise accounts from another Google Workspace Domain. How does this apply to my Google Workspace or Cloud Identity enterprise accounts?

You can skip the verification process if your app is solely built for Google Workspace customers and if the customers' domain admin whitelists your app by completing the following steps:

Make sure your project has User type set to External on the OAuth consent configuration page on Cloud Console.
Ask your customers' domain admin to allow access to your app so that the unverified app UI will not be shown to users on that domain. Note that Google Workspace administrators for those enterprise accounts can control which applications their users can access.

Note that the following users will still experience the unverified app UI and eventually a user cap will be enforced:

Users trying to access the app from any domain that hasn't explicitly whitelisted your app
Consumer users trying to authorize access to your app

If your application doesn't fit the usage pattern in the preceding description, then you need to submit your application for verification. If you allow only enterprise accounts to use your app, be prepared to provide us with a sample enterprise account for verification purposes.

What if my app is using IMAP or SMTP? Do I need to submit for verification?

Yes, because IMAP and SMTP usage requires using https://mail.google.com/, you will need to submit your app for the restricted scope verification for this determination. If your usage of IMAP/SMTP is deemed to violate the minimum scope policy within the verification process, you will need to migrate to using the Gmail API.
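Moving off https://mail.google.com/ is not only a change to the scope string: users who already granted the broad scope keep that grant until it is revoked, and the next question on this page spells out the order of operations (approved narrower scope first, revoke the old grant, prompt for fresh consent, then drop the old scope from the registration). The following is an added Python example of the revoke-and-re-consent part of that sequence; it is not code from Google's documentation. The per-user record shape, the client ID, redirect URI and state value are assumptions for the example; the authorization and revocation endpoints are Google's, and the `post` parameter exists only so the revocation call can be exercised offline.

```python
"""Migrate users from a broad OAuth scope to a narrower one without leaving
stale grants behind. Added example, not code from Google's documentation.

Assumptions (not from the page): the app stores, per user, the refresh token
and the set of scopes that user actually granted; `post` is injectable so
the revocation request can be tested without network access."""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional, Set

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"

FULL_MAIL = "https://mail.google.com/"
GMAIL_READONLY = "https://www.googleapis.com/auth/gmail.readonly"


def plan_migration(current: Iterable[str], target: Iterable[str]) -> Dict[str, Set[str]]:
    """Split a scope change into what to drop, what to add and what stays."""
    cur, tgt = set(current), set(target)
    return {"drop": cur - tgt, "add": tgt - cur, "keep": cur & tgt}


def consent_params(client_id: str, redirect_uri: str,
                   scopes: Iterable[str], state: str) -> Dict[str, str]:
    """Query parameters for a fresh consent request carrying only the target
    scopes. prompt=consent forces the consent screen even though a grant
    existed before; include_granted_scopes is deliberately left out, because
    incremental authorization would carry the old broad scope forward."""
    return {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(set(scopes))),
        "access_type": "offline",
        "prompt": "consent",
        "state": state,
    }


def build_consent_url(client_id: str, redirect_uri: str,
                      scopes: Iterable[str], state: str) -> str:
    params = consent_params(client_id, redirect_uri, scopes, state)
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def _default_post(url: str, data: Dict[str, str]) -> int:
    """Form-encoded POST; returns the HTTP status (Google answers 200 on a
    successful revocation, 400 for an unknown or already revoked token)."""
    body = urllib.parse.urlencode(data).encode()
    req = urllib.request.Request(
        url, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def revoke_grant(token: str, post: Callable[[str, Dict[str, str]], int] = _default_post) -> bool:
    """Revoke a refresh (or access) token. Revoking the refresh token
    invalidates the whole grant, so the old full-mailbox consent disappears
    from the user's account instead of lingering there as risky access."""
    return post(REVOKE_ENDPOINT, {"token": token}) == 200


def migrate_user(user: dict, client_id: str, redirect_uri: str,
                 target_scopes: Iterable[str], state: str,
                 post: Callable[[str, Dict[str, str]], int] = _default_post) -> Optional[str]:
    """Revoke the user's old grant if it carries a scope being phased out and
    return the consent URL to send them to; None if nothing needs migrating."""
    plan = plan_migration(user["granted_scopes"], target_scopes)
    if not plan["drop"]:
        return None  # already on the narrow scopes; nothing to revoke
    if not revoke_grant(user["refresh_token"], post):
        raise RuntimeError("revocation failed; keep the old scope until it succeeds")
    user["refresh_token"] = None
    user["granted_scopes"] = set()
    return build_consent_url(client_id, redirect_uri, target_scopes, state)


if __name__ == "__main__":
    # Constructed record for a user who consented under the old broad scope.
    record = {"refresh_token": "rt-example", "granted_scopes": {FULL_MAIL, "openid"}}
    url = migrate_user(record, "123.apps.googleusercontent.com",
                       "https://app.example/oauth/cb", {GMAIL_READONLY, "openid"},
                       "state-1", post=lambda u, d: 200)  # stubbed network
    print(url)
```

Doing the revocation while the user is in a session, as the page suggests, lets the app redirect straight to the returned consent URL; a background job can do the same and e-mail the link. Either way the old scope should only be removed from the console registration after the grants carrying it are gone, otherwise users keep receiving the Security Checkup warning the page describes.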
If your app uses IMAP protocol or joint IMAP/SMTP protocols, note that the https://mail.google.com/ scope should only be requested if your application also needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes. If your app does not do this, you will need to migrate to the Gmail API and request less permissive scopes.

If your app uses SMTP protocol only, note that using the broad access https://mail.google.com/ scope just for sending emails with the SMTP protocol violates the minimum scope policy. To use the Gmail API and continue with the verification process, you will need to migrate off SMTP protocol and use the sensitive https://www.googleapis.com/auth/gmail.send scope instead.

How do I migrate my OAuth client to new API scopes and minimize impact to users?

In some cases, apps will be required to migrate the scopes they are currently using to new ones that meet the minimum scope requirements. An example of this is migration of the use of the full mail scope ("mail.google.com") to the read-only scope ("gmail.readonly"). To minimize impact on your users, follow these steps:

Obtain approval for the new scopes with an approved verification request (refer to How do I submit for verification?).
Revoke the prior user token to the scope that will be removed or remove access to the app entirely: for example, the token with https://mail.google.com/ access that is being removed. You might consider doing the revocation while your users are using your app so that you can prompt for user consent immediately.
Prompt your users to re-consent with the new scopes: for example, gmail.readonly without https://mail.google.com.
Remove the scope that is being phased out of your API Console's OAuth registration.

If you don't follow these steps, then any user with an active token that still has access to the scope being phased out will receive a Security Center warning to remove risky access to your data. This occurs because the user has an active token where the API scope has not been verified any longer. If your app does not revoke the token as described in the preceding list, the user will continue to receive this warning message.

How long will the verification process take?
The restricted scopes verification process checks for compliance in multiple areas. Verification is expected to take several weeks to account for clarification questions and re-submissions. It is common to experience many back-and-forths during this review process. Any outstanding items will be communicated to you in the verification thread. Failure to comply with these requirements will likely result in a rejection of your request.

Please ensure that all contacts associated with the verification of your project are included in the verification thread to avoid missing any key communications.

What if I have several apps requesting restricted scopes; will they all need to be verified?

Yes, all Google Cloud projects that access restricted scopes must be submitted for verification. This also means that all OAuth Clients within a project requesting restricted scopes must be ready for verification once submitted. We suggest you delete or remove OAuth Clients that are not ready for production before submitting a verification request.

If my app uses a combination of restricted and non-restricted APIs, will I need to submit for verification?

Yes, your app will need to be submitted for verification. If it is not, access to all restricted and non-restricted API scopes will be disabled for consumer accounts.

How do I get my verification completed faster?

Your verification can be completed faster if your submission is as detailed and thorough as possible. Please make sure the following are prepared:

Your app can be accessed and used by our verification team with their test accounts.
Your app's website is complete, descriptive and includes easy access to the privacy policy.
If your app uses restricted scopes, ensure your app's privacy policy complies with the Limited Use section of the Google API User Data Policy or product specific User Data policy.

What are the requirements for verification?

Homepage requirements

Your homepage must link to an externally accessible domain that describes the necessary content, context, or connection to the app you are submitting.
Your homepage must not be a link to a sign-in page.
Your homepage must explain with transparency the purpose for which your application requests user data.
Your homepage must thoroughly describe how your app enhances user functionality.
Your homepage must be accurate, inclusive, and easily accessible to all users.
Your Privacy Policy must be accessible from your homepage URL and visible to users. The Privacy Policy must clearly disclose the manner in which your application accesses, uses, stores, or shares Google user data.

Verified domains and accessible URL/URL links

You must verify the domain ownership for all authorized domains listed in your request:
Go to the Search Console to complete the domain verification process.
The account you use must be either a Project Owner or a Project Editor of your project.

Scopes selection and justification

Your requested scope(s) must be as granular as possible (if your requested scope goes beyond the usage needed, then we will either reject your request or suggest a more applicable scope).
You must provide a detailed justification for your requested scope(s) as well as an explanation for why a narrower scope wouldn't be sufficient. Example: My app will use https://www.googleapis.com/auth/calendar to show a user's Google calendar data on the scheduling screen of my app, so that users can manage their schedules through my app and sync the changes with their Google calendar.

App demonstration video

You must provide a YouTube link to a video, in English, that fully demonstrates the OAuth grant process by users and shows, in detail, the usage of restricted/sensitive scopes within the app's functionality for each OAuth client belonging to the project.
The video must clearly show the app's details such as the app name, OAuth Client ID, etc. as applicable.
The demo video must show usage of sensitive and restricted scopes on each OAuth client.
Including the video along with the verification request will speed up the approval process significantly. We will not grant approval if you don't adequately explain scope usage on each OAuth client ID.

Additionally, if any of your OAuth clients in the project requesting verification are not ready to be put into production, we will not be able to complete our review and your request will be rejected. We require that you separate your testing/development and production projects. We will thoroughly test your apps.
Failure to satisfy/provide the preceding information might result in a rejection of your request. To avoid this outcome, update the applicable information in your request to meet our requirements.

Security assessment

Every app that requests access to restricted scope Google user's data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors. This assessment helps keep Google users' data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis; this process is called the security reassessment, also known as annual recertification. The cost of the assessment typically varies between $10,000-$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed.

Apps not applicable for verification

Apps for internal use only (single domain use)
Apps for personal use only
Apps that are Gmail SMTP plugins for WordPress
Apps that are in development or staging/testing

If Google announces additional APIs that fall into the restricted scope category, do I need to re-submit for another verification?

Enforcement for restricted scope policies will be a phased rollout. If you were already approved for these APIs under the sensitive scope verification process, then we will notify you when your application must be reverified.

Application types

What if my app is a task automation platform?

If your app is a task automation platform that connects user data between apps (like Zapier) and its use of restricted scopes data would be considered appropriate under the "Applications that enhance the email experience for productivity purposes" category, you would be required to comply with additional guidelines in order to be approved for restricted scope access. Submit your application for these scopes, and we will provide these guidelines during your verification process.
What if my app is not one of the Application Types?

If you are unsure of your app's Application Type, you can select None of these when submitting the app for verification and our verification team will make this determination.

What type of applications are not allowed to use Gmail Restricted Scopes?

The following application types are examples of apps that are no longer allowed per the Permitted Application Types policy:

Mobile keyboards.
Applications that export email on a one-time or manual basis. Applications that continuously and automatically backup email are permitted.
Apps that store or backup data other than email messages in Gmail.
Security apps, including those that scan for malware or identify spam or phishing emails.

Limited Use requirements

Could you explain the Limited Use requirements from the Google API Services User Data Policy?

All apps that request restricted scopes must show a Limited Use disclosure on their project's homepage or on a page one click away from the homepage that complies with the Google API Services User Data Policy, including the Limited Use requirements.

This Limited Use disclosure should be written by you, the developer, and should meet the following requirements:

The disclosure should clearly describe the app's compliance with the Google API Services User Data Policy or product specific User Data policy, including the Limited Use requirements.
You must provide a link to the URL where the disclosure is hosted.
The disclosure must be easily visible to all users.
The disclosure must be accessible on the project's homepage URL or one click away from the homepage URL.
The disclosure must be under 500 characters.

For example: "{App's} use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements."

If you are unable to add a disclosure, then your app's privacy policy must comply with the following requirements. This option might make the review time for your app longer.
The Limited Use requirements have four elements:

Allowed Use: Developers are only allowed to use restricted scope data to provide or improve user-facing features that are prominent from the requesting app's user interface. It should be clear to your users why and how you use the restricted scope data they've chosen to share with you.

Allowed Transfer: Developers are only allowed to transfer restricted scope data to others if that transfer is (a) necessary to provide or improve user-facing features that are prominent from the requesting app's user interface, (b) to comply with applicable laws, or (c) a part of a merger, acquisition or sale of assets of the developer. All other transfers or sales of user data are completely prohibited.

Prohibited Advertising: Developers are never allowed to use or transfer restricted scope data to serve users advertisements. This includes personalized, re-targeted and interest-based advertising.

Prohibited Human Interaction: Developers cannot allow humans to read restricted scope user data. For example, a developer with access to a user's data is not allowed to have one of its employees read through a user's emails. There are four limited exceptions to this rule: (a) the developer obtains a user's consent to read specific messages (for example, for tech support), (b) it's necessary for security purposes (for example, investigating abuse), (c) to comply with applicable laws, and (d) the developer aggregates and anonymizes the data and only uses it for internal operations (for example, reporting aggregate statistics in an internal dashboard).

You can only complete the verification process if your privacy policy complies with the Limited Use requirements. For example, if your privacy policy states "App collects data from your electronic messages (email), and we share that data with our advertising partners for marketing purposes," then your app cannot complete the verification process. This is true even if you disclose elsewhere in your product that your app follows the Limited Use Requirements.

Apps distributed on Google Play are subject to the Google Play Developer Distribution Agreement.

How do I know if my privacy policy does not meet the Limited Use requirements?
If your privacy policy describes practices around your app's use of restricted scope data that violate the Limited Use requirements, it is inconsistent with these requirements. The following examples show practices that would be inconsistent with the Limited Use requirements for restricted scopes:

Example 1: Market Research Not Permitted

We share your information with the following:
Affiliates who enhance our market research capabilities by combining the information we collect with other information available to them from other sources;
[Reason: Impermissible transfer of data, if using data from a restricted API scope.]
Third-party business partners that work with us to develop and resell products;
[Reason: Impermissible transfer of data, if using data from a restricted API scope.]
and Customers that have access to our market research datasets and analyses.
[Reason: Impermissible use and transfer of data, if using data from a restricted API scope.]

Example 2: Transfer of Anonymized Datasets Not Permitted

The app uses your information as described in this policy, which includes creating anonymized datasets to improve our products and services and the products and services of our affiliates.
[Reason: Impermissible use and transfer of data to improve services outside the app using a restricted scope.]
We do not share, sell, or transfer your personal data for purposes other than those outlined in this policy. We might, however, disclose aggregated information about our users, and information that does not identify any individual, without restriction.
[Reason: Impermissible transfer and potential human reading of data. As a reminder, even aggregated and anonymized data are subject to Limited Use requirements.]

Example 3: Transfer with User Consent Not Permitted

We might share your information in any other way we might describe when you provide the information and for any other purpose with your consent.
[Reason: Impermissible use and transfer. Note that the Limited Use restrictions apply even if you seek permission from your users.]

Example 4: Advertising with User Data from Restricted Scopes Not Permitted

We transfer information to advertising partners who work with our App under confidentiality agreements.
[Reason: Impermissible transfer and use; confidentiality agreements do not make the transfer or use for advertising permissible under the Limited Use requirements.]
We might use your information to deliver advertisements according to our advertisers' target-audience preference with your express consent.
[Reason: Impermissible use of data for advertising. Note that the Limited Use restrictions apply even if you seek permission from your users.]
We might also use your information to personalize your content, marketing, and recommendations, including to target content and services to more closely match your interests and location.
[Reason: Impermissible use of data for advertising. Your app can continue to deliver advertisements but cannot use the user data from restricted scopes to affect advertising. Personalization of content and recommendations that follow the Limited Use requirements are permitted.]

What is an example of language that meets the Limited Use requirements?

The following is an example of language that might be appropriate if your app uses data from restricted scopes and is a web email client app.

You might decide to incorporate language from the Limited Use requirements, or other policies, directly into your privacy policy. However, keep in mind that the Google API Services User Data Policy or product specific User Data policy might change from time to time and that you are responsible for ensuring that your privacy policy remains consistent with these policies and other applicable laws/regulations around changes to your privacy policy and data practices. The details of your privacy policy will depend on your app and your data practices, including what data from restricted scopes you collect and use.
Additional Limits on Use of Your Google User Data: Notwithstanding anything else in this Privacy Policy, if you provide the App access to the following types of your Google data, the App's use of that data will be subject to these additional restrictions:

The App will only use access to read, write, modify, or control Gmail message bodies (including attachments), metadata, headers, and settings to provide a web email client that allows users to compose, send, read, and process emails and will not transfer this Gmail data to others unless doing so is necessary to provide and improve these features, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
The App will not use this Gmail data for serving advertisements.
The App will not allow humans to read this data unless we have your affirmative agreement for specific messages, doing so is necessary for security purposes such as investigating abuse, to comply with applicable law, or for the App's internal operations and even then only when the data have been aggregated and anonymized.

What if my privacy policy covers multiple types of data, including non-restricted scope data?

Only data from restricted scopes needs to comply with our Additional Requirements for Specific API Scopes.

The exact wording of your privacy policy will largely depend on your specific data practices, including how you use, store, or transfer other data you collect. We recommend seeking legal advice on what's right for your app.

If you use broad terms in your privacy policy to refer to data from restricted scopes and other types of data, we will interpret your disclosures as applying to user data from restricted scopes. Where possible, you should refer to data from restricted scopes separately in your privacy policy. For example, if your app uses data from restricted scopes, as well as other data obtained from your users in your app, you can separate your disclosures on how you use those different sources of data.

How can I make my privacy policy compliant with the Limited Use Requirements?

Describing how your app uses Google user data consistent with Google policies through a public web-accessible disclosure (such as an in-product disclosure on the application homepage, or public FAQ) is enough for going through the verification process.
For example, your public FAQ could contain a statement like the following:

"{App's} use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements."

For more information about the Limited Use disclosure requirements, see Could you explain the Limited Use requirements from the Google API Services User Data Policy?

Security assessment

Why is the security assessment needed?

To help keep user data safe, every app that requests access to restricted scope Google user's data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors. This assessment helps keep Google users' data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis; this process is called the security reassessment, also known as annual recertification. Assessments will be conducted by a Google-empanelled third-party assessor. The cost of the assessment typically varies between $10,000-$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed.

How will the security assessment work?

First, your application will be reviewed for compliance with the Google API Services: User Data Policy via the restricted scope verification you submit through the Cloud Console. Upon completing most of the checks in the restricted scope verification, you will receive an email with contact information of third-party security assessors who you can contact and use to perform your security assessment.
Assessments will be conducted by a Google-empanelled third-party assessor. The cost of the assessment typically varies between $10,000-$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed.

All apps that request access to restricted scope Google user's data and have the ability to access data from or through a third party server are required to get their app reassessed on an annual basis. For more information, see How long is the security assessment valid for?

What if my app accesses Google user data through OAuth API Scopes that aren't Restricted API Scopes?

We strongly recommend that you work with the security assessor to demonstrate secure handling of all Google user data like Contacts and Calendar that your app requests, even though these OAuth API scopes aren't considered Restricted scopes yet. Your app may be subject to future security assessment for these scopes.

What will the security assessment include?

The security assessment includes the following.
External Network Penetration Testing: Identify potential vulnerabilities in external, internet-facing infrastructure and systems, such as the following:
Discovery and enumeration of live hosts, open ports, services, unpatched software, administration interfaces, authentication endpoints lacking MFA, and other external-facing assets
Automated vulnerability scanning combined with manual validation
Brute-forcing of authentication endpoints, directory listings, and other external assets
Analysis of potential vulnerabilities to validate and develop complex attack chaining patterns and custom exploits
Potential exploitation of software vulnerabilities, insecure configurations, and design flaws

Application Penetration Testing: Identify potential vulnerabilities in applications that access Google user data, such as the following:
Real-world attack simulation focused on identification and exploitation
Discovery of attack surface, authorization bypass, and input validation issues
Automated vulnerability scanning combined with manual validation
Exploitation of software vulnerabilities, insecure configurations, design flaws, and weak authentication
Analysis of vulnerabilities to validate and develop complex attack chaining patterns and custom exploits
Verify the ability for users to delete their account with no external indication that the user or user's content is accessible.
Deployment Review: Identify exploits and vulnerabilities in developer infrastructure, such as the following:
Gathering all available configuration settings and metadata, as well as using manual techniques, to build a profile of the cloud environment
Analyzing collected information to identify any gaps or deviations from accepted cloud security best practices
Manually examining configuration settings to locate anomalies and issues such as weak IAM policies, exposed storage containers, poorly defined security groups, insecure cloud services usage, and insecure key management
Exploitation of vulnerabilities, insecure configurations, design flaws, and weak authentication, as needed
Verifying that storage of OAuth tokens and user data from Restricted Scopes is encrypted at rest and that keys and key material are managed appropriately, such as stored in a hardware security module or equivalent-strength key management system
Ensuring that developer access to the deployment environment is secured with multi-factor authentication

Policy and Procedure Review: Review and examine the efficacy of information security policies and procedures such as the following:
Incident Response Plan: Establishes roles, responsibilities, and actions when an incident occurs
Risk Management Policy: Identifies, reduces, and prevents undesirable incidents or outcomes
Information Security Policy: Ensures that all users comply with rules and guidelines related to the security of the information stored digitally at any point in the network
Privacy User Data Detection: Ensures that users can delete their accounts and related user data by demonstrating an account deletion if relevant

The list of activities may be updated quarterly. All apps are required to get their app reassessed on an annual basis. For more information, see How long is the security assessment valid for?

What are more detailed security requirements that might be applied during a security assessment?

You should closely review the security requirements listed below that are typically applied to outsourced software that is used by Google. Your security assessor may apply these requirements based on the circumstances of your app.

Web Security Requirements
Mobile Software Requirements

Why is Google charging a fee for the security assessment?
Assessments will be conducted by a Google-empanelled third-party assessor. The cost of the assessment typically varies between $10,000-$75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed.

Existing assessments that meet the security assessment program standards might reduce the scope and cost of your review. The assessors will consider existing assessments in their review.

Because we've pre-selected industry-leading assessors, the letter of assessment your app will receive can be used for other certifications or customer engagements where a security assessment is needed.

If I have gone through a security assessment once for the restricted Gmail scopes, do I need to go through the assessment again when the list of restricted scopes expands?

In general, the security assessment must be done once a year. If your app has been using the same set of restricted scopes as when your app went through the security assessment, your app does not need to go through an additional assessment; however, it will still be required to get an annual reassessment. For more information, see How long is the security assessment valid for?

However, if your app only recently started requesting additional restricted scopes after the security assessment was completed, your app will need to go through an additional security assessment to ensure secure implementation of the new scopes. The additional security assessment should be smaller in scope.

How is the assessment scope impacted if my application sends data to third parties for processing or is hosted on third-party services such as a cloud provider?
To the extent that your app is sending user data to any other service or hosted on a third-party service such as a cloud platform, they are also in scope for the assessment. Services that are SOC 2 Type II compliant are expected to meet the security assessment standards. During the assessment, you provide these certifications to the assessors. Any third-party services that are not SOC 2 Type II compliant are in scope for assessment and likely to significantly increase the scope and cost of the assessment.

When is the security assessment not required?

The following scenarios do not require a security assessment.

No Restricted Scopes Requested: You can update your project so that it does not request any restricted scopes, thereby avoiding the security assessment requirement.
Fewer than 100 Users: If your app is intended for a small audience and your users are in direct interaction with you, your app will be granted access for up to 100 users with an unverified app screen.
Users are Enterprise Accounts: If only Google Workspace accounts use your app, a Google Workspace domain administrator can enable your app via domain install or whitelisting. Your app can also be listed on the Google Workspace Marketplace.
Local Data Storage: Local client applications don't need to undergo a security assessment because data is run, stored, and processed only on the user's device. Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.

How long is the security assessment valid for?

Apps accessing restricted scopes are required to reverify their app for compliance and complete a security assessment every 12 months from your Google LOA approval date to keep access to any verified restricted scopes. If your app is adding a new restricted scope, your app might need to be reassessed to cover the additional scope if it was not included in a prior security assessment.

The Google review team will reach out to you via email once it's time for your app to recertify. Keeping your Project Owner and Project Editor information up-to-date in your Cloud Console will ensure the right members of your team are notified of this annual enforcement.

What should I do after I receive my Letter of Assessment (LOA) from the assessor?
The assessor will share the LOA with Google immediately after it is shared with you so that your app can be approved as soon as possible. If you don't want approval immediately after your LOA is shared with you, then please let the assessor know in advance, and Google will await your response to proceed with approval of your app.

How do I prepare for my annual security reassessment?

Before your reassessment, your app will need to be reverified for compliance with the Google APIs Terms of Service, Google's API Services User Data Policy, the product-specific User Data Policy (if applicable), and the Additional Requirements for Specific Scopes. The Trust and Safety team will contact you to get the reverification process started.

After your app passes reverification, please reach out to any of the empanelled security assessors for details on the scope and cost of your reassessment. If you choose to go to another security assessor for your reassessment, you will need to share your report from the previous year with the new assessor.

If you plan on adding or removing restricted scopes to your project during your security assessment, please notify your security assessor in advance and make the relevant changes to your Google Cloud Console. Scope changes during assessment might change the scope and cost. For more information, see What happens if I add new sensitive or restricted scopes to my app while my sensitive or restricted scope verification is in progress?

If you have any additional projects that you would like to include in your Letter of Assessment, please be sure that those projects have gone through the OAuth verification process and that Google granted you eligibility to go through a security assessment. You should then notify your security assessor of these additional projects. You won't be required to get a security assessment for projects with no restricted scopes.

To receive an LOA, you must have remediated any critical or high findings from the current year's assessment test, and remediate any mandatory SAQ findings.

What access is needed by the third-party security assessor for the Deployment Review?
The third-party security assessor will need read-only access to the cloud system where Google production data will be stored. More popular cloud providers such as AWS, GCP, and Azure provide read-only security auditor roles. The security assessor will use these roles to review configuration and deployment settings in production. The security assessor will also need read-only permission to all available security groups and clusters to run tools or scripts that analyze the security posture of the cloud environment. One popular tool that is often used by the security assessors is ScoutSuite, which is free and can be run beforehand to preview results.

If you cannot provide remote read-only production access to the third-party security assessor, you may need to bring the third-party assessor on site for the assessment, or may choose to allow the third-party assessor to review the relevant configurations via a remote screen share/web conference. The remote screen share/web conference approach allows you to remain in control of the cloud system while the security assessor specifies which commands to enter and reviews the results. This approach will take more time and therefore will be a more costly assessment.

Does the annual security reassessment only test changes I've made to my application since the previous assessment?

We require the annual security reassessment to be a complete test of your application whether you have made any changes or not.

What happens if I don't remediate my vulnerabilities?

If a critical vulnerability is not resolved within a reasonable amount of time or exceeds the timeframe set by your assessor, your use of the API may be suspended due to failure to comply with the "maintain a secure operating environment" requirement in the Google API Services User Data Policy.

Feedback

How can I submit feedback about these policies and changes?

You can submit feedback about the verification process to: [email protected], but we will not respond directly to submissions.
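As an added illustration of the read-only access requirement above (this is example code, not Google's, any assessor's, or ScoutSuite's), a practitioner can check that the role handed to the assessor grants nothing beyond read, list and describe actions before granting it. The policy document is a constructed sample in AWS IAM JSON policy format, and the function names are this example's own.

```python
import json

# Constructed sample: a candidate assessor policy in AWS IAM JSON policy format.
# The second statement deliberately includes a write action so the check has something to flag.
ASSESSOR_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeSecurityGroups", "eks:ListClusters",
                    "iam:GetAccountAuthorizationDetails"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:Get*", "s3:PutBucketPolicy"],
         "Resource": "*"},
    ],
})

# Verb prefixes that only read state; anything else is treated as a write for this check.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")


def is_read_only_action(action: str) -> bool:
    """True if an IAM action (service:Verb, wildcards allowed) can only read state."""
    service, _, verb = action.partition(":")
    if not service or not verb or service == "*":
        return False  # a bare "*" or a missing verb is never read-only
    literal = verb.split("*", 1)[0]  # "Get*" -> "Get", "*" -> ""
    return literal != "" and any(literal.startswith(p) for p in READ_ONLY_PREFIXES)


def non_read_only_actions(policy_json: str) -> list[str]:
    """Return every Allow-granted action in the policy that is not read-only."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    offending: list[str] = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            offending.append("NotAction (grants everything not listed)")
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offending.extend(a for a in actions if not is_read_only_action(a))
    return offending
```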