When you or your users set up a Google connection (needed for Drive or Spreadsheets connectors) on your Website as a Service web portal, the authorization message needs to show your brand instead of ours, and the redirect URLs must point to your domain rather than nomorePAPER's, for the connection to succeed.


This is done by registering for Google API access on a Google account that reflects your company and brand name.


CONTENTS

  • Use a dedicated Google developer/system account
  • Set up your Google API access
  • Google's Application Verification Process

Use a dedicated Google developer/system account


For this to occur, you need to create a new Google account. This will be used to gain API access and, incidentally, to publish your Android app in Google Play.


You may have already created one of these Google accounts as part of setting up your Android App as a Service white label app. If yes, use that one.

If not, create a new Gmail account and make sure to use an email address that reflects your brand's web domain.
E.g. admin@myapp.com or itadmin@myapp.com would be ideal.

Do not use your personal Gmail account for this process!

Set up your Google API access


Go to https://console.developers.google.com and log in with your chosen developer/system Google account.

  1. Once logged in with your chosen Google account, you will most likely have an existing project (e.g., already having an Android app) and can edit that project.

  2. If you don't have a project, create one by clicking Create Project. Enter a Project name and leave the Project ID to whatever has been generated. Generally, it is easiest to call your project "API Project," tick the Terms & Conditions box, and click Create.

  3. After creation, you'll be in the Project Dashboard.
    Now click on Enabled APIs & Services from the menu and then click on Enable APIs & Services at the top of the page.

  4. In the list of APIs, find Google Drive API and click Enable.

  5. Now, find the Sheets API and click Enable to do that, too.

  6. Now go back to the APIs & Services page and click on the Credentials menu item.
    Then select OAuth client ID under Create Credentials.


  7. Next, click on the Configure consent screen.

  8. Select the User Type to be External and click on the Create button.


  9. Your users will see the OAuth Consent screen whenever they add a Google Connection through the web portal.
    Google changes this configuration page occasionally, so ensure you fill in all fields mentioned below if you see them on the Consent page:


    App Name
    Enter the name of the app asking for consent.
    User Support Email
    Enter your preferred company support email address (e.g., info@yourdomain.com; don't use your personal address). Users will use this address to contact you with questions about their consent.
    App Logo
    Upload an image, not larger than 1MB, that will appear on the consent screen and help users recognize your app. Allowed image formats are JPG, PNG, and BMP. Logos should be square and 120px by 120px for the best results.
    Application home page

    Provide users with a link to your home page.

    Application Privacy Policy Link

    Provide users with a link to your public privacy policy. This must be hosted as a page on your company/brand's website.

    If you don't already have a Privacy Policy page, you can generate a privacy policy document quite easily - just do a Google search for "privacy policy generator".
    Here's one such site that generates a reasonably standard privacy policy:
    https://app-privacy-policy-generator.firebaseapp.com

    Once you have generated appropriate privacy policy wording, add this as a web page to your standard company website.
    The result should be that your policy can be accessed via a website link—e.g., www.mycompany.com/privacy-policy. You'll enter this into the provided Privacy Policy URL field.

    If you're unsure how to add a Privacy Policy page to your company website, ask the IT person or provider who maintains it for help.  
    Always consider legal advice on the suitability of any policy for your business.

    Application Terms of Service Link

    Provide users with a link to your public terms of service.
    Similarly to the Privacy Policy, you must have a Terms of Service web page hosted on your company or brand website.
    You can find some standard generators by Google searching "terms conditions generator SaaS".
    For example:
    https://termly.io/en/products/terms-and-conditions-generator/
    https://www.shopify.com/tools/policy-generator/terms-and-conditions
    Always consider legal advice regarding the suitability of any Terms for your business.
    Authorized Domain
    Click on Add Domain and enter your custom web domain for your WaaS site.
    E.g. mydomain.com
    Developer Contact Information
    Enter email addresses for Google to notify you about any changes to your project.

  10. Then click Save and Continue, and under the Scopes tab, click Add or Remove Scopes. Ensure that you add the following for your scopes section.
    • https://www.googleapis.com/auth/drive.file

  11. Then click on Save and Continue. You can skip the Test Users tab and move onto the Summary tab, ensuring all details are correct, and then click Back To Dashboard.

  12. Return to Credentials on the menu item and select OAuth client ID under Create Credentials.

  13. Now, for Application Type, select Web Application and specify the name of your application.

  14. In the Authorised Redirect URI section, paste in the Google Redirect URL found under the Google API Access Details on the Site Integrations page in the Branding Center area of our platform.

    This should be something like https://myapp.mydomain.com/OAuth2/GoogleCallback


    When setting up your Google Connection, you MUST ensure that you use your custom domain URL for all callback/redirect URLs and NOT nomorePAPER's default callback URL. Failure to do so will result in your Google connections not working.

  15. Click Create, and a popup will appear with your Client ID and Client Secret.


    Copy the Client ID and Client Secret values and paste these into the Google Client ID and Google Client Secret under the Google API Access Details under the Site Integrations page of the web portal. 
    
    Make sure to save your changes to the Site Integrations page.

  16. Now click on OAuth Consent Screen from the menu, click on Publish App, and confirm to push to production.

  17. Once you have done the above, you should see the Prepare For Verification dialogue on the OAuth Consent Screen.


    At this stage, you are limited to 100 sensitive-scope logins (50 x Sheets & 50 x Drive).
    This is generally enough for as long as you do not have more than 50 different Google connections added across all your client accounts.

    You should now be able to authorize your Google Connection under the Connected Data > Connections page of your web portal.

  18. However, if you want this limit removed, you must verify your app and complete the steps mentioned in the next section.
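
A pre-flight check for the scope and redirect URI settings from steps 10 and 14, as an added example that is not part of the original article or the platform's own code. `platform-default.example` is a placeholder for the platform's default domain, the sample URLs are constructed, and the callback path is taken from the article's example URL.

```python
from urllib.parse import urlsplit

# Scope the article tells you to add on the Scopes tab (step 10).
EXPECTED_SCOPES = {"https://www.googleapis.com/auth/drive.file"}


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a label boundary stops 'evilmydomain.com' passing for 'mydomain.com'.
    """
    domain = domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def check_redirect_uri(uri, authorized_domain, platform_default_domain,
                       callback_path="/OAuth2/GoogleCallback"):
    """Return a list of problems with an Authorised Redirect URI (empty list = OK)."""
    problems = []
    parts = urlsplit(uri)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.username or parts.password:
        problems.append("URI must not contain user info")
    if parts.fragment or "*" in uri:
        problems.append("fragments and wildcards are not allowed")
    if not under_domain(host, authorized_domain):
        problems.append(f"host {host!r} is not under the authorized domain")
    if under_domain(host, platform_default_domain):
        problems.append("host is the platform default domain, not your custom domain")
    if parts.path != callback_path:
        problems.append(f"unexpected callback path {parts.path!r}")
    return problems


def check_scopes(requested):
    """Return requested scopes that are not in the article's scope list."""
    return sorted(set(requested) - EXPECTED_SCOPES)


if __name__ == "__main__":
    # Constructed sample values; replace with your own domain and redirect URL.
    for uri in ("https://myapp.mydomain.com/OAuth2/GoogleCallback",
                "http://myapp.mydomain.com/OAuth2/GoogleCallback",
                "https://myapp.evilmydomain.com/OAuth2/GoogleCallback"):
        issues = check_redirect_uri(uri, "mydomain.com", "platform-default.example")
        print(uri, "->", issues or "OK")
```
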

Google's Application Verification Process


You must have HTTPS Enabled on your WaaS account before you can go ahead with the verification process.
If this has not been done please contact our Support Team.


Google requires that all API integrators must verify their intent and legitimacy.

Failure to complete this process will result in users receiving a "This app isn't verified" message when they try to add a Google Connection to your branded web portal.


  1. Go to the OAuth Consent Screen and click on the Prepare For Verification dialogue.

  2. Ensure all the mandatory fields in the OAuth Consent Screen are filled in.

  3. Under the Scopes tab, you will see a question - How will the scopes be used? You can answer as follows:

    https://www.googleapis.com/auth/drive.file is used to import files into our platform and to store documents generated by our platform. Folders and subfolders are also often created based on the user's configuration of the Google connector on our application.

  4. If Google asks any further questions, such as which programming language you use, answer "We primarily use C#".

  5. Google Demo video: how will the scopes be used?

    For this, you will need to provide a YouTube video link demonstrating how you'll use the data from these scopes in your app. Your video must include all OAuth clients that you assigned to this project.
    Use a tool like Screen-o-Matic or a screen recording software of your choice to record the process.

    The video should start from your WaaS web portal login.
    You can then move to adding a Google Connection via the Connections page of your web portal by inputting your Google account details.
    
    Please be sure that all URLs that Google is requesting are clearly visible.
    
    You can then add a Google Sheets Data Source connector and sync down the rows.
    
    You should also do the same for an Excel/CSV file stored on Google Drive with a Google Drive Data Source Connector.


  6. This shows Google how your users would use the sensitive scopes.

    Upload the video to a YouTube account. We recommend setting up a YouTube account with the same Google account you used to activate the API above. Note that you need to add a YouTube channel for this account, too.

    Then, update the YouTube link under the Demo video: how will the scopes be used?

  7. Verify Ownership of Your Web Domain

    In addition to the verification submission you already made above (when filling out the OAuth Consent Screen), Google needs to verify your ownership of your chosen website domain.

    While logged in with your Google developer/project account, click here to verify your website ownership through Google's Search Console.


    Google will NOT approve your OAuth verification request until your site ownership verification is complete.

  8. Wait for Google to Verify or Contact you

    As your project verifies, the current status displays under Verification status in the Google Console.

    Being verified
    OAuth developer verification is in progress
    Published
    Your OAuth consent screen passed the verification, and your project is being verified.
    Failed verification
    Your OAuth consent screen didn't pass the verification.
    You'll receive more information at the contact email you provided, or you can contact the Trust and Security team at security@google.com.


    The time Google takes to verify is highly variable, but you should hopefully get confirmation and acceptance back from them within 7 days.


    Should Google have questions or further requirements, you should be notified by them via email to your Google developer/system account.
    You should also receive confirmation of verification approval via email.
    If you don't hear back from them, review Google's OAuth Application Verification FAQ and consider contacting them via their Developer channels.


  9. Google sometimes requires additional information/details.

    Google is becoming much more strict about API security, etc. While this is generally a good thing, it may mean more work for you. You may receive an email from Google asking the questions below.


    To proceed with the approval process, please reply to the email with the answers below:

    Q1: How does the user sign up on your app and grant access to the sensitive scopes requested in verification?


    This is a business application, so only an administrator user will link a Google account (this is optional and only required if they want to connect their Google Drive, etc.).
    Administrators would initially sign up via our website.
    Access is not granted during the signup process. It occurs only if the admin user decides to connect data from their Google account to our platform. Authorisation occurs through the standard Google OAuth2 consent process.


    Q2. OAuth consent screen as seen by end-users

     
    You need to provide a screenshot of the OAuth consent screen here.
    This is the page shown AFTER hitting the Auth button on a Google Connection in the Connections page of your web portal.


    Q3: How does your application use the requested scopes to provide services to developers?


    https://www.googleapis.com/auth/drive.file is used to import files into our platform and to store documents generated by our platform.

    Folders and subfolders are also often created based on the user's configuration of the Google connector on our application.

    Q4: A test account email and the password for us to test the user sign-up process and validate the project's functionality


    Create a test client account and add an Enterprise Admin level user.
    Explain to them that there is no sign-up process (as such) for general platform users, as they are registered into the platform by their administrators.
    Provide them with the test user login details and written instructions on exactly how to get to the Connections page and add a Google Connection.
    They will only care about seeing the Auth button and the subsequent consent process.

    Q5: Please address all the points mentioned above in the video so that we can validate your application's usage of sensitive scopes.

     
    You can use the same YouTube video link used in Step 5.



Although this can be a long journey, ultimately, it should get you approval from Google.