How to verify your application for use with OAuth 2
Due to recent changes to how Gmail handles authentication via OAuth2, applications requesting access to a Gmail account must be verified.
Applications only need to be verified if they’re using certain scopes, such as the scope Context.IO requires in order to access IMAP, which is the highest level of scope available.
The error an end-user may see when attempting to grant access to your application via OAuth2 is “This app hasn’t been verified by Google yet. Only proceed if you know and trust the developer.”
This does NOT mean context.io is unsafe.
The error is a bit misleading.
When you see the link “Go to context.io”, the UI is guessing the name of the application based on the Redirect URL detected when making the OAuth2 request, not based on the name of your actual application.
If you are handling your own OAuth, then the redirect URL will be on your own domain, and the name of the application appears correctly as the name of your app.
If you are using our connect tokens, the redirect URL will be “api.context.io”, and therefore, “context.io” appears as the name of the app making the request, when in fact it is your application.
We blogged about this previously here.
This means you have a couple of options:
If you are handling your own OAuth and seeing this error, you will need to follow the instructions here in order to get your application verified with Google.
If you are using our connect tokens, you can follow the instructions to get verified by Google here, or delete your custom Gmail API key and secret from your Context.IO developer account. Subsequent OAuth requests will use Context.IO’s Gmail API key and secret, which are already verified.
We have a handy Verification process Q&A below, so you can understand the questions asked of you during the verification process as they relate to Context.IO.