Programmatic way of finding out if your Slack app is approved/blocked by a workspace? - slack-api

I've got an increasing number of users that log in to my web app with "Sign in with Slack" successfully, but then fail to add any further permissions at the following step (you can't have regular + identity.* scopes requested at the same time in the OAuth flow).
The reason is either the user isn't happy with the permissions being requested and closes the window, or the app is blocked by the workspace as it needs approval. If my app is blocked, there appears to be absolutely no feedback. Unfortunately, I have no idea which of these a customer experiences.
Is there a way to find out if my app requires approval for a workspace?

Slack doesn't currently provide any feedback to an app developer or owner as to why their app was not installed or approved. Often, organizations have security policies or other reasons for denying an app approval that would not be appropriate to share externally.
I'll take your feedback to the app directory team and see if there are ways we might be able to help solve this problem.

Related

Gmail API OAUTH2 verify Desktop application

At work we have developed an individual, customer-specific software application that has been in use for a long time. We have a new requirement in this same program to implement an option for sending emails directly from the program.
The user is able to add his own email account with the credentials and log in through our program. For Microsoft and Gmail accounts OAuth is implemented, and something here is not very clear.
For the Gmail API we have made an OAuth client and consent screen on Google Cloud Console which we need to publish and verify, and here is where the problems start. I am not very clear on the whole process of verifying the app.
In the steps for verifying it is stated that we should verify a domain for the app, but this software is not hosted anywhere on the internet and is not publicly available; it is available to a number of specific users (2000-3000).
Also, Google requires a YouTube video of the software to be available publicly, which we are not able to upload because of customer requirements. A Data Protection Policy page for the application is also required, which we as developers don't have because we are only developing the software.
Another thing that is not clear to me: how is this type of software rated by Google, internal or public?
Does anyone have experience with this or something similar?
Verifying an app for one of the Gmail scopes is a very complicated process. This process depends upon which scope of authorization you are requesting of the users.
In your case you are trying to send an email, so you are using the users.messages.send method from the Gmail API. This uses a restricted scope, which means you will need to go through the full process.
First off, it doesn't matter if your application is hosted or not. It also doesn't matter that you give this app to a limited number of users. What matters is the scopes you are using.
You will need to ensure that your domain has been registered via Google Search Console, so this app will need a domain.
Once that is done you will be able to host your website, and the privacy policy, on that domain.
You will need to create a YouTube video showing your application running, and how authorization is used.
You will also need to submit to a third-party security checkup of your application, which is not free and will need to be done once a year.
All of this is needed because of your consent screen. It doesn't matter if it's hosted anywhere, and it also doesn't matter if this is only available to a specific number of users.
If all of the users are part of a single Google Workspace account, the one that created your client ID and client secret, then you can set the app to internal and you won't need to be verified. This only works for Google Workspace domain accounts.

Offering account deletion in your app via a website

In Apple's guidelines about Offering account deletion in your app, it states the following:
If people need to visit a website to finish deleting their account, include a link directly to the page on your website where they can complete the process.
However, in the FAQ section of the same page, it states:
If my app links out to the default web browser for account creation, does it still need to offer account deletion within the app?
Yes. Additionally, note that linking out to the default web browser to sign in or register an account provides a poor user experience and is not appropriate, per App Store Review Guideline 4.
Given the above information, would having a button in the app that says "request account deletion" that opens a website to complete account deletion requests be compliant with Apple's guidelines? In other words, is it ok to just have a website for the account deletion request process (a link to this website will be available from the app), or is it required that the account deletion request process be completed in the app itself?
Everything needs to happen within the app, either natively or via an embedded browser, for both user sign-ups and user account deletion.
From my experience, Apple doesn't like "Request" or "Deactivate" as a default modus operandi and prefers only "DELETE" and "IMMEDIATELY".
See https://developer.apple.com/design/human-interface-guidelines/patterns/managing-accounts/
If you help people create an account within your app or game, you must also help them delete it, not just deactivate it. In addition to following the guidelines below, be sure to understand and comply with your region’s legal requirements related to account deletion and the right to be forgotten.
Also see https://developer.apple.com/support/offering-account-deletion-in-your-app/
If my app links out to the default web browser for account creation, does it still need to offer account deletion within the app?
Yes. Additionally, note that linking out to the default web browser to sign in or register an account provides a poor user experience and is not appropriate, per App Store Review Guideline 4.
See the responses below from Apple on both issues.
Guideline 4.0 - Design
We noticed that the user is taken to the default web browser to sign in or register for an account, which provides a poor user experience.
Next Steps
To resolve this issue, please revise your app to enable users to sign in or register for an account in the app.
You may also choose to implement the Safari View Controller API to display web content within your app. The Safari View Controller allows the display of a URL and inspection of the certificate from an embedded browser in an app so that customers can verify the webpage URL and SSL certificate to confirm they are entering their sign in credentials into a legitimate page.
and
Guideline 5.1.1(v) - Data Collection and Storage
We noticed that your app supports account creation but does not include an option to initiate account deletion that meets all the requirements. Specifically:
Your app only offers to deactivate the account. Temporarily deactivating accounts is not sufficient to meet the account deletion requirement.
The process for initiating account deletion must provide a consistent, transparent experience for App Store users.
Next Steps
It would be appropriate to revise your app to address the issues identified above and resubmit your app once the account deletion option meets all the requirements.
If you believe your current account deletion option meets all the requirements, either because your app operates in a highly-regulated industry or for some other reason, reply to this message and provide additional information or documentation.
Resources
Review frequently asked questions and learn more about the account deletion requirements.
Yes, you have to provide an account deletion or account deactivation option on the website as well.

Google Cloud OAuth verification

I recently received an email from the Google Cloud Platform Team notifying me of a policy violation, stating that we had not completed the OAuth developer verification process and we're limited to 100 new user grants, of which we've already used 60%.
The thing is, if I view this OAuth consent screen in the Google Cloud Platform, at the top of the page, it states:
Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use.
This page was last saved and 'submitted for verification' some months ago now.
The page itself is constantly glitchy and poor anyway, as I've noticed at various points in the past.
The information this page contains is correct, and I am unable to re-submit for verification unless I make changes.
Nonetheless, I'll make a change, resubmit, then edit removing that change and resubmit again, but it's proving to be a bit of a hassle when either their system doesn't work or we're waiting on them to approve/reject the OAuth verification.
Am I supposed to be doing something else or is there a workaround at all?
Make sure that you've taken a look at the App Verification help page:
https://support.google.com/cloud/answer/7454865?hl=en
and the much more detailed verification FAQ:
https://support.google.com/cloud/answer/9110914
From the sounds of your post, it seems like you probably just need to get your app's branding verified because you are accessing sensitive scopes. That should be a pretty straightforward process if you have everything ready for review. Make sure you haven't gotten any messages from the review team with open items you need to accomplish. If not, you can make a trivial change and resubmit.
If you are trying to access a restricted scope like Gmail APIs, the process will be much more involved. Make sure you have all your requirements taken care of as outlined in the FAQ. And be sure you look closely at what scopes your code is actually requesting. If you are asking for sensitive or restricted scopes in your app but don't have those fully registered and approved in the developer console, your users will get warnings and you'll have restricted tokens revoked.

Getting tokens for all users in a workspace

I have been making a Slack app for the users on my workspace. It is a sidebar that adds Slack messaging functionality to our website, so that we don't have to leave the site to see our Slack messages. I am having trouble trying to get bearer tokens for each user.
What I have been doing so far is following the Slack OAuth 2.0 authentication flow in order to receive tokens for users. This worked for me in testing and it works for some of our users currently. However, some users see something completely different.
Instead of asking them for permission to use their Slack profile, the slack.com/oauth/authorize page is telling them they can't install the app because it isn't listed in the Slack directory. However, this page should not be installing the app to the workspace. It is already installed. It should just be asking for their permission to use their profile.
Am I using the wrong page? Did I miss something I need to do?
The OAuth process in Slack is not only used to get an access token, but is also always regarded as an installation process for the respective Slack app. So your users are basically (re-)installing your Slack app each time they run through the Slack OAuth process. This is the standard behavior and cannot be changed.
If you want to continue using this process you can simply enable installation of your Slack app on the workspace for all users (click on approve on the app management page of your workspace for this particular app), and then your users will no longer get the error message. You may also need to enable distribution of your Slack app on the app management page.
Btw, installing the same Slack app by multiple users is the default approach for getting access tokens for individual users. Slack calls those additional installations "configurations", and you can see them listed on the app pages for your workspace.
Note that Slack access tokens obtained from the OAuth process do not expire. So you only have to let the user install your Slack app once and then store the Slack access token for the next time.
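The authorize step described in this answer and the identity.* scope restriction mentioned in the first question, as an added example that is not part of either post. It builds the legacy slack.com/oauth/authorize URL, refuses a scope list that mixes identity.* with regular scopes, and classifies the redirect Slack sends back, checking the state value before any code is exchanged; the error parameter on a declined request and the constructed client ID and redirect URI are assumptions.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Legacy Slack authorize endpoint named in the thread above.
AUTHORIZE_URL = "https://slack.com/oauth/authorize"


def build_authorize_url(client_id, scopes, redirect_uri, team=None):
    """Return (url, state) for the Slack authorize step.

    Slack does not let identity.* scopes share a request with regular
    scopes, so a mixed list is rejected here instead of failing at Slack.
    The random state is what the callback handler must check against.
    """
    identity = [s for s in scopes if s.startswith("identity.")]
    if identity and len(identity) != len(scopes):
        raise ValueError(
            "identity.* scopes must be requested in their own OAuth flow, "
            "separate from regular scopes"
        )
    state = secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "scope": ",".join(scopes),      # comma-separated, as in Slack's examples
        "redirect_uri": redirect_uri,
        "state": state,
    }
    if team:                            # pin the flow to one workspace
        params["team"] = team
    return AUTHORIZE_URL + "?" + urlencode(params), state


def classify_callback(callback_url, expected_state):
    """Classify the redirect Slack sent the user back with.

    Returns ("granted", code), ("denied", error) or ("incomplete", None).
    A state mismatch raises: the code must never be exchanged in that case.
    """
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale session")
    if "error" in q:
        # Assumption: Slack reports a declined request via an error parameter.
        return "denied", q["error"][0]
    if "code" in q:
        # Exchange once; the resulting token does not expire, so store it
        # encrypted and treat it like a long-lived credential.
        return "granted", q["code"][0]
    return "incomplete", None
```

A user who closes the dialog never reaches the callback, so the absence of any redirect, rather than a denied result, is the only signal you get for that case.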

How would I test the Publish_permissions using facebook on an unsubmitted app?

Hello everyone, I am using the Prime31 Facebook plugin for the Unity 3D engine and I am running into an issue testing out the ability for our users to post a message containing their score onto their Facebook wall.
I believe the issue is related to needing to add a publish permission to my app, yet I can't test this feature because I believe I have to have that permission approved to utilize it in my app.
I also noticed that the approval process calls for explaining your usage of said permission and submitting your app with what I imagine would be a form of implementation.
So I guess my confusion has to do with the general process of having my publish permissions approved and whether or not I can make use of the publish permissions in my not-approved app for testing, at the very least.
You should always be able to test your permissions with the admin/test/developer users of the specific app.
Have a look at https://developers.facebook.com/docs/apps/review/login#do-you-need-review which is stating that
...your app's developers will be able to see, and grant, any permission without requiring review by Facebook.
Note: People who are listed in your app's Roles tab will have access to extended permissions without going through review (e.g. publish_actions or manage_pages). For example, if you use the Facebook Plugin for Wordpress to publish your blog posts to your Facebook Page or Profile, you do not need to submit for review so long as all your publishers are listed in your app's Roles tab.
Also, if you're the developer of an app and are the only person using it, then your app doesn't need to go through review. Since you're the developer, all app capabilities should be available. You will still need to take your app out of developer mode, but you should be able to do that without going through review.