Fixed Verify Your Google API Project

[Sim]

I received the following email from Google:

Verify Your Google API Project

Hello Developer of _____,
You’re receiving this email because you’re listed as a contact on the Google Cloud Project that uses OAuth 2.0 to access Google APIs for your app: ______.
In July, we announced new security protections to protect users from malicious and deceptive apps. As part of that effort, we need you to submit your app for verification.

• How?
  Submit the verification form https://support.google.com/code/contact/oauth_app_verification
  (Even partial submissions will help launch the review process.)
• By when?
  Prior to 2018-01-15
• Web client(s) that need verifying:
  ______

If you don’t submit the verification form by the deadline, your users will begin to see the “Unverified App” screen.

I'm assuming this is the Google logon integration for XenForo - pretty sure that's the only Google API thing I'm using on my site?

Has anyone submitted the verification for their XenForo site? Does it work? Is there anything required at the XenForo end for this verification to pass?

 

[Paul B]

Yes, it's for log in via Google.

It's a Google thing, not an XF thing so nothing needs to change in XF.

Google now require them to be verified and a privacy policy is required.

Your privacy policy should be posted at the domain you have verified and should disclose the manner in which your app accesses, uses, stores, and shares Google user data.

 

[Moshe1010]

What should we answer here?

Which scopes does your app need access to? *
User data accessed through these apps must be approved. Please include full scope names separated by a comma.

Example: https://www.googleapis.com/auth/calendar.readonly

A full list of scopes can be seen here: https://developers.google.com/identity/protocols/googlescopes


List the specific ways your app will use each of the scopes you're requesting and explain the features in your app that require these scopes. *
Example: my app will use https://www.googleapis.com/auth/calendar.readonly to show a user's calendar data on the scheduling screen of my app to help users manage their schedule directly through my app.

 

[markku]

Yeah, definitely need some help here.

And what kind of Privacy Policy are Google expecting? Are there any examples a site can use?

 

[Okuma Steve]

What should we answer here?

Which scopes does your app need access to? *
User data accessed through these apps must be approved. Please include full scope names separated by a comma.

Example: https://www.googleapis.com/auth/calendar.readonly

A full list of scopes can be seen here: https://developers.google.com/identity/protocols/googlescopes


List the specific ways your app will use each of the scopes you're requesting and explain the features in your app that require these scopes. *
Example: my app will use https://www.googleapis.com/auth/calendar.readonly to show a user's calendar data on the scheduling screen of my app to help users manage their schedule directly through my app.

Were you able to find the answer to this? I'm dealing with the same thing currently.

 

[Sim]

Given this is a core part of XenForo's offering (Google login integration), it would be useful to have some input from @Mike @Kier or @Chris D on what the appropriate settings are - and the documentation should be updated to reflect the new requirements:

• https://xenforo.com/help/google-integration/
• https://xenforo.com/xf2-docs/manual/google/

 

[Mike]

In XF2, I don't believe this verification is needed. The FAQ specifically mentions that you can skip the process if "I am using this app to allow users to sign-in to my platform using their basic profile information". Later, this is specifically mentioned as the "Google Sign-in scopes" and that's what we use.

It does look like XF1 uses a legacy scope in the JS, so we can likely change this so it isn't needed and that should prevent this from being required.

 

[Chris D]

We've made a change in the next 1.5 release to account for this, which reduces the number of permissions required to use the Google integration.

To modify this for your own site now edit the js/xenforo/xenforo.js file and find:

https://www.googleapis.com/auth/plus.login email

And replace with:

profile email

However, what I'm not sure about is whether this will satisfy Google if you already have users who have approved scopes that require the verification. It may be the case of deleting that existing app set up and creating it again, but I'm not sure about that.

 

[Moshe1010]

That's what they sent me right now:

Dear Developer,
Thank you for your response! We have reviewed the information you provided and noticed that along with the scopes you have mentioned in the form, your app previously also accesed following scopes:

• https://www.googleapis.com/auth/plus.circles.members.read

Please reply to this email and confirm if your app still needs access to the scopes mentioned above. If yes, provide detailed further explanation of your planned use/need of each scope in order to move forward with the approval process.
Example: my app will use https://www.googleapis.com/auth/calendar to show a user's Google calendar data on the scheduling screen of my app, so users can manage their schedules through my app and sync the changes with their Google calendar.
For reference, a full list of all OAuth scopes can be found on the OAuth 2.0 Scopes page.

Later, this is specifically mentioned as the "Google Sign-in scopes" and that's what we use.

do we use plus circles?

 

[Mike]

No. We've only used the ones mentioned in Chris's post.

 

[Wildcat Media]

@Moshe1010 Did you ever get this resolved?

