Google Apps Script as callback URL from external site for oauth - google-apps-script

Sorry I don't have much knowledge in how this stuff works so...
I have a Bitrix24 site running and it has an API, it uses OAuth 2.0 protocol.
I want to create a Google Apps Script web app (or API executable if it's more appropriate) that will interact with that external API.
From what I understand from the process, I call a page in the Bitrix24 site, which includes a callback URL, and the authentication info is sent to that callback page (https://training.bitrix24.com/rest_help/oauth/authentication.php).
I need to know if I can use Google Apps Script as this callback page. I have been searching but I don't think it's possible to use a web app's function, but maybe I'm looking at it from a wrong angle.
I hope someone can help in how this should be done, or say it's not possible at all.
Thanks in advance!

If it can help, I think there are 2 options :
1 - you can deploy a Web App with a doPost() function that will receive the Callback from Bitrix24. Example :
function doPost(e) { Logger.log(JSON.stringify(e)); }
Deploy your Web App to be accessible to anyone, and with the "Execute the app as me" option. Then get this Web App's URL (something like https://script.google.com/..../exec) and pass it as your Callback URL parameter when calling Bitrix24.
2 - you can also call Bitrix24 directly from your GAS Web App, using a state token to generate the Callback URL. More information here:
https://developers.google.com/apps-script/reference/script/state-token-builder
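
Added example, not part of the original answer: a web app URL that is open to anyone receives requests from anyone, so the handler should accept a `code` only when the `state` matches a flow the script itself started. The sketch below is plain JavaScript; the `pending` store, the `provider.example` endpoint, the client id and the state value are constructed placeholders, and a real state value must be random and unguessable.

```javascript
// Added example. `pending` stands in for the script's own storage (hypothetical);
// the endpoint, client id and state values below are constructed samples.
const STATE_TTL_MS = 10 * 60 * 1000; // assumed lifetime of a started flow

// Build the authorization URL (RFC 6749 parameter names) and remember the state.
function startFlow(pending, authEndpoint, clientId, callbackUrl, state, nowMs) {
  pending.set(state, nowMs + STATE_TTL_MS);
  const q = [
    ['response_type', 'code'],
    ['client_id', clientId],
    ['redirect_uri', callbackUrl],
    ['state', state],
  ].map(([k, v]) => k + '=' + encodeURIComponent(v)).join('&');
  return authEndpoint + '?' + q;
}

// Validate the event object Apps Script passes to doGet(e) / doPost(e).
// Only a callback that matches a flow this script started yields a code.
function handleCallback(e, pending, nowMs) {
  const p = (e && e.parameter) || {};
  if (p.error) return { ok: false, reason: 'provider_error' };
  if (typeof p.state !== 'string' || !pending.has(p.state)) {
    return { ok: false, reason: 'unknown_state' };
  }
  const expires = pending.get(p.state);
  pending.delete(p.state); // single use: a replayed callback is rejected
  if (nowMs > expires) return { ok: false, reason: 'expired_state' };
  if (typeof p.code !== 'string' || p.code === '') {
    return { ok: false, reason: 'missing_code' };
  }
  return { ok: true, code: p.code };
}

// Constructed walk-through: one genuine callback, a replay, and a forged one.
function demoCallback() {
  const pending = new Map();
  const url = startFlow(pending, 'https://provider.example/oauth/authorize',
    'sample-client-id', 'https://script.google.com/..../exec', 'st-7f3a', 0);
  const genuine = { parameter: { code: 'sample-code', state: 'st-7f3a' } };
  return {
    url,
    first: handleCallback(genuine, pending, 1000),
    replay: handleCallback(genuine, pending, 2000),
    forged: handleCallback({ parameter: { code: 'x', state: 'guess' } }, pending, 3000),
  };
}
```
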

Related

How do I get the url "https://script.google.com/macros/d/{SCRIPT ID}/usercallback" responding / up and running

I'm a beginner in Google Apps Script.
I'm basically trying to use the OAuth service in a Google Apps Script to be able to connect a Google spreadsheet to Yahoo fantasy API.
I'm using the package you can find here:
https://github.com/googleworkspace/apps-script-oauth2
In the "read me" part you can see that oauth libraries will by default use the callback url https://script.google.com/macros/**d**/{SCRIPT ID}/usercallback
So I try to use this package in my script, but when I publish my script it creates the following url:
https://script.google.com/macros/**s**/{SCRIPT ID}/
Notice it's an "s" instead of the "d" in the url.
I can properly access https://script.google.com/macros/**s**/{SCRIPT ID}/exec and so on, but the url containing the "d", which is expected to be used by the OAuth service, returns an error.
When trying to access the url in a browser I got:
- an error if I call ../usercallback
- the message "Sorry, the file you've asked doesn't exist" if I call ../exec
(.. is https://script.google.com/macros/**d**/{SCRIPT ID} in that case.)
I've been looking on the internet to get this url working, but with no success (is it so obvious that no one else had the issue except me?).
I tried several things: I've created a project and linked my script to that project, and I played a bit with the configuration in the project based on what I found on the internet, like credentials for the API, but I still can't get the url with a "/d/" to respond.
I'm not sure of the meaning of the "s" (script?) or the "d" in the url.
I'm not sure if it has something to do with the way I publish my script or if I need to have specific function in my script or maybe some configuration of the script, maybe I need to persevere with the project thing...
I think that you should re-read the Readme.md file from the Google OAuth Sample GitHub repo. Also I think that the d and s parts of Google Apps Script URLs are irrelevant for using the "OAuth Service".
The .../exec URL is generated when making a new deployment. This URL doesn't contain the script Id... please bear in mind that a single Google Apps Script project might be deployed multiple times and have all or some deployments being live at the same time. Each web app deployment will have its own URL... none of them have the script id. On the other hand, you might not need to make a deployment in order to be able to use "the OAuth service"; this is needed only if the script will be receiving GET/POST HTTP requests.
You should not access the ../usercallback in the browser, as you will be doing a GET request without providing the required data. This URL should be added when getting the credentials to be used with the "OAuth Service" from the OAuth provider, in this case Yahoo, as the redirect URI.
The referred repo includes multiple samples about how to use the "OAuth Service"; one of them is Yahoo.gs
Resources
https://developers.google.com/apps-script/guides/web
https://developers.google.com/apps-script/concepts/deployments

Firebase cloud functions visibility and editing

My question is very simple; I am new to Firebase Cloud Functions. Can users see what's written in my function, and can they find the HTTP URL and call it from outside my app? Because I will include the admin SDK in the function, I need the credentials to be private. I want to decode the uid from the token.
The code for your Cloud Functions is only visible to you and collaborators on the project. It is not visible to other users of your app.

What user data does the Google OAuth2 scope script.external_request give access to?

I'm attempting the verification process for an Apps Script web app that uses the URL Fetch service via class URLFetchApp. Per URLFetchApp documentation, this requires the scope https://www.googleapis.com/auth/script.external_request. I can't find any Google documentation for this scope, and it doesn't appear on this list of OAuth2 scopes. I'm having a hard time demonstrating how my app uses the data provided by the scope when I don't actually know what user data the scope provides. I mean, I don't think I'm using any user data... I'm just calling API executable functions from another Google Apps Script project.
What user data is this scope giving me access to? Or do I just need to explain why/how I'm using URLFetchApp?
If you head over to the editor dashboard of your script, you will see further information about this scope stating:
Connect to an external service under project OAuth scopes.
Moreover, when you run your script for the first time, the permissions it is asking for are:
Create a network connection to any external service (e.g., to read or write data)
Therefore, despite not having much more description in the documentation (just in UrlFetchApp), I don't think you are using any user data apart from getting the user to use your script and connect to an external service.
I hope this has helped you. Let me know if you need anything else or if you did not understand something. :)
According to the documentation, if you wish to use the UrlFetchApp Service then external_request is the scope you'll have to add to your manifest. Like it or not.
UrlFetch Service

In Google Apps Script, avoid second 'Review Permissions' prompt, possibly by using approval_prompt

I have searched StackOverflow, etc. for a solution to this problem, and several answers 'point me in a direction' (mentioning approval_prompt = auto not approval_prompt = force), but none are applicable (as far as I can tell) to my situation.
I have a Web Application hosted at www.mjpanel.com that expects to use a Google Apps Script that I 'own', but the Javascript at www.mjpanel.com calls the Google Apps Script (deployed as a Web App with doGet()) as a Web Service. It expects the web service call to return various JSON objects.
If the user has not yet authorized my application, the call to the Google Apps Script Web App / Web Service will not return a JSON object, causing www.mjpanel.com Javascript code to fail saying "Invalid Request" (because it isn't a JSON object as my code expects).
To prevent this from happening, www.mjpanel.com uses gapi.auth2.init to get the permissions/scopes it needs. I'm developing everything now, so if/whenever the Google Apps Script evolves to use something (like sending GMail emails as the user) that is new, I have been figuring out the scope to request, adding it to the list of scopes in the gapi.auth2.init call, and everything is fine. The next time a user uses the app., they get initially prompted for the newly added scope, then everything proceeds fine.
However, now sometimes one of my test users has a Web Service call fail because Google Apps Script is returning another request for permissions for a 'new permission' of 'Have Offline Access'.
There's nothing about my script that would warrant the user needing to grant this permission.
When I research, a lot of stuff (mostly about requesting OAuth2 stuff in a 'structure' different than the way my app. is set up) says it has to do with submitting an 'approval_prompt=force' in my request URL.
However, the way I have my app set up, all the URLs I would use (aside from my 'custom stuff' in the query string) are dictated by Google Apps Script. And I can't find any place where any URL I use has an approval_prompt in it.
I can't figure out where I would need to configure that approval_prompt to be auto (as is recommended in the 'successful answers' I find).
Or if the idea of approval_prompt is 'on the wrong track', any information in general to help me solve this problem would be greatly appreciated.
Thanks in advance for any help you can give me.
Unfortunately the Google Apps Script native OAuth flow includes approval_prompt=force. This causes the following conditions:
If cookie exists in browser and has permission for this application the consent screen will not be displayed.
If cookie exists in browser but does not have permission for this application: consent screen will be displayed
If cookie does not exist in browser and the application has permissions: application will request 'Have offline access'.
The easiest way around this is to manage your own OAuth flow and use the Execution API. The following link will take you to the javascript quick start.
https://developers.google.com/apps-script/guides/rest/quickstart/target-script

google drive sdk - What are the JavaScript Origins and Authorized Redirect URLs?

While creating the Client_ID I am stuck in these two textboxes (JavaScript Origins and Authorized Redirect URLs) appearing on that PopUp. I am not able to search the internet about those two things.
In a tutorial it was written that we just need to put our hostnames there! But why? What do they actually mean?
Hope I am clear.
Any help would be appreciated.
If you're using the JavaScript client, you need to set a valid JavaScript origin for us to authorize you.
Authorized redirect URIs are the endpoints we're going to call as a callback if you're using the 3-legged OAuth 2.0 flow. https://developers.google.com/accounts/docs/OAuth2#webserver illustrates a sequence where Google endpoints push a code to your application. The push is done by calling a redirect url with a code query parameter.
http://yoursite/callback?code=[code to exchange]
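
Added example, not part of the original answer and not Google's code: a small model of what the two registration fields are for. It assumes the provider compares origins and redirect URIs as exact strings; the `app.example.com` registration and all sample values are constructed.

```javascript
// Added example: a model of the provider-side check. Constructed registration.
const registration = {
  javascriptOrigins: ['https://app.example.com'],
  redirectUris: ['https://app.example.com/callback'],
};

// An origin is scheme + host + port only: no path, query or trailing slash.
function isAllowedOrigin(reg, origin) {
  let parsed;
  try { parsed = new URL(origin); } catch (err) { return false; }
  return parsed.origin === origin && reg.javascriptOrigins.includes(origin);
}

// Redirect URIs are compared as whole strings (assumed exact-match policy),
// so a different scheme, host, path or suffix is a different, unregistered URI.
function isAllowedRedirect(reg, redirectUri) {
  return reg.redirectUris.includes(redirectUri);
}

// End of the flow: append the code (and the caller's state) to a registered
// redirect URI, or refuse to send the code anywhere.
function buildCallback(reg, redirectUri, code, state) {
  if (!isAllowedRedirect(reg, redirectUri)) return null;
  const u = new URL(redirectUri);
  u.searchParams.set('code', code);
  if (state) u.searchParams.set('state', state);
  return u.toString();
}

// Constructed inputs: the registered values next to near-misses.
function demoRedirects() {
  return {
    origins: ['https://app.example.com', 'https://app.example.com/',
      'http://app.example.com'].map((o) => isAllowedOrigin(registration, o)),
    redirects: ['https://app.example.com/callback',
      'http://app.example.com/callback',
      'https://app.example.com/callback/extra',
      'https://app.example.com.other.example/callback',
    ].map((r) => isAllowedRedirect(registration, r)),
    sent: buildCallback(registration, 'https://app.example.com/callback', 'abc123', 'xyz'),
    refused: buildCallback(registration, 'https://other.example/callback', 'abc123', 'xyz'),
  };
}
```
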