I have a Google Apps Script Web App distributed to multiple users all in one domain. They trigger it manually via the web app URL available from the publish screen (i.e. it's not a marketplace app). I'm trying to figure out how to grant user data permissions domain-wide if possible so that users don't have to confront a user data request dialog when it first runs for each given user. FYI they are all on g-suite for business. This is not about "verified app" oath, but about the personal data access permissions. Also, if important, the app is published with "execute the app as user accessing the web app" because the app needs to pull the email address of the current user in order to function, and on that same screen, access was given to "anyone". I couldn't find this question posed already—apologies if I'm wrong. Thoughts appreciated!
If possible please publish add-on app within the domain, it will allow the users.
(You can publish web addon within the domain without any extra cost and permission)
More details https://developers.google.com/apps-script/add-ons/domain-wide
Hope it will helpful for you!
Related
I am in the process of developing a google apps script web app designed for school teachers and students. I have deployed a version of the web app with following settings:
Execute as: User accessing the web app
Who has access: Anyone with Google account
My intention is to make this app available to anyone with a google (gmail, or edu/org google account).
The app still has a Publishing status of 'Testing' in the 'OAuth consent screen' settings. I am trying to get a few users test this web app.
Users in my google domain all seem to be able go through the OAuth2 steps, and access it without issues.
Test users with #gmail.com accounts that I have added to the 'Test users' list in 'OAuth consent screen' settings are able to go through the OAuth2 steps, and access it without issues.
BUT, test users that I have added to the 'Test users' list in 'OAuth consent screen' settings that are google EDU domain accounts (not #gmail.com) can not seem to get past the OAuth2 steps they are presented with. I have two such users, from two different google EDU domains, and both have the same exact issue:
Upon accessing the app URL, they are presented with a google sign in
prompt.
User clicks on "Review Permissions" to open the OAuth flow
in a popup.
User chooses/confirms the google EDU account they wish to
use to sign in.
Everything normal upto the above step, but on the
next screen, they see this message and there is no way to proceed:
Something went wrong
Sorry, something went wrong there. Try again.
The url on the popup at this point starts with https://accounts.google.com/info/unknownerror?access_type=offline&login_hint=xxx
Scopes requested - if relavant:
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/forms",
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/userinfo.profile"
My questions:
How do I resolve this issue?
Is this issue specific to just the 'Testing' status, or might this still be an issue with the app when it is published?
Update: It appears that the issue goes away if I publish the app (in OAuth Consent screen settings).
Is it possible to write under Google Apps Script a web app who performs a GET by UrlFetchApp.fetch(...) as if it were a request coming from a browser with a GSuite user correctly logged in?
What I need is to send a GET request from my app to another GAS web app accessible only by my domain's users (GSuite).
The main reason I need this is that the second app works on a Google Sheet visible and writable only by my staff, meanwhile the initial GET sent by the first app must be deliverable by everyone, also anonymously.
Many thanks!
It is possible to make a GET request from one Apps Script Web App to another Apps Script Web App within the same domain, and restrict access within the domain.
A Web App can be published with a "Who has access to the app:" setting of:
Anyone within {Your Domain Name Here}
That will restrict access to anyone in your domain.
I have created an App in Google AppMaker and have shared the Deployment to Anyone with the link can view (No sign-in required).
Application Access in Deployment Settings is set to "Do not restrict access to this application".
Application is set to runs with Developer Account.
However, if someone try to access the app with the..
..Deployment URL (https://script.google.com/macros/.../exec), they get redirected to login screen (https://accounts.google.com/signin/...),
the app does open correctly after signing in, but the sign-in shouldn't be required.
..Link to share (https://drive.google.com/file/.../view), they get: No preview available
I switched once to "Application set to runs with User Account", but results remains same. Actually, I reset this setting as I consider "Application set to runs with User Account" to require User authentication in order to load their assigned permission.
I most probably missed something on the way of sharing my app.
Can someone please help?
Let me know if you require more details about this case.
Thanks!!
You can't.
Note: App Maker apps are only available to users in your G Suite domain. You can't share them with external users.
To make sure only users on your domain can access it, users need to sign-in.
I have received email from Google with subject: [Action Required] Submit your app(s) for Restricted Scopes OAuth verification,
same as many of you.
I'm using GAS only for developing applications for my personal use - not for public. Applications such as sending summary emails to my clients, when they buy a product from my web pages.
Do I have to go through the whole process of verification?
Do I have to create public Terms of Service?
Is there any way how I can explain to google, that my applications are not used by anybody else then by
me?
How to get to know for sure that my app won't stop?
I have read through FAQ (https://support.google.com/cloud/answer/9110914) and many other documents by google about this topic..
I have checked similar questions found on web, but with no luck of answers.. It looks it's pretty new experience for all of us..
Thank you for any advices.
I have personal account, so I can't use "internal apps" selection, this works only for paid G-suite customers which I'm not.
EDIT:
As Yoel Vinitsky stated, app doesn't need verification if it has only one user.
Here at bottom: https://support.google.com/cloud/answer/7454865 is table which shows that there is quota 100 new users in total, once the app presents the unverified app screen.
It seems like that I don't have to worry about verification of my apps at all, because I'm the only one user or maybe I use this app from 2 or 3 more users emails so it should be ok, my question is, is it going to be ok without verification, or not?
EDIT 2:
Google sent clarification email:
NO ACTION is required if:
Only owners use the project: If the project is only used by owners of the project, no action is required.
To determine whether you are an owner (versus an editor or viewer), follow these steps:
Click the project link above to navigate to its OAuth Consent Screen
configuration page.
Click the Navigation Menu button in the
upper-left corner, select IAM & admin, and click IAM. This will show you all project contributors and their roles.
The project doesn’t have users outside of your G Suite domain:If the project owner is using a G Suite account and the project is only used by Google Accounts in the project owner’s domain, no action is required (learn more here).
But the question is how to avoid verification with personal accounts for my own scripts used only by me?
As mentioned in the support FAQ You linked to:
When can I skip publishing my app for a review?
You do not need to request for verification if your app is
going to be used in any of the following scenarios:
1) The app is not shared with anyone else.
2) The app is used to send emails through WordPress, or
3) similar single account SMTP plug-ins.
The only drawbacks should be the warning that your app is unverified and maybe quota limits.
For users that are logged into multiple accounts, how can a script let the user pick an account? For example, Gmail, Google Drive, etc. provide a way for the user to select which account to use with a selectable option on the top-right of the page:
How can developers implement a similar mechanism?
There seems to be no way to do that with Google Apps Script libraries - GAS just uses the current primary account. Also, unfortunately, the API Client Library and thus Google Sign-In for websites don't work inside GAS web apps because of the sandbox frame. You could write your own or use some existing OAuth implementation to authenticate with Google but I found a much much simpler solution using Auth0 Lock with only a Google Connection (using the popup method because the redirect method doesn't work within the sandbox frame).
With Chrome Version 70.0.3538.102. You may resolve your issue (at least i did)
Now i make sure i ONLY signed in ONE account at a time. Then use "manage people"
if i have 3 google accounts, i will create 3 people and each time you only have 1 active google account session. With this setup, i ensured everytime my script only execute with my G Suite user instead of #gmail accounts
You can try using the Directory API to work with Apps Script. Retrieve the user using:
GET https://www.googleapis.com/admin/directory/v1/users/userKey.
You can then make an interface that displays the user accounts details(Name, email,etc).