I received the following email from Google a few days ago:

Hi Google API Developer,

We sent this email because you’re listed as a contact on the following Google Cloud Project(s) using OAuth 2.0 to access Google APIs:

project-id-3463066175101762414

In October 2018, we announced that, in January 2019, new Gmail API policies for restricted scopes will go into effect. We want to let you know that, starting today, you can submit your app(s) that use restricted scopes for verification. Please review the full policy and OAuth FAQ for more information including the secure handling requirement.

What you need to do

If you want to use one of the restricted scopes, for verification through the Google API Console (On the left side menu click Credentials, then click OAuth consent screen) between January 16th and February 15th, 2019 for the project(s) listed above. Owners and editors of the project will be able to submit for verification and developers with internal apps for users in the same G Suite domain do not need to do this.

If you do not take action

If you do not submit for verification by February 15th, 2019, we’ll disable account access for new users on February 22nd, 2019.

If you do not submit for verification by March 31st, 2019, we’ll revoke existing consumer grants.

Thanks, Google Cloud Platform/API Trust & Safety

© 2019 Google LLC. 1600 Amphitheatre Parkway, Mountain View, CA 94043

We sent this message to alert you to important upcoming changes to Google Apps platforms.

When I open my Google Developers console or Cloud Platform console, I have three applications, with the following IDs:

  • project-id-8803985029671799189
  • t-science-139806
  • asc-database

One of those strings matches the format of the project-id string, but it is clearly not the same project-id. In the Cloud Platform console I also get a "project number" for each one, but none of those match the number following the project-id from the email.

I've tried searching for the project-id from the email in the Developers console, the Google Cloud Platform console, and also in a general Google search, but none show any results.

  1. Can anyone tell me how I can find the project they are referring to? I tried the suggestion in this answer with "name" set to "projects/project-id-3463066175101762414" and I get no results. With "name" set to "projects/asc-database" it shows me two results but with nothing to indicate that either app is the one from my organisation, nor any numbers matching the project-id from Google's email.

  2. Can anyone explain what they mean in the "if you do not take action" section? Do they mean they will disable account access (e.g. access to Gmail) for new users across my organisation? Or do they just mean they will revoke access to this app which I can't find or identify? The Enforcement section of the API Services Data Policy implies something like the former, which is rather punitive given that I don't seem to have any way to access or identify the offending app. Conversely, the "What happens if I don't publish my app for review?" section of the OAuth FAQ indicates a much less catastrophic result.

  3. Two of the projects which I do see in my Console (asc-database and project-id-8803985029671799189) did have sensitive scopes. Does anyone know why these two projects were not included in the email from Google?

Other information:

I have also observed this question on Stack Overflow, and despite my organisation having G Suite accounts, I do not have the choice of making my apps "Internal" or "Public".

I also saw this page about the OAuth grants to new apps report which I thought might provide some relevant information. I don't know whether it would have or not, because as far as I can tell the report doesn't exist. The "security->dashboard" link described in that page does not exist, and searching for the report name in the Google Admin console does not bring up anything helpful.

Everyone else in my organisation who has access to the developer console is aware of this issue and is also mystified, so I am confident that the app has not been deleted since the email was sent.

Our CEO received a similar email with two project-ids listed. One was the same ID as in my email, the other is different and also doesn't match anything I (or anyone else in our organisation) can see in the Google developer/cloud consoles.

Any help would be appreciated.
