What are the public facing IP addresses, when app maker calls an external service with urlfetch?
My external service insists on white-listing these. Is there a public list available from google?
Within App Maker, I want to use the UrlFetch to call an external service, very much like the App maker sample.
I see there is a list of Apps Script's IP address ranges for the JDBC. Would this be the same ranges?
(https://developers.google.com/apps-script/guides/jdbc#accessing)
Thanks in advance,
John
Since App Maker uses Apps Script's URL Fetch service, you need to look at their doc to answer this question. From what I can tell from:
https://developers.google.com/apps-script/reference/url-fetch/url-fetch-app
You need to go here:
https://cloud.google.com/appengine/kb/#static-ip
And then follow these instructions. Since Stack Overflow has an issue with simply posting links (although I really recommend you go to the link :), I'll summarize the instructions here:
nslookup -q=TXT _cloud-netblocks.googleusercontent.com 8.8.8.8
And then nslookup each "include" in the response. This gives you all the IPs currently in use.
Edit: It looks like this might be the same IPs Google uses for it's general URL fetch service, which could mean that if you're whitelisting for these IPs you may also whitelist for all App Engine applications, and probably even more. Obviously you'd be whitelisting for all Apps Script and App Maker applications, so I assume this doesn't matter, but I just wanted to mention it. If your service is trying to rely on this for security reasons then, obviously, it's not adequate.
I had the same issue,
may be you can try the "useIntranet" option which may reduce the ipaddress range within your websites/webapps current network
https://developers.google.com/apps-script/reference/url-fetch/url-fetch-app
eg:
var response = UrlFetchApp.fetch("https://Url.com",{
'method' : 'post',
'payload' :{
'useIntranet':true,
'key':"value"
}
}
);
Related
When attempting to use Google federated authentication login button for a Google webapp, error message identified mismatch with related URI and javascript host domains. Solutions, as in this 2019 post (Get gmail address using Google Apps Script, Error: redirect_uri_mismatch) weren't working for me.
I then found this recent article: What is the Authorized Javascript Origin for a webapp powered by Google Script?
I understand it to say that, due to recent actions by Google, it is no longer possible to use the Google authenticator for a Google webapp because redirect URI and javascript origin host domains "cannot be googleusercontent.com”, which is the host domain for Google webapps.
So, my question duplicates earlier posts (i.e., 2019) but in new circumstances. The conclusion of the recent post I've cited seems so radical to me that I'm seeking confirmation, or explanation of how I am misunderstanding it.
As background: I need the webapp to operate under the "(me)owner" account for connectivity to owner spreadsheets, but also need the user's Gmail address (required) for application access control (no other access to user Gmail account; users not all in a shared Workspace domain). Google login would provide the user Gmail address. So, before totally abandoning this solution, I hoping to get additional clarification.
According to the official docs, it's not possible to use Google Sign-In for Websites, and this post from the Google Apps Script Issue tracker Fail to Add *.googleusercontent.com into Authorized JavaScript origins as Google Apps Script uses googleusercontent.com
To achieve your goal, as I mentioned in your previous question, you might use the UrlFeth service to call the Google Sheets API to do the connectivity to your spreadsheet and setting the web app as the user instead as you.
From https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
Domain
Host TLDs (Top Level Domains) must belong to the public suffix list.
Host domains cannot be “googleusercontent.com”.
Redirect URIs cannot contain URL shortener domains (e.g. goo.gl) unless the app owns the domain. Furthermore, if an app that owns a shortener domain chooses to redirect to that domain, that redirect URI must either contain “/google-callback/” in its path or end with “/google-callback”.
Related
How to Properly Configure GAS Web App (as another user) to Execute GAS API Executable (as me) using OAuth2?
User access request when GAS run as the user
While true that you can no longer add googleusercontent.com, you may be able to solve this by using two webapps and managing authentication/authorization between the two:
Webapp#1:
Run as: Me
Access: Anyone even anonymous
Webapp#2:
Run as: User
Access: Anyone
You may be able to create a jwt token from webapp#2 and verify it on webapp#1. As it is a custom solution, security may be questionable.
