Yesterday a question popped up on Stack Overflow. Like I normally do with questions on Stack that I feel confident enough in, I answered it and moved on. However, something about it just stuck in my head, and over the last day I have been thinking about it. This morning the author of the question posted a comment on my answer, and I responded by turning my answer into a wall of text. Here is a link to the question in question: Create one or multiple credentials for different projects using OAuth 2.0 client IDs? I used to often turn my answers on Stack Overflow into posts on this site, but it's been a while.
So I have a Google Developer Console / TOS question / comment / concern. This question got me thinking that what he is doing may in fact be against the Google APIs Terms of Service. In the process of turning my answer into a wall of text I went through the Google APIs Terms of Service, and there wasn't really anything in there about it. So then I went over to the help for the Google Developer Console and checked the documentation there, and it outright says what he is doing is OK.
So I am here to state my case that what he is doing is wrong, and maybe we should have something in the TOS about it.
The Problem
The author of the question has created one project in the Google Developer Console and created different client credentials under that single project for each of his applications.
Why this is bad
Just for argument's sake I am going to give you three reasons why this is a bad idea. The first two I have no problem with; the last is the one I have an issue with.
Project based quotas
First off, let's talk about quota. A number of the Google APIs' quotas are project based, not client-credential based: every request made with any client credential in the project counts against the same bucket.
Example: Google Analytics, which has a maximum of 50,000 requests per project per day.
The time is 10 am, same project, two different client credentials:
- Application one requests 20,000
- Application two requests 30,000
Both application one and application two are now blocked from making requests for the rest of the day, as between them they have hit 50,000 requests.
The time is 10 am, two separate projects:
- Application one makes 30,000 requests
- Application two makes 50,000 requests
Application two is now blocked for the rest of the day, as it made 50,000 requests. Application one continues to work until it has also hit 50,000 requests.
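To make the quota arithmetic concrete, here is an added example of my own; it is not Google's code and not anything from the Stack Overflow question. It replays a constructed request log against a project-scoped daily quota, once for the shared-project layout and once for the one-project-per-app layout, and flags the clients that get refused even though they are individually under the limit. The 50,000 figure is the Analytics limit quoted above; the project IDs, client IDs and hourly request counts are made up for illustration.

```python
"""Model of a project-scoped API quota (constructed illustration, not Google code)."""
from collections import defaultdict

# Figure from the post's Google Analytics example: 50,000 requests per project per day.
DAILY_PROJECT_QUOTA = 50_000

# Constructed hourly request-count records: (hour, project_id, client_id, requests).
# Layout A: both apps use client credentials under one shared project.
SHARED_PROJECT_LOG = [
    (9,  "proj-shared", "client-app1", 20_000),
    (9,  "proj-shared", "client-app2", 30_000),
    (10, "proj-shared", "client-app1", 5_000),   # app1 keeps calling after 10 am
    (10, "proj-shared", "client-app2", 1_000),
]

# Layout B: each app has its own project, so each has its own quota bucket.
SEPARATE_PROJECTS_LOG = [
    (9,  "proj-app1", "client-app1", 30_000),
    (9,  "proj-app2", "client-app2", 50_000),
    (10, "proj-app1", "client-app1", 5_000),
    (10, "proj-app2", "client-app2", 1_000),
]


def apply_quota(records, quota=DAILY_PROJECT_QUOTA):
    """Replay records in time order, charging each request to its project's daily bucket.

    Returns (served, rejected, blocked): served/rejected map client_id -> request count,
    blocked is the set of client_ids that had at least one request refused.
    """
    used = defaultdict(int)      # project_id -> requests already charged today
    served = defaultdict(int)
    rejected = defaultdict(int)
    for _hour, project, client, n in sorted(records):
        remaining = max(quota - used[project], 0)
        accepted = min(n, remaining)          # partial acceptance once the bucket runs dry
        used[project] += accepted
        served[client] += accepted
        rejected[client] += n - accepted
    blocked = {c for c, r in rejected.items() if r > 0}
    return dict(served), dict(rejected), blocked


def starved_by_neighbours(records, quota=DAILY_PROJECT_QUOTA):
    """Clients refused requests despite being under the quota on their own.

    These are exactly the apps that would have kept working had they lived in a
    separate project; they were blocked by a neighbour sharing the same bucket.
    """
    totals = defaultdict(int)
    for _hour, _project, client, n in records:
        totals[client] += n
    _served, rejected, _blocked = apply_quota(records, quota)
    return {c for c, r in rejected.items() if r > 0 and totals[c] <= quota}


if __name__ == "__main__":
    for name, log in (("shared project", SHARED_PROJECT_LOG),
                      ("separate projects", SEPARATE_PROJECTS_LOG)):
        served, rejected, blocked = apply_quota(log)
        print(f"{name}: served={served} rejected={rejected} blocked={sorted(blocked)}")
        print(f"  starved by a neighbour: {sorted(starved_by_neighbours(log))}")
```

In the shared layout both clients end up blocked and both show up as starved, because neither exceeded 50,000 on its own; in the separate layout only application two is blocked, and it is not starved, since it genuinely used its whole allowance.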
Bans are project based
If something goes wrong and you do something Google objects to, Google has the right to block the project, so that every client credential within that project stops working. Consider this: if one of your applications has a bug in it and suddenly starts flooding Google, and they shut your project down, what then? If you have more than one application using client credentials under the same project, they are all going to be shut down together.
Misleading application name
Here is the one that has me concerned.
When we create a new project in the Google Developer Console we have to fill out a few things about said project. Now, IMO these things are application based. If I create Super Awesome Gmail App it will have a different product name, homepage, privacy policy and TOS than, say, Super Awesome Google Drive App. So this has always led me to believe that each project in the Google Developer Console should be used by only one application, containing client credentials for that app only.
Now the person in the question on Stack has been using the same project and creating client credentials for different applications. We know this is a bad idea because of the project-based quotas explained above, but it got me thinking (yeah, I know that's never a good thing).
Is he also misleading his users?
If I as a user attempt to log in to Super Awesome Gmail App and am actually shown the consent screen for Super Awesome Drive App, or vice versa, or even just a generic one for Super Awesome Apps (which is probably even worse, as the TOS would have to be too general IMO), who am I actually giving consent to access my data? Then I began to wonder: are they also misleading Google? Because of this consent screen Google thinks it's one app, when it is actually another one making the call.
So I wondered if this was actually against the rules for Google.
When I write answers on Stack Overflow I like to give concrete proof and facts. I assumed that there was some rule that said one app, one project, so I started digging. There is nothing in the TOS that says one application per project in the Developer Console. Then I checked the help for the Google Developer Console here, Manage projects in the API Console; it says:
metadata about the application or applications you're working
which could almost lead me to think that Google is saying it's OK to have a single project in the Google Developer Console for multiple applications.
Conclusion
So am I wrong in thinking that having the same consent screen for multiple applications misleads users as to who they are granting access to? Do you think it's misleading users?
I have sent an email off to a few people at Google; I will let you know if I get a response.
Follow up
This post appears to have spawned some additional feedback on the issue. Allen "Prisoner" Firstenberg has posted a comment over on Google+ about it: Software Ethics, OAuth, and Misleading Users.