LinkedIn
Twitter
Hi @lxp200,
Welcome to Google Cloud Community!
Here are the following involve descriptions:
1. Do I understand correctly that the webapp user will have to go manually into a consent screen every 7 days?
For external user types with publishing status as "Testing", authorization/refresh token for test users will expire after 7 days of consent. To provide a smooth user experience and avoid service disruption, Google attempts to renew refresh tokens near the end of their lifetime. In some scenarios, user consent might be required to re-link accounts when a valid refresh token is unavailable.
2. What are my options to extend this delay so that unattended video uploads are not failing at some point (when refresh token has expired)?
- Designing platforms to support multiple unexpired access and refresh tokens can minimize race conditions present in client-server exchanges between clustered environments, avoid user disruption, and minimize complex timing and error handling scenarios.
- There is a limit of 100 refresh tokens per Google Account per OAuth 2.0 client ID. If the limit is reached, creating a new refresh token automatically invalidates the oldest refresh token without warning.
- If the app requests a subset of the following: name, email address, and user profile (through the userinfo.email, userinfo.profile, openid scopes or their OpenID Connect equivalents) or its only used for Sign In to the APP. Therefore, there is no need to add them as test users, they will be allowed to access the APP and their tokens won't expire after 7 days.
3. I am under the impression that "publishing" the Google Cloud app would make no sense since it is meant to be used exclusively by one Google Cloud user, which is fine a private webapp that will be used only by a few people.
- Google's OAuth policies require separate projects for testing and production. Some policies and requirements only apply to production apps. It is needed to create and configure a separate project that includes OAuth clients that correspond to the production version of your app available to all Google Accounts.
- Your app will be subject to the unverified app screen and the 100-user cap will be in effect when an app is in development/testing/staging. This cap is removed only after an app has been successfully verified.
4. What if the webapp code is then hosted by other people totally unrelated to me and my instance, with their own Google account. Will they all have to "publish" their own Google App to obtain a long lasting refresh token?
- Apps with a publishing status of "Testing" may request authorization from a Google Account in its list of test users.
- Apps with a publishing status of "In production" must complete verification for all requested sensitive and restricted scopes. An app requesting unverified sensitive or restricted scopes will result in the display of unverified app warnings , which may prevent user authorization. See OAuth user quotas for more information about user authorization limitations while your app's use of these scopes is unverified.
- If your app requests access to scopes other than basic profile scopes commonly used for login (e.g. openid, email, profile), there will be a per-minute and per-day quota of how many token grants the Google OAuth API endpoints will allow for your app. Your current token grant rate and quota is displayed in the OAuth rate limits section.
I hope the above information is helpful.
