Invalid Scope – 400 error
When you click ‘Add Google File’, or attempt to authorize with Google, you just see a window saying ‘400 – That’s an error. invalid_scope’:
You probably created the project using a free Google account (or free educational/non-profit G Suite) rather than a paid G Suite (Google Apps) account. That’s fine, but Google has an approval process in place to prevent phishers from setting up false projects. (Please get in touch if you didn’t use a free Gmail account, but still see this error.)
First, for testing purposes, you can ensure your own account is whitelisted so that you can try it out without formally submitting your project for approval.
Simply join the Google Group: Risky Access By Unreviewed Apps
Once you are a member of that Group, you should no longer see the invalid_scope error, and everything should work as expected. That may be sufficient for your site if only you need access to ‘Add Google File’, and you don’t have any Enterprise-style folders embedded in Drive mode (you can find this out just by seeing if users run into the invalid_scope issue).
Submitting your project for Google Approval
For all users to be able to authenticate with Google for Drive purposes, you will need to complete the following form for manual approval:
Note that you will need to resubmit your project for approval if you change URL details or the site name, such as upgrading from http to https or moving your site to a new domain, so it makes sense to ensure everything is working first, using the testing procedure outlined above.
Some pointers to help you fill in the form
Our Unverified App instructions will explain how to fill in this form.
Please get in touch if you need any assistance.
G Suite – new API whitelist controls
It is now possible for a G Suite (Google Apps) domain admin to explicitly whitelist apps so all their domain users can use them. It is also possible to manage which scopes can be granted for apps.
Details are on Google’s blog. Please note these protections are in addition to the verification process described above. You may need to both submit your project for approval and whitelist your project for your domain (if your domain defaults are too restrictive in the scopes you allow your users to grant).