The problem:
I've been stuck trying to figure this out all day. I'm writing an app script within my Google Sheets to query YouTube API data from a particular YouTube channel, and it works when I connect every account but the actual YouTube account (brand account) we're trying to query.
The setup:
youtube.email#gmail.com - where the YouTube account is hosted.
ryan#gSuiteCo.com - where I am writing the script.
What happens:
When I execute my code, it asks for authorization, so I log in with youtube.email#gmail.com. Then it gives me the option to choose the YouTube Brand account or the youtube.email#gmail.com Google account. If I select the email Google account it works (but then is pulling from the wrong YT account). If I select my YouTube account, nothing works, and I end up in an authorization loop. I hit run, and a pop-up asks me to authorize. After authorized, it doesn't actually run... and that's an infinite loop.
My suspicion is that the issue relates to enabling YouTube API. For every account, I am able to login to the admin and enable the APIs for my App Script, but I have no way of doing that for the YouTube account. When I enable it for youtube.email#gmail.com, it enables it for the wrong YouTube brand account.
So, I have no idea what's going on. What's the right way to do this? I have tried just writing and deploying the code from the youtube.email#gmail.com account, and I get the same issue.
It sounds like it's because of a known Apps Script issue where it has trouble working when you are logging into multiple Google Accounts - it always uses the default account.
Romain Vialard recently wrote an article about how they get around the issue.
Related
So the issue is that sometimes users end up getting endless Authorisation Screens even after approving authorization.
This happens because of the multiple-user login sessions issue in the Google Apps script "https://issuetracker.google.com/issues/69270374" which somehow mix the account approving the authorization and executing the script.
I have tried the methods found on the issue page so far like these
https://apps.myrout.es/msii
https://sites.google.com/site/scriptsexamples/home/announcements/multiple-accounts-issue-with-google-apps-script
Most of them are relevant to Add-ons not for web apps as I don't see a possibility to compare user emails.
Gone through these questions here but none of them have any references which can be used to find a workaround for web-apps
I can't open my Web App Link on Google App Scripts when multiple Gmail accounts logged in
Google Web App Multiple Google Accounts Error
At the moment I want to determine whether the user is having multiple users logged in and ask them to log out(will provide a link to log out) and log in with a single account instead.
Is there a way to handle it?
Thanks
I've created a few Google Analytics V4 only properties a while ago.
Big mistake.
I'm using Google Spreadsheets to track the progress and such, and had to waste time migrating the API for it using OAuth2 and the Google Analytics Data API (GA4)
All went fine. Until a few weeks ago when it stopped working. I see there's a new version, Google Analytics Reporting API v4
I've procrastinated, so I'm doing the migration now, but hit a brick wall:
"User does not have sufficient permissions for this profile."
I don't understand why I get this issue. Remade the credential in the developer console, redone the Oauth2 process, recreated the tokens, checked everything still this issue.
So I decided trying the "Try this API", I get into the same issue
Which is weird, I'm logging in using the analytics admin account. Also this error is weird:
"This error may be due to using an insufficient credential type. Try using OAuth 2.0.",
since I'm basically logging in using the provided pop-up
The view id I took from here:
I've tried with any ID I could find (yeah, even MEASUREMENT ID and STREAM ID) and multiple sites (views)
What am I missing?
your error
"User does not have sufficient permissions for this profile."
Basically means that the user you are authenticating with does not have permission to access the view id you are using. Authorize your code with user that has access to it. I have a video on this User doesn't have any google analytics accounts easy solution
confusion
I am however a little confused as to what you are doing. Your code says that you are using the Google Analytics reporting api, your using a view id which implies that this is a universal analytics account.
Yet you are trying to use the Google analytics data api which is intended for use with Google Analytics GA4 accounts.
Google Analytics Data API (GA4)
and won't work with your universal analytics account with a view id, it only works with the new Google Analytics GA4 accounts.
90% of my Google Apps Script/HTMLService web app is available to anonymous users, however user must be signed in with G-Suite account in order to access the remaining 10%.
Desired behavior is that if user is already logged in to G-Suite (e.g. read Gmail from that browser), the web app recognizes the user without prompting to log in again – as if you went to Google Calendar just after reading Gmail. If user isn’t logged in yet – he needs to be prompted to log in using #my_g-suite.com account when accessing the restricted features.
My first try was two app approach: one published as “available to anyone including anonymous” and another “available to members of the my_g-suite.com”. The problem with this approach is that 2nd app only shows log in screen if browser has no google identity. If user is logged in to regular, non-g-suite gmail, strange google Driver error is shown instead of login prompt. I posted question about this a while ago, no solution.
So instead I implemented a sign-in button using this guide. Behavior I’m seeing is not what I expected:
If user is already signed in with UserOne#my_g-suite.com prior to accessing the app (e.g. looked at G-Suite email account), Session.getActiveUser() on server side returns correct user ID, however googleUser.getBasicProfile().getEmail() on client has nothing.
If user has not signed in with G-Suite ID using prior to accessing the app and then signs in using the Sign In button on web app, googleUser.getBasicProfile().getEmail() returns correct user ID, however ), Session.getActiveUser() on server side returns nothing.
If user has signs in using the button as UserTwo#my_g-suite.com, no other G-Suite app recognizes it. So if user then signs in to UserOne#my_g-suite.com and comes back to the app, Session.getActiveUser() says it’s UserOne#my_g-suite.com and googleUser.getBasicProfile().getEmail() says it’s UserTwo#my_g-suite.com. Two conflicting identities simultaneously.
