Google

Application verification

In 2020, Google introduced Application verification for apps that use Google APIs to access Google users’ data. This makes it impossible to use the Appmixer Google modules in production without going through the verification process. The verification process has to be done by you.

Most of the Google modules need what Google marks as Sensitive or Restricted Scope in order to work. For example, the Gmail module needs https://www.googleapis.com/auth/gmail.compose scope to create a new email and https://www.googleapis.com/auth/gmail.readonly to get new emails.

Originally, the Gmail module was the only one affected by this new Google policy. But new scopes are being marked as restricted. Later, Google shut down the older Spreadsheets API, and with the new API, the only way to get a list of a user's Spreadsheets is to use the Drive API and the restricted scope https://www.googleapis.com/auth/drive.metadata.readonly.

The last (up to now) module affected by this policy is the Drive module.

Register OAuth2 app

Go to the Google developer console at https://console.developers.google.com/ and create a new project.

When the project is created, add some APIs.

Add the Gmail API.

The Google Sheets API.

The Google Drive API.

The Google Calendar API.

The Analytics API.

The next step is the OAuth consent screen.

User Type - Internal vs External. The Internal user type allows you to use the Google modules without the app verification process mentioned at the beginning of this page. However, the modules will work only for accounts within your organization.

We are going to choose External for the purpose of this tutorial.

On the next page, leave the scopes empty.

You can add test users, but you can do this later. Only users added as test users will be able to authenticate!

Here is the OAuth consent screen configured. The app is in testing mode and it is external (for users outside your organization). No more than 100 accounts (user cap) can be used with this application.

Client ID and Client Secret

We need a client ID and a client secret.

Choose the Web application type, give it a name, and add an authorized redirect URI.

For the purpose of this tutorial, we are going to use localhost:2200, which is the default port for the Appmixer API when running on localhost. If you are creating an OAuth application for your production/QA environment, use the URI of your server here instead. The suffix /auth/google/callback stays the same.

You will get your Client ID and Client Secret.

They have to be inserted into Appmixer. You can use the Backoffice to do that.

Domain verification

In order to use Google API Webhooks, you have to verify your domain ownership. More about domain verification can be found here. When Appmixer is running on your servers, you can use CNAME records to verify your domain ownership. If, however, you want to use components that use Google API Webhooks (appmixer.google.drive.NewFile, for example) in an Appmixer instance running on your localhost (typical when testing the trial or developing new components), you need something else. When running Appmixer on localhost, you usually use tools like ngrok to create a public tunnel to the Appmixer API. In order to verify ngrok domain ownership, you can use the HTML file method.

When you use a Google Webhook component without a verified domain, you will receive the Unauthorized WebHook callback channel error.

First, open the Google developer console and your Appmixer project and follow the instructions in the next picture.

Then copy and paste your ngrok URL.

Then you have to verify domain ownership.

Click 'Take me there' and then 'Add a property'.

Then download the HTML verification file.

After you download your HTML verification file, copy it into the Appmixer engine.

docker cp google52658022a92d779c.html appmixer-401_engine_1:/usr/src/appmixer/gridd/public

After that, click the 'Verify' button and that's it. You don't need to restart the Appmixer engine.

Now, you can go back to the developer console and add the ngrok domain once more.

But this time, because it's already verified, it will appear in the list of your domains.
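A pre-flight check for the HTML file step above, to run after the docker cp and before clicking 'Verify' (an added example, not part of the Appmixer documentation). It assumes the file body is the single line google-site-verification: followed by the file name and that the token in the name is lowercase hex, as in the file name shown above; the function names and the tunnel URL are hypothetical.

```sh
#!/bin/sh
# Added example: checks for the HTML-file domain verification step.

# check_verification_file FILE
# Succeeds only if FILE looks like an unmodified verification file:
# named google<hex>.html with the body "google-site-verification: <name>".
# Assumption: the token is lowercase hex, as in the file name on this page.
check_verification_file() {
    file=$1
    name=$(basename "$file")
    case $name in
        google*.html) ;;
        *) echo "unexpected file name: $name" >&2; return 1 ;;
    esac
    token=${name#google}
    token=${token%.html}
    case $token in
        ''|*[!0-9a-f]*) echo "unexpected token in: $name" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "not a regular file: $file" >&2; return 1; }
    # Ignore line endings; everything else must match exactly.
    body=$(tr -d '\r\n' < "$file")
    [ "$body" = "google-site-verification: $name" ] || {
        echo "body does not match file name: $name" >&2
        return 1
    }
}

# check_served BASE_URL FILE
# Fetches FILE's name from BASE_URL (the public tunnel) and compares the
# response byte for byte with the local copy. A failed request yields
# empty input, so the comparison fails as well.
check_served() {
    base=${1%/}
    curl -fsS --max-time 10 "$base/$(basename "$2")" | cmp -s - "$2"
}

# Usage (hypothetical tunnel URL; file name is the one from this page):
#   check_verification_file google52658022a92d779c.html &&
#   check_served https://example.ngrok.io google52658022a92d779c.html &&
#   echo "ready to click Verify"
```

If check_served fails while the local check passes, the tunnel is returning something other than the file that was copied into the engine's public directory, and the 'Verify' step would fail for the same reason.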
