Umar Abdullah

Reputation: 83

Google Apps Script publishing requires CASA verification after initial OAuth verification. Is there any way to avoid it?

I have completed the initial OAuth verification process for the scopes I have been using in the app (see scope details below).

Now the Google verification team is requesting the CASA verification process, as you can see in the attached email screenshot. So, getting to my question: is this verification requested because I am using the external_request scope, or is there any other reason behind it?

I published another app too, with the same scopes except the drive and external_request scopes, and it was successfully published. That's why I am asking whether some scope could be responsible for it.

Project OAuth Scopes 5 Scopes Requested

See, edit, create, and delete all of your Google Drive files https://www.googleapis.com/auth/drive

See, edit, create, and delete all your Google Sheets spreadsheets https://www.googleapis.com/auth/spreadsheets

Connect to an external service https://www.googleapis.com/auth/script.external_request

Display and run third-party web content in prompts and sidebars inside Google applications https://www.googleapis.com/auth/script.container.ui

See, edit, create, and delete all your Google Docs documents https://www.googleapis.com/auth/documents


Upvotes: 4

Views: 2021

Answers (2)

Umar Abdullah

Reputation: 83

As TheAddonDepot mentioned in this comment, it was the https://www.googleapis.com/auth/drive scope that triggered the security assessment. Instead, I will try to use the https://www.googleapis.com/auth/drive.file scope for now. It was also confirmed when I emailed Google about this issue.


Upvotes: 2
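
The scope change described in this answer, as an added example that is not part of the original post: a check over an Apps Script manifest (`appsscript.json`) that flags the full `drive` scope and rewrites it to `drive.file`. The function name `auditManifest` and the sample manifest are hypothetical; the scope URLs are the ones listed in the question.

```javascript
// Added example: audits an Apps Script manifest (appsscript.json) for the scope
// this thread identified as the CASA trigger. Function names are hypothetical.
const BROAD_DRIVE = "https://www.googleapis.com/auth/drive";
const DRIVE_FILE = "https://www.googleapis.com/auth/drive.file";

function auditManifest(manifestText) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  const scopes = manifest.oauthScopes;

  if (!Array.isArray(scopes)) {
    // Without an explicit list, Apps Script infers scopes from the code,
    // so the published scope set is not pinned by the manifest.
    findings.push("oauthScopes not set: scopes are inferred from code");
    return { findings, manifest };
  }

  // Exact match only: drive.file, drive.readonly etc. are different scopes.
  const narrowed = [];
  for (const scope of scopes.map((s) => s.trim())) {
    const next = scope === BROAD_DRIVE ? DRIVE_FILE : scope;
    if (scope === BROAD_DRIVE) {
      findings.push(`full Drive scope requested: ${scope}`);
    }
    if (!narrowed.includes(next)) narrowed.push(next); // drop duplicates
  }
  return { findings, manifest: { ...manifest, oauthScopes: narrowed } };
}

// Constructed sample: the five scopes listed in the question.
const SAMPLE = JSON.stringify({
  timeZone: "Etc/UTC",
  runtimeVersion: "V8",
  oauthScopes: [
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/spreadsheets",
    "https://www.googleapis.com/auth/script.external_request",
    "https://www.googleapis.com/auth/script.container.ui",
    "https://www.googleapis.com/auth/documents",
  ],
});

const result = auditManifest(SAMPLE);
console.log(result.findings);
console.log(JSON.stringify(result.manifest, null, 2));
```

Narrowing the manifest only changes what the script requests; code that needs Drive files beyond those the user opened or created with the app will fail under `drive.file` and has to be reworked.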

Rene Olivo

Reputation: 536

Before I continue, I would like to clarify that I have no more information than what can be found publicly, so I don't want this answer to come across as nothing more than mere speculation, which is the best we can do in these situations, as I'm sure Google will not provide us with a specific list of criteria for this.

However, based on this help center article, it seems like you might be up to something. Here is what the article says about the reasons why your particular application has to go through the CASA verification:

Google help center

Although the information is vague (and I believe that is 100% intended), I believe that the fact that your application requires full access to all sheets and that it connects to an external service would be considered an "internal risk", as Google evaluators might consider that you could potentially be stealing and/or modifying user data without their permission, as they might not be sure what exactly the external service does.

Maybe removing the external service would help; if that is an option, I would definitely suggest giving that a go. If the way the Sheets data is processed is clear in the code, the additional code verification might not be needed. If this is not possible, maybe showing documentation about the external service to Google might help a little, although I would believe that if security is what they are after, they might still ask you to go through the verification, as they wouldn't have a way to know for a fact that the third-party service does what they claim.

Once again, I would like to clarify that this is just an educated guess. Maybe the code is deemed too complex to understand, or maybe there is something about the external service Google already knows that makes them not too trustworthy, but I hope that the article I shared would be useful for you when making decisions about how to structure your code or which scopes to request.

Best of luck!

Upvotes: 1
