So the issue is that sometimes users end up getting endless Authorisation Screens even after approving authorization.
This happens because of the multiple-user login sessions issue in the Google Apps script "https://issuetracker.google.com/issues/69270374" which somehow mix the account approving the authorization and executing the script.
I have tried the methods found on the issue page so far like these
https://apps.myrout.es/msii
https://sites.google.com/site/scriptsexamples/home/announcements/multiple-accounts-issue-with-google-apps-script
Most of them are relevant to Add-ons not for web apps as I don't see a possibility to compare user emails.
Gone through these questions here but none of them have any references which can be used to find a workaround for web-apps
I can't open my Web App Link on Google App Scripts when multiple Gmail accounts logged in
Google Web App Multiple Google Accounts Error
At the moment I want to determine whether the user is having multiple users logged in and ask them to log out(will provide a link to log out) and log in with a single account instead.
Is there a way to handle it?
Thanks
Related
90% of my Google Apps Script/HTMLService web app is available to anonymous users, however user must be signed in with G-Suite account in order to access the remaining 10%.
Desired behavior is that if user is already logged in to G-Suite (e.g. read Gmail from that browser), the web app recognizes the user without prompting to log in again – as if you went to Google Calendar just after reading Gmail. If user isn’t logged in yet – he needs to be prompted to log in using #my_g-suite.com account when accessing the restricted features.
My first try was two app approach: one published as “available to anyone including anonymous” and another “available to members of the my_g-suite.com”. The problem with this approach is that 2nd app only shows log in screen if browser has no google identity. If user is logged in to regular, non-g-suite gmail, strange google Driver error is shown instead of login prompt. I posted question about this a while ago, no solution.
So instead I implemented a sign-in button using this guide. Behavior I’m seeing is not what I expected:
If user is already signed in with UserOne#my_g-suite.com prior to accessing the app (e.g. looked at G-Suite email account), Session.getActiveUser() on server side returns correct user ID, however googleUser.getBasicProfile().getEmail() on client has nothing.
If user has not signed in with G-Suite ID using prior to accessing the app and then signs in using the Sign In button on web app, googleUser.getBasicProfile().getEmail() returns correct user ID, however ), Session.getActiveUser() on server side returns nothing.
If user has signs in using the button as UserTwo#my_g-suite.com, no other G-Suite app recognizes it. So if user then signs in to UserOne#my_g-suite.com and comes back to the app, Session.getActiveUser() says it’s UserOne#my_g-suite.com and googleUser.getBasicProfile().getEmail() says it’s UserTwo#my_g-suite.com. Two conflicting identities simultaneously.
How do I make sign-in into my app be 1) seamless with other G-Suite services rather than having completely separate, app-only 2nd identity and 2) restricted to #my_g-suite.com?
Following #TheMaster advice I tried this:
Created a Google Sites site "login.my_g-suite.com" which is only available to g-suite users and has a single page which says "you are logged in to g-suite"
In my web app which runs as "me" and is "available to everyone, even anonymous", I implemented a check if Session.getActiveUser() is g-suite user. If not, I do window.open("https://login.my_g-suite.com") which opens log-in screen in the new tab as expected.
After user logs in, I reload web app. And here's the sad part:
If browser hasn't been used for non-G-Suite account (like regular Gmail) - all works great. Session.getActiveUser() shows newly logged in user ID
BUT if that browser has been logged in to non-G-Suite account, Session.getActiveUser() has no idea about the fact that I just logged in G-Suite in another tab (even after reloading web app). Which is back to square one.
Comparing this to Google's own apps, this behavior is not much different: e.g. if you read regular non-g-suite gmail, then go and log in to Google drive using G-Suite account, and then reload gmail - it doesn't take you to G-Suite Gmail automatically just because you logged in to G-Suite account on that browser. You need to explicitly tell Gmail that you want to use G-Suite account by invoking active-account-selection menu (round avatar icon on the right upper corner).
Looks like no matter what approach I take, I hit the same wall: the need to tell stand-alone Google App Script which Google identity is current. And I don't see any way of doing that.
What I stated above is no longer true due to recent change by Google. (2) now results in Error 404 instead of login screen.
Sign-in issues which a few days ago were only affecting stand-alone Google App Script apps now are plaguing entire G-Suite. Our volunteer first-responder organization got G-Suite mainly for the secure intranet site (members.my_g-suite.com) where we share internal protocols and documentation. It's built on new Google Sites and Google Team Drive. Before Wednesday attempt to access members.my_g-suite.com used to take to G-Suite login screen. Now it takes them to "404. That’s an error. The requested URL / was not found on this server. That’s all we know.". The only workaround is to force users to log out of personal Gmail each time before accessing G-Suite, which is not a reasonable request for a volunteer using personal device. We feel like Google pulled the rug from under our feet. The only hope is that this is a temporary change and they'll revert it to how it was in the beginning of the week. We also confirmed that this change is not limited to our G-Suite.
