Google App Verification for Auth0 Enterprise Connections

Yesterday we set up a new Enterprise SSO connection for one of our customers that uses “Google Apps for Work” as their IdP. This was done by going to our dashboard and performing the following steps:

  1. Click Connections > Enterprise
  2. Click ‘+’ next to Google Apps to create a new connection
  3. Enter the customer’s domain for home-realm discovery.
  4. Give the resultant link to the IT administrator for our customer
  5. Wait until the administrator clicks the link and allows access for our app.
  6. Enable our client for that connection.

Unfortunately, what appeared when the IT administrator clicked the link in step (5) and entered his credentials was the following screen:

![App isn’t verified][1]

We were able to continue on because he trusts us, but that trust certainly took a hit as we attempted to get his users signed up to our web service because we didn’t have a good answer to why this screen appeared. Now we want to get verified in order to prevent our next customer from having to go through this experience.

After a little bit of searching, we found this blog post that explained this is a heightened piece of security Google put in place as a result of a Google Apps phishing attack earlier this year. We have no qualms with Google’s desire to keep its users safe, so we filled in the requirements from this help page, and then filled in this form to begin the process.

We filled it in stating we needed the following scopes from “Google Sign-In” listed here:

  • profile
  • email
  • openid

Today, we got the following email back from Google stating we don’t need to be verified:
![Verification Not Needed][2]

So given the above, we’re confused. How are we supposed to verify a Google Apps for Work connection with Auth0 for our customers? Our current thought process is that we have the scopes wrong and we should repeat the verification process, but we don’t know which scopes to specify. The tutorial for Google Apps for Work doesn’t reference this workflow. Is it outdated? incomplete? something else? bueller?

The scopes will vary depending on the configuration of the connection. Google Apps connections created from the Dashboard are created based on the previous configuration template you created (the screen where you provide your Google application client identifier and secret).

If you selected more than what’s required then you’ll be asking for more scopes. For example, if you enabled the Enable Users API toggle then your application will be asking for the https://www.googleapis.com/auth/admin.directory.user.readonly scope; if you also enabled the Groups then it will also request https://www.googleapis.com/auth/admin.directory.group.readonly.

If your application does not need to perform calls associated with those scopes then the simplest approach would be to not enable them; this would probably mean that you would not even need to go through the verification process for now, as the minimum required scopes seem to be granted.

Keep in mind that, the way the configuration is done, the changes will affect all Google Apps connections.

Thanks for the response, @jmangelo.

We were including the “Enable Users API” toggle because we foresee our application utilizing it sometime in the future. When we disabled asking for the “Enable Users API” permission in the connection, we were no longer met with the “This app is unverified” screen when testing the connection. We’ll go through Google verification with the scope you referenced.

Now I have two questions:

  1. How can we figure out which dashboard toggle maps to which Google scope?
  2. Is the Auth0 documentation going to be updated to reflect this new verification workflow?
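As an added example (not code from the thread or from Auth0), one way to answer the first question without guessing which toggle does what: capture the URL Auth0 redirects the browser to when you test the connection, and compare its `scope` parameter against the minimal sign-in set the poster was told needs no verification. The toggle-to-scope mapping is the one stated in the answer above, and the sample authorization URL is constructed.

```python
from urllib.parse import urlparse, parse_qs

# Scopes Google told the original poster do not require app verification (from the thread).
BASELINE_SCOPES = {"openid", "email", "profile"}

# Dashboard toggle -> Google scope, as stated in the answer above.
# Assumption: toggle names match the Auth0 dashboard at the time of the thread.
TOGGLE_SCOPES = {
    "Enable Users API": "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "Groups": "https://www.googleapis.com/auth/admin.directory.group.readonly",
}

def requested_scopes(authorize_url: str) -> set:
    """Return the set of scopes in a Google authorization request URL.

    Google separates scopes with spaces; parse_qs percent-decodes the value,
    so both '+' and '%20' become a space before splitting.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = query.get("scope", [""])[0]
    return {s for s in raw.split() if s}

def excess_scopes(authorize_url: str) -> set:
    """Scopes beyond minimal sign-in; these are what trigger the unverified-app screen."""
    return requested_scopes(authorize_url) - BASELINE_SCOPES

def toggles_to_disable(authorize_url: str) -> list:
    """Dashboard toggles (per the mapping above) responsible for each excess scope."""
    extra = excess_scopes(authorize_url)
    return sorted(name for name, scope in TOGGLE_SCOPES.items() if scope in extra)

# Constructed sample: the kind of URL the browser is sent to when testing the connection.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/auth?response_type=code"
    "&client_id=EXAMPLE_CLIENT_ID"
    "&redirect_uri=https%3A%2F%2Fexample-tenant.auth0.com%2Flogin%2Fcallback"
    "&scope=openid+email+profile"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadmin.directory.user.readonly"
    "&hd=example.com"
)

if __name__ == "__main__":
    print("requested:", sorted(requested_scopes(SAMPLE_URL)))
    print("beyond minimal sign-in:", sorted(excess_scopes(SAMPLE_URL)))
    print("toggles to disable:", toggles_to_disable(SAMPLE_URL))
```

Re-run the check after changing a toggle: when the excess set is empty, the connection is requesting only what Google said needs no verification.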