[Users] OAUTH2 Authorisation Status

[Bernard Moreton]

On the second screenshot you posted, David, there is  an initial warning, "Because you're using one or more sensitive scopes your app registration requires verification ..."

Does anyone know what those 'sensitive scopes' are?  
And has anyone gone through this gate of 'in production' status recently - and had to (or not had to!) go through a verification process?


On Sat, 02 Apr 2022 12:01:24 +0000
"David Fletcher" <David at megapico.co.uk> wrote:

> >Bernard Moreton <bernard.moreton at gmail.com> wrote:
> >
> >> Has anyone managed to get a successful (ie. stable) Production
> >> publishing status? Changing codes every 7 days is not sustainable;
> >> nor is every 30 days. Google used to have a refresh code, which
> >> presumably would need activating on request;  but that seems to have
> >> dropped out of the picture ... ?
> >>
> >You have misunderstod the problem here. You do not need to change your
> >password every 7 or 30 days. What you are required to do is make a new
> >login at the identity provider to get a new token. The token is the one
> >that needs to be changed and not the password. How often you need to
> >change the token is solely up to the identity provider.
> >
> 
> I'm not getting this re-authorisation every 7 days thing with Google.
> They are still giving the refresh tokens. The access tokens only last 1
> hour, so to get to 7 days there must be a refresh token. Are you seeing
> things like this in the Network Log:
> 
> * OAUTH2 obtaining access token using refresh token
> * OAUTH2 access token obtained
> 
> I've attached 3 screenshots showing how my Claws Mail ClientID is
> registered at Google - maybe there's some differences here from how
> others have done this? Or maybe Google has changed how newly registered
> ClientIDs are granted (I'm using one that's been registered since
> 2020)?
> 
> Mine is set to "Production" status - but retains the not-verified
> warnings. I hope this helps,
> 
> David.