simonw / google-drive-to-sqlite

Create a SQLite database containing metadata from Google Drive
https://datasette.io/tools/google-drive-to-sqlite
Apache License 2.0
153 stars 13 forks

Submit OAuth app to be verified by Google #10

Closed simonw closed 2 years ago

simonw commented 2 years ago

So people can start using this tool.

simonw commented 2 years ago

Here's the project: https://console.developers.google.com/home/dashboard?project=fluted-anthem-341502

simonw commented 2 years ago

The OAuth Consent screen can show a 128x128px logo - this will do:

image

simonw commented 2 years ago

I'm going to click this button:

image

I clicked it and it said:

image

Push to production?

Your app will be available to any user with a Google Account.

You've configured your app in a way that requires verification. To complete verification, you will need to provide:

  1. An official link to your app's Privacy Policy
  2. A YouTube video showing how you plan to use the Google user data you get from scopes
  3. A written explanation telling Google why you need access to sensitive and/or restricted user data
  4. All your domains verified in Google Search Console

simonw commented 2 years ago

https://support.google.com/cloud/answer/9110914 has a ton more detail.

simonw commented 2 years ago

The most annoying part here is needing to provide a privacy policy - since the tool runs entirely on the user's own computer I'm not really sure what these should say.

Make sure that your app's Privacy Policy meets the following requirements:

  • The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
  • The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.

simonw commented 2 years ago

If I add the privacy policy as a section of the README I can link to https://datasette.io/tools/google-drive-to-sqlite#privacy

simonw commented 2 years ago

I think I might actually be building something that requires the highest level of validation - for "Restricted Scopes".

https://cloud.google.com/blog/products/identity-security/enhancing-security-controls-for-google-drive-third-party-apps

https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes says:

Restricted Scopes:

Drive - Any Drive API scope that permits an application to read, modify, or manage the content or metadata of a user’s Drive files, without the user individually granting file-by-file access.

But it also says:

Only certain application types may access Restricted Scopes for each product.

  • Native and web apps that provide local sync or automatic backup of users’ Drive files

I think that fits what this tool is doing. There's also this bit:

Secure Data Handling: Applications accessing Restricted Scopes must demonstrate that they adhere to certain security practices. These applications must pass an annual security assessment and obtain a Letter of Assessment from a Google-designated third party. Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.

I was worried that I might have to "pass an annual security assessment", about which https://support.google.com/cloud/answer/9110914#sec-assess says:

In order to maintain access to restricted scopes, the app will need to undergo this security assessment on an annual basis, this process is called the security reassessment, also known as annual recertification. The cost of the assessment typically varies between $10,000 - $75,000 (or more) depending on the size and complexity of the application; smaller applications may see costs at a lower threshold of $4,500. This fee may be required whether or not your app passes the assessment and will be payable by the developer. We expect that fees will include a remediation assessment if needed.

But... that earlier bit said "Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement." - so maybe I'm OK here.

simonw commented 2 years ago

My initial attempt at a privacy policy:

Privacy policy

This tool requests access to your Google Drive account in order to retrieve metadata about your files there. It also offers a feature that can download the content of those files.

The credentials used to access your account are stored in the auth.json file on your computer. The metadata and content retrieved from Google Drive are also stored only on your own personal computer.

At no point do the developers of this tool gain access to any of your data.

simonw commented 2 years ago

"It also offers a feature that can download the content of those files" means this feature:

simonw commented 2 years ago

Privacy Policy is now available here: https://datasette.io/tools/google-drive-to-sqlite#user-content-privacy-policy

simonw commented 2 years ago

OK, I added that privacy policy. Next step is this bit:

image

I have to record a YouTube video explaining what the app is doing: https://console.developers.google.com/apis/credentials/consent/edit;verificationMode=true?project=fluted-anthem-341502

simonw commented 2 years ago

For "How will the scopes be used?" I wrote:

This is a tool that users install on their own personal computers, which uses the Google Drive API to download metadata about the files that they have in their Google Drive and create a local SQLite database of that metadata which they can then use to analyze their own content.

The guidelines say: "Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement"

I believe this tool falls under that condition. The user stays in complete control of their data at all times, and no data is transferred to any third party.

simonw commented 2 years ago

Video from #14 is: https://youtu.be/KuTmYUF1PJM

simonw commented 2 years ago

"Share any final details about your app. Include any information that will help us with verification, like the Project IDs of any other projects that use OAuth."

I built this tool to help people with large Google Drives gain a better understanding of what they have in their drive, by exporting out the metadata for their drive files to a SQLite database to enable them to analyze it using SQL.

It's related to my Datasette project, which provides an open source tool for running queries against SQLite databases: https://datasette.io/

google-drive-to-sqlite is an open source command-line utility written in Python. The user runs "google-drive-to-sqlite auth" to authenticate with Google and retrieve a refresh_token that can access their Google Drive data - using the https://www.googleapis.com/auth/drive.readonly scope

They can then use the "google-drive-to-sqlite files" command to download metadata about their files - which they can store in a SQLite database file or they can output as JSON if they want to use it with other tools.

The tool is only designed to be run on the user's own computer - it does not share data with anyone else.

simonw commented 2 years ago

OK, submitted that all for verification here: https://console.developers.google.com/apis/credentials/consent?project=fluted-anthem-341502

zelleroSupport commented 2 years ago

Hi, did Google verify your app?