google-chrome-extension google-oauth

Consent required to use OAuth for Chrome extension?


I'm updating a Chrome extension I've written to make use of Google Drive API. It does not require any sensitive scopes; it will use the ..auth/drive.file scope. I've followed the tutorial for OAuth2 authentication for extensions:

https://developer.chrome.com/extensions/tut_oauth

and a few other web resources to get it working in local development. One thing that is not discussed in the tutorial is the OAuth consent screen on the Google APIs console (https://console.developers.google.com/apis). I want the extension to be publicly available, not restricted to my organization. Do I need to obtain verification from Google in order to do this, even if not making use of sensitive scopes? Do I need to follow all the steps included here:

https://developers.google.com/apps-script/guides/client-verification

including creating a website? I don't actually know what app-scripts are; I just found this page by googling for oauth verification.

For what it's worth, on the edit form of the OAuth consent screen of the Google API console, there's a Submit for verification button. It is disabled. The tooltip says "Your changes don't require verification". So maybe all is good, as is, without the need to do anything more?


Solution

  • You only need to submit your application for review by Google if you use sensitive scopes. I can also confirm this, as I have a number of public-facing apps that did not require verification as they do not use sensitive scopes.

    Google also makes this apparent by displaying a warning on the OAuth Consent Screen (console.developers.google.com/apis/credentials/consent?project={your-project}) only when you use a sensitive scope.