Reputation: 53
I'm trying to verify an app that manages a user's Firestore collections using Google Cloud APIs. After submitting for verification, I received this email from the API dev team:
Dear Developer,
Thank you for submitting an OAuth App Verification request for the following Cloud scopes:
https://www.googleapis.com/auth/cloud-platform.read-only
https://www.googleapis.com/auth/cloud-platform
Three-legged OAuth2 scope grants are intended for human users to grant access to all of their data hosted on a particular API. Access to your requested OAuth2 scopes would provide overly broad access for Google Cloud Platform customers. Google Cloud Platform only supports grants to specific resources for specific users/services, with access controlled using Cloud IAM Policies.
Follow the instructions below to gain access to the Cloud scopes you requested:
1) Create a service account to represent your service and to access data from your users’ Google Cloud Platform project
2) Instruct your customers to grant your service account appropriate access to their Cloud data via IAM Policies
Note that you may want to create a service account for each customer to avoid confused deputy problems.
I already have 3 service accounts (I think they were created automatically by GCP or Firebase), but I'm having trouble understanding what the second point is and what action I should take.
The app makes requests from the client using my Firebase API Key to read and write on Firestore collections on the users' behalf. These are the scopes I'm using:
email
profile
openid
../auth/cloud-platform.read-only
../auth/cloud-platform
I expect the app verification process to complete successfully so the users don't see the "Unverified application" screen when logging in.
Upvotes: 1
Views: 357
Reputation: 81424
You are trying to grant yourself access to a customer's account/data using your Project's OAuth Client ID. This is very dangerous as you can receive an Identity Token and Refresh Token that can make it difficult for a customer to revoke your Access Token. Most customers/developers do not know how to do this.
Google is tightening the level of access that you can request. You have asked for permissions that are too privileged. The correct approach is for the customer to grant you access to their account via Google Cloud IAM. These privileges can be to a service account created by your Google account or to your Google Account email address. Both methods require the customer to grant permissions in their GCP account using IAM.
Your problem can be solved in three steps:
1) Delete the following scopes as Google will not approve your app with them without an audit.
Note: If you only require access to a very specific service, change the scope for that service. You might not get approved.
2) Create a service account in your Google Cloud Platform account. Provide the email address of your service account to each customer. They will need to add the email address to the Google Cloud Platform console under the IAM section and assign the required IAM permissions.
Note: You may want to create one service account per customer for better security, separation, and logging.
3) Use the service account instead of a Client Application.
Note: If you require Google Console access to your client's Google Cloud Platform account, provide them with your Google Account email address. They can assign your email address the required permissions to access the console for their project.
Upvotes: 3
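An added example, not from the question or the answer, of what the vendor side of steps 2 and 3 looks like in practice: deriving one service account per customer (the confused-deputy point in the email), producing the IAM binding command the customer runs in their own project, and auditing the customer's resulting IAM policy to confirm the service account got only the role it needs rather than a basic role like Editor. The choice of roles/datastore.user as the Firestore read/write role, the project names, and the sample policies are assumptions constructed for the example; the policy shape is the one `gcloud projects get-iam-policy PROJECT --format=json` returns.

```python
# Added example (not the asker's or answerer's code): vendor-side helpers for the
# service-account-plus-IAM model that replaces the cloud-platform OAuth scopes.
import re

# Assumed to be the role the app needs for Firestore reads/writes
# (roles/datastore.user is the real Firestore/Datastore read-write role).
REQUIRED_ROLE = "roles/datastore.user"
# Basic roles that grant far more than Firestore access; treat as over-grants.
OVERLY_BROAD = {"roles/owner", "roles/editor", "roles/viewer"}

# A service account ID must be 6-30 chars of lowercase letters, digits and dashes.
SA_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def service_account_email(customer_id: str, vendor_project: str) -> str:
    """Derive the per-customer service account email. One account per customer
    means a grant from customer A can never be used to act for customer B."""
    sa_id = f"svc-{customer_id}"
    if not SA_ID_RE.match(sa_id):
        raise ValueError(f"invalid service account id: {sa_id}")
    return f"{sa_id}@{vendor_project}.iam.gserviceaccount.com"


def customer_binding_command(customer_project: str, sa_email: str,
                             role: str = REQUIRED_ROLE) -> str:
    """The gcloud command the customer runs in *their* project (step 2)."""
    return (f"gcloud projects add-iam-policy-binding {customer_project} "
            f"--member=serviceAccount:{sa_email} --role={role}")


def audit_grant(policy: dict, sa_email: str) -> dict:
    """Report what a customer's project IAM policy actually grants our service
    account: the roles it holds, whether the required role is present, and
    whether any basic (overly broad) role was handed over instead."""
    member = f"serviceAccount:{sa_email}"
    roles = sorted(b["role"] for b in policy.get("bindings", [])
                   if member in b.get("members", []))
    broad = sorted(r for r in roles if r in OVERLY_BROAD)
    return {
        "roles": roles,
        "has_required": REQUIRED_ROLE in roles,
        "overly_broad": broad,
        "ok": REQUIRED_ROLE in roles and not broad,
    }


# Constructed sample: a customer who followed the instructions exactly.
GOOD_POLICY = {
    "version": 1,
    "etag": "ETAG-PLACEHOLDER",
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@customer.example"]},
        {"role": "roles/datastore.user",
         "members": ["serviceAccount:svc-acme@vendor-project.iam.gserviceaccount.com"]},
    ],
}

# Constructed sample: a customer who granted Editor "to make it work".
BROAD_POLICY = {
    "version": 1,
    "etag": "ETAG-PLACEHOLDER",
    "bindings": [
        {"role": "roles/editor",
         "members": ["user:admin@customer.example",
                     "serviceAccount:svc-acme@vendor-project.iam.gserviceaccount.com"]},
    ],
}


if __name__ == "__main__":
    sa = service_account_email("acme", "vendor-project")
    print(customer_binding_command("customer-project", sa))
    for name, pol in (("good", GOOD_POLICY), ("broad", BROAD_POLICY)):
        print(name, audit_grant(pol, sa))
```

The audit is worth running before your backend starts using a customer's grant: a customer who reached for Editor or Owner has given your service account control over their whole project, which is exactly the overly broad access the verification team refused to approve via OAuth scopes, just moved to IAM. The service account itself is then used server-side (a key or workload identity, not a client-side OAuth consent flow), which is step 3 in the answer.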