Reputation: 44205
I am planning to create and publish a Google Sheets add-on to the public in the Google Workspace marketplace. To my knowledge, for certain types of add-ons that use restricted scopes, Google requires a third-party security assessment/audit to be done on the add-ons. It costs between $15k and $75k and several weeks to process the audit. I don't plan to pay this hefty fee, especially if the add-on is free.
The documentation and the circumstances of whether an add-on will require a security assessment are not clear enough to me. For example, getting a list of Gmail drafts when the add-on user clicks on a button to get a list of them.
Before I spend time creating a finished add-on, is there a way to submit a quick and dirty add-on, with the API calls I plan to use, to Google just to see if the add-on is going to require a security audit? My goal is not to implement a feature if it's going to require a security audit.
Upvotes: 0
Views: 193
Reputation: 15377
If your add-on uses any of the following scopes, it will require a security assessment:
Gmail API
- https://mail.google.com/ (includes any usage of IMAP, SMTP, and POP3 protocols)
- https://www.googleapis.com/auth/gmail.readonly
- https://www.googleapis.com/auth/gmail.metadata
- https://www.googleapis.com/auth/gmail.modify
- https://www.googleapis.com/auth/gmail.insert
- https://www.googleapis.com/auth/gmail.compose
- https://www.googleapis.com/auth/gmail.settings.basic
- https://www.googleapis.com/auth/gmail.settings.sharing
Google Fit API
- https://www.googleapis.com/auth/fitness.activity.read
- https://www.googleapis.com/auth/fitness.blood_glucose.read
- https://www.googleapis.com/auth/fitness.blood_pressure.read
- https://www.googleapis.com/auth/fitness.body.read
- https://www.googleapis.com/auth/fitness.body_temperature.read
- https://www.googleapis.com/auth/fitness.heart_rate.read
- https://www.googleapis.com/auth/fitness.location.read
- https://www.googleapis.com/auth/fitness.nutrition.read
- https://www.googleapis.com/auth/fitness.oxygen_saturation.read
- https://www.googleapis.com/auth/fitness.reproductive_health.read
- https://www.googleapis.com/auth/fitness.sleep.read
Drive API
- https://www.googleapis.com/auth/drive
- https://www.googleapis.com/auth/drive.readonly
- https://www.googleapis.com/auth/drive.activity
- https://www.googleapis.com/auth/drive.activity.readonly
- https://www.googleapis.com/auth/drive.scripts
- https://www.googleapis.com/auth/drive.metadata
- https://www.googleapis.com/auth/drive.metadata.readonly
Further information about the OAuth API verification process can be found here, including the above list of restricted scopes which require verification.
Upvotes: 0
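A practical way to answer the question before building anything is to check the add-on's own manifest. An Apps Script add-on declares its scopes in the `oauthScopes` array of `appsscript.json`; the script below loads that array and flags every entry that appears in the restricted-scope list quoted in the answer above. This is an added example written for this page, not Google's tooling and not code from either poster. Assumptions: the restricted list is taken verbatim from the answer (Google's current list is authoritative, and scopes outside the list are reported as "not on the restricted list" rather than as safe, because the page says nothing about which of them are "sensitive"); the sample manifest is constructed for illustration and models the question's Gmail-drafts feature with `gmail.readonly`.

```javascript
// Added example: flag restricted OAuth scopes in an Apps Script manifest.
// RESTRICTED_SCOPES mirrors the list in the answer above; treat it as a
// snapshot, not as Google's live policy.
const RESTRICTED_SCOPES = new Map([
  // Gmail API
  ["https://mail.google.com/", "Gmail API (full access; also covers IMAP, SMTP, POP3)"],
  ["https://www.googleapis.com/auth/gmail.readonly", "Gmail API"],
  ["https://www.googleapis.com/auth/gmail.metadata", "Gmail API"],
  ["https://www.googleapis.com/auth/gmail.modify", "Gmail API"],
  ["https://www.googleapis.com/auth/gmail.insert", "Gmail API"],
  ["https://www.googleapis.com/auth/gmail.compose", "Gmail API"],
  ["https://www.googleapis.com/auth/gmail.settings.basic", "Gmail API"],
  ["https://www.googleapis.com/auth/gmail.settings.sharing", "Gmail API"],
  // Google Fit API
  ...[
    "activity", "blood_glucose", "blood_pressure", "body", "body_temperature",
    "heart_rate", "location", "nutrition", "oxygen_saturation",
    "reproductive_health", "sleep",
  ].map((t) => [`https://www.googleapis.com/auth/fitness.${t}.read`, "Google Fit API"]),
  // Drive API
  ["https://www.googleapis.com/auth/drive", "Drive API"],
  ["https://www.googleapis.com/auth/drive.readonly", "Drive API"],
  ["https://www.googleapis.com/auth/drive.activity", "Drive API"],
  ["https://www.googleapis.com/auth/drive.activity.readonly", "Drive API"],
  ["https://www.googleapis.com/auth/drive.scripts", "Drive API"],
  ["https://www.googleapis.com/auth/drive.metadata", "Drive API"],
  ["https://www.googleapis.com/auth/drive.metadata.readonly", "Drive API"],
]);

// Scopes are compared without a trailing slash so that
// "https://mail.google.com" and "https://mail.google.com/" match.
function canonical(scope) {
  return scope.trim().replace(/\/+$/, "");
}

const RESTRICTED_BY_CANONICAL = new Map(
  [...RESTRICTED_SCOPES].map(([scope, api]) => [canonical(scope), api])
);

// Read the oauthScopes array from appsscript.json text. A manifest with no
// explicit oauthScopes lets Apps Script infer scopes from the code, which is
// exactly the situation this check cannot see, so it is reported as an error.
function loadManifestScopes(manifestJson) {
  const manifest = JSON.parse(manifestJson);
  if (!Array.isArray(manifest.oauthScopes)) {
    throw new Error("appsscript.json has no oauthScopes array; declare scopes explicitly before checking");
  }
  return manifest.oauthScopes;
}

// Split declared scopes into restricted (triggers the assessment) and other.
function classifyScopes(scopes) {
  const restricted = [];
  const other = [];
  for (const scope of scopes) {
    const api = RESTRICTED_BY_CANONICAL.get(canonical(scope));
    if (api) restricted.push({ scope, api });
    else other.push(scope);
  }
  return { restricted, other, needsAssessment: restricted.length > 0 };
}

function formatReport(result) {
  const lines = [];
  for (const { scope, api } of result.restricted) {
    lines.push(`RESTRICTED  ${scope}  (${api})`);
  }
  for (const scope of result.other) {
    lines.push(`not on restricted list  ${scope}`);
  }
  lines.push(result.needsAssessment
    ? "Verdict: at least one restricted scope is declared; a security assessment is required."
    : "Verdict: no restricted scopes declared (other scopes may still be 'sensitive').");
  return lines.join("\n");
}

// Constructed sample manifest for a Sheets add-on that lists Gmail drafts.
const SAMPLE_MANIFEST = JSON.stringify({
  timeZone: "Etc/UTC",
  oauthScopes: [
    "https://www.googleapis.com/auth/spreadsheets.currentonly",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/gmail.readonly",
  ],
  addOns: { common: { name: "Draft Lister (example)" } },
});

console.log(formatReport(classifyScopes(loadManifestScopes(SAMPLE_MANIFEST))));
```

Run it with `node check-scopes.js` after pasting your own `appsscript.json` into `SAMPLE_MANIFEST`. Declaring `oauthScopes` explicitly is worth doing regardless of this check: it is also how you keep Apps Script from silently widening the add-on's scopes when you call a new service.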