We have a Google Apps Script project for a Gmail add-on associated with a Google Cloud project. We have 2 OAuth clients within the Google Cloud project. The 1st is the auto-generated client to be used by the Apps Script project (the Gmail add-on). The 2nd one is the client used for the server-side integration that powers the functionality in the Gmail add-on behind the scenes on our server.
When the user installs the Gmail add-on, they need to grant permissions to the add-on (i.e. using the 1st OAuth client). They then log into their account in our product via our own auth flow in the add-on. Once the user has logged in, they grant access to our server components to access their Gmail data (i.e. using the 2nd OAuth client).
The issue is that the two Google tokens issued by the 2 OAuth clients are linked in some way.
When the user performs a log out in the Gmail add-on, it calls our API to hit https://oauth2.googleapis.com/revoke to revoke the server-side token. This successfully invalidates the server-side token which was issued by the 2nd OAuth client, but it also invalidates the token issued by the first OAuth client for the Apps Script Gmail add-on.
The only way we have been able to fix this is to split the Google Cloud project into 2 separate projects with their own OAuth client and consent screens.
Does anyone know if this behaviour is the expected one with our type of integration with Google?