How do I make sign-in into my app be 1) seamless with other G-Suite services rather than having completely separate, app-only 2nd identity and 2) restricted to #my_g-suite.com?
Following #TheMaster advice I tried this:
Created a Google Sites site "login.my_g-suite.com" which is only available to g-suite users and has a single page which says "you are logged in to g-suite"
In my web app which runs as "me" and is "available to everyone, even anonymous", I implemented a check if Session.getActiveUser() is g-suite user. If not, I do window.open("https://login.my_g-suite.com") which opens log-in screen in the new tab as expected.
After user logs in, I reload web app. And here's the sad part:
If browser hasn't been used for non-G-Suite account (like regular Gmail) - all works great. Session.getActiveUser() shows newly logged in user ID
BUT if that browser has been logged in to non-G-Suite account, Session.getActiveUser() has no idea about the fact that I just logged in G-Suite in another tab (even after reloading web app). Which is back to square one.
Comparing this to Google's own apps, this behavior is not much different: e.g. if you read regular non-g-suite gmail, then go and log in to Google drive using G-Suite account, and then reload gmail - it doesn't take you to G-Suite Gmail automatically just because you logged in to G-Suite account on that browser. You need to explicitly tell Gmail that you want to use G-Suite account by invoking active-account-selection menu (round avatar icon on the right upper corner).
Looks like no matter what approach I take, I hit the same wall: the need to tell stand-alone Google App Script which Google identity is current. And I don't see any way of doing that.
What I stated above is no longer true due to recent change by Google. (2) now results in Error 404 instead of login screen.
Sign-in issues which a few days ago were only affecting stand-alone Google App Script apps now are plaguing entire G-Suite. Our volunteer first-responder organization got G-Suite mainly for the secure intranet site (members.my_g-suite.com) where we share internal protocols and documentation. It's built on new Google Sites and Google Team Drive. Before Wednesday attempt to access members.my_g-suite.com used to take to G-Suite login screen. Now it takes them to "404. That’s an error. The requested URL / was not found on this server. That’s all we know.". The only workaround is to force users to log out of personal Gmail each time before accessing G-Suite, which is not a reasonable request for a volunteer using personal device. We feel like Google pulled the rug from under our feet. The only hope is that this is a temporary change and they'll revert it to how it was in the beginning of the week. We also confirmed that this change is not limited to our G-Suite.
This is because your web-app runs inside a iframe. You can force login by denying access to the web-app manually.
onload, Check Session.getActiveUser().getEmail() server side and see if it matches your domain,
If it does, proceed to load your actual web-app
If not, just provide the information that the user needs to login to your gsuite to access.
You can also
Proceed to open https://admin.google.com (or any url specific to your domain) in a another tab
See whether it's open and use setInterval to check the other window.close property. When closed, reload your web-app.
I am using, since a long time, a Google script that accesses my YouTube channel, gets and modifies some information from it and saves some data in a Google sheet.
It always worked fine, but then, about a week ago, Google somehow split my access rights between my normal account (primary email) and my YouTube account (that goes under a different nickname).
I cannot find a way to run even the simplest command:
var my_playlists = YouTube.Playlists.list('snippet', {
mine: true,
maxResults: 50,
})
.items;
The problem is that google now prompts me with an authorization page and I can choose between 2 accounts. One is my primary account, the other is the YouTube one.
If I choose my primary account, the code runs but I cannot see the data of the YouTube account.
If I choose the YouTube one, I still cannot access the data I want and it keeps asking for permission every time I run the code.
I understand there is a problem of authorization between the two channels, but I did not have it before and cannot find any suggestion to solve it.
What can I resolve this problem?
I've been struggling with the exact same issue but for another cause.
Anyways, so far I can manipulate anything I want within my PERSONAL youtube account, granting access using OAuth to MY ACCOUNT, but if grant access to my branded account, the script doesn't even begin, apparently it's a bug that causes loop in the script.
You can check this out for more info:
YouTube Apps Script API only runnable by accounts without a YouTube channel?
https://issuetracker.google.com/issues/36764531
https://mashe.hawksey.info/2017/09/identity-crisis-using-the-youtube-api-with-google-apps-script-and-scheduling-live-broadcasts-from-google-sheets/
Using Youtube Data API to Edit with Brand Account Playlist
For users that are logged into multiple accounts, how can a script let the user pick an account? For example, Gmail, Google Drive, etc. provide a way for the user to select which account to use with a selectable option on the top-right of the page:
How can developers implement a similar mechanism?
There seems to be no way to do that with Google Apps Script libraries - GAS just uses the current primary account. Also, unfortunately, the API Client Library and thus Google Sign-In for websites don't work inside GAS web apps because of the sandbox frame. You could write your own or use some existing OAuth implementation to authenticate with Google but I found a much much simpler solution using Auth0 Lock with only a Google Connection (using the popup method because the redirect method doesn't work within the sandbox frame).
With Chrome Version 70.0.3538.102. You may resolve your issue (at least i did)
Now i make sure i ONLY signed in ONE account at a time. Then use "manage people"
if i have 3 google accounts, i will create 3 people and each time you only have 1 active google account session. With this setup, i ensured everytime my script only execute with my G Suite user instead of #gmail accounts
You can try using the Directory API to work with Apps Script. Retrieve the user using:
GET https://www.googleapis.com/admin/directory/v1/users/userKey.
You can then make an interface that displays the user accounts details(Name, email,etc).