How to verify domain ownership for a Forge app with External Authentication?

Hello everyone,

Google Cloud OAuth consent screen docs (screenshot below) mention that you need to verify the domain associated with the redirect URI – which for Forge apps is https://id.atlassian.com/outboundAuth/finish.

Obviously Forge apps developers cannot verify ownership of atlassian-dot-com, but at the same time the Google Photos example Forge app uses a sensitive Google OAuth scope.

How should Forge app developers go about verifying ownership of atlassian-dot-com in the redirect URI?

Thank you

Hi @aponomarov - thank you for reporting this issue, I’m on the team that owns this feature and I can confirm that we’ve reproduced it and are looking into any guidance/workarounds we can provide. I don’t have any updates at this time but just wanted to assure you that this has been seen and is being looked into.

Hey again @aponomarov just wanted to thank you again for highlighting this, addressing this may be more difficult than foreseen and I can’t give you a timeline just now for when we could prioritise and fix it. As such we’ll be taking down this example for now until we can provide an example that doesn’t use sensitive Google scopes.

In the meantime, the only workaround I can suggest is for you to access these sensitive scopes via your own external server/domain and route the Forge requests through that. I’m aware this isn’t ideal and would involve a lot of extra work, but I wanted to float this as an option in the meantime as we may not be able to solve this on our end immediately.

Hi @ChrisWilliams, thank you for getting back to me. I was able to find a less permissive OAuth scope and it looks like Google does not require domain ownership verification for non-sensitive scopes. With this post I wanted to verify if this is indeed the case, but it’s probably better checking with Google directly. Please don’t remove the Google Photos example app.

Hey @aponomarov that’s good news, can I ask which scope you were able to find here? The intention was to take down the example and (in the short term) replace it with one that uses non-sensitive scopes.

@ChrisWilliams it’s /auth/drive.file. Full access to any file in Google Drive that was created by the app.

Thanks for sharing that @aponomarov - we’ll update the existing example to make use of a non-sensitive scope (probably https://www.googleapis.com/auth/drive.file) and also update the docs to highlight that sensitive scopes on Google aren’t currently supported.