Auth0 Home Blog Docs

Security assessment for google connection

Dear Auth0,

we have received a Security Assessment from Google where we have to store all the user data on google server otherwise we have to undergo a security assessment.

I’m sure other users of Auth0 have also been asked to reapply for verification and since they use Auth0 Google requires them to undergo a security assessment. Using Auth0 is considered sharing personal data with 3rd party by Google.

Do you have any support for the verification process that will help avoid the need to undergo the security assessment?

Best regards,
Anže

Hey there @amatelic93!

Thanks a lot for reporting that! Would you be able to share the screenshot or the whole text of that message from Google getting rid of any sensitive data? It’s the first time someone reported such a thing and I would like to pass it to appropriate team to take care of that!

Here is the email:

Dear Developer,
Thank you for your response and patience.

It is critical that 3rd-party apps handling Gmail data meet minimum security standards to minimize the risk of data breach. We require apps that store data on non-Google servers to demonstrate a minimum level of capability in handling data securely and deleting user data upon user request.

Since your OAuth callback URL indicates that data access is not restricted to users’ devices and not managed by Google, you will need to go through a security assessment for your app.

Applications accessing restricted scopes must demonstrate that they adhere to certain security practices. These applications must pass an annual security assessment and obtain a Letter of Assessment from a Google-designated 3rd party.

When Security Assessment is Not Required

The following scenarios do not require a security assessment.

Local Data Storage: If you don’t want to go through a security assessment, you will need to change your server storage to local storage only. Local client applications do not need to undergo a security assessment because data is run, stored, and processed only on the user’s device (such as a computer, mobile phone, or tablet).

As an example, apps such as Deseat.me have migrated from server storage to local web-client storage, and as a result a security assessment is no longer required for this app. It also increases the level of trust users may have with this app.

Fewer than 100 Users: If your app is intended for a small audience and your users are in direct interaction with you, your app will be granted access for up to 100 users with an unverified app screen.

Users are Enterprise Accounts: If your app will be used exclusively by G Suite accounts, your app can be enabled via domain install or whitelisting by a G Suite domain administrator. Your app can also be listed on the G Suite Marketplace. Keep in mind that many enterprises value a third-party security assessment and a completed assessment for the Restricted Scopes verification will provide a “Security Assessment” badge in your Marketplace listing.

No Restricted Scope(s) Requested: You can update your project so that it does not request any restricted scopes, thereby avoiding the security assessment requirement.

Update Scope Type: Upon further review of your request, we noticed that you have selected the following scope in the OAuth Google Cloud Console, which is causing your application to require a security assessment: https://www.googleapis.com/auth/script.external_request

Below are steps to remove this scope so that you do not need to go through a security assessment:

Sign-in to the Google Cloud Console

Select the project-id ##########

Go to Credentials on the OAuth Consent Screen

Go to Scopes for Google APIs and delete the scope: https://www.googleapis.com/auth/script.external_request

Security Assessment Assessors

Our 3rd party security assessment assessors, Leviathan Security and Bishop Fox, have been extensively qualified and trained to ensure consistent and high-quality assessments. We are closely monitoring the needs of the program and will add additional assessors when necessary.

Cost

Depending on the scope and complexity of your app, the cost for the 3rd party assessment may vary from $15,000 to $75,000. Smaller apps will be on the lower end while more complex apps will require more review and expense.

Existing assessments that meet the security assessment program standards may reduce the scope and cost of your review. These will be considered by the assessors.

For more information, review the FAQ for Restricted Scopes App Verification and the Google API User Data Policy. If you have additional questions, respond to this email

Thank you a lot for sharing that! Let me relay it to appropriate team and see what they have to share!

Hi Anže,

Google’s request seems to be caused because your application accesses Gmail data, and specifically uses the https://www.googleapis.com/auth/script.external_request scope.

Auth0 is not requesting that scope or any other gmail scopes unless you ask for that. Please verify if your application actually need those. If you do request restricted scopes, then your application will need to go through the security review.

More info here:


https://support.google.com/cloud/answer/9110914?hl=en

I hope it helps,

Andres

1 Like

Thank you for the fast response. I will verify it.

1 Like

We’re here for you! Let us know if you have further questions!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.