Google OAuth Consent Screen is still showing confusing scope checkboxes - google-apps-script

I've seen other questions who shared this same issue here and here, but the solutions are not working for us. Our users are confused with the checkboxes since they haven't seen them on other apps before and it's making them more paranoid about the access they give.
Our app requires contacts and calendar read-only access to function, and i've tried many tricks mentioned by others but none of them worked:
We added email, profile, openid in Cloud Console scopes, the checkboxes still appear
We split login from authorization access, the checkboxes still appear.
Are we missing anything?
It seems if we only ask for 1 permission, it might solve the problem, but it's too inconvenient to ask the user to open 3 popups to authorize access.
Feedback to Google Team:.
Granular permissions are definitely in the right direction for user privacy,
but:
Process penalizes apps with granular permissions (e.g. if i ask for all calendars.readonly, and events.readonly, those force to show 2
checkboxes, whereas if i ask for only 1 super permission like
Calendly's "edit/manage/delete all calendars and events", it doesn't
show a checkbox.
Introduces a lot of inconvenience and unnecessary fear for the user.
Not all apps have the same granular permissions, and it's rewarding old apps (like Calendly) who are not yet impacted by granular
permissions, whereas new apps are inherently disadvantaged.
Ideas:
Allow app developers to select which permissions are optional vs required
Add an explanation field that shows the utility next to each permission requested to the end-user, and this could be added to the app review
process for sensitive scopes.
Make authorizing new permissions super fluid 1-2 clicks away, instead of opening a popup. Think how mobile apps ask for contacts
permission, it's granular, contextual and only 1 click away.

The workarounds that you mentioned may work but it seems that Google has announced this change on this behavior since 2018. Looks like the behavior happens when the app is requesting access from different services as noted in this Project Strobe blog.
There will be no direct way to remove the granular scopes if your app would be requesting permissions from different services as this will force the granular permissions to show up.

Related

Google Docs Script: Sharing a script in my account / unreviewed scripts via Marketplace (replacement for previous chrome add-ons store)

Am I correct that there is NO direct replacement for this process on marketplace:
publish unlisted on chrome add-on store
directly share the link with others who can use the script
In particular, the mechanisms allowed me to use a script that I write across all my google dsocs.
With the move to marketplace, is there any way in which I can do this? I.e., write a script (container-bound or otherwise) and have access to it from ALL my google docs?
This is not about privacy: I am super-happy for the script to be shared with others or be public, but the review process has already turned down the script as unfinished. However, the script does what I need it to do... so I'd like to be able to use it across my google drive primarily... however, with the new google marketplace that doesn't seem to be possible.
One way may be via Google Suite domains. That seems to allow for internal publication. However, I've done that, and so far not received an acknowledgement or notification (while the GSuite page says 'under review'). My understanding was that internal scripts weren't subject to review.
Would anybody be able to comment on this and confirm, clarify or refute this understanding?
The move to Marketplace has certainly caused a lot of confusion! Trying to find all the tick-boxes can be difficult.
The two main places to look are the OAuth Consent Screen, where you need to make sure it is Internal (you have to have a GSuite account for that):
And the Marketplace SDK under Configuration check it is set to Private (although note that if it has transferred from the Chrome store it may already be set to Public, and this can't be changed). And under Publish it is set to unlisted.
This "unlisted" setting may be the crucial one for you as even if it is "Public" it won't be in the Marketplace, but will only be available via a link. But if it is "Public" I don't think you can make updates without going through the verification process. But if you don't go through the verification it should still be available.
Hope this helps, happy to answer any other questions.
Andrew

Google Apps Script personal script won't authorize [duplicate]

I am trying to run
this simple Google Script.
However, it does not allow me to authorise. How can I proceed?
Update 1:
As reported by
Rubén, Google says it won't fix this - #163
Some workarounds are provided in #76, #145 and #150 - showing solutions like changing GCP and providing a oauth consent screen.
Update:
Switching Google cloud project from default to a standard project have resolved the issue for some users. This is still a workaround and may not work for all. Therefore, star the issue below.
This seems to be a new issue affecting certain users. You can ★(on top left) star the issue here to let Google developers know that you're affected by this issue and to prioritize the issue.
It stopped complaining once I specified the script only needed access to the current sheet. Google explains how to do it here.
All you need to add to your code is this JsDoc annotation:
/**
* #OnlyCurrentDoc
*/
That's something that happens. To solve the issue just copy the contents of your Script, delete it, and create a brand new one with the same contents, or give it another name in case you are superstitious. If that doesn't work, create another Spreadsheet with the same contents and proceed. Sometimes it's just a temporary issue. Perhaps the problem persists due to the stored browsing data, so it would be convenient to clear it. (I challenge you to take this last move!)
After going through the process twice with a client, I can confirm that the most reliable way to fix the error currently is to go through the verification process. An important note is that after approving the scopes, some accounts need to approve every other sensitive scope that is added to the script and cloud project as well or the issue will resurface.
So the step-by-step guide is as follows:
Switch from default to standard Google Cloud Project
Fill in the OAuth Credentials screen and add all sensitive scopes
Click on "Submit for verification" and prepare a YouTube video showing both authorization process and usage of each of the sensitive
scope
Wait until the verification team sends you an email (usually 1-2 days, but no guarantee here) and reply with the link to the video, then wait for the verification process to complete
If you received a "Granted" response, continue to steps 6 & 7, if not - follow the instructions provided
Remove all previously granted permissions to the project
Reauthorize the script by running it again, everything should be working
Having the same issue no solution of listed in this thread were working for me. After faied authentification i always get the screen as the topic starter gets it, without the "advanced" option.
However i've managed to get at least a limited access and run my script on the following way:
I share the affected sheet to anybody with link, with editor access level.
Then, from incognito window (maybe it isn't necessary, but i did it so), I've logged in into my other Google account,
opened the link, which was shared,
was forced to authorize myself,
failed on authorization - but the screen with failed authorization contains the "advanced" option,
clicking on it i've got a limited access and was able to run the script.

