When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.
I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?
I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.
So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.
As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.
According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com
To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.
From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain
Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.
Related
How to Properly Configure GAS Web App (as another user) to Execute GAS API Executable (as me) using OAuth2?
User access request when GAS run as the user
While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:
Webapp#1:
Run as: Me
Access: Anyone even anonymous
Webapp#2:
Run as: User
Access: Anyone
You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.
References:
Authenticate with a server - Here, webapp#1 acts as server and webapp#2 acts as client.
ScriptApp.getIdentityToken()
Related
The "Find and delete malicious emails" page in the Google Workspace Admin Help Center states:
Using the investigation tool, you can identify all users in your domain that have received the message (for example, a phishing email). You can then use the investigation tool to delete the email from your users' Gmail inboxes (note that log data might take up to a few minutes before being available in the investigation tool).
From this, I understand that, assuming you have the right package, it is possible to use the investigation tool to delete the unwanted email from your users' Gmail inboxes.
Can I delete emails from my users' Gmail inboxes via Google App Script using the API? If so, how can I do that?
Currently it is not possible with the Investigation tool
But there is already an existing feature request for exposing the Google Workspace Investigation Tool programmatically.
I recommend you to "star" it to show Google that more people are interested in this feature - hopefully this will accelerate the implementation.
UPDATE:
In th meantime you can use a workaround, e.g. using a service account with domain-wide delegation as suggested by #TheAddonDepot
It is possible via DwDg(domain-wide delegation)
You have to create a service account and delegate domain-wide authority to that service account with the appropriate scopes. There are no explicit instructions for the Gmail API but you can use this guide from the Admin Directory API documentation.
You then use the service account credentials with the GAS OAuth2 Library to make calls on behalf of your existing users to the Gmail API. Note that you can't use the built-in or advanced services for Gmail, you'll have to call out to the Gmail REST API directly via UrlFetchApp.
I am in the process of implementing an OAuth2 flow for a sensitive scope in my chrome extension. In order to remove the 'unverified app' warning in the OAuth2 popup I must verify the app in the Google Cloud Console.
The verification form requires 'Authorized domains' though, and it does not accept a chrome extension URL of the form 'chrome-extension://', neither does it accept a URL of the form '.chromiumapp.org'.
Is it possible to provide another domain I own as the authorized domain, and still initiate an OAuth2 flow from the chrome extension using chrome.identity.getAuthToken({interactive: true}...?
I think you need to read though the documentation on application verification
The very first one mentions that your domain must be authorized and verified in search console. The files must also be hosted on your verified registered domain.
It clearly states that
Links to the Google Play Store or Facebook are not considered valid application homepages.
The only requirements are that
Domain is registered in Search console.
Home page listed in the auth screen is relevant to your app.
So i don't see any reason you can't put it on one of your other domains. Just make sure that it qualifies for this clear its relevance to the app you’re verifying
Relevant points in the documentation.
Verify ownership of your project’s authorized domains using the Search Console. Use an account that is either a Project Owner or a Project Editor of your Cloud Console project.
Then the section about
Make sure that your homepage meets the following requirements:
Your homepage must be publicly accessible, and not behind a sign-in page.
Your homepage must make clear its relevance to the app you’re verifying.
Your homepage must be accurate, inclusive, and easily accessible to all users.
Links to the Google Play Store or Facebook are not considered valid application homepages.
There is also the Privacy posily
Make sure that your app's Privacy Policy meets the following requirements:
The Privacy Policy must be visible to users, hosted within the domain of your website, and linked from the OAuth consent screen on the Google API Console.
The Privacy Policy must disclose the manner in which your application accesses, uses, stores, or shares Google user data. Your use of Google user data must be limited to the practices disclosed in your published Privacy Policy.
I have a video that goes though the application verification process. Google OAuth. What you need to know about verification in 2021.
