I've built a google apps script web application. For Google Drive related features the application requires auth/drive.install (to integrate with Drive UI) and auth/drive.file (to store some data associated with a file in the related file properties) scopes. Other scopes are auth/urlshortener, auth/userinfo.email, and auth/userinfo.profile. The two latter are required for auth purposes, as far as I understand.
The above scopes are specified at oauth dance within the app. However, at app installation the following scopes are presented to a user:
- View and manage the files in your Google Drive (corresponds with
auth/drive scope) - Manage your goo.gl short URLs (
auth/urlshortener) - and three other that correspond with
auth/script_*scopes
This correlates with scopes from the script properties.
5 OAuth Scopes required by the script:
https: //www.googleapis.com/auth/drive
https: //www.googleapis.com/auth/script.external_request
https: //www.googleapis.com/auth/script.scriptapp
https: //www.googleapis.com/auth/script.storage
https: //www.googleapis.com/auth/urlshortener
Obviously, auth/drive and auth/urlshortner are added as a result of Advanced Google Services use, that are turned on in both GAS IDE (Resources > Advanced Google services) and Developer's Console.
GAS IDE doesn't allow specifying any scope narrower than e.g. auth/drive.
Google Apps Marketplace SDK configuration in Developer's Console doesn't allow to add any specific scopes for some reason. Actually, it allows adding but doesn't save any.
The problem:
Recently Google introduced a review procedure for OAuth clients requesting sensitive OAuth scopes and auth/drive is definitely a one of.
I do not need the entire auth/drive scope and also I do not want users seeing anything like this:
This app ins't verified
Is there a way to narrow down the drive scope via GAS IDE or Developer's Console?
The script itself doesn't employ any auth/script_* functionality. Those were added somehow implicitly since I employed node google apps script module for development. I don't need user's permission for those. How to get rid of that?
Any workarounds?