I have to do this for one of our sites, but Google has made it such a hassle anymore I may just remove the integration instead. Unless someone is a major developer using Google APIs, I don't see how they expect the rest of us to figure out their terminology. I don't have hours to wade through their multiple pages, dashboards, etc. to figure out exactly where all of this information resides. It's made, like, zero sense and I've already wasted two hours on it. (And it makes me wonder if it's better to just delete what is there, and start over from scratch with a new...whatever...to get the Google login working.)

Given this is a core part of XenForo's offering (Google login integration), it would be useful to have some input from @Mike @Kier or @Chris D on what the appropriate settings are - and the documentation should be updated to reflect the new requirements:

That would definitely help, if it hasn't been done yet. My development days (and mental acuity) have passed me by many years ago. I need things as simple and direct as possible. (I'm at the point where I do only a few things really well, as opposed to being mediocre at many things.)

 

[markku]

@Mike @Chris D

When is the next update coming for 1.5.x?

The Google API verification deadline was yesterday, so this "unverified app" screen thing will probably start happening now for folks (?)

And what happens to the existing users who have authed using Google previously? Will those need to auth again?

"Only request scopes that your app needs. Ensure that you are not asking for permissions that your app does not use."

I understand that is fixed in the next 1.5. release, but I'm still wondering how the old users are affected who were asked for wider scopes / permissions than was necessary.... ugh

However, what I'm not sure about is whether this will satisfy Google if you already have users who have approved scopes that require the verification. It may be the case of deleting that existing app set up and creating it again, but I'm not sure about that.

That is basically what I wish someone would confirm. Do all the previous Google auth users need to re-auth? That's a major hassle. I wish that wouldn't need to be done.


PS.

It seems the unverified app screen hasn't yet kicked in, even though the deadline passed.
I tried authenticating a new Google account with my forum.

The following permissions are visible in the Google dashboard after allowing my auth app on the forum to authenticate:

 

[Mike]

There is a fix for the issue above. If you have any concerns with applying that, let us know and we can help.

I don't believe that users need to re-auth as we've essentially lowed the permissions. With the new permissions, you shouldn't need to fill out the Google form for new users (and thus won't get the unverified warning), though it's possible it may be needed for historical users. Unfortunately there isn't a way we can prevent that. That is what the Chris's quote was referring to.

 

[Wildcat Media]

I ended up making Chris's edit above, then generated a new set of API credentials, figuring to start with a clean sheet. There is an additional tab to enter information like logo, link to privacy page, etc., so I thought maybe this would keep me in the clear.

A day or two later, I got another email telling me to verify my new "app". So I have no clue again what it's asking for, and I pick the https://www.googleapis.com/auth/plus.login scope, filling out the form with what I feel should be correct information. That's all I could make out of their gibberish.

Today I get the email:

Dear Developer,​

Thank you for submitting the developer verification form. Based on the information you provided, we noticed that you have requested access to following scopes.​

​

https://www.googleapis.com/auth/plus.login​

Scope names provided by you do not need approval and thus inapplicable for the verification process. Please refer full list of OAuth scopes can be found on the OAuth 2.0 Scopes page.​

Clicking their link for information, I find this under "inapplicable" (emphasis mine):

Inapplicable scopes: You may have submitted list of scopes which your app already has access to and verification process is not needed for them. If your app is using only Google Sign-in scopes, you do not have to go through the verification process. However, if you are still seeing the ‘unverified app’ screen, please provide a complete list of scope names your app is currently using and detailed further explanation of your planned use/need of each scope on the same email thread where you received this communication for us to look into the issue.​

So...maybe we don't even need to be verifying these? However, I am wondering about something here. I know we use this as a sign-in for the forum, but during registration where we are pulling in limited information from a Google member's account, is there possibly another scope that is in use?

Or am I overthinking this?

(I know it's not a XenForo issue, but for forum admins like us, we don't have spare hours to wade through all of their developer documentation about APIs, scopes, whatever, just to do a simple registration and login. IMHO they have made this overly complicated, although I do have some sensitivity about keeping our members' information safe and private.)

 

[Mike]

Based on some comments in the Google FAQ, I think they may just send out this email to all apps, regardless of whether you need it. (It mentions verification before launching the app, so they may not know the scopes required.

From the FAQ, it says you can skip the verification if "I am using this app to allow users to sign-in to my platform using their basic profile information" and then "You should not be seeing the Unverified App screen if you use Google Sign-In scopes to enable users to login to the platform." If you look at those scopes, that's specifically what the XF1 change above switches to use (and what XF2 uses out fo the box).

So at this point, certainly for new apps (XF1 with the fix/XF2), I believe you can simply disregard the verification request.

 

[Wildcat Media]

So at this point, certainly for new apps (XF1 with the fix/XF2), I believe you can simply disregard the verification request.

That's my feeling on this as well. We can't even tell if anyone uses it, but we have not had any complaints this week, and I get no verification error when I access the forum and use the Google login.

I changed to the new Google "G" logo and changed the button background to white (to stick to their branding guidelines), but that is not a big deal. Good enough until we upgrade to 2.0!

Thanks Mike!