For Magnus and Goliath to work Potens needs be able to execute Google APIs on your behalf.
To get access to Google APIs, Potens uses Google OAuth 2.0 flow.
When you are prompted to sign-in, a google dialog is shown (Potens has no access to that), the OAuth 2 flow will give back a token that Potens will use to access all Google APIs within scope. Potens has no access and visibility on your password. Google will just pass back an access token.
The access token has one hour expiration time, after that the token will become invalid. To improve user experience and to enable Potens to execute jobs that run beyond one hour timespan, Potens will prompt you to “Grant Offline Access”. If you do so, Potens will not prompt you to sign-in every hour. Magnus will be able to run via schedule, triggers and via API. Additionally both Magnus and Goliath will be able to execute jobs that run above the one hour limit. By granting “Offline Access”, Google will issue a refresh token to Potens. The refresh tokens allows Potens to get a new access token every hour or so. User can choose not to grant offline access - in this case product will still function in interactive mode
Potens requires authorization within the following scopes (https://developers.google.com/identity/protocols/googlescopes):
View your data in Google BigQuery: This allows Potens to access some BigQuery APIs on your behalf
For additional information and scopes, see Incremental Authorization.
We should also mention that user can revoke Potens access any time by going to the following URL: https://security.google.com/settings/security/permissions