Passbolt server homepage

Hello everyone, I have set up SSO using Google and submitted my project to the verification process to remove the warning on the consent page.
The Google team has responded that one requirement is to have a login-free home page where users can see information about the project. This is exactly what they describe:

It appears that the submitted Homepage URL: https://domain.passbolt.tld is a Log-in and/or Sign-in page, which restricts public access to your app’s information and intent.

To proceed with the verification process for your project, you will need to provide a homepage that accurately represents your app’s identity to Google users. Every OAuth2 project requires a homepage.

Homepage Requirements:

To ensure users’ understanding of your app’s purpose, your homepage should:

  • Be a verified domain under your ownership
  • Be accurate, inclusive, and easily accessible to all users
  • Link to an externally & publicly accessible domain that describes the necessary content, context, or connection to the app you are submitting
  • Explain with transparency the purpose for which your application requests user data
  • Contain or link to a privacy policy that thoroughly discloses the manner in which your app accesses, uses, stores, or shares Google users’ data (Please review the Limited Use Requirements for more information and guidance)

Homepage links should NOT lead to:

  • Third party hosting platform where you cannot verify ownership of your specific subdomain (i.e. Google Play Store, Facebook, Instagram, Twitter)
  • Log-in or Sign-in pages (Placing sign-in restrictions on the homepage is only allowed for internal apps, which are not subject to the verification process. For more information, see How can I mark my app as Internal-only so it does not require verification?).
  • A test URL.

Do you think it would be interesting to add a home page as described to Passbolt to improve it and provide information to users?
For example, the steps to register or log in (such as downloading the extension and saving the recovery kit…) so that users are informed when they carry out the process and avoid future problems such as not saving the recovery kit because they are unaware of its use. This could be just links to the official documentation in order to keep it updated.
There could also be a link in the footer to the privacy policy and terms of service used in the app.

1 Like

Hello @Termindiego25,

I believe you are using the wrong procedure for setting up your SSO service. In the “OAuth consent screen” you should choose “Internal” and not “External”. Review is not needed for internal services.

1 Like

Hi @remy, thanks for responding.
I know about internal, but this allows only users from the same @organization.com to log in and since I don’t have a Google workspace, it doesn’t allow me to choose internal or external.

By the way, there could be a use case for using different @organization.com accounts (for example, a company that shares its platform passwords with its clients) or using different Chrome profiles that separate workspaces (such as personal, work, university…) that have emails from different organizations, so they should be able to use external emails, which is what the consent page settings have checked by default without allowing you to choose without a Google Workspace subscription.

With this in mind, would it be interesting to have a home page on Passbolt? I think something basic between the user’s access to the Passbolt server and the login page should be enough.

1 Like

I see. Yeah then in that case it would make sense to have a mode where instead of having a redirection on / to /auth/login you have a home page which explains what passbolt is, etc.

I think we would also need an admin section to allow customizing the privacy policy link to link to an internal page, since currently this goes to passbolt.com by default and that is not “correct”. One can do this via environment variables at the moment, but nobody does AFAIK.

2 Likes

Yes, it would be useful to have an admin section to modify the privacy policy and terms of use.
Maybe it could let you choose to paste the text and render it in a template similar to the pages on the Passbolt server, or paste a URL of an already created page.

2 Likes

So do you know if we can add it to the roadmap?
How long would it take to do it?

It would be nice to create a feature request using the template so that people can vote on it.
Currently we have a lot already on our plate (generic SSO connector, password expiry, suspended user, totp, postgresql in installer), most likely we could start Q1 at the earliest unless “someone” does it on “its free time” :wink:

2 Likes

I tried to explain it as well and as completely as I could:

If you have any suggestions, you are invited to share them.

1 Like