I created 2 simple standalone scripts to test the authorization workflow. The first script is a web app that is accessible only to me.
function doGet(e) {
return ContentService.createTextOutput(JSON.stringify({"message":"works!"}))
.setMimeType(ContentService.MimeType.JSON);
}
The calling script gets the token via ScriptApp.getAuthToken() and makes a 'GET' request to the web app.
function call() {
var token = ScriptApp.getOAuthToken();
var header = {"Authorization":"Bearer " + token};
var options = {
"method":"GET",
"headers": header,
"muteHttpExceptions": true
};
var url = 'APP_URL';
var response =UrlFetchApp.fetch(url, options);
Logger.log(response.getResponseCode()); //returns 401
Logger.log(response.getContentText()); // returns 'Unauthorized'
}
Unfortunately, it doesn't seem to work as I get the 'Unauthorized' response. My initial thought was that the token is scoped to each individual script, but GAS documenation indicates the contrary, stating that the ScriptApp token would be sufficient in month cases.
https://developers.google.com/apps-script/reference/script/script-app#getOAuthToken()
I would appreciate any help.
If you are still looking for this answer, how about this answer? I think that when the scopes are installed by Manifests, you can access the Web Apps using the access token with the scopes.
Deploy Web Apps :
The condition for deploying Web Apps is as follows.
On script editor on the project with doGet().
Publish -> Deploy as web app
For "Execute the app as:", set "Me".
For "Who has access to the app:", set "Only myself".
At above condition, when "headers": {"Authorization":"Bearer " + token} is not used for option, the error occurs. So in order to access to Web Apps with above condition, please add the following 2 scopes. In your case, the following scopes are required to authorize.
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/script.external_request
In your case, the above 2 scopes are required. In the case of only https://www.googleapis.com/auth/script.external_request, the error of Unauthorized occurs.
Add scopes to Manifests :
Please install above scopes to Manifests (appsscript.json) as follows.
On script editor on the project with call().
View -> Show manifest file
Please add the following oauthScopes to appsscript.json.
"oauthScopes": ["https://www.googleapis.com/auth/script.external_request", "https://www.googleapis.com/auth/drive"]
Response :
After it installed above, please try to run your call() again. In my environment, I retrieved the following response.
200.0
{"message":"works!"}
If I misunderstand your question, I'm sorry.
Related
I'm building a Workspace addon that you launch from Google Drive and that will be executed as a background task.
To do so my apps script addon calls a Google Cloud Function that calls the Apps Script back using the Apps Script API. I do see because the process can take quite some time.
In my addon, I have declared some scopes:
"oauthScopes": [
"https://www.googleapis.com/auth/userinfo.email",
"https://www.googleapis.com/auth/script.external_request",
"https://www.googleapis.com/auth/drive.addons.metadata.readonly",
"https://www.googleapis.com/auth/drive.file",
"https://www.googleapis.com/auth/script.scriptapp"
],
The user opens the addon, it has to grant access to those scopes
He selects a Google Drive file on which the process will be executed. He pushes a button.
My Apps script calls a Google Cloud Function and sends the Oauth token of the user
The Cloud Function calls my Apps Script function, with the Apps Script API, using the Oauth token as authentication bearer
When someone, not me, tries the addon (someone who has no permission on the GCP project nor the Apps Script project), it fails with a 403 error.
Both the Apps Script and the Cloud Function are on the same GCP project and the Apps Script API is enabled.
Calling the GCF from Apps Script
const userToken = ScriptApp.getOAuthToken();
const resp = UrlFetchApp.fetch(BACKGROUND_GCF_URL + '?userToken=' + userToken + '&fileId=' + fileId + '&execUid=' + execUid, {
headers: {
Authorization: 'Bearer ' + bearer // it is here an identity token that I've generated
},
muteHttpExceptions: true
})
Calling the Apps Script API from the GCF
const body = {
function: 'receiveGCFcall',
parameters: [
execUid, fileId, userToken
],
devMode: true
}
const config = {
headers: {
Authorization: 'Bearer ' + userToken
}
}
axios
.post(URL, body, config)
.then(resp => {
console.log(`statusCode: ${resp.status}`);
console.log(`data: ${JSON.stringify(resp.data)}`)
if(resp.data.result === 'NOT OK') {
console.error(`[${execUid}] Something went wrong, the slides have not been updated`)
}
}).catch(...) // it goes here with a 403 error
A drawing if it helps
The Apps Script project is deployed as a Workspace addon (and currently being reviewed by the Marketplace team). The project is not shared to anyone but me.
