Should separate projects be used for different OAuth use cases?

Question

In Google Cloud, I use the OAuth Consent Screen for a "Sign In With Google" on a website.

I'm now looking to build a Google Workspace Add-on which requires additional scopes (gmail, calendar access).

Should this be added to the existing OAuth consent screen? Or should I make a new project ID for this?

I've tested and looks like I can add extra scope to the consent screen, and the OAuth Dialog only shows the scopes passed in the &scope=... when initiating an oauth request.

Answer 1

We have 5 different types of connections, Google Ads, GA, GA4, Google My Business and Google sign in. We are creating 4 different ones (combining the GA ones). The reason is that if something changes for any app, whatever the reason, all products may shut down.

Answer 2

You can add as many scopes as required to your OAuth consent screen, however, for a public app, you need to submit your OAuth screen for verification again

• In case of adding sensitive scopes, you need to justify the usage of those scopes and provide a screencast where it is shown how your app uses them.

• In case of adding restricted scopes, you will need to undergo a paid verification process.

• Also keep in mind that any app deployed from this project will prompt the user to authorize all the scopes featured in the manifest of your script (not necessary all the scopes added to the OAuth consent screen in your GCP project). Asking the user to authorize more scopes than necessary might feel intimidating for the user.

Usefull links:

• OAuth API verification FAQs
• Unverified apps