For users that are logged into multiple accounts, how can a script let the user pick an account? For example, Gmail, Google Drive, etc. provide a way for the user to select which account to use with a selectable option on the top-right of the page:
How can developers implement a similar mechanism?
There seems to be no way to do that with Google Apps Script libraries - GAS just uses the current primary account. Also, unfortunately, the API Client Library and thus Google Sign-In for websites don't work inside GAS web apps because of the sandbox frame. You could write your own or use some existing OAuth implementation to authenticate with Google but I found a much much simpler solution using Auth0 Lock with only a Google Connection (using the popup method because the redirect method doesn't work within the sandbox frame).
With Chrome Version 70.0.3538.102. You may resolve your issue (at least i did)
Now i make sure i ONLY signed in ONE account at a time. Then use "manage people"
if i have 3 google accounts, i will create 3 people and each time you only have 1 active google account session. With this setup, i ensured everytime my script only execute with my G Suite user instead of #gmail accounts
You can try using the Directory API to work with Apps Script. Retrieve the user using:
GET https://www.googleapis.com/admin/directory/v1/users/userKey.
You can then make an interface that displays the user accounts details(Name, email,etc).
I'm using Google Maps Web Services API for work, and they've given me a client ID. When I load up the main page, I don't get an error. However, when I click a sub-page, eg localhost:8080/pages/page.xhtml, I get an error called UnauthorizedURLforClientIdMapError, with the message that this URL is not authorized to use the provided Google Maps client ID.
For reference, Google discusses it in its documentation here: https://developers.google.com/maps/documentation/business/clientside/auth#registering_authorized_urls
With all that being said, I'm currently testing my server with TomCat using the URL http://localhost:8080. This domain has been authorized, as has my individual IP. In my view files, I'm adding this:
<script src="https://maps.googleapis.com/maps/api/js? &client=MY_CLIENT_ID
&v=3.19
&channel=MY_CHANNEL" type="text/javascript"></script>
where 'MY_CLIENT_ID' and 'MY_CHANNEL' are obviously changed to suit my needs (my client id and channel are correct). I've searched through stack overflow and also read all of the relevant Google Documentation but I feel like I'm missing something very small (or large, I'd hope not though).
What's going on?
Each URL that uses Google Maps for Work with the ClientID must be authorized to use that clientid.
You can find all the details here. But this is the summary:
The domain name or IP address does not have to be publicly accessible
All subdomains of a specified domain are also authorized.
All subpaths of an authorized path are also authorized.
Paths are case sensitive.
You may restrict valid URLs to those using certain ports.
HTTP and HTTPS protocols are considered different URLs.
If you are getting the UnauthorizedURLForClientIdMapError, look through the URL authorization rules and see if you simply need to add the URL to the list of authorized URLs.
Btw, here is the the list of Google Maps API Error Codes with explanations.
You must allow the referred URLs related to that Client ID in the Google support management portal.
Access to the Google Support Management portal - http://www.google.com/enterprise/portal - , login with your enterprise google account, then in the left menu, go to "Maps, Manage Client ID" link, select you client id in the combo, and in the "Enter the URLs" textarea, write the referrer URL you want to authorize and click on "Add URL" button.
If you are using a ClientID instead an API KEY to authenticate to Google Maps services, the referrer URLs must be authorized here. If you are using an API KEY, yo must authorize the referrer urls from the google developers console.
I have been trying to follow the Quickstart: Run a Drive app in JavaScript sample in order to use Google Drive API and SDK. I went through the authentication and set up the Client ID and API key etc. I had assumed that the token can be created without the user being logged in to a Google Account, since the client has the Client ID that is connected to a Project on Google Developer Console. Am I missing something here?
Can a user use the JavaScript based Google Drive app without logging in to a Google Account?
no. From your question, it sounds like you've interpreted client ID as referring to the user. Client ID refers to the app. So separately, Google needs to confirm the user has given his permission, and that requires authentication, ie login