I use a service account (and its identity token) to call the GCF from the Apps Script
I try to use the connected user Oauth token when calling back the Apps Script from the GCF
I have a "executionAPI access: anyone" in the manifest, but I'm not sure if it's useful
edit after few other tries, I figured out that if I try the process with an account who is editor of the Apps Script project, all works fine. If the account is only reader on the Apps Script, or nothing, it won't work. So basically the bearer that I put in the header, from GCF, to Apps Script, seems not to be enough to authorize an account...
My friend #st3ph found the problem: I have to remove the devMode: true when calling the Apps Script API cause this dev mode is only available for users who have write access to the Apps Script project.
I'm using Apps Script API to run a function with the service account's credential.
I added all scopes required in Rest resource API https://developers.google.com/apps-script/api/reference/rest/v1/scripts/run.
But when i run this script below it failed.
function run(){
var CREDENTIALS = {
"private_key": "Your Private key",
"client_email": "Your Client email",
"client_id": "Your Client ID",
"user_email": "Your Email address",
"api_key": "Your API key"
};
var service = getService(CREDENTIALS.client_email,CREDENTIALS.private_key);
service.reset();
if (service.hasAccess()) {
var url = 'https://script.googleapis.com/v1/projects/[SCRIPT ID]:run';
var body = {
"function": [FUNCTION NAME]
};
var params = {
headers: {
Authorization: 'Bearer ' + service.getAccessToken()
},
method: 'post',
playload : JSON.stringify(body),
contentType: 'application/json',
muteHttpExceptions: true
};
var response = UrlFetchApp.fetch(url, params);
Logger.log(response);
}
else {
Logger.log(service.getLastError());
}
}
function getService(email, privateKey) {
return OAuth2.createService('Service Account')
// Set the endpoint URL.
.setTokenUrl('https://oauth2.googleapis.com/token')
// Set the private key and issuer.
.setPrivateKey(privateKey)
.setIssuer(email)
// Set the name of the user to impersonate. This will only work for
// Google Apps for Work/EDU accounts whose admin has setup domain-wide
// delegation:
// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
.setSubject([USER EMAIL])
// Set the property store where authorized tokens should be persisted.
.setPropertyStore(PropertiesService.getScriptProperties())
// Set the scope. This must match one of the scopes configured during the
// setup of domain-wide delegation.
.setScope('https://www.googleapis.com/auth/script.external_request');
}
I've got a 404 Error and I think it comes from the scopes list.
So I can't run a script deployed as an API Executable with the OAuth2.0 token.
Which scopes should I choose to run a function via an HTTP request?
In your run function, for the params object you should have payload not playload.
You want to use Apps Script API with the service account.
You want to achieve this using Google Apps Script.
If my understanding is correct, how about this answer? Please think of this as just one of several possible answers.
Issue and workaround:
Unfortunately, in the current stage, the method of scripts.run in Apps Script API cannot be used with the service account. The official document says as follows. About this, when I tested this, I could confirm that the method of scripts.run in Apps Script API cannot be used with the service account.
Warning: The Apps Script API doesn't work with service accounts.
From above situation, as the workaround, how about using the access token retrieved by OAuth2? In order to use the Apps Script API with OAuth2, it is required to link Cloud Platform Project to Google Apps Script Project. About this, you can see the flow for linking them at here.
Note:
I think that when you use OAuth2, Oleg Valter's comment and TheAddonDepot's answer are very useful.
References:
Executing Functions using the Apps Script API
Linking Cloud Platform Project to Google Apps Script Project
If this was not the direction you want, I apologize.
Added:
You want to make several users run the script as the owner who is you.
From your replying, I could understand like above. When Apps Script API is used for above situation, the credential information is required to give each user. When each user uses the access token retrieved by your credential information, your goal can be achieve. But I cannot recommend this. So in your case, I would like to use Web Apps to achieve your goal. The flow is as follows.
