This article is written for Google Workspace Administrators.

Why Whitelist Foresight?

To put it simply, some modules of Foresight request access to your Gmail or Drive data or settings without being verified by Google. These modules will not function unless you explicitly add Foresight as a trusted app.

Foresight connects with your Google services via Google APIs and OAuth 2.0 protocol. OAuth 2.0 protocol has a concept called Scope. It's like a key to specific lockers. When Foresight requests Google service scopes, a consent screen is prompted to the user. Not until the user clicks Allow to grant these scopes, Foresight cannot access any data. Here is an example consent screen when Foresight requests Google API scopes.

Google's scope consent screen for Foresight
Google's scope consent screen for Foresight

Sensitive or restricted OAuth scopes (like reading your calendar events or sending emails on behalf of you) are subject to Google's scope verification process, otherwise you will see an unverified app screen below, or a rejection screen by Google.

Unverified app alert screen
Unverified app alert screen
Google rejects granting Foresight access to your restricted Google services
Google rejects granting Foresight access to your restricted Google services

While we have been through many OAuth scope verification processes by Google, we are unable to handle these restricted scopes due to an unaffordable $15,000 to $75,000 security assessment policy imposed by Google (see OAuth API Verification FAQ).

  1. https://www.googleapis.com/auth/gmail.settings.basic. In the Update vacation responder action, Foresight uses this scope to modify users' vacation reply settings in Gmail.
  2. (To be continued with product updates...)

Unless you, the Google Workspace administrator, trust Foresight for such underlying scopes, the modules would not guarantee to function.

How to Whitelist Foresight in Admin Console?

You must be a Google Workspace Administrator for this part.

First of all, it's a worth overviewing Google's official documentations, Control which third-party & internal apps access Google Workspace data.

Then follow these steps to add Foresight from your trusted app list

  1. Log into your Google Admin Console
  2. Go to Security > API Controls
  3. In the App access control section, click MANAGE THIRD-PARTY APP ACCESS
    App access control in Google Admin Console
  4. If you see Foresight is in the third-party app list, change Access from Limited to Trusted.
    Foresight in Google API Controls srcset= App Access Control">
    Change Foresight Access from Limited to Trusted
  5. Otherwise, add Foresight to the list.
    1. Click Configure new app > OAuth App Name Or Client ID.
      Configure new app in Google Admin Console srcset= API Controls > App Access Control">
    2. In the Search an app step
      1. Enter Foresight client ID. 659443922444-misph67nbs49u8e807vff0qrn3o141sq.apps.googleusercontent.com.
      2. Click Search
      3. Select Foresight.
        Search Foresight in "Configure an OAuth app"
    3. In the Select OAuth client IDs step, check the OAuth client ID and click Select.
    4. In the Configure an app step, select the Trusted: Can access all Google services option and click Configure.
      Select Trusted: Can access all Google services for Foresight
  6. Verify you have successfully trusted Foresight.
    Trusted Foresight in App Access Control
  7. Now ask your user or yourself to double verify if the warning screen has gone by adding an Update Vacation Responder action and request access permissions in Foresight.

Takeaways

Since the restricted scopes mainly associate with accesses to Gmail and Drive data, you probably don't need to whitelist Foresight if your users don't need those modules (triggers and actions). If you encountered any problems, please leave any comments below or contact support.