This is because your web-app runs inside a iframe. You can force login by denying access to the web-app manually.
onload, Check Session.getActiveUser().getEmail() server side and see if it matches your domain,
If it does, proceed to load your actual web-app
If not, just provide the information that the user needs to login to your gsuite to access.
You can also
Proceed to open https://admin.google.com (or any url specific to your domain) in a another tab
See whether it's open and use setInterval to check the other window.close property. When closed, reload your web-app.
The problem:
I've been stuck trying to figure this out all day. I'm writing an app script within my Google Sheets to query YouTube API data from a particular YouTube channel, and it works when I connect every account but the actual YouTube account (brand account) we're trying to query.
The setup:
youtube.email#gmail.com - where the YouTube account is hosted.
ryan#gSuiteCo.com - where I am writing the script.
What happens:
When I execute my code, it asks for authorization, so I log in with youtube.email#gmail.com. Then it gives me the option to choose the YouTube Brand account or the youtube.email#gmail.com Google account. If I select the email Google account it works (but then is pulling from the wrong YT account). If I select my YouTube account, nothing works, and I end up in an authorization loop. I hit run, and a pop-up asks me to authorize. After authorized, it doesn't actually run... and that's an infinite loop.
My suspicion is that the issue relates to enabling YouTube API. For every account, I am able to login to the admin and enable the APIs for my App Script, but I have no way of doing that for the YouTube account. When I enable it for youtube.email#gmail.com, it enables it for the wrong YouTube brand account.
So, I have no idea what's going on. What's the right way to do this? I have tried just writing and deploying the code from the youtube.email#gmail.com account, and I get the same issue.
It sounds like it's because of a known Apps Script issue where it has trouble working when you are logging into multiple Google Accounts - it always uses the default account.
Romain Vialard recently wrote an article about how they get around the issue.
For users that are logged into multiple accounts, how can a script let the user pick an account? For example, Gmail, Google Drive, etc. provide a way for the user to select which account to use with a selectable option on the top-right of the page:
How can developers implement a similar mechanism?
There seems to be no way to do that with Google Apps Script libraries - GAS just uses the current primary account. Also, unfortunately, the API Client Library and thus Google Sign-In for websites don't work inside GAS web apps because of the sandbox frame. You could write your own or use some existing OAuth implementation to authenticate with Google but I found a much much simpler solution using Auth0 Lock with only a Google Connection (using the popup method because the redirect method doesn't work within the sandbox frame).
With Chrome Version 70.0.3538.102. You may resolve your issue (at least i did)
Now i make sure i ONLY signed in ONE account at a time. Then use "manage people"
if i have 3 google accounts, i will create 3 people and each time you only have 1 active google account session. With this setup, i ensured everytime my script only execute with my G Suite user instead of #gmail accounts
You can try using the Directory API to work with Apps Script. Retrieve the user using:
GET https://www.googleapis.com/admin/directory/v1/users/userKey.
You can then make an interface that displays the user accounts details(Name, email,etc).
We have a chrome extension that posts data back to a Google Apps Script app and I'd like to know if I'm going to hit any limits at Google.
The Apps Script app has a doPost function that takes the information that was passed across and uses appendRow to add the content to different sheets. Very similar to how forms works but allows us to deploy to users (via the chrome extension) and have a better looking UI.
We're wanting to push this out to potentially thousands of users and we expect a few form submissions a day from each of them. Should I be expecting to hit any set limits with this?
I've already taken a look at https://script.google.com/a/netpremacy.com/dashboard but don't see anything that would indicate any limits.
Let me know if you need more info.
There are no published limits at this time. However, the key thing to ask with apps deployed as web apps is that is the App running as you (the developer) OR the users accessing the web app?
If its running as the users, then you are going to be ok with the volume. The quota is fully debited to the end user.
If its running as you, then you need to worry about other quota first - does it send out lots of emails, does it create a lot of documents, etc.
The only exception to quotas is ScritptDb that always consumes the script developers quota.
I'm using Google Apps Script UI to create forms for students at my school. I've restricted access to my domain for added security, and to capture users' email addresses.
The problem is that many of our students have separate Gmail accounts. If they are already logged into Gmail (not our domain), they don't get a log-in page, but something prompting them to request access.
Any suggestions for avoiding this?
Thought I saw a request in the issue tracker for an account choosing feature, but my guess is that you'll want to allow anyone to access your web app and show a custom prompt if their email is non-domain. I don't know how well this would work with shared computers, but creating separate Chrome user accounts for each of my Google accounts has solved all my multiple sign-in pain.