We have an add-on for Google Sheets and would like to switch other Google accounts for some functions.
Half a year ago, I successfully added a URL (https://***.googleusercontent.com) to Authorized JavaScript origins and a URL (https://oauth-redirect.googleusercontent.com/r/\*\*\*) to Authorized redirect URIs.
But now we can't and, therefore, it keeps showing
Authorization Error (Error:400: redirect_uri_mismatch).
When I try to add this URL(https://***.googleusercontent.com), it shows
"Save failed! The request failed because one of the field of the resource is invalid."
I don't know whether the rules changed and what should I do. See the screenshot for details. Thanks!
Error Message: The JavaScript origin in the request, https://***.googleusercontent.com, does not match the ones authorized for the OAuth client.
This appears to be a bug.
The issue you reported on Issue Tracker has been forwarded internally:
Fail to Add *.googleusercontent.com into Authorized JavaScript origins
Thank you for bringing this to our attention. It has been forwarded internally.
Posting this here to give it more visibility. Please click the top-left star if you're affected by this.
I have the same problem, since October I am not allowed to use *.googleusercontent.com as Authorized origin.
I reported it on Issue Tracker, but their answer simply was "Thank you for your report, unfortunately Issuetracker is not the proper forum to address your report".
I solved this problem (At least temporarily) by inserting the Google sign-in button on an external site (Github pages) and once logged, redirect the user to my *.googleusercontent.com page with the sign-in token inserted in the URL as a parameter.
Related
When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.
I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?
I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.
So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.
As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.
According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com
To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.
From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain
Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.
Related
How to Properly Configure GAS Web App (as another user) to Execute GAS API Executable (as me) using OAuth2?
User access request when GAS run as the user
While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:
Webapp#1:
Run as: Me
Access: Anyone even anonymous
Webapp#2:
Run as: User
Access: Anyone
You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.
References:
Authenticate with a server - Here, webapp#1 acts as server and webapp#2 acts as client.
ScriptApp.getIdentityToken()
As the title says I am trying to access a gapi instance (log in a user into a Google account) when launching a chrome.identity.launchWebAuthFlow().
The sign in button is present on the Oauth flow on a page which is launched in a chrome.identity.launchWebAuthFlow() window.
The error I get is: user closed popup but I suspect that it is a CORS issue. (I added the page which is calling the Google sign in to the list of allowed domains).
Any help would be appreciated!
Regards
I have received a mail from noreply-apps-developer#google.com with the subject “[Action Required] Submit your app(s) for Restricted Scopes OAuth verification”. In the email body, there is a link to the Google API Console. After I am in the Google API Console, under the tab named “Credentials” 2 fields are highlighted.
Following is the screenshot of the same.
Link to screenshot
I would like to know the reason for the error “Invalid domain”. Also, would be great if you can help me resolve the issue.
Please note: In the sections highlighted in red color, the site URL is present. I have removed it from the screenshot for security concerns.
Edit1:
As suggested, I have added the links for privacy policy, domain, etc. When I click on the "Submit for verification" button, a modal appears. I am unable to identify what information I need to add here. The details are as follows:
link for the screenshot of the modal which appears when I click on the submit button.
The application interacts with gmail in 2 instances:
1. Sending emails.
2. Reading emails received (emails having a particular subject line) and accessing the attachments present in it.
There is not other use of the gmail connectivity.
I am confused whether I should mark the application as "Internal" or should I submit it for verification. If I have to submit it for verification, then what details should I insert in the modal that appears on click of the "submit for verification" button (screenshot has been shared).
Request you to help me resolve the issue.
All URLs in your project must match one of your Authorized Domains. But your screenshot shows this field to be blank. You will need to tell Google which domains your app is allowed to run on.
For example, let's assume your homepage is at https://www.example.com/ and your privacy policy is at https://www.example.com/privacy. You'll need to include example.com in the first field under Authorized Domains.
In this screenshot below, I've added a matching Authorized Domain and the errors are resolved.
Check the "Learn more". It was stated in bold text that:
Add your Authorized Domains before you add your redirect or origin URIs, your homepage URL, your terms of service URL, or your privacy
policy URL.
Looking into your screenshot, something is missing and it is your Authorized domains.