References:
Authenticate with a server - Here, webapp#1 acts as server and webapp#2 acts as client.
ScriptApp.getIdentityToken()
I've searched for similar questions here on Stackoverflow but they didn't give an answer.
I make a UrlFetchApp.fetch(url) request to some api service, but the service probably bans this requesting IP. I need to whitelist it. I know there are lots of IPs which google apps use, but for now I need to determine at lease this one which is used for this specific call.
I tried this script to figure out the requests:
function getR(){
var url = 'https://my.APIENDPOINTURL'
req = UrlFetchApp.getRequest(url, options)
Logger.log(req)
resp = UrlFetchApp.fetch(url, options)
Logger.log(resp)
}
And it gives me this log:
Why does it show my real IP?
What's going on under the hood? I expected the real IP with UrlFetchApp uses in .getRequests() output.
Am I missing something?
Are there any tricks of knowing which IP does UrlFetchApp use?
I know that there is no this functionality as a native function.
You can find a list of IP addresses that Apps Script may use while calling other services here - https://www.gstatic.com/ipranges/goog.txt
It's buried in this JDBC article.
Maybe a strange question, but how long will google support http on cloud functions. Be default the https version of a cloud function will be used ofcourse.
But some IoT devices aren't able to create a secure connection and can only send (already encrypted) data straight to an IP addresses or http urls.
A static IP address pointing to a cloud function is not supported, but I do can send GET requests to the http version of a cloud function endpoint.
The only big thing is: If Google will ever redirect http to https, data will not come in anymore.
Regards, Peter
Your question seems to be asking about the future of Cloud Functions. There is no public roadmap for the development of Cloud Functions, so it's not really possible to say with certainty whether or not HTTP support will ever go away. I suggest contacting Google Cloud support directly if you need a more definitive answer.
In the scenario of scripts that need authentication to run (run as service account, locked down sharing settings, etc) is there a way to authenticate as a Google user via an HTTP tool like cURL, UrlFetchApp, or even PowerShell scripts from Windows Server environments?
You are going to have to do a little leg work on this one.
Firstly, when you publish your apps script, make sure to change the "who has access to the app" to something like "only myself".
Then you need to see what happens when you try to hit that URL from an external service without authenticating. There may be some help from the error codes you are likely to receive.
I imagine you can then use the following documents to Authenticate for Google Services IN GENERAL. Then you will most likely have to pass a sessionID or Accesskey of some sort. I only have a brief understanding of OAuth, but I do imagine that you may be able to set up a more permanent connection between your other server and your particular Google Apps Script.
I hope this helps.
Jacob
I am looking at creating a good google chrome extension for tumblr.
Now tumblr uses Oauth as it's authentication method.
So my question becomes.
Do I:
Distribute a single key with the application and hope people are nice enough to not use it for illegitimate purposes.
Put in the options the ability for a user to enter their own key, hence asking each user to register an application.
Create an intermediary on my server that makes the actual request.
Something else?
I also had to consider this for my Template extension when using OAuth to communicate with the goo.gl URL shortener service on the user's behalf.
After reading Chrome's OAuth tutorial I managed to implement this simply using the following;
ChromeExOAuth.initBackgroundPage({
access_url: 'https://www.google.com/accounts/OAuthGetAccessToken',
app_name: chrome.i18n.getMessage('app_name'),
authorize_url: 'https://www.google.com/accounts/OAuthAuthorizeToken',
consumer_key: 'anonymous',
consumer_secret: 'anonymous',
request_url: 'https://www.google.com/accounts/OAuthGetRequestToken',
scope: 'https://www.googleapis.com/auth/urlshortener'
});
This is surrounded by quite a bit of logic due to the complexity of the extension but this results in the user simply being shown a page (on a new tab) the first time they attempt to shorten a URL using my goo.gl implementation. Here the user can decide to allow/deny the authentication. Since this is only done once (unless the user later removes it from their list of authorized applications) I thought this was fine and my users seem to agree.
I did also provide an option to toggle OAuth on/off but I'm guessing this will always be required for the tumblr API. On that note I must admit I'm not familiar with that particular API so I'm afraid I can't help you further.