1. Prepare script.
Please prepare your script. For example, in the current stage, you want to make users run a function of myFunction(), please put the following sample script.
function doGet(e) {
var values = e; // When you want to give the values by requesting, you can use the event object like "e".
var res = myFunction(values);
return ContentService.createTextOutput(res);
}
In this case, the GET method is used. When you want to only run the function, you can use this script. When you want to run the function by giving the large data, you can use doPost() instead of doGet().
2. Deploy Web Apps.
On the script editor, Open a dialog box by "Publish" -> "Deploy as web app".
Select "Me" for "Execute the app as:".
By this, the script is run as the owner.
Here, when "Anyone" is set, the script is run as each user. In this case, it is required to share the script to each user. And the access token is required to be used. Please be careful this.
Select "Anyone, even anonymous" for "Who has access to the app:".
In this case, no access token is required to be request. I think that as the test case, I recommend this setting.
Of course, you can also use the access token. At that time, please set this to "Anyone".
Click "Deploy" button as new "Project version".
Automatically open a dialog box of "Authorization required".
Click "Review Permissions".
Select own account.
Click "Advanced" at "This app isn't verified".
Click "Go to ### project name ###(unsafe)"
Click "Allow" button.
Click "OK".
Copy the URL of Web Apps. It's like https://script.google.com/macros/s/###/exec.
When you modified the Google Apps Script, please redeploy as new version. By this, the modified script is reflected to Web Apps. Please be careful this.
3. Run the function using Web Apps.
This is a sample curl command for executing myFunction with Web Apps. Please set your Web Apps URL. At above settings of Web Apps, each user can access by the following curl command.
curl -GL \
-d "key=value" \
"https://script.google.com/macros/s/###/exec"
When key=value is used as the query parameter like above, at doGet(e), you can retrieve value using e.parameter.key.
References:
Web Apps
Taking advantage of Web Apps with Google Apps Script
You can deploy the script as a Web App. To do so, go to Publish > Deploy as web app. Set the Execute the app as: field to Me (youremail). This way you can share the script as a browser link, and any user will run the script with your credentials.
You can add a some user interface with a confirmation message so the users know they have successfully executed the script. You can find the documentation in this link.
I have two Google Apps Scripts like this:
Script A:
This is a webapp. I use it like a web api. Depend on parameter I will return data what I read from a SpreadSheet only I can access and I will add or edit data in this SpreadSheet.
I published it with following options:
Execute as me
Who has access to the web app:Anyone
Script B:(in a SpreadSheet)
I use this SpreadSheet like a input form. And I will request to script A by UrlFetchApp function.
The problem:
When I use UrlFetchApp function, the response content is a html like following image. I think this is a request access dialog what will send a request mail to script A owner. I tried to share script B project to test user. It work fine. But I want to show html dialog and do something for test user can send mail normally.
Questions:
How can I show this html content on a dialog in SpreadSheet B?
If have another way which I must not share script A project to other one, tell me please! Because they can see my script A when I shared it to them.
I have used ScriptApp.getOAuthToken to verified webapp like this:
function requestAPI(request_parameter_string) {
var param = {
method : "get",
headers : {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
followRedirects : true,
muteHttpExceptions:true
};
Logger.log("run to this");
var url = "https://script.google.com/macros/s/" + api_id + "/exec?" + request_parameter_string;
var response = UrlFetchApp.fetch(url,param);
if(response.getContentText() != "Success"){
return response.getContentText();
}
}
Your situation is as follows.
Web Apps is deployed as Execute as me snd Who has access to the web app:Anyone.
You want to make users access to your Web Apps using the access token.
If my understanding is correct, how about this modification?
Modification points:
If you access to Web Apps that you are owner, you can access using the access token.
If other users access to your Web Apps, when the project file which deployed Web Apps is shared to users, users can access using the access token.
When the file is not shared, such error occurs.
If you use the container-bound script, please share it.
If you use the standalone script, please share it.
For the access token, https://www.googleapis.com/auth/drive is required to be included in the scopes.