I am trying to authenticate using OAuth2 with Google Maps Coordinate but I am having an issue when specifying the scope that I want the Auth tokens to be valid for. The URL I am using to request an access code is in this format:
https://accounts.google.com/o/oauth2/auth?response_type=code&client_id={client id}&redirect_uri={App URL}&approval_prompt=force&scope=https://www.googleapis.com/auth/coordinate
The issue I am having is that the consent screen just says "This app would like to: Have offline access". It does not mention granting permissions for interacting with Google Maps Coordinate. I am starting to think this a bug on Google's side, because if i try to get a read only token by adding .readonly to the end of the url, the consent screen shows "This app would like to: View your Google Coordinate Jobs". Similarly, if I replace coordinate with docs or drive, I get the correct consent screen where the app requests permissions to access and modify Google Drive content.
If I get a token using the coordinate scope with the "Have offline access" permissions and then use that token to try and make requests to coordinate, I just get "Insufficient Permissions" errors.
The issue only seems to be happening when trying to get an access code for Maps Coordinate. Has anyone else experienced this issue?
Thanks
This is not a bug, this is just a strange behaviour (and maybe a bug). (so it may be not 100% correct, what I'm telling)
You use in your request url approval_prompt=force, that means, that the user will always be asked to give permission. What follows is, that you get a refresh token (that doesn't expires, unless the user removes explicitly the permission for your app from his account), which you have to exchange for an access token.
That is also the reason, that you always get only "This app would like to: Have offline access". Once you permitted a specific scope, it won't show up anymore in the consent screen.
The docs and drive consent screens are showing the right, because you didn't give the permsission for them.
I see basically two possibilities for you: don't use approval prompt (and thus skip the consent screen after the first authorization, you will be simply redirected as the user clicked allow, but without clicking allow) or exchange the token to a refresh token.
Or try revoking your permission for your account.
I think when it shows Offline Access it means you've already accept these permissions before. This has sometimes happened to me, try revoking the old access and try again to obtain fresh tokens. Go to you Google account page (https://www.google.com/settings/personalinfo) --> Security --> Account Permissions --> View All, then search the Maps access and revoke it, then try again
I'm playing around with AppScript and try to get an oAuth 2.0 access token.
Any sample out there how to get this working in AppScript?
I am working on a cleaner tutorialized version of this, but here is a simple Gist that should give you some sample code on how things would work -
https://gist.github.com/4079885
It still lacks logout, error handling and the refresh_token capability, but at least you should be able to log in and call a oAuth 2 protected Google API (in this case its a profile API).
You can see it in action here -
https://script.google.com/macros/s/AKfycby3gHf7vlIsfOOa9C27z9kVE79DybcuJHtEnNZqT5G8LumszQG3/exec
The key is to use oAuth 2 Web Server flow. Take a look at getAndStoreAccessToken function in the gist to get the key details.
I hope to have this published in the next few weeks but hopefully this will help in the mean time.
UPDATE - adding in info on redirect_uri
The client secret is tied to specific redirect URIs that the authorization code is returned to.
You need to set that at - https://code.google.com/apis/console/
The highlighted URI needs to match the published URI (ends in /exec). You get the published URI from the script editor under Publish -> Deploy as web app. Make sure you are saving new versions and publishing the new versions when you make changes (the published URI stays the same).
I've modified the example above to use the newish state token API and the CacheService instead of UserProperties, which is now deprecated. Using the state token API seems to make things a little more secure, as the callback url will stop accepting a state token after a timeout.
The same caveats apply. Your redirect URIs have to be added to your (script) project in the developer's console, meanwhile you have to yank the CLIENT_SECRET and CLIENT_ID from the console and paste them in. If you're working within a domain, there don't seem to be any guarantees on what URL will be returned by ScriptApp.getService().getUrl(), so I wound up basically having it get the address dynamically, then waiting for to fail on the the (second) redirect, and then hard-coded the resulting URI.
https://gist.github.com/mclaughta/2f4af6f14d6aeadb7611
Note that you can build an OAuth2 flow using this new API, but it's not a complete sample yet:
https://developers.google.com/apps-script/reference/script/script-app#newStateToken()
In particular, you should not pass 'state' directly to the /usercallback URL yourself, because the OAuth2 service provider is responsible for round-tripping the 'state' parameter. (Instead, you pass 'state' to the auth URL, and the service provider automatically attaches it to the callback URL.)