I'm trying to wrap my head around how the publishing options for Google Apps Script web-apps work. I have a GAS project that delivers a JSON API. I want other non G-Suite services to be able to call the web-app URL. I am on G-Suite enterprise and my GAS project is created in our GCP organization.
When I publish the web-app there are three options:
myself
anyone in my organization
anonymous
For various reasons, I cannot use the anonymous and obviously myself option won't work. So I have to use the anyone in my organization option.
Now, when a human, logged into a G-Suite account that is in the organization, goes to my web-app URL it will work as expected.
I have another web-site, outside of my organization. I want that web-site to call the web-app URL. I know everything online says to use the anonymous option but I cannot.
So I am wondering what options I have. I had some ideas but not sure:
Do something such that my web site server/account has a G-Suite account that is in the organization. That way, when the web server makes a call to the web-app URL it would look like its coming from a G-Suite account that is in the organization. Does that make sense?
Make the call to the web-app URL and pass some token information that would tell GAS to allow access.
Are either of these possible? Or are any other ways possible?
Related
I have developed a google apps script web app, in conjunction with an MIT App Inventor app, that will/should allow a user to access their own google drive/sheets/documents.
I am having trouble connecting to the web app through the Appinventor app's web component (not a webview), after the user had given their authorization to use the web app via their device's default browser (Chrome).
My Web App is connected to Google Cloud Console and has been verified by the Trust and Safety Team at Google. The app is set to "User who assesses the app" and "Anyone". I can't use the native webview in AppInventor, because Google blocked this off for authentication in 2016.
The web component offers GET/POST/PUT HTTP functions but I have no idea how to get the authorisation codes and tokens for a user in order to access the web app. (Note; the web app has no GUI, it simply receives GET requests and returns text/stringified json output for a range of functions.) I have been able to translate many curl examples in other situations to good effect with the web component, but not for 0Auth.
I have done my best to read up and use the offerings from Google on 0Auth, but just get lost halfway through, as always, nothing I do is quite the same as the examples or documentation provided.
How do I, therefore, construct HTTP GET URLs, with all the various authorization codes and tokens already in place, that will authorize the Web App to work for the user?
A simple request would be like this:
https://script.google.com/macros/s/AKfycbyZ_27nLOKi8ssX........Bz40yAbGfJt_TRswvm6zpY/exec?func=authenticate
which would return the text output "Authenticated"
With a web browser (Chrome) all of this is fairly straight forward for a user. If they are logged into their Google account in the browser they go to the URL provided for my web app, they will be asked to authenticate, and give my Web App access to their google account. Once accepted, 'magic' happens in the browser (any 'magic' happen at the web app end?), and as long as they stay logged in, they can use the browser to send GET requests (URLs with parameters) to the Web App and see the results returned in their browser. Happy days.
In my scenario, I do not have a suitable web browser capable of all of the above. I have a web component that can send GET/POST requests to web services, and handle the server responses. (think of it as a web 'terminal'). I can, therefore (hopefully) construct URLs with all the right content, codes, and parameters. Remember that this has to be straight forward for the user, who will not be interested in 'back end' activities, they will just want to use the app to do things on their google drive.
They need to, I guess, at the very least, perform the authentication in a web browser, to connect their Google account with the web app. Then with the web component connect to the web app using authorization codes and access tokens, as them (their google account) so that actions by the web app occur on their google drive. As stated above, the web app is set to "User who accesses the app" and "Anyone". This is the part I need help with. I do not understand what I need to do to connect the user to the web app without using a web browser.
This is the kind of thing I mean:
https://developers.google.com/gdata/articles/using_cURL
Your setting of Web Apps and goal is as follows.
Web Apps is deployed as Who has access to the app: Anyone.
You want to make users access to Web Apps.
Issue and solution:
In the current situation, there are the following situations for using Web Apps.
When the users access to the Web Apps by each browser, the users can access by logging in to each Google account.
When you want to make users access to the methods (for example, curl command and script) except for the browser, it is required to share the Google Apps Script project of Web Apps with the users.
Unfortunately, it seems that above situation is the current specification. I confirmed the change of this specification at April 11, 2018. Before this change, the users had been able to access to the Web Apps by the curl command and script with the access token without sharing the Google Apps Script project. By the change of specification, when the project is shared with the users, the users can access to Web Apps using the access token.
