Vasyl

Reputation: 414

How to create OAuth 2.0 application in GSuite for internal usage only?

I'm working on the development of a web application that communicates with GSuite services (e.g. Gmail and Google Drive). A bunch of people currently use my application. I have 2 OAuth 2.0 applications created in my GSuite organization: one used for development and testing purposes (let it be MY_DEV_APP) and another one for public usage (let it be MY_PROD_APP). Recently I got a message from the Google team that my apps should be verified by the end of May 2019. So I went through all the requirements described in the documentation and made changes in order to meet them. After that I sent the MY_PROD_APP application for verification, but not the MY_DEV_APP application. MY_PROD_APP got verified and is still used publicly. However, the MY_DEV_APP application was left unverified, and now I see that all the scopes have been removed from it (it looks like it was disabled by Google), so I can't use this application anymore.

As documentation states:

> An unverified app is a web application or Apps Script that requests a sensitive OAuth scope, but hasn't gone through the Google verification process. Users of unverified apps or your test builds might get warnings based on the OAuth scopes you're using. This is to protect users and their data from deceptive applications.

AFAIK, an OAuth 2.0 application can be created for internal usage only in GSuite, or with limited access. But currently I can't figure out how I can do this. Could you please provide a detailed manual on how to do this? How can I create an OAuth 2.0 application in GSuite for internal usage only, without mandatory verification?

Upvotes: 2

Views: 2675

Answers (2)

Vasyl

Reputation: 414

The creation process for a G Suite application for internal usage (inside your organization) only is almost the same as for a regular application. All the steps for creating and publishing a G Suite application are described in the G Suite Marketplace Guide. In order to create a G Suite application for usage inside a single organization and omit the verification process, you should set the Visibility option value to "My Domain" (the application will only be available to users inside your domain) during configuration of the G Suite Marketplace SDK as described here. This option can't be changed after saving the configuration, so it should be set during initial setup.

After publishing, your internal application can be found in the G Suite Marketplace section where all applications for your domain are located.

Here is a short list of steps for creating a G Suite application, based on information from the G Suite Marketplace Guide:

  1. Create a new project in the Google API console. Set the name, project ID (the project ID can't be changed after project creation and it should be unique) and project location (as a rule this is the current GSuite domain and it can't be changed at this point).
  2. Configure the consent screen as described here. Here you can choose the required scopes for Google APIs and the authorized domains. Set the "Internal" Application type so that only users with a Google Account in your organization can grant access to the scopes requested by this app.
  3. Set up an OAuth 2.0 client ID. After saving the configuration you will see a popup with the client ID and client secret. Copy and save them somewhere. Please note that these values will later be available under the credentials tab for the given application (OAuth 2.0 client IDs > Client ID for Web application item) at any time.
  4. Set up a service account key. After that a JSON file will be downloaded, where you can find the private key and other information that you need to use your application.
  5. Add the APIs & services that your application uses (e.g. Gmail API, Google Drive API). The G Suite Marketplace SDK is required here.
  6. Set up the G Suite Marketplace SDK and publish your application as described here. Choose the "Public" Visibility option to allow your application to be found and used by any admin from the G Suite Marketplace. Otherwise you can select "My Domain" visibility (also known as Private visibility), which indicates that only admins in your domain can find and install the app from the G Suite Marketplace. If Enable individual install is also checked, then a single user can find and install the application, and it can also be installed by the organization admin.

Upvotes: 3

Mario R.

Reputation: 679

I don't know the version of the G Suite account you have, but I would suggest creating an App Maker application if it is for internal use, since no one can access it from outside the domain.

To get your application verified, I would suggest sending a verification request from the consent screen of your project. The first time, you may send the verification without the scopes your application needs; then it should be approved, and you can add the scopes that your application uses in order to get these verified one more time. Usually, by adding all the scopes from the very first verification request, you should have your account verified.

If you are still having problems getting the verification, I would suggest contacting G Suite Support and requesting to speak with the API team. They don't have direct access to approve or reject the applications, but they will be able to provide you with guidance or may request internal help for you.

To know more about Google App Maker you can check here https://developers.google.com/appmaker/?hl=es-419 and https://gsuite.google.es/intl/es/products/app-maker/.

I hope this information is still useful. Greetings.

Upvotes: 0
