How does GCP count new users for unverified apps? - google-cloud-platform

I have a Google Cloud Project that has some advertisement APIs enabled (DCM, SA360).
I use these with http in Excel/VBA.
I am pretty much the only person who logs in, there may be about 2-3 other logins.
I also have a Google Apps Script that uses a refresh token to access the APIs on my behalf.
Recently I got the unverified app screen - reading online this doesn't seem to be a problem for a small team.
However, I also got an email from Google saying that I've already expended 60% of the 100 new user quota for unverified apps - which is surprising, because I am confident that I don't have any actual new users.
What counts as a new user? Does the Google Apps Script, accessing from different Google IPs, count as a new user every time it fires?

Related

OAuth Re-Auth Frequency Changed for Google OAuth

I've been using
https://github.com/tokland/youtube-upload
to automate uploading of videos to YouTube. No other processes share the auth session; this process is the only one using the credentials. I've been using this for years; however, more recently, within the last couple of months, it seems like the OAuth session keeps expiring on me almost on a weekly basis. This breaks my automation and I have to re-authenticate weekly.
No updates were done to the script prior to this issue starting. Is anyone aware of any changes Google has made that may have caused this new behavior?
The reproduction is as follows:
Have sufficient route to upload videos onto YouTube API
Use https://github.com/tokland/youtube-upload to upload videos to YouTube
When executing youtube-upload, it will prompt for OAuth2 authZ code, enter the code after visiting authZ webpage
Automate the uploads (~30 videos per day)
After a week, OAuth authZ session will expire and re-authZ will be required
OAuth session keeps expiring on me almost on a weekly basis.
From oauth2#expiration:
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
If your app is still in the testing phase your refresh token will expire every week. You need to set your application to production in google cloud console under the auth consent screen.

Google Oauth: Added a new redirect_uri, getting "The app is blocked" error on the new subdomain

My app runs on multiple subdomains
i.e. abc.foo.com xyz.foo.com for different regions.
We recently created a PWA for our app which runs on a different subdomain
m-abc.foo.com m-xyz.foo.com
To enable Sign in with Google for the PWAs, I added the redirect_uris and Authorized origins in the API Credentials for Google Cloud Platform.
Now, for these new subdomains I am getting the following error on the consent screen after choosing the google email address
This app is blocked
This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.
The app currently asks for read/write access for Calendar only.
Could not find anything definitive on support documents either.
Does anybody have any idea what I might be missing here?
To check, I added another subdomain def.foo.com and added redirect_uri for it. This time Google Signin worked fine without problem.
Does this have anything to do with the apps being a PWA?
Thanks!

Django Microsoft Graph Authentication

I'd like users to be able to login to my Django app using their Microsoft personal, work or school account.
I have no interest in any profile or other data from the user's account. I just want authentication.
I've been playing with django-allauth and the Azure portal and have successfully set things up so I can log in with my personal outlook.com account. I've set the AD tenants up to allow for personal and institutional accounts.
I've successfully served the .wellknown json and was able to verify the app in Azure.
I run into trouble when I try to log in with a Microsoft 365 work or school account.
The consent form shows the app as "unverified" and indicates that the app wants profile information and to store data.
I ended up in a rabbit hole of Microsoft AD documentation about MPN IDs and such.
Before I go further I want to know if what I want to do is even possible.
Keeping in mind that I'm not interested in profile information, can I achieve authentication in Django with a user's Microsoft Work or School account?
If so, what do I have to do?

Google Cloud API Services Oauth with a Testing App

I have a small personal-use only app that logs into a [throw away] Gmail account to pull out an auth-token so it can then run a scheduled job (turning on/off my home cameras). It's dead simple and works, except that the app is in GCP TEST mode and it looks like the Gmail auth expires in 7 days.
I highly doubt based on the below requirements that I can promote the app, and I don't want to publish it regardless. I tried GCP Support and wound up here. I'm sure I'm not the only person that has dealt with the 7 day expiration on a personal project. Any ideas?
If you check the documentation for oauth2#expiration
A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.
The key here is setting your project into production.
What you are showing in that image are requirements for application verification. You shouldn't have to go though verification for a single user app.
Try just setting it to production and then wait a week and see if it still expires. It shouldn't.
I highly doubt based on the below requirements
Unfortunately, with the new security restrictions, I wouldn't doubt anything these days. They keep changing the rules.

Google API OAuth When User Gives Approval From App Access Control

I'm currently building a web application that works with the Gmail API. I'm waiting for approval from Google's security team to have a proper OAuth connection, but I noticed that users can pre-approve your application by searching within the API Controls settings by your App ID.
This setting is located in the Google Account via: Admin Panel > Security > API Controls > App Access Control.
I noticed that if a user does this before they try to connect your app it doesn't go against your 100 account limit within Google Developer Console while in beta.
My question is, could you have this as permanent solution to get around the Google OAuth application if Google never approves you? Of course, through this method the user is still giving permission, just curious if this has been done by anyone before.
Yes, this is allowed when all your users are Google Workspace users, and is listed under exceptions to verification requirements here: https://support.google.com/cloud/answer/9110914?hl=en. If your application is meant for a broad set of users, completing app verification is necessary.