In this case, it is required to include the access token to the request headers. Because in the current stage, access_token=### as the query parameters cannot be used. Ref
Note:
From this situation, I think that when sharing the Google Apps Script project is not the direction you expect, in the current stage, the Web Apps with Who has access to the app: Anyone cannot be used by the method except for the browser.
References:
Taking advantage of Web Apps with Google Apps Script
Web Apps
I'm developing some automation/integration between a CRM software and my google account. I am attempting to use the Google Apps Script API so I can remotely execute functions in Google Apps Script through the integration I'm building from within the CRM software.
The only problem is, when attempting to run a function which calls a GAS function through the API, I get the following error:
"Apps Script API has not been used in project project number before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/script.googleapis.com/overview?project=103424032563 then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry."
This would normally be no problem, as I would simply access the GCP portal through the link and enable the GAS API, but when I try to access my project, I don't have access at all, and get the "failed to load data" error.
Further complicating my issue, GCP support will not help because they suspect I am a hacker trying to obtain access to a project that, for all they know, isn't mine.
And because I cannot access this project to authorize the API, I also cannot associate my google script with the same project, as this is a requirement for the Google Apps Script API to function.
I suspect it's the CRM software piece in which I'm developing this integration that is causing this error, (somehow the GCP project is being created by a different user,) but they haven't been all that helpful in determining what's going on.
Have any of you had a similar situation? And, if so, how did you approach solving it?
Further complicating my issue, GCP support will not help because they
suspect I am a hacker trying to obtain access to a project that, for
all they know, isn't mine.
Google Support does not refuse to help. They don't accuse you of being a hacker. Google Support can look at the project and see if you have credentials in the project and if you do they can explain how to authorize yourself. However, Google Support requires a support agreement, which is not free. If you do not have one, then you are not entitled to technical support only billing support. Look up your billing account ID and send a request for billing support. Your billing account will also show you which projects are linked to your billing account.
The issue is that you are trying to access the wrong Project ID. Figure out what is the correct Project ID. If you have the Cloud SDK installed execute this command gcloud projects list and this will tell you which projects your credentials have access to.
I have a Google Apps Scripts web app and I would like to publish it on the Google Apps Market Place. I followed this instruction (https://developers.google.com/apps-script/guides/domain-wide-web-app) to properly setup the Apps Market Place SDK but I have some troubles.
To test installation flow I use the button in the setup page of the API, so :
My issue is if a user install the app as I allow personal install
The user validate rights and after he is redirected to the application. There I have an issue because the apps script web app request a "Offline access" in a new pop up.
=> I don't know how to add this scope because I don't find any scope for this need to add in the market place SDK setup.
What I found on stackoverflow is I probably have this message because on scope request by apps script web app there is the approval_prompt parameter set to force.
My question is how to avoid that and allow user to connect to app after validating scope on the apps market place ?
Thank you,
Stéphane
You can follow the List of Best Practices
Before you publish your Google App Marketplace application, please review the following list of best practices. Adhering to these best practices will help your application make it through the Google Apps Marketplace review process smoothly without you needing to make additional changes.
This document explain:
3: Define your scopes properly
All OAuth2.0 scopes must be defined in the Google Developer's Console, in the Scopes section of the Google Apps Marketplace SDK. This is essential in order to achieve one-click or zero-click SSO, as described in the following section.
According to this previous question, in the Admin Conso
I've added a few scripts to a Google Spreadsheet. One uses the Drive API. First time a person runs the script he has to manuallly enable access to Drive API and click on the link to Google Developer Console and enable access to Drive API.
There are about 100 people in my organisation who are going to use this spreadsheet and is there some way for me as a domain owner to enable Drive API so that the users don't have to do it by themselves?
/Magnus
Your users are going to have to create there own application in Google Developers console, and authenticate themselves.
Google Made a change recently that makes it against terms of service for you as a developer to give out your client id from Google developer console. So they will need to make there own. There is also no API that will let you automate this for them either.
As for authenticating that is the nature of authentication. Each user must give the application /or in this case script access to there account.
Sounds like you are doing everything correctly right now. It may seam time consuming but that is the way things have to be done.
I have a script that I would like to make available to all the users of our Google Apps domain, but I don't want to publish it to the Chrome store. We would like to avoid deploying it from a single user account. How is this normally done?
It really depends on your use case, but there are a number of ways this might be achieved from publishing a code library (and limiting the sharing of the link), hosting it in a Google Site to publishing it as a url triggered webservice.
It depends on whether you want to share the functionality to others or literally the code.