Gmail add-on connecting to non-Google Services without oAuth - google-apps-script

Is it possible to authenticate to third-party service in G-Suite (Gmail) Add-ons, but without oAuth. The service I want to authenticate works on REST API and has no oAuth support.
The best for me would be to open a new window (as with oAuth), login there and return token to the Gmail add-on frame. If that won't be possible, I'd go with giving a username and password in dedicated Card in add-on, but I'm not sure it that solution will pass Google verification when publishing in Marketplace.
I'll be grateful for all the suggestions.

Unfortunately no. When connecting your add-on to third party services(ex. your application server), Gmail forces you to set up a separate authentication process for user to go through to use your services.
However, if the non-Google service does require authorization, you'll have to configure OAuth for that service. You can make this process easier by using the OAuth2 for Apps Script library (there is also an OAuth1 version).
Your service can still use Google OAuth to authenticate the user, you just need to set it up separately from your Gmail add-on.
You can read more on it here: https://developers.google.com/gmail/add-ons/how-tos/non-google-services
Also in my post I explain the process of connecting your non-google services to gmail add-on in more detail

Related

How to Publish Google App Sccript Gmail add-on for Google Workspace Marketplace SDK

I have developed a Google Appscript gmail addon which users can report spam emails.
I followed the exact steps mentioned in here to publish the add-on.
Setup GCP project and linked it with App Script
Configure OAuth screen and submit it for verification.
I am using following scopes.
OAuth Scopes
Since I am using sensitive scopes, I have to submit it for OAuth
verifcation. I was asked to verify all domains and then I verified all
domains and now all are showing as verified in search console .
I communicated it with the OAuth verification team and still OAuth
verification status is showing as "Pending developer action". I tried
to get some advice from OAuth verification team and I did not get any
response from them.
OAuth verification status
Enable and configure the Google Workspace Marketplace SDK
Create a store listing.
Since Gmail add-on needs to be available for all domains, I have
submitted the GCP for store listing as well. Status is shown as "Under
Review".
I need to publish the Add-on to Google Workspace Marketplace ASAP.
Can some one advice me to continue the publish process?

How do I get user credentials (refresh token) after the user installs my Drive App in the GSuite Marketplace?

I am making a server side web app that integrates with Google Drive's "Open With" button.
I've been able to get a refresh token with the InstalledAppFlow in the python client library (go to my install endpoint redirect user to consent screen and google uses the redirect_uri to send the code to my server) and access the data I want.
What I don't understand now is how do I get a refresh token after a user installs and consents to the permissions requested by my app in the GSuite marketplace? Does Google post the information to one of the redirect URIs of your OAuth2.0 client Ids? Do I have to ask the user for consent again and get the refresh token as before when he uses "Open With" from Google Drive?
Its not clear to me how the oauth flow works with apps installed through the GSuite Marketplace. Thanks for any help!
I've figured out my problem. What I was looking for doesn't exist. Google doesn't already generate credentials when the app is installed from the G-Suite marketplace, unless you use a service account. Presumably you have to authorize the user yourself the first time he uses your app.

Is it true that the Drive API does not revoke the token but the Gmail API revokes when the account password is changed?

UPDATE TITLE: "Why does RCLONE work with Drive API without credentials, while Gmail API doesn't?" to "Is it true that the Drive API does not revoke the token but the Gmail API revokes when the account password is changed?"
What does the link below say are only valid for the Gmail API? Because with the rclone application, even if the password was changed, the token was never revoked.
https://support.google.com/a/answer/6328616?hl=en
I don't know how RCLONE works, but at a certain point it has to make the OAuth process to authenticate your app and let it use the Drive API.
OAuth 2.0 The authorization protocol that Google Drive API requires to
authenticate your app users. If your application uses Google Sign-in,
it handles the OAuth 2.0 flow and application access tokens.
Now, this PHP Quickstart will give you guidance on how to use the Gmail API, there it shows how to download and use the credentials.json file.
Docs
For more additional info, read this:
Authenticate your users
Enable the Google Drive API

Install and run Google apps script from domain administartor account

is it possible to install and run my Google apps script to all users within the domain as a domain admin?
No, it isn't. AFAIK anyway.
What you can do is, on most Google APIs, using Apps Script UrlFetch instead of the built-in services, you can impersonate the users if you're running from the domain admin account.

Can I authenticate with Google username and password in Google Drive API?

Can I authenticate with just Google account username and password instead of using OAuth? If not, is it planned to support this kind of authentication in the future versions of Google Drive API?
I am currently using Google Documents List API which allows to authenticate with just username and password. So I am wondering if I can I do the same thing with Google Drive API.
Are there any reasons you cannot use OAuth 2.0 as your authorization mechanism?
Client Login is currently being deprecated and it would be better for you and your users to use OAuth 2.0.
There are multiple code samples available in the Drive SDK documentation as well as in the various client libraries project page to help you get started.
If you are running a server application, consider using a service account with OAuth2 and the Drive API. This will allow you to run the app on a server without a user having to provide OAuth2 credentials on the console or through a UI. You can also do impersonation if you want your app to act on documents with a specific account.
GoogleCredentials credentials = new GoogleCredential.Builder()
.setTransport(HTTP_TRANSPORT)
.setJsonFactory(JSON_FACTORY)
.setServiceAccountId("[[SERVICE_ACCOUNT_EMAIL]]")
.setServiceAccountScopes(DriveScopes.DRIVE, DriveScopes.DRIVE_FILE,
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile")
.setServiceAccountPrivateKeyFromP12File(Auth.keyFile)
.setServiceAccountUser("[[impersonateduser#domain]]")
.build();
credentials.refreshToken();
I've found this blog post somewhere (possibly here): http://blog.databigbang.com/automated-browserless-oauth-authentication-for-twitter/.
I know it is regarding Twitter, but it uses the same method, so I reckon it just needs a little tweak in the names. In short: if the script is run only by server, install Jython + HTMLUnit, simulate user going to the generated authorization link and clicking 'allow access' button and get token.