android - How do I enable access to Google API sensitive scopes with 'Unverified' mobile app under development?

I am developing a mobile app (Flutter) that is designed to access a user's Google Calendar events. I have learned that this has a newer process that requires verification of the OAuth consent screen in some circumstances.

I have configured everything on the 'OAuth Consent Screen' as explained in these instructions: https://support.google.com/cloud/answer/6158849?hl=en&ref_topic=3473162

I have read through the FAQ here: https://support.google.com/cloud/answer/9110914?hl=en&ref_topic=3473162

I have read that without 'verification' you can use restricted scopes up to 100 users and the Google signin process will display 'Unverified App' as explained here: https://support.google.com/cloud/answer/7454865

My experience is different and I am hoping to get some guidance. As an aside, I also use GSuite.

  • I marked my app under development as 'External' because I need to test the app with beta users (less than 10 users) that will be random email addresses -not- within Gsuite, including personal gmail addresses.

  • When I did this, it automatically set the status of my app to 'Being Verified' for Verification Status

  • I received an email that in part said: *Thank you for your patience while we reviewed your project. Unfortunately, testing/development apps are inapplicable for the Verification process. If your app is only for testing purposes, we recommend that you continue to use your app with the “unverified app” screen intact.*

  • Ok fine, but the thing is I do 'NOT' get an 'Unverified app' screen, what I do get is a consent screen that does -not- list the sensitive scopes I selected in my consent screen.

Here are the scopes I have selected in the consent screen.

Here is how my consent screen appears.

In my app, of course - attempting to access the calendar API results in "Insufficient Permission: Request had insufficient authentication scopes."

From what I gather, there is a scenario where I create a project that remains 'unverified' but can access sensitive scopes. Is this correct? Can someone point me to what might be wrong or point me to instructions for setup of OAuth for a mobile app under development?
