[Users] OAUTH2 Authorisation Status

Dustin Miller dustbiz at gmail.com
Sun Apr 3 15:35:37 UTC 2022


On Sun, 3 Apr 2022 10:19:13 +0100
Bernard Moreton <bernard.moreton at gmail.com> wrote:

> On the second screenshot you posted, David, there is an initial
> warning, "Because you're using one or more sensitive scopes your app
> registration requires verification ..."
> 
> Does anyone know what those 'sensitive scopes' are?  
> 
DM: I'm guessing this refers to the 'Gmail API' restricted scope
(perhaps these scopes are a subset of sensitive scopes?). In any case,
what is needed for this setup to work almost certainly requires the
verification process before Google will put their 'stamp of approval'
on it. But my guess is that their approval is not needed for it to be
actually usable -- you'll just get all the warnings everywhere about it
being unverified, potentially dangerous, untrustworthy, etc. :)
---Dustin
> 
> And has anyone gone through this gate of 'in production' status
> recently - and had to (or not had to!) go through a verification
> process?
> 
DM: I doubt it, but I could be wrong. ---Dustin
> 
> 
> On Sat, 02 Apr 2022 12:01:24 +0000
> "David Fletcher" <David at megapico.co.uk> wrote:
> 
> > >Bernard Moreton <bernard.moreton at gmail.com> wrote:
> > >  
> > >> Has anyone managed to get a successful (ie. stable) Production
> > >> publishing status? Changing codes every 7 days is not
> > >> sustainable; nor is every 30 days. Google used to have a refresh
> > >> code, which presumably would need activating on request;  but
> > >> that seems to have dropped out of the picture ... ?
> > >>  
> > >You have misunderstood the problem here. You do not need to change
> > >your password every 7 or 30 days. What you are required to do is
> > >make a new login at the identity provider to get a new token. The
> > >token is the one that needs to be changed and not the password.
> > >How often you need to change the token is solely up to the
> > >identity provider.
> > >  
> > 
> > I'm not getting this re-authorisation every 7 days thing with
> > Google. They are still giving the refresh tokens. The access tokens
> > only last 1 hour, so to get to 7 days there must be a refresh
> > token. Are you seeing things like this in the Network Log:
> > 
> > * OAUTH2 obtaining access token using refresh token
> > * OAUTH2 access token obtained
> > 
> > I've attached 3 screenshots showing how my Claws Mail ClientID is
> > registered at Google - maybe there's some differences here from how
> > others have done this? Or maybe Google has changed how newly
> > registered ClientIDs are granted (I'm using one that's been
> > registered since 2020)?
> > 
> > Mine is set to "Production" status - but retains the not-verified
> > warnings. I hope this helps,
> > 
> > David.  
> _______________________________________________
> Users mailing list
> Users at lists.claws-mail.org
> https://lists.claws-mail.org/cgi-bin/mailman/listinfo/users
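
The refresh step discussed in this thread, as an added example that is not part of any poster's message and is not Claws Mail's code: it builds the RFC 6749 refresh-token request and classifies the token endpoint's reply, separating a routine access-token renewal from an `invalid_grant` reply that requires a new interactive login. The function names, placeholder credentials and sample replies are constructed for illustration; the endpoint URL assumes Google's token endpoint.

```python
import json
from urllib.parse import urlencode

# Assumption: Google's token endpoint; other identity providers use their own.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"

def build_refresh_request(client_id, refresh_token, client_secret=None):
    """Form body for the RFC 6749 section 6 refresh grant (POSTed to TOKEN_ENDPOINT)."""
    fields = {"grant_type": "refresh_token",
              "refresh_token": refresh_token,
              "client_id": client_id}
    if client_secret:
        fields["client_secret"] = client_secret
    return urlencode(fields)

def handle_token_response(status, body, stored_refresh_token, now):
    """Classify a token-endpoint reply into what the mail client must do next."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return {"action": "retry", "reason": "unparseable response"}
    if status == 200 and "access_token" in data:
        return {
            "action": "continue",
            "access_token": data["access_token"],
            # Access tokens are short-lived; renew shortly before expiry.
            "refresh_at": now + int(data.get("expires_in", 3600)) - 60,
            # The server may rotate the refresh token; otherwise keep the old one.
            "refresh_token": data.get("refresh_token", stored_refresh_token),
        }
    if data.get("error") == "invalid_grant":
        # Refresh token expired or revoked: only a new interactive login helps.
        return {"action": "reauthorise", "reason": data.get("error_description", "")}
    return {"action": "retry", "reason": data.get("error", f"HTTP {status}")}

# Constructed sample replies (not captured from any real account).
OK_REPLY = '{"access_token": "ya29.EXAMPLE", "expires_in": 3599, "token_type": "Bearer"}'
EXPIRED_REPLY = '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'

if __name__ == "__main__":
    print(build_refresh_request("CLIENT_ID_PLACEHOLDER", "1//REFRESH_PLACEHOLDER"))
    print(handle_token_response(200, OK_REPLY, "1//REFRESH_PLACEHOLDER", now=0))
    print(handle_token_response(400, EXPIRED_REPLY, "1//REFRESH_PLACEHOLDER", now=0))
```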