References:
Web Apps
Taking advantage of Web Apps with Google Apps Script
I am trying to POST a request to a simple app script.
Here's the code:
var BACKEND_URL = "https://script.google.com/macros/s/AKfycbyYAWMv6O8Xld1EvqPuBk9EgxgfpVNly3dyX3JkSc3h/dev";
data = {"obj1": "data1", "obj2": "data2"};
function doGet() {
var resp = UrlFetchApp.fetch(BACKEND_URL, {
'method': 'post',
'contentType': 'application/json',
'payload': JSON.stringify(data),
'muteHttpExceptions': true
});
Logger.log(resp);
}
And here's the code for the server which should accept POST requests:
function doGet() {
}
function doPost(e) {
Logger.log("posted");
return;
}
NOTE: there's no user part in the URL, so this question isn't the same as a similar one posted in SO.
As a response a get an html page where it's said that sorry, Sorry, unable to open the file at this time. Please check the address and try again.
I've re-checked the page and it does exist.
In your case, the project with doGet() including UrlFetchApp.fetch() is the different from the project with doPost(e). And you want to call doPost() by running doGet() including UrlFetchApp.fetch(). If my understanding your situation is correct, can you confirm the following points.
BACKEND_URL you are using includes dev. This is used for using the latest code. But there is a limitation as follows. So please try to use Current web app URL like https://script.google.com/macros/s/#####/exec.
The second is the link labeled latest code and ends in /dev. This URL can only be accessed by users who have edit access to the script. This instance of the app always runs the most recently saved code — not necessarily a formal version — and is intended for quick testing during development.
At Web Apps, when there are no return messages, the error message of The script completed but did not return anything. is returned. If you want to get the return message, please set it using Content Service.
When the script at Web Apps side was modified, please redeploy the Web Apps as a new version. By this, the latest script is reflected to Web Apps.
References :
Deploying a script as a web app
Content Service
Edit :
When you deploy Web Apps, please try the following settings.
"Me" for "Execute the app as:"
"Anyone, even anonymous" for "Who has access to the app:"
I am facing HTTP 401 errors while trying to call a deployed Apps Script (as a web app, accessible to "anyone") from a second GAS with UrlFetch and a bearer in authorization header. The scripts were working fine for months until around two weeks ago.
Here are two small scripts to reproduce the error.
Script A - Deployed as a web app, accessible to "Anyone".
function doGet(e) {
var params = e.parameter.params;
console.info("Parameters : " + JSON.stringify(e.parameter));
return ContentService.createTextOutput("Success");
}
Script B - Calling the script A via UrlFetch
function callURL() {
var param = {
method : "get",
headers : {"Authorization": "Bearer " + ScriptApp.getOAuthToken()},
followRedirects : true,
muteHttpExceptions:true,
};
var url = "https://script.google.com/macros/s/<script_A_deployed_url>/exec?param1=test";
var resp = UrlFetchApp.fetch(url,param);
if(resp.getContentText() != "Success"){
console.info(resp.getContentText());
throw resp.getContentText();
}
}
Can you confirm the following points again?
For the client side, are there some functions except for your script of the client side in the project? If there is only the script in the project, the scope for accessing to Web Apps is not enough. The scopes for Drive API are required to be included in the scope of access token.
You can see the current scopes at File -> Project properties -> Scopes.
For example, those are the following scopes.
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/drive.file
https://www.googleapis.com/auth/drive
In my log, when Who has access to the app: is installed as Anyone, I confirmed that from April 11, 2018, it is required to be shared the project to access to Web Apps. This might be due to the update of Google.
Please share the project of Web Apps with users and try again.
For the Web Apps server side, if you set User accessing the web app for Execute the app as:, please authorize the scopes using own browser. This authorization is required to do only one time.
If these were not useful for your situation, I'm sorry.
Tanaike pointed me in the right direction. Apparently, some internal rules recently changed in the authentication mechanism for Apps Script deployed as a web app.
For B script, the default scope with UrlFetch is https://www.googleapis.com/auth/script.external_request, but it looks like we now need at least read access to A script, which means we also need Drive scopes.
In order to achieve that, you can for example have this function in B script to authorize them.
function setScope() {
DriveApp.getRootFolder();
}