Google OAuth -- Change displayed redirect url #2925
-
When following the guide for setting up Google OAuth, a Supabase URL is shown to users upon sign-in instead of my app URL. How can you change that?
-
At the moment I don't think this can be changed. But I'm sure in the future you will be able to change this.
-
I just discovered a way around this. If you try logging in to my app (Mobbin) now, you'll see that the name displayed is our app name instead of any kind of domain name.

You can replace the domain name shown on the Google OAuth screen with the App name configured on Google Cloud > APIs and services > OAuth consent screen.

To do this, you'd need to trigger the OAuth consent screen verification process. I got it triggered by uploading a logo. After triggering the verification process, you should receive an email asking you to verify the ownership of the domains listed on your authorized domains list:

For your own domain, you'd need to go through the Google domain verification process. For domains that you do not own (e.g. Supabase or other services), you'd need to reply back to an email that you'll receive (I got it only the next day). You should reply stating that those belong to 3rd party services which you use to integrate with Google OAuth.

Note that you'll also need to provide a privacy policy and ToS link during verification.
-
Aloha, I've just successfully had my app verified. Google did not care a whit that Supabase is my third party authentication provider, and irrespective of what I said, sent back a canned response informing me I was: "in direct violation of the Google API Services: User Data Policy, which requires that projects accurately represent their identity and intent to Google and to our users when they request access to Google user data." and provided instructions to move the offending domains into another project (18 emails in total).

For those who are also on this path, this is what worked for me. I only had non-sensitive scopes selected.

When asked to confirm ownership of the domains, you will see your domain and the Supabase domain listed. Confirm ownership of your domain as they instruct, but in the OAuth Consent Screen, under Authorised Domains, ensure only your owned domains are in the list. If you see Supabase, clear the field before you click the trash button for the line item. I don't recall adding this in myself, but I cannot confirm if it was automatically added or not.

As long as Supabase is still in your Authorised redirect URIs in the OAuth 2.0 Client IDs, auth should still work as expected (confirm this once you remove the Authorised Domain line item).

Then respond advising your domains are confirmed, but that Supabase is still in the OAuth 2.0 Client IDs because they're your third party authentication provider. They don't acknowledge other than to approve or send a canned response, but it's probably worth mentioning.

Should you get past the domain ownership hurdle, the only additional step required for me was to add more detail to my privacy policy to indicate what Google OAuth info was used for.

I hope this helps others.
-
After a lot of to and fro (11 emails in total) they finally approved my project. I had to mention again and again that the Supabase link is my 3rd party OAuth provider. And my Google sign-in button was not as per their guidelines, so I had to make the change for it. Now if you log in to my app it will show you my app logo and name.
-
Going through this process now. It would be great if Supabase added a feature where we could map a domain of our own (e.g. supabase.mydomain.io) to the Supabase project domain (e.g. arbitrarychars.supabase.co) using a CNAME DNS record. This would help us avoid this messy verification process since our callback URLs would be through our own domain.
-
I just did the verification process. I explained at the beginning that Supabase is a third party backend and authentication provider. I had no questions about it, and my application was approved! Maybe the Google validation people know Supabase better now.