March 15, 2023

How to get your Bubble App Verified for Google Social Logins (in under 2 weeks)

Setting up Google SSO in a Bubble app is very easy and there are plenty of guides on how to do it. I have a few bookmarked references I use as a checklist: https://www.azkytech.com/post/how-to-set-up-login-with-google-for-bubble-io-apps - this one is good and will get you to the point where your Bubble app is ready to be verified by Google.

There are plenty of other guides on how to create a Google SSO app and wire it into your Bubble app. It is very straightforward - once you’ve done it once or twice it is a 20-minute job.

However, this doesn’t mean your app is ready to go with Google Single Sign-On. In order to use Google SSO with public users you need to be verified - meaning you need to convince Google that you aren’t using the permissions they give you to access a user’s data for bad purposes. Those permissions are called “scopes” by Google - you need minimal scopes for SSO.

This FAQ helps you understand the whole process: https://support.google.com/cloud/answer/9110914

When you start off, Google advise it will take 6-8 weeks. I’ve completed the process in 2 weeks (with Xmas and New Year's in the middle of that process).

I did produce a video from the outset that I added in the first submission, explaining that it was a built-in feature of Bubble and that I only wanted to use the service for authentication of users. Producing a video is listed as one of the requirements, so I thought I would get ahead of the game and create one up front. In fact no one ever looked at this video (I know because I hosted it on YouTube and can see the views).

This is how Google explain it: https://support.google.com/cloud/answer/7454865

There is some obvious stuff that is just common sense - eg the agreements must be visible to users! Wow!

In practice, what I found I needed to do for a Bubble app is:

I “re-purposed” a similar product’s Privacy Policy & Terms of Service. I won’t say who they are, but you could probably guess. I went through every term and considered if it was what I wanted. I diluted down my obligations. I thought this would be good enough for a startup.

I looked carefully through Bubble’s own Privacy and Terms of Service agreements: https://bubble.io/terms

I considered commercial services to buy template agreements - there are plenty on the web - but I thought that really only achieved what I could do myself with find and replace and some common sense. Also, I wanted to read and understand what I was setting out as my obligations. But in brief: I re-purposed someone else’s as base documents and added things for a Bubble-specific app.

I must have got that mostly right, because I received this email a few days after pushing the “Submit for verification” button.

Under the Google API Service: User Data Policy, your privacy policy must follow these guidelines:

  • The privacy policy is hosted by the domain of your website.
  • The privacy policy is accessible from the app’s home page.
  • The privacy policy is visible to users.
  • The privacy policy is linked to the OAuth consent screen on the Google API Console.
  • The privacy policy and in-product privacy notifications clearly describe the way your application accesses, uses, stores, or shares Google user data.
  • The way you use Google user data is limited to what you've described in your privacy policy.
  • The privacy policy contains verified domains and accessible URL links.

I noted the bolded bits, so I:

  • Made separate links on the home page to two pages, “Terms” and “Privacy Policy” (I made these Bubble links so they could be easily crawled in case a robot was doing the verification).
  • Put these words at the top of my Privacy Policy.

I replied to the verification email saying more or less: “I’ve added these words to my policy, which you can find at these links on the homepage.”

....

We collect and use the following information to provide, improve, protect and promote our Services.

Social Logins. If you link, connect, or log in to your account with a third-party service (e.g., Google), we receive certain information, such as your email address, from that service. This information varies and is controlled by that service or as authorized by you via your privacy settings at that service.

Account information. We collect, and associate with your account, the information you provide to us when you do things such as sign up for your account, upgrade to a paid plan and set up two-factor authentication (such as your name, email address, phone number, payment info and physical address).
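To check the mechanical parts of Google's list before pushing the button (privacy policy and terms linked from the home page, hosted on your own domain, and only the minimal sign-in scopes requested), here is a small pre-submission checker. It is an added example, not code from the post, from Bubble or from Google; the home page HTML, the domain and the scope set are constructed assumptions, and the "minimal" set is the standard OpenID Connect sign-in scopes (openid, email, profile).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: the minimal scopes for "sign in with Google" are the standard
# OpenID Connect ones. Anything beyond these is what invites a stricter review.
MINIMAL_SSO_SCOPES = {"openid", "email", "profile"}


class _LinkCollector(HTMLParser):
    """Collects (link text, href) pairs from <a> tags on a page."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip().lower(), self._href))
            self._href = None


def check_policy_links(home_url, html):
    """For each policy page, report whether the home page links to it and
    whether every such link stays on the app's own domain (Google wants both)."""
    parser = _LinkCollector()
    parser.feed(html)
    site = urlparse(home_url).netloc
    findings = {}
    for label in ("privacy policy", "terms"):
        hrefs = [urljoin(home_url, h) for text, h in parser.links if label in text]
        findings[label] = {
            "linked": bool(hrefs),
            "same_domain": bool(hrefs) and all(urlparse(h).netloc == site for h in hrefs),
            "urls": hrefs,
        }
    return findings


def excess_scopes(requested):
    """Scopes beyond what sign-in needs; an empty set is what you want to see."""
    return set(requested) - MINIMAL_SSO_SCOPES


# Constructed sample: privacy policy on the app's domain, terms hosted elsewhere.
SAMPLE_HOME = "https://example-bubble-app.com/"
SAMPLE_HTML = """<html><body>
<a href="/privacy">Privacy Policy</a>
<a href="https://docs.example.net/terms">Terms</a>
</body></html>"""
```

Run `check_policy_links(SAMPLE_HOME, SAMPLE_HTML)` against the sample and the terms link is flagged as off-domain, which is exactly the kind of thing the verification email bounces.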

A few days later I was verified.

If you were trying to get verified and you wanted the scopes to be able to read someone’s Google Drive, I’m sure the process would be more stringent. But it was a lot less onerous than I expected.

I did check my Google Analytics and Clarity traffic - someone from India did go and look at my Terms page 😀