My scenario:
A Google Apps Script Web Application served from its server-side index.html to fill the students score on a spreadsheet.
The script is embedded as iframe in a website page hosted on Firebase.
I need a way to protect this web app and make it only accessible for specific users via Firebase Auth. username and password.
It's not possible to protect static web content with Firebase Auth. What you can do instead is is protect access to your backend using a ID token provided by the client to the server, and the server can validate that the user can take action. You would use the Firebase Admin SDK on the backend to validate the token.
Related
I'm developing a desktop app that makes uses of Google Sheet API v4. Within the app's Project in the GCP console, the scopes for the OAuth consent screen are the following:
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/spreadsheets
https://www.googleapis.com/auth/userinfo.email
I'm able to get an OAuth access token (plus a refresh token) from my desktop app via the authorization code flow. I can get the list of Spreadsheets and all their tab names, etc via cURL calls when I add the access token as a Authorization : Bearer {{token}} header.
Now, I have written a simple Google Apps Script that I associated with the desktop app's project in the GCP console using the "Resources > Cloud Platform Project" menu item. Then, I deployed the Apps Script as a Google Web App with the following settings within the "Publish > Deploy as web app" dialog:
Execute the app as: User accessing the web app
and
Who has access to the app: Anyone
The manifest for the Google Apps Script Web App contains the following for OAuth Scopes:
"oauthScopes": ["https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/spreadsheets", "https://www.googleapis.com/auth/userinfo.email"]
Now, I figured that since the desktop app scopes are the same as the deployed Web App, the access token I retrieve from the initial authorization code flow would be enough to grant the end-user permission to access and use the Web App. However, when I test the Web App by making a call to it via cURL, I am met with a response that says:
Drive
You Need Permission
Want In? Ask for access, or switch to an account with permission. Learn more
You are signed in as end-user#sampledomain.com
Based on the You are signed in as... statement, the Web App permission screen does "know" the desktop app's end-user email address.
Is it possible to use the initial access token the end-user retrieved via my desktop app to successfully interface with the deployed Web App? Or, does the end-user need to authorize BOTH the desktop app (to retrieve the Drive Spreadsheet files, etc.) AND the Web App that queries and updates the sheet? I would prefer that the user NOT have to grant permission twice. Is it possible to have the user grant permission to ONLY the desktop app which would also grant permission to the Web App?
If the end user MUST grant permission to both the desktop app and the Web App, I'm not sure how to retrieve an access token from the Web App permission screen. If the end user grants access to the Web App explicitly, does that permission last forever for that particular user's email? I'm not certain we can use a OAuth authorization code flow for a deployed Web App.
Any insight or guidance is appreciated!
In my Google App Script webapp, I would like to implement Firebase Phone authentication using FirebaseUI. But I am getting an error 'Hostname match not found' error when authenticating after reCaptcha verification.
So, please help me to understand:
If Firebase phone auth can be implemented for GAS webapps using FirebaseUI?
If yes, then what should I put as the 'Authorized Domain'? (I have tried with script.google.com, but it did not work)
Edit: After further studying, I found that the GAS webapp is served over a subdomain of script.googleusercontent.com and was able to use FirebaseUI phone auth by adding the subdomain as 'Authorized Domain' under Firebase auth.
Now, I would like to understand:
The subdomain over which a GAS webapp is served, is it exclusive and static per appscript project?
I am developing an application using Google Apps Script and using some Advanced Services such as Admin SDK (Directory API) and Reseller API.
It seems like these API's are being called by my WebApp under context of user who is accessing my WebApp (it's deployed with 'Execute the app as 'User accessing the webapp').
Ideally, I would like these API's calls to be authenticated with some Service Account under my project (in Dev Console). Is it possible? How?
When your scripts are ran as 'User accessing the webapp' it runs off the users data against your quota. If you want to run it against your data you need to change the settings to execute the app as "me".
If you need to do a mixed authentication model where the app needs to access the data of two different accounts, you have some options. Either way one account gets to access the built in Apps Script services and the other will use the REST interfaces to the APIs to access their data.
You can run the app as "me" then manage your own Oauth for the user. This can be done with an OAuth Library such as:
https://github.com/googlesamples/apps-script-oauth2
Or you can run the app as the user and use a service account for your server. Here is a library I put together for using service accounts in Apps Script:
https://github.com/Spencer-Easton/Apps-Script-GSApp-Library
From a small appliance, not capable of SSL, I would like to update data in a google spreadsheet. Using this script I can submit the data - but only using SSL (via the URL https://script.google.com/a/macros/...).
Is there any possibility to access the same published web app script, but without SSL?
No, SSL is always required to access a script.
Can I authenticate with just Google account username and password instead of using OAuth? If not, is it planned to support this kind of authentication in the future versions of Google Drive API?
I am currently using Google Documents List API which allows to authenticate with just username and password. So I am wondering if I can I do the same thing with Google Drive API.
Are there any reasons you cannot use OAuth 2.0 as your authorization mechanism?
Client Login is currently being deprecated and it would be better for you and your users to use OAuth 2.0.
There are multiple code samples available in the Drive SDK documentation as well as in the various client libraries project page to help you get started.
If you are running a server application, consider using a service account with OAuth2 and the Drive API. This will allow you to run the app on a server without a user having to provide OAuth2 credentials on the console or through a UI. You can also do impersonation if you want your app to act on documents with a specific account.
GoogleCredentials credentials = new GoogleCredential.Builder()
.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("[[SERVICE_ACCOUNT_EMAIL]]")
.setServiceAccountScopes(DriveScopes.DRIVE, DriveScopes.DRIVE_FILE,
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile")
.setServiceAccountPrivateKeyFromP12File(Auth.keyFile)
.setServiceAccountUser("[[impersonateduser#domain]]")
.build();
credentials.refreshToken();
I've found this blog post somewhere (possibly here): http://blog.databigbang.com/automated-browserless-oauth-authentication-for-twitter/.
I know it is regarding Twitter, but it uses the same method, so I reckon it just needs a little tweak in the names. In short: if the script is run only by server, install Jython + HTMLUnit, simulate user going to the generated authorization link and clicking 'allow access' button and get token.