"Sign in with Google temporarily disabled for this app" error when trying to authorize a script

I am trying to run
this simple Google Script.
However, it does not allow me to authorise. How can I proceed?
Update 1:
As reported by
Rubén, Google says it won't fix this - #163
Some workarounds are provided in #76, #145 and #150 - showing solutions like changing GCP and providing a oauth consent screen.
Update:
Switching Google cloud project from default to a standard project have resolved the issue for some users. This is still a workaround and may not work for all. Therefore, star the issue below.
This seems to be a new issue affecting certain users. You can ★(on top left) star the issue here to let Google developers know that you're affected by this issue and to prioritize the issue.
It stopped complaining once I specified the script only needed access to the current sheet. Google explains how to do it here.
All you need to add to your code is this JsDoc annotation:
/**
* #OnlyCurrentDoc
*/
That's something that happens. To solve the issue just copy the contents of your Script, delete it, and create a brand new one with the same contents, or give it another name in case you are superstitious. If that doesn't work, create another Spreadsheet with the same contents and proceed. Sometimes it's just a temporary issue. Perhaps the problem persists due to the stored browsing data, so it would be convenient to clear it. (I challenge you to take this last move!)
After going through the process twice with a client, I can confirm that the most reliable way to fix the error currently is to go through the verification process. An important note is that after approving the scopes, some accounts need to approve every other sensitive scope that is added to the script and cloud project as well or the issue will resurface.
So the step-by-step guide is as follows:
Switch from default to standard Google Cloud Project
Fill in the OAuth Credentials screen and add all sensitive scopes
Click on "Submit for verification" and prepare a YouTube video showing both authorization process and usage of each of the sensitive
scope
Wait until the verification team sends you an email (usually 1-2 days, but no guarantee here) and reply with the link to the video, then wait for the verification process to complete
If you received a "Granted" response, continue to steps 6 & 7, if not - follow the instructions provided
Remove all previously granted permissions to the project
Reauthorize the script by running it again, everything should be working
Having the same issue no solution of listed in this thread were working for me. After faied authentification i always get the screen as the topic starter gets it, without the "advanced" option.
However i've managed to get at least a limited access and run my script on the following way:
I share the affected sheet to anybody with link, with editor access level.
Then, from incognito window (maybe it isn't necessary, but i did it so), I've logged in into my other Google account,
opened the link, which was shared,
was forced to authorize myself,
failed on authorization - but the screen with failed authorization contains the "advanced" option,
clicking on it i've got a limited access and was able to run the script.

gapi.drive.share.ShareClient false when multiple users are logged in

I'm following https://developers.google.com/drive/web/manage-sharing#launching_the_google_drive_sharing_dialog_in_your_app to add a "Sharing" dialog to my Drive app.
It works perfectly when the user is logged into gmail with a single Google account. If they log in to gmail with a second account, the ShareClient in my app no longer works. Instead, it says "Sharing is unavailable at this time."
To be clear, the change happens after interacting only with gmail, NOT with my app. I guess the problem happens because the share dialog doesn't know which user to default to.
Does anyone have a way to make this work? I would be happy to specify a google id, but ShareClient doesn't seem to have any settings exposed besides appId.
This is an issue we are currently aware of and will fix.
There isn't really a good way for you to work around it at the moment, so hang tight until we address it.

GAS gadget inserted to googleSite... for non-google accounts

I think this is the same as my question: http://code.google.com/p/google-apps-script-issues/issues/detail?id=852
But just to be clear: Google apps scripts won't run on a Google Site without a google/gmail user being signed in?
...are there other google products where GAS can be deployed for non-google accounts?
Thanks,
Nathan
False. You can embed an Apps Script in a Google Site using Insert > Script Gadget. Just be sure that the publishing setting is set to "Anyone, even anonymous".
You've got two different levels of user identity at work here, if not three or more. I will try to pull them apart for you in a clear way.
Google Sites can work for users of Google and non users. It depends entirely on the sharing settings for that site. If you share it with the world, it will be shared and indexed by search engines. If you share with anyone with link, search engines won't index it but no user will have to sign in to use the site.
What you are embedding in a Google site may have it's own user identity issues. The easiest way to manage these is to go into 'Publish' menu, and 'deploy as Webapp'. You will then see a menu that asks which account the script should be run under, essentially you or the user. And then which people to allow access, which you would select 'Anyone, even anonymous'.
This will run that app as your account, but allow anyone to call it. Works great for allowing the public access to a form created in GAS.
Now the other problems. It may be possible for you to have code in your GAS that specifically calls for a user. In that case all of the prior settings don't matter. When the script looks for a user and finds nothing valid it will error. These call are pretty obvious though and are more rarely used. (At least in my experience.)
But, in short, yes! You can certainly embed GAS into Google sites to be called by anonymous users.
Example of mine: https://sites.google.com/site/greenmountainretreat/sign-up
The issue you are referring to is about inserting i-frame gadgets into non-Google sites... please don't confuse things... and read the issue report thoroughly.
If you want another example...