For Magnus and Goliath to work, Potens needs to be able to execute Google APIs on your behalf.
To get access to Google APIs, Potens uses the Google OAuth 2.0 flow.
When you are prompted to sign in, a Google dialog is shown (Potens has no access to it). The OAuth 2.0 flow returns a token that Potens uses to access all Google APIs within scope. Potens has no access to or visibility of your password; Google passes back only an access token.
The access token expires after one hour, after which it becomes invalid. To improve the user experience and to enable Potens to execute jobs that run longer than one hour, Potens will prompt you to “Grant Offline Access”. If you do so, Potens will not prompt you to sign in every hour. Magnus will be able to run via schedule, triggers and the API. Additionally, both Magnus and Goliath will be able to execute jobs that run beyond the one-hour limit. When you grant “Offline Access”, Google issues a refresh token to Potens. The refresh token allows Potens to get a new access token every hour or so. Users can choose not to grant offline access; in that case the product will still function in interactive mode.
Potens requires authorization within the following scopes (https://developers.google.com/identity/protocols/googlescopes):
View and manage your data in Google BigQuery: This allows Potens to access BigQuery APIs on your behalf
Manage your data and permissions in Google Cloud Storage: This allows Potens to access Google Cloud Storage APIs on your behalf
View and manage your data across Google Cloud Platform services: This allows Potens to know what permissions the user has within Google projects. The Goliath and Magnus UIs will show only the features and functionality the user has access to. Additionally, this scope gives Magnus the ability to run some other Google APIs (e.g. BigQuery Data Transfer, Dataflow, Cloud Natural Language, Cloud Translation, etc.) on your behalf via the API Task.
We should also mention that users can revoke Potens' access at any time by going to the following URL: https://security.google.com/settings/security/permissions
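
The following is an added example, not Potens code: it builds the authorization request that asks for offline access and checks a granted token record against the three scopes listed above. The scope URLs are an assumed mapping from the consent-screen descriptions, and the client ID, redirect URI and token record are constructed placeholders.

```python
from urllib.parse import urlencode

# Assumption: scope URLs matching the three consent descriptions on this page.
EXPECTED_SCOPES = {
    "https://www.googleapis.com/auth/bigquery",
    "https://www.googleapis.com/auth/devstorage.full_control",
    "https://www.googleapis.com/auth/cloud-platform",
}
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def build_auth_url(client_id, redirect_uri, offline):
    """Authorization request; access_type=offline is what asks Google for a refresh token."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(EXPECTED_SCOPES)),
        "access_type": "offline" if offline else "online",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def audit_grant(tokeninfo):
    """Compare a tokeninfo-style record with the scopes this page says are requested."""
    granted = set(tokeninfo.get("scope", "").split())
    return {
        "missing": sorted(EXPECTED_SCOPES - granted),
        "unexpected": sorted(granted - EXPECTED_SCOPES),
        "offline": tokeninfo.get("access_type") == "offline",
        # The token introspection response carries expires_in as a string.
        "seconds_left": int(tokeninfo.get("expires_in", 0)),
    }


# Constructed sample record, shaped like a Google tokeninfo response.
SAMPLE_TOKENINFO = {
    "scope": "https://www.googleapis.com/auth/bigquery "
             "https://www.googleapis.com/auth/cloud-platform "
             "https://www.googleapis.com/auth/userinfo.email",
    "expires_in": "3412",
    "access_type": "offline",
}

if __name__ == "__main__":
    print(build_auth_url("example-client-id", "https://app.example/callback", True))
    print(audit_grant(SAMPLE_TOKENINFO))
```

A result with `offline` set to true means a refresh token was issued, so the grant stays usable until it is revoked at the URL above.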