Please bear with me as there are a lot of details to include here to give you enough background to help me figure out how to proceed with getting my App Consent Screen verified on the Google Cloud Console.
Overview
I've submitted my app for OAuth Consent Screen verification and have had pushback due to the 3-legged OAuth scopes that I've requested. I don't believe that the "steps" Google's team provided me apply to my app and how it will be used. Maybe I'm wrong, but a second opinion would be super helpful.
Full Background
I run a free and open source app that allows users to self-host a "server" that essentially proxies iMessage to different clients (Windows, Android, etc.). As part of the Android integration, the server needs to be able to send notifications to the corresponding clients. It does so using Google's Firebase Messaging service. Currently, the user needs to manually create a Firebase project, configure an Android app for it, download the Google Services & Service Account JSON files, and apply it within the server. This setup is tedious and confusing to some less tech savvy users.
Recently, we've made an effort to implement Google Sign In to allow my Google Cloud Project to act as a puppeteer and do all that setup & configuration automatically (with the user's permission). As such, my Google Cloud Project requires the following scopes to create a Firebase project, enable Firestore, create an Android configuration, and generate a Service Account:
- https://www.googleapis.com/auth/cloudplatformprojects
- https://www.googleapis.com/auth/datastore
- https://www.googleapis.com/auth/iam
- https://www.googleapis.com/auth/service.management
According to Google, some of these scopes are referred to as "three-legged" OAuth 2.0 scopes because they allow users to grant access to all their data hosted within a particular API.
Fair enough.
The Issue
Upon submitting the app for verification, Google's team responded saying that the requested scopes grant access that is too broad, and that I need to perform the following steps to remediate the concern:
- Create a service account to access data from your users’ Google Cloud Platform project. You may want to create a service account for each customer to avoid confused deputy problems.
- Instruct your customers to grant this service account appropriate access to their Cloud data via IAM Policies.
The issue I see is that, because the app/service is completely self-hosted and we do not have direct contact with our users, there is no way I can create a service account for each of them. Moreover, even if we just created one, my understanding is that each user would need to grant the service account appropriate access via their Cloud IAM policies. This would require user intervention and would essentially nullify the effort to "make setup more seamless by automating it".
What Next?
Am I completely misunderstanding what Google's team is suggesting? Is it possible for me to limit exactly what my app can have access to via IAM policies without having users intervene within their own Google Console?
Or, is it simply not possible to get this sort of setup to be verified, and the app will need to stay unverified?
If there is a way for me to specifically limit the app even further, beyond the scopes, I am all for it. I just do not think that the suggestions made by the Google team completely apply to my situation.
Any help is greatly appreciated!
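Whatever the verification outcome, a self-hosted server that acts as a deputy on a user's Google Cloud project should at least confirm that the access token it is handed was issued to its own OAuth client (the "confused deputy" concern in Google's first step) and carries no more than the four scopes listed above. The following is an added example, not code from the poster's project: it checks a tokeninfo response of the kind returned by `https://oauth2.googleapis.com/tokeninfo?access_token=...` offline, using constructed sample responses. The client ID is a placeholder, and the response shapes (`aud`, `scope`, `expires_in`, `error`) are the fields Google's tokeninfo endpoint returns for access tokens.

```python
"""Audience and scope checks on a Google OAuth tokeninfo response (added example)."""
import json
from typing import Dict, FrozenSet

# The four scopes the app requests (taken from the post).
REQUIRED_SCOPES: FrozenSet[str] = frozenset({
    "https://www.googleapis.com/auth/cloudplatformprojects",
    "https://www.googleapis.com/auth/datastore",
    "https://www.googleapis.com/auth/iam",
    "https://www.googleapis.com/auth/service.management",
})

# Assumption: placeholder OAuth client ID for the self-hosted app; not a real one.
OUR_CLIENT_ID = "000000000000-selfhosted.apps.googleusercontent.com"


def check_tokeninfo(tokeninfo_json: str,
                    client_id: str = OUR_CLIENT_ID,
                    required: FrozenSet[str] = REQUIRED_SCOPES) -> Dict[str, object]:
    """Decide whether a token may be used to act on the user's project.

    Returns {"ok": bool, "reason": str, "extra_scopes": set}. The audience
    check is what stops this server from being tricked into using a token
    that was issued to some other application (the confused-deputy case).
    """
    info = json.loads(tokeninfo_json)
    if "error" in info or "error_description" in info:
        why = info.get("error_description", info.get("error"))
        return {"ok": False, "reason": f"tokeninfo rejected the token: {why}", "extra_scopes": set()}

    aud = info.get("aud")
    if aud != client_id:
        return {"ok": False,
                "reason": f"audience mismatch: token issued to {aud!r}, not to this app",
                "extra_scopes": set()}

    # expires_in may arrive as an int or a numeric string; treat anything else as expired.
    try:
        expires_in = int(info.get("expires_in", 0))
    except (TypeError, ValueError):
        expires_in = 0
    if expires_in <= 0:
        return {"ok": False, "reason": "token is expired", "extra_scopes": set()}

    granted = set(str(info.get("scope", "")).split())
    missing = required - granted
    extra = granted - required
    if missing:
        return {"ok": False,
                "reason": "missing scopes: " + ", ".join(sorted(missing)),
                "extra_scopes": extra}
    return {"ok": True, "reason": "ok", "extra_scopes": extra}


# Constructed sample tokeninfo responses (not captured from Google).
GOOD_TOKENINFO = json.dumps({
    "aud": OUR_CLIENT_ID,
    "scope": " ".join(sorted(REQUIRED_SCOPES)) + " https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3599,
    "access_type": "offline",
})
WRONG_AUDIENCE = json.dumps({
    "aud": "111111111111-someotherapp.apps.googleusercontent.com",
    "scope": " ".join(sorted(REQUIRED_SCOPES)),
    "expires_in": 3599,
})
MISSING_SCOPE = json.dumps({
    "aud": OUR_CLIENT_ID,
    "scope": "https://www.googleapis.com/auth/cloudplatformprojects https://www.googleapis.com/auth/datastore",
    "expires_in": "3599",
})
INVALID_TOKEN = json.dumps({"error": "invalid_token", "error_description": "Invalid Value"})


if __name__ == "__main__":
    for label, sample in [("good", GOOD_TOKENINFO), ("wrong audience", WRONG_AUDIENCE),
                          ("missing scope", MISSING_SCOPE), ("invalid", INVALID_TOKEN)]:
        result = check_tokeninfo(sample)
        print(f"{label:14s} ok={result['ok']} reason={result['reason']} extra={sorted(result['extra_scopes'])}")
```

The `extra_scopes` set is reported rather than rejected because Google Sign In normally adds identity scopes the server did not ask for; logging it makes it easy to spot a client that requested more than the four scopes above. The check is a complement to, not a substitute for, narrowing what the token can do, which is what the reviewers are asking about.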