Example of an OAuth Homepage for Google

Solution 1:

I've been back and forth with google over this issue. I can't give a simple answer, but I can summarize the items I've changed in order to meet compliance.

For context, I'm just using oauth on my personal webpage to identify users. I'm not selling an app. I'm not using restricted scopes. I'm not touching any user data.

This should be the simplest case, yet it was difficult to get approval. Each rejection reply is in the style of a form letter. I conclude that an AI has been trained against a set of compliant pages, and it "feels" mine isn't compliant, i.e. it's not able to point to a specific violation like a human or a rule-based system would. For this reason, I advise against spending time in your email replies. It doesn't seem that anyone reads them; just change your content and reply to get the AI to look again.

In the google console you must provide:

  • a homepage url
  • a privacy policy url
  • an uploaded icon image file

If you're using oauth for a website, don't confuse the oauth console "homepage url" with the base url of your website. Google wants a "homepage" that says "what your app is".

The content served at the homepage must have a [link rel="shortcut icon"] whose href points to the identical bytes of the icon you uploaded in the oauth console. If the bytes differ because you're using a scaled or differently styled image, you'll be rejected.

The content served at the homepage must have a privacy policy link where the href is identical to the characters entered at the console. If they're the same page, but differ by an anchor for example, you'll be rejected.

Also watch for caching. I changed the contents of my [link rel="shortcut icon"/] and got a reply that seemed to accept the icon but complain about another issue. Then when I fixed the other issue they rejected me for the icon again. I think since I changed the uploaded icon but didn't change its name, they later saw a cached icon. I changed just the url (thus invalidating their cache) and the next reply didn't complain about the icon.

If you're not using restricted scopes you shouldn't need the limited use disclosure, but I got a complaint about that so I added it.

Here's what I'm using for both the homepage and the privacy policy: https://holtstrom.com/michael/about/

Here's how that looked at the time of this posting when it was finally approved.


You'll see that I have all of the google requirements rendered in underline followed by the text that satisfies the requirement.

In case it helps, here's the replies I received from Google:

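The two byte-exact and character-exact rules described in this answer (icon bytes identical to the uploaded file, privacy link href identical to the console entry) as an added offline self-check in Python; this is example code, not from the answer's author, and the HTML, icon bytes, example.com URLs and `fetch` stub are constructed placeholders:

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

class _LinkCollector(HTMLParser):
    """Collect hrefs of <link rel="... icon ..."> and <a> elements."""
    def __init__(self):
        super().__init__()
        self.icon_hrefs, self.anchor_hrefs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if a.get("href") is None:
            return
        if tag == "link" and "icon" in (a.get("rel") or "").lower().split():
            self.icon_hrefs.append(a["href"])
        elif tag == "a":
            self.anchor_hrefs.append(a["href"])

def check_consent_homepage(html, page_url, uploaded_icon, console_privacy_url, fetch):
    """Return {"icon": ..., "privacy": ...}, each "ok" or the reason it would be rejected.
    fetch(url) -> bytes is injected so the check can run offline against a stub."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = {}
    if not parser.icon_hrefs:
        findings["icon"] = 'missing <link rel="shortcut icon">'
    else:  # compare served bytes, not the file name: a scaled or restyled copy fails
        served = fetch(urljoin(page_url, parser.icon_hrefs[0]))
        same = hashlib.sha256(served).digest() == hashlib.sha256(uploaded_icon).digest()
        findings["icon"] = "ok" if same else "served icon bytes differ from the uploaded icon"
    if console_privacy_url in parser.anchor_hrefs:  # character-for-character match
        findings["privacy"] = "ok"
    elif any(urldefrag(h).url == console_privacy_url for h in parser.anchor_hrefs):
        findings["privacy"] = "privacy link differs from the console URL only by an anchor"
    else:
        findings["privacy"] = "no link whose href equals the console privacy policy URL"
    return findings

# Constructed sample (not from the answer): the privacy link has a fragment the console URL lacks.
UPLOADED_ICON = b"\x00\x00\x01\x00constructed-icon-bytes"
SAMPLE_HTML = """<html><head><link rel="shortcut icon" href="/favicon-v2.ico"></head>
<body><a href="https://example.com/about/#privacy">Privacy Policy</a></body></html>"""

def _stub_fetch(url):  # stand-in for HTTP GET: exact bytes for one path, a "scaled" copy otherwise
    return UPLOADED_ICON if url.endswith("/favicon-v2.ico") else UPLOADED_ICON[:8]

def run_sample():
    return check_consent_homepage(SAMPLE_HTML, "https://example.com/about/",
                                  UPLOADED_ICON, "https://example.com/about/", _stub_fetch)
```

Against a live site, replace `_stub_fetch` with a real HTTP GET of the icon URL and pass the exact bytes of the file you uploaded in the console.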

Solution 2:

Google OAuth Consent Screen Verification:

@Michael Holtstrom's answer works perfectly, and I got my app approved on just the 2nd attempt.

But since there is no information available anywhere on the internet regarding this, I am posting my answer with all the screenshots, only to support @Michael Holtstrom's answer, so that you can move ahead with more confidence.

I was really worried for 3-4 days about whether my app would get approved or not, because this was the last part left in my project.

I was also using Google OAuth only to get email, name and profile picture.

My app could have got approved in the first attempt, but the first time I submitted, the homepage had text selection disabled (because I built it using Flutter Web, on which text selection is disabled by default).

So, I think Google's AI was unable to read the text on the homepage, and thus asked me to update the homepage.

Next time, I built it using WordPress, and then my app got approved.

(And by the way, I'm using the Chrome extension Dark Reader, which is why all the screenshots have dark mode enabled.)

YouTube video URL:

https://youtu.be/lzq9WjCXT6c

Consent screen form on GCP Console


Google OAuth Homepage

https://www.madhavkumar.in/about/

Privacy Policy

https://www.madhavkumar.in/privacy-policy/

Email thread with Google Trust Team
