To make this clear: you don't need to get verified if the app isn't used by other organizations other than your own. In your specific case, the app is meant to be used by customers, thus requiring verification.
The white-listing only works for internal applications, so everyone outside of your org will see the unverified warning. Moving on to the dates for the change: there are several deadlines on the FAQ, since there are several scenarios, there are several dates where your app started showing up as unverified, some as early as March or as recently as the end of June. The dates have been on the FAQ and there were notifications sent since the beginning of the year. On Wednesday, July 17, 2019 at 12:28:27 PM UTC-4, Bryan Zera wrote: > > I never said it was or should be an internal app. No scopes that we are > using on the OAuth consent screen are restricted or sensitive. > > While technically, this is a user-facing app, this app is meant to be > whitelisted by other G Suite administrators at which time, the G Suite > administrators would allow access to the sensitive scopes for their users. > > If you have customers (users) accessing the app, then it should be >> verified, whitelisting on their behalf doesn't change that your app isn't >> verified. > > > So you're confirming that even though we don't technically need to get > verified (per the FAQ that keeps getting referenced), users will still see > the "Unverified App" message if we don't. If you are confirming this, can > you confirm that this is a recent change/fix, as this issue only recently > started occurring. > > > On Wednesday, July 17, 2019 at 11:01:23 AM UTC-5, Jorge A (Google Cloud > Support) wrote: >> >> @Bryan, in that case it isn't an *internal* whitelisted app without >> *sensitive >> or restricted scopes*. If the warning still shows once whitelisted, >> sensitive or restricted scopes are present. Please double check,since you >> *need >> to* go through verification before you launch a *user-facing* app. If >> you have customers (users) accessing the app, then it should be verified, >> whitelisting on their behalf doesn't change that your app isn't verified. >> >> On Wednesday, July 17, 2019 at 11:49:43 AM UTC-4, Bryan Zera wrote: >>> >>> Yeah @Jorge, We are aware that the FAQ says that whitelisting means you >>> *don't >>> have to submit for review*, but what it doesn't *explicitly* say is if >>> the end user is still going to get the "Unverified app" message when the >>> app is whitelisted, because our app was created to be whitelisted, but our >>> customers who do whitelist our app still get the unverified app message. >>> >>> On Wednesday, July 17, 2019 at 10:44:19 AM UTC-5, Jorge A (Google Cloud >>> Support) wrote: >>>> >>>> As David mentioned and to answer your question, yes, if a G Suite >>>> administrator has whitelisted the application, the users of that G Suite >>>> domain should not see the “unverified app” message. This is stated under >>>> https://support.google.com/cloud/answer/9110914/#skip in the FAQ >>>> document for this topic: When can I skip submitting my app for a review? >>>> "The app is domain installed or whitelisted by a G Suite domain >>>> administrator. If your app is intended for G Suite users, access might >>>> depend on domain administrator permission. Obtaining a verification will >>>> likely make it easier for administrators to grant access." >>>> >>>> On Tuesday, July 16, 2019 at 5:01:16 PM UTC-4, Bryan Zera wrote: >>>>> >>>>> @DavidCharlesMartinez. Thank you for that link. It certainly reads >>>>> like users accessing whitelisted apps shouldn't see the "Unverified App" >>>>> message. >>>>> >>>>> @Julie, when the GSuite Updates Blog says the following: >>>>> >>>>> Trust apps that you want to allow users to continue to install: To >>>>>> trust an app, use our API Permissions (OAuth apps whitelisting) >>>>>> feature <https://support.google.com/a/answer/7281227> in the >>>>>> Security section of the Admin console. Trusting an app also means that, >>>>>> if >>>>>> users consent, the app will have access to some G Suite user data >>>>>> (OAuth2 >>>>>> scopes) that you’ve otherwise restricted using this same tool. For >>>>>> example, >>>>>> if you’ve generally blocked access to Gmail OAuth2 scopes, trusted apps >>>>>> will have access for accounts where users consent. >>>>> >>>>> >>>>> *Does that mean that a user whose G Suite administrator has >>>>> whitelisted our app should not see accessing whitelisted apps should not >>>>> see the "unverified app" message?* >>>>> >>>> -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/d8bef26b-4e00-4bbb-bcef-9e3dc4091c2f%40googlegroups.com.
