Does changing scopes for a Google Workspace Marketplace app require admins to grant access again?

Our Marketplace app GQueues recently updated our integration with Google Drive to use the less permissive drive.file scope instead of the now “restricted” full drive scope. (This is better for our users, and also means we don’t have to go through the very time-intensive and costly third-party security audit.)

We refactored our code to only use the drive.file scope and removed the full drive scope on our OAuth Consent Screen, which then was re-verified by the Google Trust and Safety Team. Our Marketplace SDK App Configuration page currently requests both the drive.file and full drive scope. So the last step is to remove the full drive scope from the App Configuration, so the restricted drive permission is no longer requested when Admins install our app.

What we didn’t know, and could not find anywhere in documentation or searching on the web, was whether removing the full drive scope would then invalidate all the other scopes in our App Configuration as well. Essentially, would all our Google integrations break for existing installations until admins re-granted access to our app?

To answer this question I created a separate Marketplace app so I could test what happens to existing installations when scopes are added and removed. And I decided to share what I discovered here so others don’t have to go through all this effort to know what happens. Here’s what I learned:

  1. Adding a scope to your App Configuration causes existing installations to go into a “Partially granted” state, as shown here when I added a calendar scope. Apps can’t use the new scope until Admins grant access to the newly added scope.
  2. Removing a scope has NO IMPACT on existing installations, as shown here when I removed the full drive scope on the test app configuration. In fact, the full drive permission stays active for existing installations and can continue to be used. Only new installations are affected - they will not request access to the removed scope.

  3. That means the scope removed from the App Configuration will only be removed from existing installations if Admins uninstall the app entirely and reinstall it.

This is all very good news for our situation. This means we can safely remove the full drive scope from our App Configuration so new installs don’t have to grant this permission, while existing installs will continue to work seamlessly, without us having to message Admins to re-grant access to our app.

I recorded a short video where I change scopes in a test app so you can see how this all works with your own eyes.

https://www.youtube.com/watch?v=h1LhuagmP6s

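Added example, not part of the original post and not GQueues code: a small audit that compares the scopes an installation's token carries with the scopes the App Configuration now requests, flagging both cases described above (a newly added scope not yet granted, and a removed scope that is still active). It assumes the granted scopes are available as the space-delimited `scope` field of an OAuth tokeninfo-style response; the domains, the `CONFIGURED` set and the sample responses are constructed for illustration.

```python
import json

DRIVE_FULL = "https://www.googleapis.com/auth/drive"
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"
CALENDAR = "https://www.googleapis.com/auth/calendar"

# Scopes the App Configuration requests now (assumed for this example).
CONFIGURED = {DRIVE_FILE, CALENDAR}
# Restricted scopes to flag; the post names full Drive as restricted.
RESTRICTED = {DRIVE_FULL}

# Constructed tokeninfo-style responses, keyed by made-up customer domains.
SAMPLE_TOKENINFO = {
    # Installed before the change: still holds full Drive, lacks calendar.
    "legacy.example": json.dumps({"scope": f"{DRIVE_FULL} {DRIVE_FILE}"}),
    # Installed after the change: holds exactly what is configured.
    "fresh.example": json.dumps({"scope": f"{DRIVE_FILE} {CALENDAR}"}),
}


def granted_scopes(tokeninfo_json):
    """Parse the space-delimited `scope` field into a set."""
    return set(json.loads(tokeninfo_json).get("scope", "").split())


def audit_install(tokeninfo_json, configured=CONFIGURED):
    """Compare what an installation's token carries with what the app requests."""
    granted = granted_scopes(tokeninfo_json)
    missing = configured - granted  # added to config, not yet granted by the admin
    stale = granted - configured    # removed from config, still active on this install
    return {
        "usable": sorted(granted & configured),
        "missing": sorted(missing),
        "stale": sorted(stale),
        "stale_restricted": sorted(stale & RESTRICTED),
        "needs_admin_grant": bool(missing),
        "needs_reinstall_to_drop": bool(stale),
    }


def audit_all(samples=SAMPLE_TOKENINFO):
    """Run the audit over every sample installation."""
    return {domain: audit_install(raw) for domain, raw in samples.items()}


if __name__ == "__main__":
    for domain, report in audit_all().items():
        print(domain, json.dumps(report, indent=2))
```

Installations reported with a non-empty `stale_restricted` list still hold the broader permission and only lose it through an uninstall and reinstall, which is worth tracking if least privilege is the reason for the scope change.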